DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

Resources

Phase 1 - Definition
Initiates the DITSCAP process by acquiring or developing the information necessary to understand the IT and then using that information to plan the C&A tasks.
Phase 1 Tasks
1. Register the system: inform the DAA, CA, PM and users.
2. Determine the system security requirements.
3. Develop the system architecture and define the C&A boundary.
4. Identify the threat environment.
5. Prepare the security CONOPS.
6. Identify the organizations involved in the C&A activities.
7. Tailor the activities and determine the level of effort.
8. Develop the draft SSAA.

Phase 2 - Verification
Verifies the system's compliance with the requirements agreed on in the SSAA. The goal is to obtain a fully integrated system for certification testing and accreditation.
Phase 2 Tasks - Certification
1. Review and validate the security architecture.
2. Software design analysis (e.g., NMCI applications).
3. Review network connection rule compliance.
4. Review the integration approach of products.
5. Review life cycle management support requirements.
6. Conduct a vulnerability assessment.

Phase 3 - Validation
Validates the fully integrated system's compliance with the requirements stated in the SSAA. The goal is to obtain full approval to operate the system: accreditation.
Phase 3 Tasks - Validation
1. Conduct Security Test and Evaluation (ST&E).
2. Conduct penetration testing.
3. Validate compliance with the security requirements.
4. Conduct the site accreditation survey.
5. Develop and exercise the contingency/incident response plan.
6. Conduct the risk management review.
7. Identify residual risk and review it with the CA.
8. Present the ST&E results and residual risk to the DAA.

Overview of Steps
Step 1 - Refine the SSAA
Step 2 - Certification Evaluation of the Integrated IS
Step 3 - Develop Recommendation and DAA Decision

1 - Refine the SSAA
Ensures that the requirements and agreements recorded in the SSAA still apply. The review runs throughout Phase III, and details are added to the SSAA so that it reflects the system's current state. Changes are submitted to the DAA, the CA, the program manager and the user representative.

2 - Certification Evaluation of the Integrated IS
This step certifies that:
The fully integrated and operational system complies with the SSAA requirements.
The IS may be operated at an acceptable level of risk.

2 - Certification Evaluation of the Integrated IS
The certification tasks are:
2.1 Security Test and Evaluation
2.2 Penetration Testing
2.3 TEMPEST and RED-BLACK verification
2.4 Validation of COMSEC compliance
2.5 System management analysis
2.6 Site accreditation survey
2.7 Contingency plan evaluation
2.8 Risk-based management review

2.1 - Security Test & Evaluation
Assesses whether the security design and features are implemented in accordance with the SSAA. ST&E validates the correct implementation of identification and authentication, access controls and network connection rule compliance. The test plans and procedures address each security requirement and provide the evidence from which residual risk is determined; the test results validate proper installation and operation of the security features.

Security Test & Evaluation
Multiple locations are handled as follows:
ST&E takes place at a central integration and test facility where one exists.
Where no such facility applies, testing may take place at the intended operating sites.
System installation and security configuration should in any case be tested at the operational sites, because a result from the central facility does not show that a site's deployed configuration matches what was tested.
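One of the ST&E items above is network connection rule compliance. As an added example (not code from the original slides or from DITSCAP itself), the following script checks a set of observed connections against the permitted-connection rules an SSAA would record. Everything in it is hypothetical: the rule set, the `ss -tun`-style sample lines, and the `Rule` / `find_violations` names are constructed for this illustration.

```python
"""Added example (not from the DITSCAP slides): validate observed network
connections against the SSAA's network connection rules.

Assumptions, all hypothetical: connection rules are (network, port, protocol)
triples taken from an SSAA appendix; observed connections are constructed
`ss -tun`-style lines giving the local socket followed by the peer socket.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted inbound service: peers in `network` may reach `port`/`proto`."""
    network: ipaddress.IPv4Network
    port: int
    proto: str


# Hypothetical SSAA connection rules (constructed for this example).
CONNECTION_RULES = (
    Rule(ipaddress.ip_network("10.1.0.0/16"), 443, "tcp"),  # enclave users -> web front end
    Rule(ipaddress.ip_network("10.1.5.0/24"), 22, "tcp"),   # admin jump hosts only -> SSH
    Rule(ipaddress.ip_network("10.2.0.0/16"), 53, "udp"),   # enclave resolvers -> DNS
)

# Constructed sample of observed connections: proto, local socket, peer socket.
OBSERVED = """\
tcp 10.1.5.20:22   10.1.5.7:51122
tcp 10.1.3.9:443   10.1.77.4:40211
tcp 10.1.5.20:22   192.168.9.3:55012
udp 10.2.0.5:53    10.2.9.1:5353
tcp 10.1.3.9:8080  10.1.77.4:40299
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def parse_connections(text):
    """Return (proto, peer_address, local_port) for every non-blank line.

    Unparseable lines raise instead of being skipped: a gap in the evidence
    must not silently turn into a pass.
    """
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable connection line: {line!r}")
        proto, _local_ip, local_port, peer_ip, _peer_port = m.groups()
        conns.append((proto, ipaddress.ip_address(peer_ip), int(local_port)))
    return conns


def is_permitted(conn, rules=CONNECTION_RULES):
    """True if some SSAA rule allows this peer to reach this local port/proto."""
    proto, peer, port = conn
    return any(r.proto == proto and r.port == port and peer in r.network
               for r in rules)


def find_violations(text, rules=CONNECTION_RULES):
    """Connections that no SSAA rule permits; each one is an ST&E finding."""
    return [c for c in parse_connections(text) if not is_permitted(c, rules)]


if __name__ == "__main__":
    for proto, peer, port in find_violations(OBSERVED):
        print(f"VIOLATION: {proto} from {peer} to local port {port} "
              f"is not permitted by the SSAA connection rules")
```

On the constructed sample the check flags two connections: an SSH session from 192.168.9.3, which is outside the admin subnet the rule allows, and a service on port 8080 that no rule covers at all. Both would be written up as findings against the SSAA, and the parser deliberately fails on any line it cannot read so that unreadable evidence is never counted as compliant.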

2.2 - Penetration Testing
Penetration testing is suggested for the applicable system classes. Testing may include attack attempts based on common vulnerabilities of the technology in use; findings that are not corrected before accreditation become part of the residual risk presented to the DAA.

2.3 - TEMPEST & RED-BLACK Verification
Used to validate that the equipment and the site meet the security requirements.
TEMPEST: short name referring to the investigation, study and control of compromising emanations from IS equipment.
RED-BLACK: inspection of cables and power lines to verify that RED (unencrypted classified signal) and BLACK (encrypted or unclassified) circuits are kept separated.

2.4 - Validation of COMSEC Compliance
COMSEC: communications security. This task evaluates how well the SSAA COMSEC requirements are integrated and validates that:
The IS is COMSEC approved.
The IS follows COMSEC management procedures.

2.5 - System Management Analysis
The system management infrastructure is checked for its support of maintaining the environment, mission and architecture. The roles and responsibilities of the ISSO are examined for consistency with the SSAA. The system and security management organization is examined to determine the ISSO's ability to report incidents and implement security changes.

System Management Analysis
Benefits of system management analysis:
Insight into the level of secure operation of the environment
Indication of the effectiveness of security personnel
Insight into potential security problem areas

System Management Analysis
A configuration management program is mandatory for maintaining a secure posture.
Evaluates the effect of change control and configuration management practices on the integrity of software and hardware.
Periodic re-verification of the configuration detects unauthorized changes.
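The last point above, periodic re-verification of the configuration, is the one the certifier can test mechanically. As an added example (not from the original slides or from DITSCAP), the script below captures a hash-and-mode baseline of a directory tree, tampers with a constructed copy of it the way an unauthorized change would, and reports what was added, removed or modified. The tree under `demo()`, the file names and the `build_baseline` / `compare_to_baseline` names are all hypothetical.

```python
"""Added example (not from the DITSCAP slides): periodic re-verification of a
configuration baseline to detect unauthorized changes.

Assumptions, all hypothetical: the accredited configuration is captured as a
SHA-256 hash plus permission bits for every regular file under a root
directory; the directory tree built in demo() is constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) to its hash and mode bits."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            mode = path.stat().st_mode & 0o7777  # permission + setuid/setgid/sticky bits
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "mode": f"{mode:04o}",
            }
    return baseline


def compare_to_baseline(baseline, current):
    """Classify deviations of the current state from the accredited baseline."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }


def demo():
    """Baseline a constructed tree, tamper with it, and report the deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "audit.rules").write_text("-w /etc/passwd -p wa -k identity\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF" + b"\x00" * 60)

        baseline = build_baseline(root)  # captured at accreditation time

        # Unauthorized changes: SSH policy weakened, audit rules deleted,
        # a binary replaced, and a new executable dropped in.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "audit.rules").unlink()
        (root / "bin" / "app").write_bytes(b"\x7fELF" + b"\x90" * 60)
        (root / "bin" / "helper").write_bytes(b"\x7fELF" + b"\xcc" * 60)

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9s} {p}")
```

The baseline only proves anything if it cannot be altered by whoever altered the files, so in practice it is stored off the monitored host, or signed, and the comparison is run from a trusted environment; the mode bits are kept alongside the hash because a setuid bit added to an unchanged binary is itself an unauthorized configuration change.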

2.6 - Site Accreditation Survey
Ensures that site operation is accomplished in accordance with the SSAA and validates that the operational procedures pose no unacceptable risk. When the system is not confined to a fixed site, it is evaluated at a representative site or environment.

2.7 - Contingency Plan Evaluation
Evaluates whether the contingency, backup and continuity-of-service plans meet the SSAA requirements. DoD directive requires periodic testing of these plans for critical systems.

2.8 - Risk Management Review
Evaluates the operation of the system to see whether confidentiality, integrity and availability (CIA) are being maintained, evaluates the system's vulnerabilities, and evaluates how well the operational procedures and safeguards offset each risk.

3 - Develop Recommendation and DAA Decision
Begins after completion of all certification tasks and ends with the DAA accreditation decision.
Purpose:
Consolidate the findings.
Submit the CA's report.
Produce the DAA decision.

3.1 - CA's Recommendation
The CA issues system certification if the technical requirements are satisfied. Supplemental recommendations may be made to improve the security posture; these should provide input to future enhancement and change management decisions.

Deficiencies
The CA may uncover security deficiencies but still judge the risk level acceptable. The CA may then recommend accreditation provided the deficiencies will be corrected in a timely manner. The SSAA will reflect the deficiencies, and an agreement is obtained outlining the acceptable operating conditions.

3.1.2 - Don't Accredit
If the CA determines that the system does not satisfy the SSAA and that the short-term risks are unacceptable, the CA will recommend that the system not be accredited.

3.2 - DAA Accreditation Decision
The accreditation package consists of:
The CA's recommendation
The DAA authorization to operate
Supporting documentation
The SSAA
Supporting documentation may vary, but should include at least:
Security findings and deficiencies
Risks of operation

DAA Accreditation Decision
If the decision is to accredit, it will include the security parameters of the acceptable operating conditions. If the system does not meet the SSAA requirements, an interim approval to operate may be issued when the system must be operational; this requires a return to Phase I to negotiate accepted solutions, schedule and security actions.

DAA Accreditation Decision
When accreditation has been issued, responsibility for the SSAA moves to the system operator and Phase IV begins. If accreditation is withheld:
The reasons for denial are stated.
Suggested solutions are provided.
DITSCAP reverts to Phase I to resolve the issues.

Generic Accreditation
Mobile systems are difficult to accredit at all possible locations, so a generic accreditation may be issued for a typical operating environment. It is the official authorization to employ identical copies of the system in a specified environment.

The SSAA will identify the specific uses of the system and its operational constraints and procedures. The DAA would include a disclaimer stating that the operators are responsible for monitoring the environment for compliance.

Roles and Responsibilities
Describes the functional relationships and integration of the roles of the program manager, the DAA, the CA and the user representative. In some cases the roles may be performed by three separate organizations; in other cases some roles may be combined.

Phase 1 - Role and Responsibility
Program Manager:
Initiate security dialogue with the DAA, the CA, and the user representative.
Define system schedule and budget.
Define and/or validate system performance, availability, and functionality requirements.
Support DITSCAP tailoring and level of effort determination.
Draft or support drafting of the SSAA.
Reach agreement on the SSAA.
Approve the SSAA.
DAA and CA:
Define ITSEC accreditation requirements.
Obtain threat assessment.
Begin vulnerability and risk assessments.
Assign the CA.
Support DITSCAP tailoring and determine the level of effort.
Draft or support drafting of the SSAA.
Reach agreement on the SSAA.
Approve the SSAA.
User Representative:
Validate and/or define system performance, availability and functionality requirements.
Support DITSCAP tailoring and level of effort determination.
Reach agreement on the SSAA.
Approve the SSAA.

Phase 2 - Role and Responsibility
Program Manager:
Review the SSAA.
Develop system or system modifications.
Support certification actions.
Review certification results.
Revise system as applicable.
DAA and CA:
Review the SSAA.
Evaluate developing system.
CA performs certification actions.
CA assesses vulnerabilities.
CA reports results to the program manager, the DAA, and the user representative.
Maintain the SSAA.
User Representative:
Review the SSAA.
Support certification actions.

Phase 3 - Role and Responsibility
Program Manager:
Review the SSAA.
Test integrated system.
Support certification actions.
Review certification results.
Revise system as applicable.
Support SSAA revisions.
DAA and CA:
Review the SSAA.
Evaluate developing system.
CA performs certification actions.
Assess vulnerabilities and residual risk.
CA reports results to the program manager, the DAA, and the user representative.
CA develops recommendation to the DAA.
CA prepares accreditation package.
DAA reviews the SSAA and issues the decision.
User Representative:
Review the SSAA.
Support certification actions.
Review certification results.
Support SSAA revisions.

Conclusion
Validates that Phases I and II have produced an IS that operates in a specified computing environment with acceptable risk. The goal is to obtain full approval to operate: accreditation.

Questions?