Preparing System Security Plans 2013 Joint Security Awareness Council Seminar Sherry Williams, Speaker
Preparing System Security Plans JSAC 17-18 April, 2013
Requirements… To start a new Classified Program
• Contract Instrument
• DD254
• IFB
• IRAD
• RFP
• RFQ

Contract Instrument
• The Federal Acquisition Regulation (FAR) requires that a DD-254 be incorporated in each classified contract. The DD-254 provides the contractor (or subcontractor) the security requirements and classification guidance necessary to perform on a classified contract
• Invitation for Bid (IFB), Independent Research and Development (IRAD), Request for Proposal (RFP), Request for Quotation (RFQ)
Data Protection…
• The Security Classification Guide or other relevant security docs (required prior to beginning an IS profile)
• Identify classification level(s) and handling caveats
• IS USER required training based on classification level and handling caveats
• Closed area/Safe training requirements
White Board Meeting…
• “White board” meeting to discuss computing system requirements (Form 1116)
• Engineering and program requirements
• Unclassified and Classified systems
• Allocate, Build and pre-Certify systems based upon ODAA technical baseline settings

Why the Defense Security Service (DSS) denies an Approval to Operate (ATO)
• Missing or incomplete Unique Identifier (UID)
• ISSM did not sign the IS Security Package Submission and Certification Statement
• Missing Hardware List / Software List / Configuration Diagram
• Physical Security not adequately explained
• No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
• No Certification Test Guide or NISP Tool Results were provided
• Missing letter from Government Contracting Activity (GCA) if any variances are needed
• Identification and Authentication not adequately addressed
• Any unique issues that would require denial of the IATO
• Missing MOU when required

Missing MOU when required… MOU Requirements:
• Interconnected systems accredited by different DAAs
• Created to establish agreed-upon roles, security responsibilities and other information
• Signed by each DAA and submitted with the SSP
• Contractor-to-Contractor system interconnections do not require an MOU when DSS is the DAA for all systems involved
• Valid for three years or until system changes occur affecting the security posture
Missing GCA Letter for variances…
• A signed copy of the customer's Risk Acceptance Letter (RAL) on Government letterhead stating they are willing to assume the residual risk, e.g. for alternate trusted download procedures
• Special purpose/Non-Compliant systems requiring a RAL should be under a separate profile, and if connection to the larger compliant system is required, a single-page Network Security Plan (NSP) may be used
• Risk Acceptance Letters must be updated when the plan is reaccredited every three years

Variances and Self-Certification
• Profiles with RALs and Variances render an IS non-NISPOM compliant and therefore ineligible for Self-Certification authority
• Variance requests must be submitted after the MSSP ATO is granted and include a description of the approved variance and the signed RAL
• The approved variance must be maintained with the profile

Forget-Me-Nots
• Identify Group Accounts
• List Hardware Memory Size and Types
• Ensure Caveats are listed on ATO letters and in profiles
• Ensure UIDs on the MSSP, Profile, and ATO all match
• Ensure Sanitization procedures are included in profiles
• Communicate often with your ISSP