Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat

Page 1: Certification and Accreditation

CS-7493-01

Phase-1: Definition

Atif Sultanuddin

Raja Chawat

Page 2: Phase-1 Overview

Phase 1 initiates the DITSCAP process by acquiring or developing the information necessary to understand the Information System under evaluation and then using that information to plan the C&A tasks.

Page 3: Phase-1 Definition

The objectives of the Phase 1 activities are to agree on:

- the intended system mission
- the security requirements
- the C&A boundary
- the level of effort, and
- the resources required.

Page 4: Phase-1 Definition

[Figure: Phase 1 flow. Inputs (business case, mission need, threat, requirements, etc.) feed three activities in sequence: Preparation (Review Documentation; Prepare Mission Description and System Identification), Registration (Register System; Describe Environment and Threat; Identify Organization and Resources; Draft SSAA), and Negotiation (Certification Requirements Review; Approve Phase 1 SSAA). A Yes/No Agreement decision gates the SSAA and entry to Phase 2.]

Page 5: Phase-1 Activities

Phase 1 activities:

- Preparation
- Registration
- Negotiation

Page 6: Phase-1 Preparation

The DITSCAP process starts when an Information System is developed or modified in response to a business case, operational requirements, mission needs, or significant change in threats to be countered.

During the preparation activity, information and documentation are collected about the system.

Page 7: Phase-1 Preparation

Materials Reviewed During Preparation

1. Business Case
2. Mission Needs Statement
3. System Specifications
4. Architecture and Design Documents
5. User Manuals
6. Operating Procedures
7. Network Diagrams
8. Configuration Management Documents
9. Threat Analysis
10. Federal and Organizational IA and Security Instructions and Policies

Page 8: Phase-1 Registration

Registration initiates the risk management agreement process among the program manager, DAA, Certifier, and user representative.

Registration begins with preparing the system description and system identification and concludes with preparing an initial draft of the SSAA.

Page 9: Phase-1 Registration

Registration Tasks

1. Prepare business or operational functional description and system identification.
2. Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system).
3. Prepare the environment and threat description.
4. Prepare system architecture description and describe the C&A boundary.
5. Determine the system security requirements.
6. Tailor the DITSCAP tasks, determine the C&A level of effort, and prepare a DITSCAP plan.
7. Identify organizations that will be involved in the C&A.
8. Develop the draft SSAA.

Page 10: Phase-1 Negotiation

During negotiation all the participants involved in the Information System's development, acquisition, operation, security certification, and accreditation reach agreement on the implementation strategy to be used to satisfy the security requirements identified during system registration.

Page 11: Phase-1 Negotiation

Negotiation Tasks

1. Conduct the Certification Requirements Review (CRR).
2. Agree on the security requirements, level of effort, and schedule.
3. Approve the final Phase 1 SSAA.

Page 12: Negotiation

Negotiation starts with a review of the draft SSAA.

All participants review the proposed certification level and resource requirements to determine that the appropriate assurance is being applied.

Page 13: Negotiation

The purpose of negotiation is to ensure that the SSAA properly and clearly defines the approach and level of effort.

During negotiation all participants must develop an understanding of their roles and responsibilities.

Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached.

Page 14: Phase-1 Tasks

Task 1-1: Review Documentation

- Task Objective: The objective of this task is to obtain and review documentation relevant to the system.
- Task Description: In the review documentation task, information and documentation are collected about the system. This information includes:
  - capabilities and functions the system will perform
  - operational organizations supported
  - intended operational environment, and operational threat.
- This information is contained in the business case or mission needs statement, system specifications, architecture and design documentation, user manuals, operating procedures, network diagrams, and configuration management documentation.

Page 15: Phase-1 Tasks

Task 1-2: Prepare the System and Functional Description and System Identification

- Task Objective: The objective of this task is to prepare an accurate description of the system.
- Task Description: The system and functional description and system identification task describes the system mission and functions, system capabilities, and Concept of Operations (CONOPS).
- 1.2.1 System Identification: Identify the system being developed or entering the C&A process. Provide the name, organization, and location of the organization developing the mission needs and the organizations containing the ultimate user.
- 1.2.2 System Description: Describe the system, focusing on the information security relevant features of the system. Describe all the components of the system.

Page 16: Phase-1 Tasks

- 1.2.3 Functional Description and Capabilities: Describe the system, clearly delineating what functions or capabilities are expected in the fully accredited system.
  - System Capabilities: The functions or capabilities expected in the fully accredited system and the mission for which it will be used are clearly defined.
  - System Criticality: System criticality and the acceptable risk for the system in meeting the mission responsibilities are defined.
  - Classification and Sensitivity of Data: The type and sensitivity of the data processed by the system are defined.
  - System Users: Users' security clearances, their access rights to specific categories of information processed, and the actual information that the system is required to process are defined.
  - System Life Cycle: The system life cycle and where the system is in relationship to its life cycle are defined.

Page 17: Phase-1 Tasks

- 1.2.4 System CONOPS: The system CONOPS, including functions performed jointly with other systems, is defined.

Task 1-3: Register the System

- Task Objective: The objective of this task is to identify the agencies and individuals involved in the C&A process and determine the current status of the system.
- Task Description: This task identifies the applicable security and user authorities and informs them of the system status.
- 1.3.1 Identify Authorities:
  - The agency or organization that will serve as the DAA, Certifier, and user representative is identified.
  - Individuals and their responsibilities in the C&A process are identified.

Page 18: Phase-1 Tasks

Task 1-4: Prepare the Environment and Threat Description

- Task Objective: The objective of this task is to define the system environment and potential threats to the system.
- Task Description: The environment and threat description task describes the operating environment, system development environment, and potential system threats.
- 1.4.1 Operating Environment:
  - The physical, personnel, communications, emanations, hardware, software, and procedural security features that will be necessary to support site operations are described.
  - Operating environment security involves the measures designed to prevent unauthorized personnel from gaining physical access to equipment, facilities, material, and documents, and to safeguard the assets against espionage, sabotage, damage, and theft.

Page 19: Phase-1 Tasks

The Operating Environment task describes:

- Facility
- Physical security
- Administrative security
- Personnel
- COMSEC
- TEMPEST
- Maintenance
- Training

Page 20: Phase-1 Tasks

- 1.4.2 System Development, Integration, and Maintenance Environment: The system development approach and the environment within which the system will be developed are described. The system development approach is an information security strategy that incorporates security into each phase of a system's life cycle.
- 1.4.3 Threat Description and Risk Assessment: Potential threats and single points of failure that can affect the confidentiality, availability, and integrity of the system are defined.

Page 21: Phase-1 Tasks

Task 1-5: Determine the System Security Requirements

- Task Objective: The objective of this task is to identify the system security requirements.
- Task Description: The system security requirements task defines the national, DoD, and data security requirements, governing security requisites, network connection rules, and configuration management requirements.

Page 22: Phase-1 Tasks

- 1.5.1 Applicable Instructions or Directives: Determine the security instructions or directives applicable to the system.
- 1.5.2 Governing Security Requisite: Determine requirements stipulated by local agencies and the DAA. Contact the DAA and user representative to determine if they have any additional security requirements.
- 1.5.3 Data Security Requirements: Determine the type of data processed by the system.
- 1.5.4 Security Concept of Operations: The security CONOPS, including system input, system processing, final outputs, security controls, and interactions and connections with external systems, is described.

Page 23: Phase-1 Tasks

- 1.5.5 Network Connection Rules: Identify any additional requirements incurred if the system is to be connected to any other network or system.
- 1.5.6 Configuration Management: Additional requirements based on the Configuration Management Plan are determined.
- 1.5.7 Reaccreditation Requirements: Unique organizational requirements related to the reaccreditation or reaffirmation of the approval to operate the system are determined.
- 1.5.8 Requirements Traceability Matrix (RTM): The directives and security requisites used to determine the system security requirements are analyzed.

Page 24: Task 6: Prepare the System Architecture Description

Objective: To prepare a high level overview of the types of hardware, software, and firmware and associated interfaces.

Description: The system architecture task defines the system hardware, software, firmware, and interfaces.

Page 25: Task 6 Description

- System Hardware: Target hardware and its function.
- System Software: OS, DBMS, and software applications.
- System Firmware: Firmware stored permanently in a hardware device.
- System Interfaces: The system's external interfaces, their purpose, and the relationship between the interface and the system.
- Data Flows: The system's internal interfaces and data flows, including the types of data and the general methods for data transmission.

Page 26: Task 7: Identify the C&A Organizations and the Resources Required

Objective: To identify the organizations and individuals involved in the C&A process.

Description: Identify the appropriate authorities, resource, and training requirements, and determine the certification team's roles and responsibilities.

Page 27: Task 7 Description

- Organizations: Identify the organizations, individuals, and titles of the key authorities in the C&A process.
- Resources: Identify the resources required to conduct the C&A. Identify the roles of the certification team and their responsibilities.
- Resources and Training Requirements: Describe the training requirements, the types of training, and who is responsible for preparing and conducting the training.
- Other Supporting Organizations: Identify supporting groups to the C&A process.

Page 28: Task 8: Tailor the DITSCAP and Prepare the DITSCAP Plan

Objective: To tailor the DITSCAP to the system and prepare the DITSCAP plan.

- Determines the appropriate certification level.
- Adjusts the DITSCAP activities to the program strategy and system life cycle.
- Tailors the security activities to system development activities, and ensures that the security activities are relevant to the process and provide the required degree of analysis.

Page 29: Task 9: Draft the SSAA

Objective: Complete and assemble the SSAA document.

Description:

- Complete the SSAA document.
- Assemble it into the formal SSAA document.
- Submit the draft SSAA to the DAA and Certifier.
- The draft SSAA establishes a reference for discussions during negotiation.

Page 30: Task 10: Conduct Certification Requirements Review

Objective: To conduct a CRR.

Description:

- Provides an opportunity for the DAA and Certifier to discuss the system functionality, security requirements, and planned C&A schedule.
- The CRR results in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements.

Page 31: Task 11: Establish Agreement on Level of Effort and Schedule

Objective: To agree on the C&A level of effort and schedule.

Description: This task ensures that the DAA, Certifier, program manager, and user representative agree to the level of effort and schedule for the C&A activities.

Page 32: Task 12: Approve Phase 1 SSAA

Objective: To obtain the DAA's approval on the Phase 1 SSAA.

Description: The DAA makes a decision on approving the system functionality, operating environment, development environment, potential threats, security requirements, system architecture, organization and resource requirements, tailoring factors, certification level, and DITSCAP plan.

Page 33: PHASE 1 ROLES AND RESPONSIBILITIES

Page 34: DAA Responsibilities

- Define accreditation requirements.
- Obtain a threat assessment for the system.
- Assign a Certifier to conduct vulnerability and risk assessments.
- Support the DITSCAP tailoring and level of effort determination.
- Approve the SSAA.

Page 35: Certifier and Certification Team Responsibilities

- Support the DAA as the technical expert in the certification process.
- Begin vulnerability and risk assessments.
- Review the threat definition.
- Identify the security requirements.
- Tailor the DITSCAP, determine the appropriate certification level, and prepare the DITSCAP Plan.
- Provide level of effort and resource requirements.
- Develop the SSAA.
- Provide oversight for the CRR.

Page 36: ISSO Responsibilities

- Assist the DAA, Certifier, and certification team in the certification effort.
- Review the business case or mission statement to determine that it accurately describes the system.
- Review the environment description to verify that it accurately describes the system.

Page 37: User Representative Responsibilities

- Support the DITSCAP tailoring and level of effort determination.
- Provide a business case or mission statement.
- Validate or define system performance, availability, and functionality requirements.
- Provide data sensitivity, end user functionality, and user organization information.
- Verify the ability to comply with the SSAA during operations.

Page 38: Acquisition or Maintenance Organization Responsibilities

Program Manager Responsibilities

- Initiate the dialogue with the DAA, Certifier, and user representative.
- Define the system schedule and budget.
- Support the DITSCAP tailoring and determine the certification level.
- Define the system architecture.
- Integrate system security requirements into the system.
- Prepare Life-Cycle Management Plans.
- Define the security architecture.

Page 39: Developer, Integrator or Maintainer Responsibilities

- Provide technical equipment environment requirements.
- Provide target hardware and software architecture.
- Provide information regarding the system development organization.
- Determine the feasibility of technical solutions and security requirements.

Page 40: Configuration Management Responsibilities

The configuration management staff support the program manager in the development and maintenance of the system and system documentation.

Page 41: System Administration Responsibilities

There are no system administration responsibilities in Phase 1.

Page 42: Questions