130 likes | 394 Views
Office of the Designated Approving Authority (ODAA) April 2008. DSS Designated Approving Authority. (DAA) Government entity responsible for approving cleared contractor systems to process classified data.
E N D
Office of the Designated Approving Authority (ODAA) April 2008
DSS Designated Approving Authority • (DAA) Government entity responsible for approving cleared contractor systems to process classified data. • Primary functions and goals are to ensure system security controls are in place that limit the risk of compromising national security information. • Provide a system to efficiently and effectively manage a certification and accreditation process. • Ensure adherence to national industrial security standards.
ODAA Improving Accreditation Timeliness and Consistency Average Timelines Nov. 2007 through Feb. 2008 • IATOs - 30 Days on Average • 92% ATOs - Granted From On-Site Verification Improvements Planned for 2008 • Standardize System Security Plans (Templates) (Spring 2008) • Standard configurations for various operating systems (Spring 2008) • Tools to assist contractors in complying with configuration standards (Spring 2008) • Updating ODAA Process Guide by adding more clarity, procedural instructions, and examples (Spring 2008) • ODAA system capabilities will provide ability to submit template plans online and gather metrics more efficiently (Winter 2008) These improvements will equate to quicker IATO and ATOs!
ODAA Metrics Security Plan Reviews • February 2008 114 IATO Plans Submitted and Reviewed • 9 Days – Time to perform initial DSS review (1st QTR 2008 10) • 9 Days – Contractors response to DSS questions/comments (1st QTR 2008 6) • 26 Days – Time from DSS receipt of plans to granting of IATOs (1st QTR 2008 27) • 30 Days – Average Review Time
ODAA Metrics Security Plan Reviews • Security Plan Review Questions and/or Comments, Errors/Corrections Noted • 33% Plans required some changes (1st QTR 2008 28) • 6.1% Plans had general procedures contradict protection profile requirements • (1st QTR 2008 6%) • 7.9% Plans not tailored to system (1st QTR 2008 8%) • 12.3% Plans had incomplete or missing attachments (1st QTR 2008 8%) • 14.9% Plans had missing ISSM certifications (1st QTR 2008 14%) • 7% Plans had integrity/available not completely addressed (1st QTR 2008 4%) • 5.3% Plans had inadequate trusted downloading procedures (1st QTR 2008 4%) • 9.6% Plans had inaccurate or incomplete configuration diagram/system • description (1st QTR 2008 3%) • 3.5% Plans inadequate antivirus procedures (1st QTR 2008 1.3%)
ODAA Metrics and Organization On-site Verification Stats (38% Required Some Level Modifications) #1. No discrepancies discovered during on-site validation. #2. Minor discrepancies noted and corrected during on-site validation. #3. Significant discrepancies noted which could not be resolved during on-site validation.
ODAA System Security Plans (Templates) • Standardizing System Security Plans (Templates) • ODAA is in final stages of developing a SSP for stand alone and peer-to-peer system types • Other system type SSP templates will be developed in 2008 • Benefit to Accreditation Process • Instituting a standard SSP will improve consistency across the industry in submitting security plans for DSS review and approval. Common submission and reviewer errors will be addressed which translates into shorter DSS review and reducing correspondence with contractors • Also, standard SSP will assist smaller contractors who may not be as seasoned as mid/larger contractors in the classified certification and accreditation process
Standardizing Technical Configurations • Operating Systems System technical configurations -Windows -Solaris -RedHat Linux -Others (Configurations based on DISA, NSA, and OEM) • Benefits to accreditation process • Strengthening systems security by establishing a DSS implementation standard based on computer security benchmark organizations • Provide DSS added assurance that system security controls are in place at the system level thereby shortening DSS review and reducing correspondence with contractors
ODAA Automated Tools • Automated tools will assist with DSS requirements compliance • Tools being designed in conjunction with • DSS Technical Configuration Standards • DSS System Security Plan Templates • Implementation Guides • Benefit to Accreditation Process • Provide DSS added assurance that system security controls are in place at the system level thereby shortening DSS review and reducing correspondence with contractors • Granting of IATOs more timely = ability to begin processing sooner
ODAA Process Guide Update • Updated ODAA Process Guide will provide • More clarity to issues brought to ODAA attention from ODAA and contractors • DSS procedural instructions with examples • Designed for continued improvement • Bi-annually updated to address issues identified that need DSS interpretation and guidance) • Benefit to accreditation process • Improve consistency interpretation for DSS and contractors • Improved consistency translates into clarifying and standardizing expectations across the industry • Improving compliance and decreasing DSS reviews and on-site verifications = Contractors begin processing sooner
Enhancing ODAA System Capabilities • DSS plans to design an ODAA system that will assist in the full spectrum management of the DSS certification and accreditation process. System is envisioned to have the following functionality: For Contractors Online means to submit template security plans* Online means to request status of security plans* (*assuming a secure mechanism can be implemented) For DSS Online means for ODAA to centrally manage, distribute, monitor, and account for security plans electronically
Benefit to Accreditation Process DSS management will be able to obtain immediate metrics for the ODAA mission Metrics will identify where management attention is needed for steering resources and identify opportunities for improvements Plans can be efficiently distributed to appropriate staff in near real-time thereby reducing human intervention (opening email attachments etc..) and plan transmission more efficiently Contractors will have a venue to efficiently submit (upload) security plan templates as opposed to emailing plans Automated ability to ensure plans were received by DSS Ability to obtain plan status Enhancing ODAA System Capabilities (Cont’d.)
ODAA Organization David Cole ODAA Alexandria, VA Western Region DAA Timothy Weaver San Diego, CA Southern Region DAA Randy Riley Melbourne, FL Capital Region DAA Karl Hellman Chantilly, VA Northern Region DAA David Berglund Boston, MA Assistant HQ ODAA Mike Farley Alexandria, VA