
CDS CERTIFICATION AND ACCREDITATION PROCESS

CDS CERTIFICATION AND ACCREDITATION PROCESS. David Wallick Chief, Navy Cross Domain Solutions Office SPAWAR Atlantic IA Division david.wallick@navy.mil (843) 218-3874. CDS Stakeholders. SPAWAR Atlantic Navy CDS Office (Certification Authority) CDS Engineering


Presentation Transcript


  1. CDS CERTIFICATION AND ACCREDITATION PROCESS
     David Wallick
     Chief, Navy Cross Domain Solutions Office
     SPAWAR Atlantic IA Division
     david.wallick@navy.mil
     (843) 218-3874

  2. CDS Stakeholders
     • SPAWAR Atlantic
     • Navy CDS Office (Certification Authority)
     • CDS Engineering
     • CDS Certification Test and Evaluation (CT&E)
     • Local DAA (NETWARCOM)
     • Unified Cross Domain Management Office (UCDMO)
     • Defense Security Accreditation Working Group (DSAWG), Cross Domain Technical Advisory Board (CDTAB)
     • National Security Agency (NSA)
     • Director of National Intelligence (DNI)
     Unclassified//FOUO

  3. Phase 1 – Requirements Validation
     [Diagram labels: 1 Baseline CDS; 2 Modified Baseline CDS; 3 New Development; DISA CD Enterprise; *Very Low Risk; PMO; Phase 1 CDA, SEE, *VLAR Criteria; CDSO Analysis; CDSAP; Community Jury]
     • This phase looks at CDS requirements.
     • CDSO guides PMO.
     • CDSO represents PMO at the board meetings.
     • CDTAB rep(s) will make recommendation to Community Jury.
     • * For VLoR process, there are 16 criteria to be met.

  4. Phase 2 – Solution Development and Evaluation
     [Diagram labels: Baseline CDS; Modified Baseline CDS; New Development; DISA CD Enterprise; *Very Low Risk; PMO; Phase 2 CDA, ST&E Plan, Solution CONOPS; Phase 2 Risk Assessment; CT&E (lab); ST&E; CDTAB; DSAWG; IATC; ATO]
     • CDSO conducts Phase 2 risk assessment and briefs CDTAB.
     • Modified Baseline CDS may require CT&E.
     • DISA CDSO handles all enterprise candidates.
     • CDSO determines what testing (site and/or lab) needs to be done for VLoR.
     • Local DAA grants ATO for VLoR.

  5. Phase 3 – Solution Validation
     [Diagram labels: Baseline CDS; Modified Baseline CDS; New Development; DISA CD Enterprise; PMO; Phase 3 CDA, ST&E Report; Phase 3 Risk Assessment; CDTAB; DSAWG; ATC]
     • PMO rep conducts Security Test and Evaluation (ST&E).
     • CDSO conducts Phase 3 risk assessment and briefs CDTAB.
     • DSAWG approves Approval to Connect (ATC) for up to one year.

  6. Phase 4 – Continuous Monitoring
     • ATC for one year
     • Annual revalidation
     • Requires inspection of system to verify configuration hasn’t changed
     • Any change to CDS requires opening a new request with CDSO

  7. Certification Process
     • Security Design Review (SDR) – IC + DoD
     • Test Readiness Review (TRR) – documentation, IV&V, test lab
     • Certification testing – NIST SP 800-53
     • Risk assessment
        • DoD – Risk Decision Authorization Criteria (RDAC)
        • UCDMO – TBD
     • Submit risk to CDTAB and DSAWG

  8. Questions?

  9. Backup Slides

  10. Very Low Risk (VLoR)
     Phase 1: QUALIFICATION; Phase 2: VALIDATION; Phase 3: CONTINUOUS MONITORING
     • Determine if the requirement is truly VLoR through answering very specific questions under the criteria categories.
     • Controls tailoring against the LLL NIST Controls Profile
     • Determine level of verification and testing
     • Certification and Accreditation activities
     • Steps to ensure Annual revalidation occurs
     [Figure: Risk Management Framework (SP 800-37) cycle: Categorize, Select, Implement, Assess, Authorize, Monitor]

  11. CDS Timeline
     • Phase 0 - Expected Duration 105 Days, unless new or modified CDS is required
        • (PMO) Initiate CDS discussion with CDSO and DAA
        • (PMO) Registers CDS request on NTIRA/UNTS
        • (PMO/NCDSO) Develop Phase 1 Cross Domain Appendix (CDA)
        • (NCDSO) Concur requirement on NTIRA
        • (NNWC N8/OPNAV) CDS requirements validation
        • (NNWC) Send Second Echelon Endorsement to CNO
        • (NCDSO) Cross Domain Solution Ticket Request
     • Phase I - Expected Duration 30 Days
        • (NCDSO/PMO) Brief CDSAP (part of CDTAB) on CDS technical feasibility, who recommends approval
        • (PMO) Brief Community Jury (part of DSAWG), who evaluates the community risk associated with the CDS and approves
        • (CNO) Provide CDS prioritization per CC/S/A quarterly
        • (CCAO) Create a ticket as a result

  12. CDS Timeline (cont’d)
     • Phase II - Expected Duration 2 Months (for Baseline CDS)
        • (PMO/NCDSO) Decide on which CDS to use
        • (PMO/NCDSO/CDS PM) Phase 2 CDA, ST&E plan, Data Owner’s Guidance (DOG)
        • (NSA) Conducts CT&E for new CDS
        • (NSA) RDAC testing
        • (NSA) Penetration testing
        • (CDTAB) Technical Risk Rating
        • (NCDSO) Conduct data and threat risk assessment of CDS
        • (NCDSO/PMO) Brief CDTAB on risk assessment
        • (PMO) Brief DSAWG on risk assessment
        • (Site/PMO/NNWC) Update site accreditation documentation (SSAA, topology, SCQ, Accr Letter, etc.) to prepare for site installation and ST&E
        • (DSAWG) IATC is granted as a result

  13. CDS Timeline (cont’d)
     • Phase III – Expected Duration 4 Months
        • (Site/PMO) Install CDS/system
        • (PMO/CDS PM) Conduct ST&E at site and submit results to NSA
        • (PMO/NCDSO) Phase 3 CDA
        • (NSA) Evaluate the ST&E and Phase 3 CDA for final risk assessment
        • (CDTAB) Analyze Phase 3 risk assessment
        • (DSAWG) Analyze risk assessment and grant ATC
        • (NNWC) Grant ATO for 1 year
     • Phase IV - (Operations) Usually no work on our part
        • (PMO/User) Operations
        • (PMO) Annual revalidation
        • (NCDSO/CDTAB/DSAWG/NNWC) Annual ATO + ATC
