1 / 16

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010. Overview ODAA Documentation ISFO Process Manual (August 2010) Certification & Accreditation (C&A) Common Errors/Findings. ODAA Documentation NISPOM (Chapter 8) (February 2006)

teal
Télécharger la présentation

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Industrial Security Field Operations (ISFO)Office of theDesignated Approving Authority (ODAA) August 2010

  2. Overview • ODAA Documentation • ISFO Process Manual (August 2010) • Certification & Accreditation (C&A) • Common Errors/Findings

  3. ODAA Documentation • NISPOM (Chapter 8) (February 2006) • Industrial Security Letters (ISLs) • ISFO Process Manual (August 2010)

  4. ISFO Process Manual • System Security Plans (SSP) Types • Standalone • Local Area Network (LAN) • Wide Area Network (WAN) • Network Security Plan (NSP)

  5. ISFO Process Manual • Stand Alone • Single User Stand Alone (SUSA) • Only one general user • Physical security • Closed area • Restricted area • Classification level • Multi User Stand Alone (MUSA) • Two or more general users • Physical security • Closed area • Restricted area • Classification level

  6. ISFO Process Manual • Local Area Network (LAN) • Peer to peer • Local user authentication • Closed area • Restricted area • Classification level • Domain controlled • Central user authentication • Closed area • Restricted area • Classification level

  7. ISFO Process Manual • Wide Area Network (WAN) • Unified WAN • RDAA of host node will accredit • IATO not allowed • Single unified network SSP • Must include all nodes on the unified network • Interconnected WAN • Separately accredited systems • Network Security Plan (NSP) • IATO may be issued

  8. ISFO Process Manual • Network Security Plan (NSP) • Allows interconnection of separately accredited systems • ATO/IATO will list nodes approved for connection • Provides overall network view • RDAA of host node will accredit • Network ISSO is responsible

  9. ISFO Process Manual • Self Certification • Authority granted in MSSP/Profile, Approval to Operate (ATO) • Allows ISSM to self certify like systems • Specific to system type and similar operations • Only systems that are NISPOM compliant may be self certified • Documentation for self certified systems • Notify IS Rep, ISSP and ODAA

  10. Certification & Accreditation (C&A) • Plan Submission • Must use approved SSP/MSSP/NSP templates • Assign Unique Identifier (UID) • Once assigned, UIDs never change • Email to ODAA • CC ODAA, IS Rep and ISSP • Email subject line • Email body

  11. Table E-1 Subject Line Requirements for Plan Submissions

  12. Certification & Accreditation (C&A) • Process • Email plan to ODAA • ODAA accepts or rejects plan • Once accepted, ISSP performs desktop review • RDAA can deny or issue IATO • If required ISSM resubmits corrections • ISSP will perform on site verification • RDAA issues ATO

  13. C&A Common Errors • Missing or incomplete UID • Not using approved DSS templates • Missing signed IS Security Package Submission and Certification Statement • Missing signed DSS Form 147 • Missing ISSM System Certification Test Checklist • Missing GCA risk acceptance letter for variances • Missing MOU if required • Missing published and promulgated IS Security Policy addressing the classified processing environment • ISSM fails to submit required corrections

  14. Common Errors • Passwords • SSPs not properly updated (Hardware list, software list, configuration diagram not accurate) • Changing the security posture of the system without authorization

  15. Audit Issues • References: NISPOM 8-602, ISL 2007-01 items 44 & 45 • Security Relevant Objects (SRO), file, and folder permission & auditing • System auditing

  16. Questions & Answers

More Related