Unified Capabilities APL Testing Process


1 Unified Capabilities APL Testing Process
Defense Information Systems Agency Department of Defense Unified Capabilities APL Testing Process Unified Capabilities Certification Office (UCCO) 10 Oct 2008

2 Agenda
- Policy Documents
- Unified Capabilities (UC) Approved Product List (APL) Process Overview
- Unified Capabilities Certification Office (UCCO)
- Information Assurance Testing
- Interoperability Testing
- Product Pre-submittal Responsibilities
- UC APL Process Timeline
- Questions

3 Guiding Policy Documents
- CJCSI C “DISN CONNECTION POLICY, RESPONSIBILITIES, AND PROCESSES”: Establishes policy, responsibilities and connection approval process requirements for subnetworks of the Defense Information Systems Network (DISN).
- CJCSI C “POLICY FOR DOD VOICE NETWORKS WITH REAL TIME SERVICES (RTS)”: Directs DISA to manage the DSN/DRSN from end to end.
- DoDI “DoD Voice Networks”: Directs Joint Interoperability and Information Assurance testing of all components connected, or planned for connection to the DSN, DRSN, or PSTN.
- DoDD “Information Assurance”: Directs all Information Technology to be IA tested and certified before connection to the DISN.

4 Other Guidance Documents
- Unified Capabilities Requirements (UCR 2007): Specifies technical standards for telecommunication switching equipment to be connected to the DSN; emphasis is on Military Unique Features, e.g., Multilevel Precedence and Preemption (MLPP).
- DISA Security Technical Implementation Guides (STIG): Defines technical security policies, requirements, and implementation details for applying security to the DSN.
- NIST Special Publication (SP ): Guideline on Network Security Testing that describes multiple types of security tests used to assess vulnerabilities of telecom systems.

5 UC APL Product Certification Process
[Flow diagram with two tracks: Interoperability Certification and Information Assurance Certification. Diagram labels: Vendor/Sponsor Submits; UCCO; JIC Product Testing; IA Product Testing; Joint Staff Validation; DISN DAA Validation; Product Receives IO Cert to Connect to DISN; Product Receives IA Cert to Connect to DISN; UC APL]
Both Certifications Required For Placement On Approved Products List

6 Unified Capabilities Certification Office
UCCO:
- Central point of contact for DSN connection approval and approved products list process and questions
- Manages IO and IA test team schedule
- Coordinates and tracks product status on testing schedule, test results, and the UC APL
- Provides Sponsors/vendor tracking numbers to track product
- Submits the proper certification documentation for the product to the DISN Security Accreditation Working Group (DSAWG)
- Contacts the sponsor with the decision regarding their submittal

The Unified Capabilities Connection Office (UCCO) acts as the staff element for the DSN Single System Manager to interact with the DoD components to achieve DSN connection approval of telecommunications products. The UCCO has been established as an element within the DSN Program Manager's Office.
- Creates a central focal point for coordinating and tracking DSN Equipment Certification and Connection Status
- Mirrors processes already established for data networks

7 UCCO Coordination Members
Sponsor Vendor IA Test Team CIO UCCO ASD/NII FSO DoD Components DSN SSM DSAWG

8 Information Assurance Testing
Supported by test teams at:
- JITC, Ft Huachuca, AZ
- Air Force Information Operations Center (AFIOC), San Antonio, TX
Composed of two (2) phases:
- Phase I: Security Technical Implementation Guide (STIG) compliance, Functional Security Tests
- Phase II: IP Penetration Testing and Telephony Testing
Validates product compliance with Federal and DoD IA requirements
IA test results and vendor mitigations evaluated by Field Security Office (DISA) for certification recommendation by Certifying Authority to DISN Security Accreditation Working Group

9 Interoperability Testing
- Joint Interoperability Test Command (JITC) conducts all interoperability certification testing.
- Cooperative Research and Development Agreement (CRADA) between JITC and vendor is used to exchange cost of test services for vendor equipment.
  - Benefits both vendor and Government
  - Fee for service when CRADA not applicable
- Ensures end-to-end interoperability of voice switching systems by validating all Telecom equipment connected to the DSN meets applicable Unified Capabilities Requirements (UCR)
- Focus of testing is to ensure Military Unique Features (MUF) such as Multilevel Precedence and Preemption are met
- Test outcome is JITC certification letter that is validated by Joint Staff

10 Product Pre-submittal Responsibility
APPLICANT Responsibility
The Applicant is required to adhere to the requirements listed below. Neither JIC nor IA testing will be conducted on the submitted solution without ongoing compliance with these requirements. Please check the boxes indicating your acceptance to comply.
1. Applicant is responsible for coordinating payment of lab testing fees/CRADA agreements with the Action Officer, who will contact the applicant upon acceptance of the completed test submittal and release of the solution Tracking Number.
2. Download APL Test Bundle. Review bundle and submit documentation IAW the APL Documentation Guide, which is included in the APL Test Bundle. Upon receipt of all required documentation, a testing Tracking Number will be issued for the solution, initiating the testing process.
3. Apply applicable Security Technical Implementation Guide (STIG) requirements to the submitted product and submit results to UCCO 2 weeks prior to scheduled testing.
4. Applicant (i.e., either vendor or sponsor) ensures on-site engineering support is provided during all phases of APL testing assigned for the solution under test. The TSSI test schedule is located at the following link: TSSI Testing Schedule
5. Applicant concurs with the right of UCCO to make final determination of IA testing location based upon schedule load balancing and available testing resources.

11 Step 1: Submittal
STEP 1: Applicant agrees to the following prior to submittal:
- Payment or CRADA.
- Provide Technical Documentation prior to receiving tracking number from UCCO.
- Apply all applicable STIG requirements.
- Submit Self-assessment Results (SAR) and mitigations to UCCO no later than 2 weeks prior to scheduled test date.
- Will provide on-site engineering support during all phases of testing.
- Agree to ship equipment to alternate test facility if UCCO assigns test there.
STEP 2: Complete submittal form.
STEP 3: Download Test Requirements Bundle.
STEP 4: UCCO verifies Non-DSCD. If not, the sponsor is changed to DSCD WG.
STEP 5: Notify all parties.
[Flow diagram labels: Applicant; Vendor/Sponsor Submits UC APL Test Request; UCCO Determines Non-DSCD Sponsor? (Yes/No); UCCO Changes DSCD Sponsor to DSCD WG (DISA/TJTN); UCCO Notifies Sponsor and Vendor]

12 Step 2: Vendor Pre-Scheduling Actions
Applicant:
- Complete STIG checklist.
- Provide STIG checklist and Product Technical Documentation IAW requirements outlined in Rules Of Engagement (Test Requirements Bundle) to UCCO.
[Diagram labels: Sponsor, Vendor, UCCO]

13 Step 3: UCCO Verification
1) Upon receipt of STIG Checklist and documentation, DISA will verify technical sufficiency (clock starts).
2) Send Sponsor Verification to solution sponsor requiring verification of the following:
  - Sponsorship of submitted solution
  - Agreement to review and confirm solution deployment configuration provided by vendor
  - Agreement to attend scheduled Outbrief for solution
3) Send CCB Notification
  - Contact UCCO if any issues
4) Sponsor verifies all items in to UCCO.
[Diagram labels: UCCO, CCB Rep, Sponsor]

14 Step 4: Tracking Number
UCCO: Assigns and distributes Tracking Number after STIG Checklist and Product Documentation received and Verification successfully completed.
[Diagram labels: FSO, JIC Team, IA Team, UCCO, Vendor, Sponsor]

15 Step 5: Scheduling
UCCO/Test Teams:
- TSSI Scheduling occurs every other Wednesday.
- Schedule new products for IA/IO testing.
- Make decisions on possible slips, postponements, and cancellations.
- If cancellation occurs, identify potential replacement vendors (if Self-Assessment Report (SAR) requirement has been satisfied).
- New schedule posted every other Friday.
[Diagram labels: UCCO, IO Team, JIC Team]

16 Step 6: AO Initial Contact
STEP 1: Conducts Initial Contact Meeting (ICM) via teleconference with sponsor, vendor, IA, FSO and UCCO to discuss the following (Note: Replaces Inbrief):
- Submitted Product Documentation and Diagrams
- Describe the System Under Test (SUT) configuration
- CRADA/Fee arrangements
- FSO STIG Questionnaire and applicable STIGs
- Scheduled IA test dates
- Tentatively schedule Outbrief date
- Misc. issues
STEP 2: Generates ICM minutes.
STEP 3: Minutes sent to sponsor for validation.
STEP 4: UCCO/Test Teams/FSO supply continuous support to vendor/sponsor.
[Diagram labels: Action Officer (IA/IO), Setup Discussion, Vendor]

17 Step 7: Self-Assessment Evaluation
- UCCO sends warning notification to vendor/sponsor 1 week prior to Self-assessment due date.
- Self-Assessment reports and mitigations due to UCCO NLT 2 weeks prior to scheduled IA test dates.
- If Self Assessment is not received, the scheduled test window is cancelled. Tracking Number is retired and vendor must re-submit when ready.
[Diagram labels: Vendor Submits Self-Assessment, UCCO]

18 Self-Assessment Criteria
- Received by UCCO at least 2 weeks prior to testing
- Initial Contact (ICM) Meeting Minutes used to determine completeness
- Vendor and Sponsor work together to provide Mitigations
- Self Assessments must be received on time
- Encourage early submissions to prevent last minute cancellations
- Self Assessments must be complete
- Requirements identified from STIG questionnaire
- STIGs verified by IATT and FSO during ICM
- Self Assessments must contain mitigations to all findings, particularly high risk

19 Step 8: IA Testing
- Phase I: STIG Testing
- Phase II: IP Penetration/Telephony Testing
- Vendors will be required to provide on-site engineering support during all phases of testing.
- Vendors will be allowed to fix findings/TDRs on-site within test window as long as it doesn’t interfere with completion of testing.
** Note: Not all phases are applicable to all solutions
[Diagram labels: Phase I, Phase II]

20 Step 9: IA Testing Completed
- IA Team evaluates findings at end of each phase of testing with vendor.
- At end of testing, determination is made on whether or not to proceed to IO (UCCO in coordination with FSO, AO and IA Test Team).
- Draft IA Findings letter is generated by IA Test Team NLT 1 week after completion of test.
- Vendor completes mitigations and submits to IATT NLT 2 weeks after receipt of Draft IA Findings Letter.
- All parties attend previously scheduled Out brief (approximately 3 weeks after completion of testing).
- Final IA Findings letter is generated by IATT within 3 days after completion of Out brief.
[Diagram labels: IA Team, FSO, UCCO, Vendor]

21 Step 10: IO Testing
Concurrent with IA Steps
IO testing process:
- Vendors will be required to provide on-site engineering support during all phases of testing.
- Vendors will be allowed to fix findings/TDRs within test window as long as it doesn’t interfere with completion of testing.
- Results of testing presented to Joint Staff for final approval.
[Diagram labels: Vendor Engineer, Solution, JIC Team, Results, Joint Staff]

22 Step 11: Out brief (Parallel track)
1. Previously scheduled out brief occurs approximately 3 weeks after completion of IA testing.
2. Decision is made on the following:
  - Option 1: Rework mitigations: UCCO will make official CA recommendation request upon receipt of reworked mitigations.
  - Option 2: Move Forward: IA Team develops Security Assessment Report (IA Findings Letter w/vendor mitigations supplied) within 3 days.
    a) UCCO requests official CA Recommendation letter.
    b) UCCO creates DSAWG Read Ahead Briefing and requests slot on agenda at next scheduled upcoming DSAWG.
[Diagram labels: Out brief Teleconference, FSO, JIC Team, IA Team, Action Officer (IA/IO), Vendor, Sponsor]

23 Step 12: DSAWG (Parallel track)
- DSAWG Board meets on a monthly basis
- If successful, product will be approved for connection to DISN
- If unsuccessful, product will be worked on a case-by-case basis
[Diagram labels: UCCO, DIA, Air Force, Navy, Army, J6, DISA, Marines, DSAWG, USSTRATCOM, USD (I), NSA, USD (AT&L), DIAP, DNI CIO]
The only change I would have made would have been to the APL Process brief. Slide 25 is missing three DSAWG members: DIAP for DoD HQ elements, CIA, and STRATCOM.

24 UC APL Process Timeline
[Timeline figure, axis from 1 mo to 6 mos. Milestone labels: Initial Submittal; Vendor Docs Received; Tracking # Assigned; Scheduling meeting; ICM Setup; Self Assessment Due; IA Testing Start; IA Testing Completed; Findings Letter; IA Out brief; CA Letter Request from FSO; DSAWG Meets; JIC Test Started; JIC Test Completed; JS Validates IO certification; APL Memorandum Released, product added to the APL]
[Callout labels: Test Diagram; STIG Questionnaire; White papers, diagrams, manuals, etc; ICM: Identifies what STIGs will be required for the Self-Assessment]
* Note: The above timeline assumes a 2 month availability from new test request

25 UCCO Points of Contact
Michael Washington, Hilario Moncada, Jr
DSN: (312) /0330 Comcl:(703) /0330
Steve Pursell, Patty Beaudet
DSN: (312) /3234 CML: (520) /3234
UCCO Group Alias:

26 Questions?
