Secure System Administration & Certification
DITSCAP Manual (Chapter 6) – Phase 4: Post Accreditation
Stephen I. Khan, Ted Chapman
University of Tulsa, Department of Mathematical & Computer Sciences
CS 5493/7493 Secure System Administration & Certification, Dr. Mauricio Papa
Resources
• NSTISSI No. 1000 - National Information Assurance Certification and Accreditation Process (NIACAP), dated April 2000
• DITSCAP manual: http://www.dtic.mil/whs/directives/corres/text/p85101m.txt
• DITSCAP article, Documents Related to DITSCAP: http://iase.disa.mil/ditscap/ditsdocuments.html
Phase 1 - Definition
Initiates the DITSCAP process by acquiring or developing the information necessary to understand the IT, then using that information to plan the C&A tasks.
Phase 1 Tasks
• Register the system – inform the DAA, CA, PM and users.
• Determine system security requirements.
• Develop the system architecture and define the C&A boundary.
• Identify the threat environment.
• Prepare the security CONOPS.
• Identify the organizations involved in the C&A activities.
• Tailor the activities and determine the level of effort.
• Develop the draft SSAA.
Phase 2 - Verification
Verify the system's compliance with the requirements agreed on in the SSAA. The goal is to obtain a fully integrated system for certification testing and accreditation.
Phase 2 Tasks - Certification
• Review and validate the security architecture.
• Software design analysis (e.g., NMCI applications).
• Review network connection rule compliance.
• Review the integration approach of products.
• Review life cycle management support requirements.
• Conduct a vulnerability assessment.
Phase 3 - Validation
Validates the fully integrated system's compliance with the requirements stated in the SSAA. The goal is to obtain full approval to operate the system - accreditation.
Phase 3 Tasks - Validation
• Conduct Security Test and Evaluation.
• Conduct penetration testing.
• Validate security requirements compliance.
• Conduct the site accreditation survey.
• Develop and exercise the contingency/incident response plan.
• Conduct the risk management review.
• Identify residual risk and review it with the CA.
• Present ST&E results and residual risk to the DAA.
Phase 4 – Post Accreditation
[Flowchart: System Operation → Validation required? (No: continue operation; Yes: Compliance Validation) → Change required? (No: continue operation; Yes: return to Phase 1: Definition, SSAA)]
• Objective is to maintain an acceptable level of residual risk
• DITSCAP responsibilities shift to the site system manager or maintenance organization
• Major changes or periodic validation reinitiate the DITSCAP process at Phase 1
• Ends with system termination
Inputs
• SSAA from Phase 3
• Test procedures
• Site information
System and Security Operations Tasks
• SSAA Maintenance
• Physical, Personnel and Management Control
• TEMPEST Evaluation
• COMSEC Evaluation
• Contingency Plan Maintenance
• Change Management
• System Security Management
• Risk Management
Task Analysis Report Topics
• Record of findings
• Evaluation of vulnerabilities
• Summary of the analysis level of effort
• Summary of tools used and results obtained
• Recommendations
SSAA Management
• Update, as needed, to reflect the current operating system mission
• Changes in the system should be reflected in the SSAA according to security level
• Output: a revised SSAA
Physical, Personnel, and Management Control Review
• Analyze the operational procedures, environmental concerns, personnel security controls, and physical security for any unacceptable risks
• Complete the Minimum Security Activity Checklist
• Output: Physical, Personnel, and Management Control Review Summary Report
TEMPEST Evaluation
• Periodic TEMPEST and RED-BLACK verification may be required to ensure that the equipment meets security requirements
• Output: a TEMPEST Evaluation Summary Report
COMSEC Compliance
• Validate appropriate COMSEC approval and compliance with the SSAA
• Verify that the COMSEC-approved key management procedures continue to be used
• Output: COMSEC Compliance Evaluation Summary Report
Contingency Plan Management
• Review contingency plans and related procedures to ensure that they remain current
• Complete the Minimum Security Activity Checklist
• Output: Contingency Plan Maintenance Summary
Configuration Management
• Assess proposed changes to the system to determine whether they will impact system security
• Accreditation ties certified hardware and software to the configuration of the computing environment
• The SSAA defines the configuration management strategy
• Significant changes to the security posture must be forwarded to the DAA, Certifier, User Representative, and Program Manager
• Output: Configuration Management Summary Report
Risk Management Review
• Assess the risk to confidentiality, integrity, and availability of the system and its information
• Any change in risk should be reported immediately to the DAA
• Complete the Minimum Security Activity Checklist
• Output: updated SSAA and Risk Management Review Summary Report
Threat Changes
• IT mission or user profile
• IT architecture
• Criticality/sensitivity level
• Security policy
• Threat or system risk
• Activity that requires a different security mode
• Breach of security, system integrity, or unusual situation
• Results of an audit or external assessment
Roles and Responsibilities
• Describes the functional relationships and integration of each of these roles
• In some cases the roles may be performed by three separate organizations
• In other cases some roles may be combined
Compliance Validation
• Periodic review of the operational system and its computing environment at predefined intervals (as defined in the SSAA).
• The purpose is to ensure the system continues to comply with the security requirements, current threat assessment and concept of operations.
• The compliance review should ensure that the contents of the SSAA adequately address the functional environment into which the IS has been placed.
• Should repeat all the applicable tasks from Phase 2 (Verification) and Phase 3 (Validation).
Compliance Validation (cont.) – Phase 2 Tasks (Verification)
1. System Architecture Analysis
2. Software Design Analysis
3. Network Connection Rule Compliance Analysis
4. Integrity Analysis of Integrated Products
5. Life-Cycle Management Analysis
6. Security Requirements Validation Procedures Preparation
7. Vulnerability Assessment
Compliance Validation (cont.) – Phase 3 Tasks (Validation)
1. Security Test and Evaluation
2. Penetration Testing
3. TEMPEST and RED-BLACK Evaluation
4. COMSEC Compliance Evaluation
5. System Management Analysis
6. Site Accreditation Survey
7. Contingency Plan Evaluation
8. Risk Management Review
Compliance Validation (cont.) – Minimal Tasks
1. Site and Physical Security Validation
2. Security Procedures Validation
3. System Changes and Related Impact Validation
4. System Architecture and System Interfaces Validation
5. Management Procedures Validation
6. Risk Decisions Validation
Compliance Validation (cont.)
• Complete the Minimal Security Activity Checklist
• Prerequisite tasks: all Phase 2 and Phase 3 tasks.
• Input: approved SSAA and Task Summary Reports from all prerequisite tasks.
• Output/Products: a Compliance Validation Summary Report, which must include the following:
- Record of findings.
- Evaluation of vulnerabilities discovered during evaluations.
- Summary of the analysis level of effort.
- Summary of tools used and results obtained.
- Recommendations.
Change Requested or Required – two possibilities
1. No change: the system continues in operation.
2. Change: the process returns to Phase 1 (Definition).
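The Phase 4 loop sketched on the flowchart slide and the two possibilities above, together with the change categories from the "Threat Changes" slide and the notification rule from the "Configuration Management" slide, can be written as a small decision gate. The code below is an added illustration for this course page; it is not from the DITSCAP manual and the DITSCAP manual prescribes no such program. The SSAA fields (last validation date, validation interval), the ROUTINE change kind, the step names and the sample system "EXAMPLE-IS" are all assumptions constructed for the example.

```python
"""Phase 4 (Post Accreditation) decision gate.

Added example modelled on the DITSCAP Phase 4 flow summarised on this page;
it is not code from the DITSCAP manual.  Field names, step names and sample
data are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Set, Tuple


class ChangeKind(Enum):
    """Change categories listed on the 'Threat Changes' slide, plus an assumed
    ROUTINE category for changes judged to have no security impact."""
    MISSION_OR_USER_PROFILE = "IT mission or user profile"
    ARCHITECTURE = "IT architecture"
    CRITICALITY_SENSITIVITY = "criticality/sensitivity level"
    SECURITY_POLICY = "security policy"
    THREAT_OR_RISK = "threat or system risk"
    SECURITY_MODE = "activity that requires a different security mode"
    BREACH_OR_INCIDENT = "breach of security, system integrity or unusual situation"
    AUDIT_RESULT = "results of an audit or external assessment"
    ROUTINE = "routine change with no security impact"  # assumed, not on the slides


# Every listed category except ROUTINE is treated as security relevant.
SECURITY_RELEVANT = frozenset(k for k in ChangeKind if k is not ChangeKind.ROUTINE)

# Roles the 'Configuration Management' slide says must be forwarded significant changes.
NOTIFY_ON_SIGNIFICANT_CHANGE: Tuple[str, ...] = (
    "DAA", "Certifier", "User Representative", "Program Manager")
# Roles the 'Roles and Responsibilities' slides say oversee compliance validation.
NOTIFY_ON_VALIDATION: Tuple[str, ...] = ("DAA", "Certifier")


@dataclass
class SSAA:
    """Minimal SSAA record (assumed fields): the interval is the one the SSAA
    itself defines for periodic compliance validation."""
    system_name: str
    last_validated: date
    validation_interval: timedelta


@dataclass
class ProposedChange:
    description: str
    kinds: Set[ChangeKind]


@dataclass
class Phase4Decision:
    next_step: str  # "operate" | "compliance_validation" | "phase1_definition"
    notify: Tuple[str, ...] = ()
    reasons: List[str] = field(default_factory=list)


def validation_due(ssaa: SSAA, today: date) -> bool:
    """True once the SSAA-defined validation interval has elapsed."""
    return today - ssaa.last_validated >= ssaa.validation_interval


def evaluate_phase4(ssaa: SSAA, change: Optional[ProposedChange], today: date) -> Phase4Decision:
    """Apply the Phase 4 loop: significant change -> Phase 1; interval elapsed
    -> compliance validation; otherwise continue system operation."""
    # 1. A change touching any security-relevant category reinitiates Phase 1
    #    and is forwarded to the roles named on the Configuration Management slide.
    if change is not None:
        hits = sorted(k.value for k in change.kinds & SECURITY_RELEVANT)
        if hits:
            return Phase4Decision(
                "phase1_definition", NOTIFY_ON_SIGNIFICANT_CHANGE,
                [f"significant change ({change.description}): {h}" for h in hits])
    # 2. No significant change: check whether periodic compliance validation is due.
    if validation_due(ssaa, today):
        days = ssaa.validation_interval.days
        return Phase4Decision(
            "compliance_validation", NOTIFY_ON_VALIDATION,
            [f"validation interval of {days} days elapsed since {ssaa.last_validated}"])
    # 3. No trigger: keep operating; a routine change is only recorded under CM.
    reasons: List[str] = []
    if change is not None:
        reasons.append(f"routine change recorded ({change.description}); no security impact assessed")
    return Phase4Decision("operate", (), reasons)


def demo() -> List[Phase4Decision]:
    """Run the gate over constructed sample inputs (not real system data)."""
    ssaa = SSAA("EXAMPLE-IS", date(2024, 1, 15), timedelta(days=365))
    return [
        evaluate_phase4(ssaa, None, date(2024, 6, 1)),
        evaluate_phase4(ssaa, ProposedChange("replace boundary firewall",
                                             {ChangeKind.ARCHITECTURE}), date(2024, 6, 1)),
        evaluate_phase4(ssaa, None, date(2025, 2, 1)),
        evaluate_phase4(ssaa, ProposedChange("reword operator checklist",
                                             {ChangeKind.ROUTINE}), date(2024, 6, 1)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision.next_step, decision.notify, *decision.reasons, sep="\n  ")
```

The ordering matters: a significant change is checked before the calendar, so an architecture change submitted the day before a scheduled validation still goes back to Phase 1 rather than being folded into the periodic review.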
Roles and Responsibilities
1. Security Team Responsibilities
- DAA Responsibilities
- Certifier (CA) and Certification Team Responsibilities
2. User Responsibilities
- User Representative Responsibilities
- ISSO Responsibilities
3. Acquisition or Maintenance Organization Responsibilities
- Program Manager Responsibilities
- Program Management Support Staff Responsibilities
- Developer, Integrator or Maintainer Responsibilities
- Configuration Control and Configuration Management Responsibilities
- System Administration Responsibilities
Roles and Responsibilities (cont.) – DAA
1. Review proposed security changes.
2. Oversee compliance validation.
3. Monitor C&A integrity.
4. Establish reaccreditation requirements and ensure all assigned systems comply with them.
5. Decide to reaccredit, accredit, grant an IATO, or, if the SSAA is no longer valid, terminate system operations.
6. Review the system for compliance with the SSAA.
7. Must be notified of any changes that significantly affect the security posture of the system.
Roles and Responsibilities (cont.) – Certifier (CA) and Certification Team
1. Typically serve in a support role to the DAA, system operators and ISSO.
2. Review the SSAA.
3. Review proposed changes.
4. Oversee compliance validation.
5. Must be notified of any changes that significantly affect the security posture of the system.
Roles and Responsibilities (cont.) – User Representative
1. Oversee the system operation according to the SSAA.
2. Report vulnerabilities and security incidents.
3. Report threats to the mission environment.
4. Review and update the system vulnerabilities.
5. Review changes to the security policy and standards.
6. Initiate an SSAA review if there are changes in the threat or system configuration.
7. Maintain an acceptable level of residual risk.
8. Review and approve proposed changes.
9. Submit significant changes to the DAA and the CA.
10. Perform compliance validation actions.
Roles and Responsibilities (cont.) – ISSO
1. Security focal point responsible for the secure operation of the IS within the environment as agreed on in the SSAA.
2. Ensures the IS is deployed and operated according to the SSAA to maintain an acceptable level of residual risk.
3. Periodically reviews the mission statement, operating environment, and security architecture to determine compliance with the approved SSAA.
4. Maintains the integrity of the site environment and the accredited security posture.
5. Ensures that configuration management adheres to the security policy and security requirements.
6. Initiates the C&A process when periodic reaccreditation is required or a system change dictates.
Roles and Responsibilities (cont.) – Program Manager
1. Report security-related changes in the IS to the DAA and user representative.
2. Update the IS to address reported vulnerabilities and patches under configuration management.
3. Review and update life-cycle management policies and standards.
4. Resolve security discrepancies.
5. Review the SSAA periodically.
6. Operate the system as prescribed in the SSAA.
7. Maintain an acceptable level of residual risk.
8. Submit proposed changes to the user representative, ISSO, DAA and CA, as applicable.
9. Support compliance validation.
Roles and Responsibilities (cont.) – Program Management Support Staff
1. Cost and schedule determinations.
2. Level-of-effort evaluation of subsequent C&A efforts.
3. System documentation.
Roles and Responsibilities (cont.) – Developer, Integrator or Maintainer
1. Provide the hardware and software architecture to the acquisition organization.
2. Provide system modifications or changes to the ISSO and inform the program manager, DAA, Certifier, and user representative.
3. Develop or integrate technical security solutions and security requirements.
Roles and Responsibilities (cont.) – Configuration Control and Configuration Management
1. Supports the PM in the development and maintenance of system documentation.
Roles and Responsibilities (cont.) – System Administration
1. Operate the system according to the SSAA.
2. Maintain an acceptable level of residual risk.
3. Inform the ISSO of any proposed changes or modifications to the system, the information processed, operating procedures, or operating environment that affect security.
Phase 4 - Overview
• Objective is to maintain an acceptable level of residual risk
• DITSCAP responsibilities shift to the site system manager or maintenance organization
• SSAA Maintenance
• Physical, Personnel and Management Control
• TEMPEST Evaluation
• COMSEC Evaluation
• Contingency Plan Maintenance
• Change Management
• System Security Management
• Risk Management