DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
Phase III – Validation
Thomas Howard
Chris Pierce
Resources
http://iase.disa.mil/ditscap/ditsdocuments.html
Phase 1 - Definition
Initiates the DITSCAP process by acquiring or developing the information necessary to understand the IT and then using that information to plan the C&A tasks.
[Figure: Phase 1 flow diagram. Labels: Document Mission Need; Registration; Negotiation; Agreement (Yes/No); SSAA; Phase 2 Verification; connector A (Return from Phases 2, 3, and 4).]
Phase 1 Tasks
1. Register the system – Inform DAA, CA, PM and Users.
2. Determine system security requirements.
3. Develop system architecture and define C&A boundary.
4. Identify threat environment.
5. Prepare security CONOPS.
6. Identify organizations involved in the C&A activities.
7. Tailor the activities and determine the level of effort.
8. Develop draft SSAA.
Phase 2 - Verification
[Figure: Phase 2 flow diagram. Labels: SSAA; System Development Activity; Certification Analysis; Pass; Ready for Certification; Correct; Reanalyze; Yes/No branches; Life Cycle Activity (1 to n); connector A to Phase 1 Definition; Phase 3 Validation.]
Verify the system’s compliance with the requirements agreed on in the SSAA. The goal is to obtain a fully integrated system for certification testing and accreditation.
Phase 2 Tasks - Certification
1. Review and validate security architecture.
2. Software design analysis (i.e., NMCI applications).
3. Review network connection rule compliance.
4. Review integration approach of products.
5. Review life cycle management support requirements.
6. Conduct vulnerability assessment.
Phase 3 - Validation
Validates the fully integrated system compliance with the requirements stated in the SSAA. The goal is to obtain full approval to operate the system - accreditation.
Phase 3 Tasks - Validation
1. Conduct Security Test and Evaluation.
2. Conduct penetration testing.
3. Validation of security requirements compliance.
4. Conduct site accreditation survey.
5. Develop and exercise contingency/incident response plan.
6. Conduct risk management review.
7. Identify residual risk and review with CA.
8. Present ST&E results and residual risk to the DAA.
Overview of Steps
Step 1 - Refine the SSAA
Step 2 - Certification Evaluation of the Integrated IS
Step 3 - Develop Recommendation and DAA Decision
1 - Refine the SSAA
- Ensures requirements and agreements still apply
- Review runs throughout Phase III
- All details are added to the SSAA to reflect system’s current state
- Changes are submitted to
  - DAA
  - CA
  - Program manager
  - User representative
2 - Certification Evaluation of the Integrated IS
This step certifies the following:
- The fully integrated and operational system complies with the SSAA requirements.
- The IS may be operated at an acceptable level of risk.
2 - Certification Evaluation of the Integrated IS
These are the certification tasks:
2.1 Security Test and Evaluation
2.2 Penetration Testing
2.3 TEMPEST and Red-Black verification
2.4 Validation of COMSEC compliance
2.5 System management analysis
2.6 Site Accreditation Survey
2.7 Contingency plan evaluation
2.8 Risk-based management review
2.1.1 – Security Test & Evaluation
- Assesses whether the implementation of the design and features is in accordance with the SSAA.
- Validates the correct implementation of identification and authentication, access controls and network connection rule compliance.
- Test plans and procedures will address security requirements and provide evidence of residual risk.
- The results of tests will validate proper installation and operation of features.
2.1.2 - Security Test & Evaluation
Multiple locations are handled in the following ways:
- ST&E will occur at central integration and test facility
- If facility not applicable, possible test at intended-operating sites
System installation and security configuration should be tested at operational sites.
2.2 - Penetration Testing
Penetration Testing
- Penetration testing is suggested for applicable system classes
- Testing may include attempts based on common vulnerabilities of technology in use.
2.3 - TEMPEST & RED-BLACK Verification
Used to validate that equipment and site meet security requirements
- TEMPEST – Short name referring to investigation, study, and control of compromising emanations from IS equipment.
- RED-BLACK – Refers to inspection of cables and power lines
2.4 - Validation and COMSEC compliance
COMSEC
- Communication Security
- Evaluates how well SSAA COMSEC requirements are integrated
Validates the following:
- That the IS is COMSEC approved
- That the IS follows COMSEC management procedures
2.5.1 - System Management Analysis
- System management infrastructure checked for support of maintenance of environment, mission and architecture.
- The roles and responsibilities of ISSO are examined for SSAA consistency.
- System and security management organization are examined to determine ISSO incident reporting and security changes implementation ability.
2.5.2 - System Management Analysis
Benefits of System Management Analysis:
- Insight of level of secure operation of the environment
- Indication of the effectiveness of security personnel
- Insight into potential security problem areas
2.5.3 - System Management Analysis
- Configuration management program is mandatory for maintenance of a secure posture
- Evaluates change control and configuration management practices on integrity of software and hardware
- Periodic re-verification on configuration for unauthorized changes
2.6 - Site Accreditation Survey
- Ensures that site operation is accomplished in accordance with SSAA
- Validates that operational procedures pose no unacceptable risk
- When system not confined to fixed site, system will be evaluated in a representative site or environment
2.7 - Contingency Plan Evaluation
- Evaluates that contingency, back-up and continuity service plans meet SSAA requirements
- DoD Directive 5200.28 requires periodic test for critical systems
2.8 - Risk Management Review
- Evaluates operation of system to see if CIA is being maintained
- Evaluates system vulnerabilities
- Evaluates operational procedures and safeguards in offsetting a risk
3 – Develop Recommendation and DAA Decision
- Begins after completion of all certification tasks
- Ends with DAA Accreditation decision
- Purpose
  - Consolidate findings
  - Submit CA’s report
  - Produce DAA decision
3.1 – CA’s Recommendation
- CA issues system certification if technical requirements are satisfied
- Supplemental recommendations might be made to improve security posture
- Should provide input to future enhancement and change management decisions
3.1.1 - Deficiencies
- CA may uncover security deficiencies, but believe risk level is acceptable
- CA may make recommendation as long as there will be timely correction of deficiencies
- SSAA will reflect deficiencies
- Agreement obtained outlining acceptable operating conditions
3.1.2 – Don’t Accredit
If CA determines the system
- Does not satisfy the SSAA, and
- Short-term risks are unacceptable
CA will recommend the system not be accredited
3.2 – DAA Accreditation Decision
Accreditation package consists of:
- CA’s recommendation
- DAA authorization to operate
- Supporting documentation
- SSAA
Supporting documentation may vary, but should include at least:
- Security findings and deficiencies
- Risks of operation
3.2.1 - DAA Accreditation Decision
- If decision is to accredit it will include security parameters of acceptable operating conditions
- If decision does not meet SSAA requirements a temporary approval may be issued if system need be operational
  - This requires a return to Phase I to negotiate accepted solutions, schedule, and security actions
3.2.2 - DAA Accreditation Decision
- When accreditation has been issued the responsibility for the SSAA moves to the system operator
- Phase IV begins if decision is to accredit
- If accreditation is withheld
  - Reasons for denial are stated
  - Suggested solutions are provided
  - DITSCAP reverts to Phase I to resolve the issues
3.2.3 - Generic Accreditation
- Mobile systems are difficult to accredit at all possible locations
- Generic accreditation may be issued for a typical operating environment
- It is the official authorization to employ identical copies in a specified environment
3.2.3 - Generic Accreditation
SSAA will identify
- Specific uses of the system
- Operational constraints and procedures
DAA would include disclaimer stating that operators are responsible for monitoring the environment for compliance
Roles and Responsibilities
- Describes the functional relationships and integration of these roles of each of the
- In some cases the roles may be performed by three separate organizations
- In other cases some roles may be combined
Phase 1 – Role and Responsibility
Program Manager
- Initiate security dialogue with DAA, the CA, and the user representative.
- Define system schedule and budget.
- Define and/or validate system performance, availability, and functionality requirements.
- Support DITSCAP tailoring and level of effort determination.
- Draft or support drafting of the SSAA.
- Reach agreement on the SSAA.
- Approve the SSAA.
DAA and CA
- Define ITSEC accreditation requirements.
- Obtain threat assessment.
- Begin vulnerability and risk assessments.
- Assign the CA.
- Support DITSCAP tailoring and determine the level of effort.
- Draft or support drafting of the SSAA.
- Reach agreement on the SSAA.
- Approve the SSAA.
User Representative
- Validate and/or define system performance, availability and functionality requirements.
- Support DITSCAP tailoring and level of effort determination.
- Reach agreement on the SSAA.
- Approve the SSAA.
Phase 2 – Role and Responsibility
Program Manager
- Review the SSAA.
- Develop system or system modifications.
- Support certification actions.
- Review certification results.
- Revise system as applicable.
DAA and CA
- Review the SSAA.
- Evaluate developing system.
- CA performs certification actions.
- CA assesses vulnerabilities.
- CA reports results to the program manager, the DAA, and the user representative.
- Maintain the SSAA.
User Representative
- Review the SSAA.
- Support certification actions.
Phase 3 – Role and Responsibility
Program Manager
- Review the SSAA.
- Test integrated system.
- Support certification actions.
- Review certification results.
- Revise system as applicable.
- Support SSAA revisions.
DAA and CA
- Review the SSAA.
- Evaluate developing system.
- CA performs certification actions.
- Assess vulnerabilities and residual risk.
- CA reports results to the program manager, the DAA, and the user representative.
- CA develops recommendation to the DAA.
- CA prepares accreditation package.
- Review the SSAA.
- Issue decision.
User Representative
- Review the SSAA.
- Support certification actions.
- Review certification results.
- Support SSAA revisions.
Conclusion
- Validate that Phases I & II have produced an IS that operates in a specified computing environment with acceptable risk
- The goal is to obtain full approval to operate – Accreditation
Questions?