Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010
Overview ODAA Documentation ISFO Process Manual (August 2010) Certification & Accreditation (C&A) Common Errors/Findings
ODAA Documentation NISPOM (Chapter 8) (February 2006) Industrial Security Letters (ISLs) ISFO Process Manual (August 2010) ISL 2007-01 ISL 2009-01 DSS ODAA Baseline Standards (March 2009) NISP Tool for Windows Version 3.5.1 (March 2010) System Security Plan (SSP) Templates (August 2009) Network Security Plan (NSP) Template (November 2008)
ISFO Process Manual System Security Plans (SSP) Types Standalone Local Area Network (LAN) Wide Area Network (WAN) Network Security Plan (NSP)
ISFO Process Manual Stand Alone Single User Stand Alone (SUSA) Only one general user Physical security Closed area Restricted area Classification level Multi User Stand Alone (MUSA) Two or more general users
ISFO Process Manual Local Area Network (LAN) Peer to peer Local user authentication Closed area Restricted area Classification level Domain controlled Central user authentication
ISFO Process Manual Wide Area Network (WAN) Unified WAN RDAA of host node will accredit IATO not allowed Single unified network SSP Must include all nodes on the unified network Interconnected WAN Separately accredited systems Network Security Plan (NSP) IATO may be issued
ISFO Process Manual Network Security Plan (NSP) Allows interconnection of separately accredited systems ATO/IATO will list nodes approved for connection Provides overall network view RDAA of host node will accredit Network ISSO is responsible An NSP must be written for any interconnection between two or more separately accredited information systems including two or more systems owned by the same ISSM at the same facility or campus (cage code.)
ISFO Process Manual Self Certification Authority granted in MSSP/Profile, Approval to Operate (ATO) Allows ISSM to self certify like systems Specific to system type and similar operations Only systems that are NISPOM compliant may be self certified Documentation for self certified systems Notify IS Rep, ISSP and ODAA An IS Profile under an MSSP is written for a system type (Single-User Non-networked, Multiuser Non-networked and Peer to Peer LAN, or Domain Controlled LAN) and similar operations (Trusted Downloads, Periods Processing, Mobile System, etc). Each IS Profile must be accredited by the CSA before the ISSM can self-certify a similar system. Master plans will not be written for any system requiring a variance or waiver. Only those systems that are NISPOM compliant may be self-certified.
Self Certification Issues NISPOM 8-202g, ISL 2007-01 Item 14, ISFO Process Manual Appendix F MSSP vs. SSP What can be self certified? Expiration or cancelation of the MSSP profile Submitting self certified paperwork to ODAA Self certified documentation not maintained with the system MSSP Tracking Forms What cannot be self certified Profiles with variance to NISP Requirements Profiles accredited prior to the release of ISL 2009-01
Certification & Accreditation (C&A) Plan Submission Must use approved SSP/MSSP/NSP templates Assign Unique Identifier (UID) Once assigned, UIDs never change Email to ODAA CC ODAA, IS Rep and ISSP Email subject line Email body
PLAN Unique Identifier Table E-1 Subject Line Requirements for Plan Submissions Region PLAN Unique Identifier IS # Identifier Variables XXXXX-YYYYMMDD-XXXXX Capital Northern Southern Western CageCode¹ YYYYMMDD² XXXXX³ XXXXX4 See Variables Unique Identifiers ¹ Use the facility's 5 character Cage Code ² Use the date on the SSP or MSSP ³ Use a number from 00001 - 99999. Each plan must use a unique number. 4 Variables MSSP Use MSSP when the plan is a Master Security Plan REV Use Rev when the plan has been resubmitted after the Contractor has made revisions as required by the ODAA. SIPR Use when the IS seeking accreditation has a connection to the SIPRNet. TERM Use when the IS is no longer used for classified processing INT Use INT for SSPs with International connections NSP Use NSP for Network Security Plans DIB Use DIB for DIBCS System Security Plans
Certification & Accreditation (C&A) Process Email plan to ODAA ODAA accepts or rejects plan Once accepted, ISSP performs desktop review RDAA can deny or issue IATO If required ISSM resubmits corrections ISSP will perform on site verification RDAA issues ATO
C&A Common Errors Missing or incomplete UID Not using approved DSS templates Missing signed IS Security Package Submission and Certification Statement Missing signed DSS Form 147 Missing ISSM System Certification Test Checklist Missing GCA risk acceptance letter for variances Missing MOU if required Missing published and promulgated IS Security Policy addressing the classified processing environment ISSM fails to submit required corrections
Common Errors Passwords SSPs not properly updated (Hardware list, software list, configuration diagram not accurate) Changing the security posture of the system without authorization Built-in admin password set never to expire BIOS Password not set Test Equipment with an operating system not included in a plan System audit review not being conducted on a weekly basis Weekly audit review not conducted during long holiday periods Dormant procedures implemented without authorization
Audit Issues References: NISPOM 8-602, ISL 2007-01 items 44 & 45 Security Relevant Objects (SRO), file, and folder permission & auditing System auditing Operating system executables Operating system configuration System management and maintenance executables Audit data/Audit review logs Security related software (Anti Virus, System/Network Scanners)
Questions & Answers