
Thomas Howard Chris Pierce


Presentation Transcript


  1. DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard, Chris Pierce

  2. Resources http://iase.disa.mil/ditscap/ditsdocuments.html

  3. Phase 1 - Definition Phase 1 Tasks: Initiates the DITSCAP process by acquiring or developing the information necessary to understand the IT system and then using that information to plan the C&A tasks. • Register the system – inform the DAA (Designated Approving Authority), CA (Certification Authority), PM (program manager) and users. • Determine the system security requirements. • Develop the system architecture and define the C&A boundary. • Identify the threat environment. • Prepare the security CONOPS (concept of operations). • Identify the organizations involved in the C&A activities. • Tailor the activities and determine the level of effort. • Develop the draft SSAA (System Security Authorization Agreement).

  4. Phase 2 - Verification Verifies the system's compliance with the requirements agreed on in the SSAA. The goal is to obtain a fully integrated system for certification testing and accreditation. Phase 2 Tasks - Certification • Review and validate the security architecture. • Software design analysis (e.g., NMCI applications). • Review network connection rule compliance. • Review the integration approach of the products. • Review life cycle management support requirements. • Conduct a vulnerability assessment.

  5. Phase 3 - Validation Validates the fully integrated system's compliance with the requirements stated in the SSAA. The goal is to obtain full approval to operate the system - accreditation. Phase 3 Tasks - Validation • Conduct Security Test and Evaluation (ST&E). • Conduct penetration testing. • Validate compliance with the security requirements. • Conduct the site accreditation survey. • Develop and exercise the contingency/incident response plan. • Conduct the risk management review. • Identify residual risk and review it with the CA. • Present the ST&E results and residual risk to the DAA.

  6. Overview of Steps • Step 1 - Refine the SSAA • Step 2 - Certification Evaluation of the Integrated IS • Step 3 - Develop Recommendation and DAA Decision

  7. 1 - Refine the SSAA • Ensures that the requirements and agreements still apply • The review runs throughout Phase III • All details are added to the SSAA to reflect the system's current state • Changes are submitted to • DAA • CA • Program manager • User representative

  8. 2 - Certification Evaluation of the Integrated IS This step certifies the following: • The fully integrated and operational system complies with the SSAA requirements. • The IS may be operated at an acceptable level of risk

  9. 2 - Certification Evaluation of the Integrated IS These are the certification tasks: 2.1 Security Test and Evaluation 2.2 Penetration Testing 2.3 TEMPEST and Red-Black verification 2.4 Validation of COMSEC compliance 2.5 System management analysis 2.6 Site Accreditation Survey 2.7 Contingency plan evaluation 2.8 Risk-based management review

  10. 2.1.1 – Security Test & Evaluation Assesses that the design and security features are implemented in accordance with the SSAA. • Validates the correct implementation of identification and authentication, access controls and network connection rule compliance. • Test plans and procedures address the security requirements and provide evidence of residual risk. • The test results validate proper installation and operation of the security features.

  11. 2.1.2 - Security Test & Evaluation Systems deployed at multiple locations are handled as follows: • ST&E takes place at a central integration and test facility • If no such facility applies, testing may take place at the intended operating sites • In either case, system installation and security configuration should be tested at the operational sites.

  12. 2.2 - Penetration Testing • Penetration testing is suggested for the applicable classes of system • Testing may include attack attempts based on the known, common vulnerabilities of the technology in use.

  13. 2.3 - TEMPEST & RED-BLACK Verification • Used to validate that the equipment and the site meet the emanations security requirements • TEMPEST - short name referring to the investigation, study, and control of compromising emanations from IS equipment. • RED-BLACK – inspection of cabling, signal lines and power lines to verify that RED circuits (carrying unencrypted classified information) are kept separate from BLACK circuits (carrying encrypted or unclassified signals)

  14. 2.4 - Validation of COMSEC Compliance COMSEC • Communications Security • Evaluates how well the SSAA COMSEC requirements are integrated into the system Validates the following: • That the IS is COMSEC approved • That the IS follows COMSEC management procedures

  15. 2.5.1 - System Management Analysis • The system management infrastructure is checked for its ability to support and maintain the environment, mission and architecture. • The roles and responsibilities of the ISSO (Information System Security Officer) are examined for consistency with the SSAA. • The system and security management organization is examined to determine the ISSO's ability to report incidents and to implement security changes.

  16. 2.5.2 - System Management Analysis Benefits of System Management Analysis: • Insight into how securely the environment is operated • An indication of the effectiveness of the security personnel • Insight into potential security problem areas

  17. 2.5.3 - System Management Analysis • A configuration management program is mandatory for maintaining a secure posture • Evaluates the effect of change control and configuration management practices on the integrity of the software and hardware • Periodic re-verification of the configuration to detect unauthorized changes
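The periodic re-verification the slide calls for is, in practice, a comparison of the accredited configuration baseline against the live system. The following is an added example written for this page (it is not part of the presentation or of any DITSCAP tool): it records a SHA-256 digest and permission bits for every file under a configuration root, stores that baseline as JSON, and on a later run reports files that were added, removed or modified since accreditation. The directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Baseline and re-verify a configuration tree to detect unauthorized changes.

Added example, not from the original presentation. Paths and file contents
used in demo() are constructed sample data, not real system files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest and permission bits of every regular file under root.

    Keys are POSIX-style relative paths so the baseline is portable between
    the accredited host and an offline verifier. Symlinks are skipped so an
    attacker cannot satisfy the check by pointing a link at an unchanged file.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": _sha256(path),
                "mode": oct(path.stat().st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in a real deployment this copy lives off the host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the stored baseline.

    Returns sorted lists of relative paths that were added, removed or
    modified (content hash or permission bits differ).
    """
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed configuration tree, baseline it, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"          # the accredited configuration root
        (site / "etc").mkdir(parents=True)
        (site / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (site / "etc" / "audit.rules").write_text("-w /etc/passwd -p wa\n")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside the root
        save_baseline(build_baseline(site), baseline_file)

        # Simulated unauthorized changes between accreditation and re-verification
        (site / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (site / "etc" / "audit.rules").unlink()                             # removed
        (site / "etc" / "rc.local").write_text("/opt/unknown/agent &\n")    # added

        return verify_baseline(site, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))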

  18. 2.6 - Site Accreditation Survey • Ensures that site operation is accomplished in accordance with the SSAA • Validates that the operational procedures pose no unacceptable risk • When the system is not confined to a fixed site, it is evaluated in a representative site or environment

  19. 2.7 - Contingency Plan Evaluation • Evaluates whether the contingency, back-up and continuity of service plans meet the SSAA requirements • DoD Directive 5200.28 requires periodic testing of these plans for critical systems

  20. 2.8 - Risk Management Review • Evaluates operation of the system to see whether confidentiality, integrity and availability (CIA) are being maintained • Evaluates the system's vulnerabilities • Evaluates the operational procedures and safeguards that offset each risk

  21. 3 – Develop Recommendation and DAA Decision • Begins after completion of all certification tasks • Ends with the DAA accreditation decision • Purpose • Consolidate the findings • Submit the CA's report • Produce the DAA decision

  22. 3.1 – CA's Recommendation • The CA issues system certification if the technical requirements are satisfied • Supplemental recommendations may be made to improve the security posture • These should provide input to future enhancement and change management decisions

  23. 3.1.1 - Deficiencies • The CA may uncover security deficiencies but still judge the risk level acceptable • The CA may recommend accreditation as long as the deficiencies will be corrected in a timely manner • The SSAA will reflect the deficiencies • An agreement is obtained outlining the acceptable operating conditions

  24. 3.1.2 – Don't Accredit • If the CA determines that the system • does not satisfy the SSAA, and • the short-term risks are unacceptable, the CA will recommend that the system not be accredited

  25. 3.2 – DAA Accreditation Decision • The accreditation package consists of: • CA's recommendation • DAA authorization to operate • Supporting documentation • SSAA • Supporting documentation may vary, but should include at least: • Security findings and deficiencies • Risks of operation

  26. 3.2.1 - DAA Accreditation Decision • If the decision is to accredit, it will include the security parameters of the acceptable operating conditions • If the system does not meet the SSAA requirements, a temporary (interim) approval to operate may be issued if the system must be operational • This requires a return to Phase I to negotiate accepted solutions, a schedule, and security actions

  27. 3.2.2 - DAA Accreditation Decision • When accreditation has been issued, responsibility for the SSAA moves to the system operator • Phase IV begins if the decision is to accredit • If accreditation is withheld: • The reasons for denial are stated • Suggested solutions are provided • DITSCAP reverts to Phase I to resolve the issues

  28. 3.2.3 - Generic Accreditation • Mobile systems are difficult to accredit at all possible locations • A generic accreditation may be issued for a typical operating environment • It is the official authorization to employ identical copies of the system in a specified environment

  29. 3.2.3 - Generic Accreditation • The SSAA will identify • the specific uses of the system • operational constraints and procedures • The DAA includes a disclaimer stating that operators are responsible for monitoring the environment for compliance

  30. Roles and Responsibilities • Describes the functional relationships and integration of the roles of each of the participants (DAA, CA, program manager, user representative) • In some cases the roles may be performed by three separate organizations • In other cases some roles may be combined

  31. Phase 1 – Role and Responsibility

  32. Phase 2 – Role and Responsibility

  33. Phase 3 – Role and Responsibility

  34. Conclusion • Validate that Phases I & II have produced an IS that operates in a specified computing environment with acceptable risk • The goal is to obtain full approval to operate – accreditation

  35. Questions?
