1 / 14

Preparing System Security Plans

Preparing System Security Plans . 2013 Joint Security Awareness Council Seminar Sherry Williams, Speaker. Preparing System Security Plans JSAC 17-18 April, 2013. Requirements…. To start a new Classified Program Contract Instrument DD254 IFB IRAD RFP RFQ. Contract Instrument.

ull
Download Presentation

Preparing System Security Plans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Preparing System Security Plans 2013 Joint Security Awareness Council Seminar Sherry Williams, Speaker

  2. Preparing System Security Plans JSAC 17-18 April, 2013

  3. Requirements… To start a new Classified Program • Contract Instrument • DD254 • IFB • IRAD • RFP • RFQ

  4. Contract Instrument • The Federal Acquisition Regulation (FAR) requires that a DD-254 be incorporated in each classified contract. The DD-254 provides the contractor (or subcontractor) security requirements and classification guidance necessary to perform on a classified contract • Invitation for Bid (IFB), Independent Research and Development (IRAD), Request for Proposal (RFP), Request for Quotation (RFQ)

  5. DD 254…

  6. Data Protection… • The Security Classification Guide or other relevant security docs (required prior to beginning a IS profile) • Identify classification level(s) and handling caveats • IS USER required training based on classification level and handling caveats • Closed area/Safe training requirements

  7. White Board Meeting… • “White board” meeting to discuss computing system requirements (Form 1116) • Engineering and program requirements • Unclassified and Classified systems • Allocate, Build and pre-Certify systems based upon ODAA technical baseline settings

  8. Why the Defense Security Service (DSS) denies an Approval to Operate (ATO) • Missing or incomplete Unique Identifier (UID) • ISSM did not sign the IS Security Package Submission and Certification Statement • Missing Hardware List / Software List / Configuration Diagram • Physical Security not adequately explained • No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area • No Certification Test Guide or NISP Tool Results were provided • Missing letter from Government Contracting Activity (GCA) if any variances are needed • Identification and Authentication not adequately addressed • Any unique issues that would require denial of the IATO • Missing MOU when required

  9. Missing MOU when required… MOU Requirements: • Interconnected systems accredited by different DAAs • Created to establish agreed upon roles, security responsibilities and other information • Signed by each DAA and submitted with SSP • Contractor-to-Contractor system interconnections do not require an MOU when DSS is the DAA for all systems involved • Valid for three years or until system changes occur affecting security posture

  10. Missing GCA Letter for variances… • A signed copy of the customers Risk Acceptance Letter (RAL) on Government letterhead stating they are willing to assume the residual risk for e.g. alternate trusted download procedures • Special purpose/Non-Complaint systems requiring a RAL should be under a separate profile and if connection to the larger compliant system is required a single page Network Security Plan (NSP) may be used • Risk Acceptance Letter's must be updated when the plan is reaccredited every three years

  11. Variances and Self-Certification • Profiles with RALs and Variances render and IS non-NISPOM compliant therefore ineligible for Self-Certification authority • Variance requests must be submitted after MSSP ATO granted and include a description of the approved variance and signed RAL • Approved variance must be maintained with the profile

  12. Forget-me Not’s • Identify Group Accounts • List Hardware Memory Size and Types • Ensure Caveats are listed on ATO letters and in profiles • Ensure UIDs on MSSP, Profile, and ATO all match • Ensure Sanitization procedures are included in profiles • Communicate often with your ISSP

  13. Lets Take A Look…

  14. Questions???

More Related