CDS CERTIFICATION AND ACCREDITATION PROCESS
David Wallick
Chief, Navy Cross Domain Solutions Office
SPAWAR Atlantic IA Division
david.wallick@navy.mil
(843) 218-3874
CDS Stakeholders
• SPAWAR Atlantic
• Navy CDS Office (Certification Authority)
• CDS Engineering
• CDS Certification Test and Evaluation (CT&E)
• Local DAA (NETWARCOM)
• Unified Cross Domain Management Office (UCDMO)
• Defense Security Accreditation Working Group (DSAWG), Cross Domain Technical Advisory Board (CDTAB)
• National Security Agency (NSA)
• Director of National Intelligence (DNI)
Unclassified//FOUO
Phase 1 – Requirements Validation
[Flow diagram; labels recovered from the slide: Baseline CDS (1), Modified Baseline CDS (2), New Development (3); PMO; Phase 1 CDA, SEE, *VLoR Criteria; CDSO Analysis; CDSAP; Community Jury; DISA CD Enterprise; *Very Low Risk]
• This phase looks at CDS requirements.
• CDSO guides the PMO.
• CDSO represents the PMO at the board meetings.
• CDTAB rep(s) will make a recommendation to the Community Jury.
• * For the VLoR process, there are 16 criteria to be met.
Phase 2 – Solution Development and Evaluation
[Flow diagram; labels recovered from the slide: Baseline CDS, Modified Baseline CDS, New Development; PMO; Phase 2 CDA, ST&E Plan, Solution CONOPS; Phase 2 Risk Assessment; CDTAB; DSAWG; IATC; DISA CD Enterprise; *Very Low Risk; ST&E; ATO; CT&E (lab)]
• CDSO conducts the Phase 2 risk assessment and briefs CDTAB.
• A Modified Baseline CDS may require CT&E.
• DISA CDSO handles all enterprise candidates.
• CDSO determines what testing (site and/or lab) needs to be done for VLoR.
• Local DAA grants ATO for VLoR.
Phase 3 – Solution Validation
[Flow diagram; labels recovered from the slide: Baseline CDS, Modified Baseline CDS, New Development; PMO; Phase 3 CDA, ST&E Report; Phase 3 Risk Assessment; CDTAB; DSAWG; ATC; DISA CD Enterprise]
• PMO rep conducts Security Test and Evaluation (ST&E).
• CDSO conducts the Phase 3 risk assessment and briefs CDTAB.
• DSAWG approves Approval to Connect (ATC) for up to one year.
Phase 4 – Continuous Monitoring
• ATC for one year
• Annual revalidation
• Requires inspection of the system to verify the configuration hasn't changed
• Any change to the CDS requires opening a new request with CDSO
Certification Process
• Security Design Review (SDR) – IC + DoD
• Test Readiness Review (TRR) – documentation, IV&V, test lab
• Certification testing – NIST SP 800-53
• Risk assessment
  • DoD – Risk Decision Authorization Criteria (RDAC)
  • UCDMO – TBD
• Submit risk to CDTAB and DSAWG
Questions?
Backup Slides
Very Low Risk (VLoR)
Phase 1 – Qualification | Phase 2 – Validation | Phase 3 – Continuous Monitoring
• Determine if the requirement is truly VLoR by answering very specific questions under the criteria categories.
• Controls tailoring against the LLL NIST Controls Profile
• Determine the level of verification and testing
• Certification and Accreditation activities
• Steps to ensure annual revalidation occurs
[Diagram: Risk Management Framework (SP 800-37) cycle: Categorize, Select, Implement, Assess, Authorize, Monitor]
CDS Timeline
• Phase 0 – Expected Duration 105 Days, unless a new or modified CDS is required
  • (PMO) Initiate CDS discussion with CDSO and DAA
  • (PMO) Register CDS request on NTIRA/UNTS
  • (PMO/NCDSO) Develop Phase 1 Cross Domain Appendix (CDA)
  • (NCDSO) Concur with requirement on NTIRA
  • (NNWC N8/OPNAV) CDS requirements validation
  • (NNWC) Send Second Echelon Endorsement to CNO
  • (NCDSO) Cross Domain Solution Ticket Request
• Phase I – Expected Duration 30 Days
  • (NCDSO/PMO) Brief CDSAP (part of CDTAB) on CDS technical feasibility, who recommends approval
  • (PMO) Brief Community Jury (part of DSAWG), who evaluates the community risk associated with the CDS and approves
  • (CNO) Provide CDS prioritization per CC/S/A quarterly
  • (CCAO) Create a ticket as a result
CDS Timeline (cont'd)
• Phase II – Expected Duration 2 Months (for Baseline CDS)
  • (PMO/NCDSO) Decide which CDS to use
  • (PMO/NCDSO/CDS PM) Phase 2 CDA, ST&E plan, Data Owner's Guidance (DOG)
  • (NSA) Conducts CT&E for new CDS
  • (NSA) RDAC testing
  • (NSA) Penetration testing
  • (CDTAB) Technical Risk Rating
  • (NCDSO) Conduct data and threat risk assessment of CDS
  • (NCDSO/PMO) Brief CDTAB on risk assessment
  • (PMO) Brief DSAWG on risk assessment
  • (Site/PMO/NNWC) Update site accreditation documentation (SSAA, topology, SCQ, Accr Letter, etc.) to prepare for site installation and ST&E
  • (DSAWG) IATC is granted as a result
CDS Timeline (cont'd)
• Phase III – Expected Duration 4 Months
  • (Site/PMO) Install CDS/system
  • (PMO/CDS PM) Conduct ST&E at site and submit results to NSA
  • (PMO/NCDSO) Phase 3 CDA
  • (NSA) Evaluate the ST&E and Phase 3 CDA for final risk assessment
  • (CDTAB) Analyze Phase 3 risk assessment
  • (DSAWG) Analyze risk assessment and grant ATC
  • (NNWC) Grant ATO for 1 year
• Phase IV – (Operations) Usually no work on our part
  • (PMO/User) Operations
  • (PMO) Annual revalidation
  • (NCDSO/CDTAB/DSAWG/NNWC) Annual ATO + ATC