160 likes | 1.13k Views
Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010. Overview ODAA Documentation ISFO Process Manual (August 2010) Certification & Accreditation (C&A) Common Errors/Findings. ODAA Documentation NISPOM (Chapter 8) (February 2006)
E N D
Industrial Security Field Operations (ISFO)Office of theDesignated Approving Authority (ODAA) August 2010
Overview • ODAA Documentation • ISFO Process Manual (August 2010) • Certification & Accreditation (C&A) • Common Errors/Findings
ODAA Documentation • NISPOM (Chapter 8) (February 2006) • Industrial Security Letters (ISLs) • ISFO Process Manual (August 2010)
ISFO Process Manual • System Security Plans (SSP) Types • Standalone • Local Area Network (LAN) • Wide Area Network (WAN) • Network Security Plan (NSP)
ISFO Process Manual • Stand Alone • Single User Stand Alone (SUSA) • Only one general user • Physical security • Closed area • Restricted area • Classification level • Multi User Stand Alone (MUSA) • Two or more general users • Physical security • Closed area • Restricted area • Classification level
ISFO Process Manual • Local Area Network (LAN) • Peer to peer • Local user authentication • Closed area • Restricted area • Classification level • Domain controlled • Central user authentication • Closed area • Restricted area • Classification level
ISFO Process Manual • Wide Area Network (WAN) • Unified WAN • RDAA of host node will accredit • IATO not allowed • Single unified network SSP • Must include all nodes on the unified network • Interconnected WAN • Separately accredited systems • Network Security Plan (NSP) • IATO may be issued
ISFO Process Manual • Network Security Plan (NSP) • Allows interconnection of separately accredited systems • ATO/IATO will list nodes approved for connection • Provides overall network view • RDAA of host node will accredit • Network ISSO is responsible
ISFO Process Manual • Self Certification • Authority granted in MSSP/Profile, Approval to Operate (ATO) • Allows ISSM to self certify like systems • Specific to system type and similar operations • Only systems that are NISPOM compliant may be self certified • Documentation for self certified systems • Notify IS Rep, ISSP and ODAA
Certification & Accreditation (C&A) • Plan Submission • Must use approved SSP/MSSP/NSP templates • Assign Unique Identifier (UID) • Once assigned, UIDs never change • Email to ODAA • CC ODAA, IS Rep and ISSP • Email subject line • Email body
Certification & Accreditation (C&A) • Process • Email plan to ODAA • ODAA accepts or rejects plan • Once accepted, ISSP performs desktop review • RDAA can deny or issue IATO • If required ISSM resubmits corrections • ISSP will perform on site verification • RDAA issues ATO
C&A Common Errors • Missing or incomplete UID • Not using approved DSS templates • Missing signed IS Security Package Submission and Certification Statement • Missing signed DSS Form 147 • Missing ISSM System Certification Test Checklist • Missing GCA risk acceptance letter for variances • Missing MOU if required • Missing published and promulgated IS Security Policy addressing the classified processing environment • ISSM fails to submit required corrections
Common Errors • Passwords • SSPs not properly updated (Hardware list, software list, configuration diagram not accurate) • Changing the security posture of the system without authorization
Audit Issues • References: NISPOM 8-602, ISL 2007-01 items 44 & 45 • Security Relevant Objects (SRO), file, and folder permission & auditing • System auditing