Student Guide

Course: NISP C&A Process: A Walk-Through

Lesson 1: Course Introduction


Course Information

Purpose: Provides training on the policies and standards used throughout the U.S. Government to protect information within computer systems, as delineated by the certification and accreditation (C&A) process and in support of the DSS Mission. In addition, provides an understanding of the contractor requirements under the NISP.

Audience: Department of Defense (DoD) information system users and other U.S. Government personnel and contractors within the National Industrial Security Program who have responsibility for evaluating information systems and certifying to the Government that information systems meet security requirements.

Pass/Fail %: 75%

Estimated completion time: 3 hours

Course Overview

It is the policy of the U.S. Government that classified information be appropriately safeguarded at all times, including when processed on an information system, or IS. To comply with this policy, IS hardware and software must be protected. The certification and accreditation (C&A) process is designed to assist contractors in complying with this policy. The process provides guidance for contractors to use to ensure the protection of classified information as specified in the National Industrial Security Program Operating Manual (NISPOM). In this course, you will learn about each phase of the process.

Course Objectives

- Identify the individual phases of the ODAA certification and accreditation process
- Identify the contractor and Government roles participating in the certification and accreditation process and their assigned responsibilities
- Identify key characteristics of common system and network types that undergo the certification and accreditation process
- Recognize the necessary templates and attachments required for successful system security package submission

Course Structure

- Course Introduction
- The C&A Process: Getting Started
- Phase 1: Initiation and Planning
- Phase 2: Systems Development
- Phase 3: Review and Certification
- Phase 4: Accreditation Decision
- Phase 5: Continuous Review
- Phase 6: Disestablishment
- Course Conclusion

Lesson 2: The C&A Process: Getting Started

Introduction

Objectives

To ensure that contractor information systems are able to properly safeguard the critical information they contain, each system must be certified and accredited to meet established standards and fulfill the security requirements of the NISPOM. In this lesson, you will learn about the prerequisites and the certification and accreditation (C&A) process. You will learn about the information systems commonly involved and about unified and interconnected networks.

Here are the lesson objectives:

- Identify the prerequisites of the C&A process
- Identify common IS system types involved in the C&A process
- Identify the characteristics of unified and interconnected networks

Review of the C&A Process

1. Overview

The NISP certification and accreditation process follows a standard process and specific regulations and policies. The process is carried out by key personnel within both the contractor facility and the Defense Security Service (DSS). You were first introduced to this process, its associated policies and regulations, and key roles in the web-based Introduction to the NISP Certification and Accreditation Process course. If you have not already done so, use the Security, Training, Education and Professionalization Portal (STEPP) to access this eLearning course before proceeding with this course.

2. The C&A Process

The C&A lifecycle is a continuous process designed to validate that information systems processing classified information meet the requirements for accreditation, and that the systems continue to maintain the accredited security posture throughout their lifecycle: from system inception to termination. Within DSS Industrial Security Field Operations (ISFO), the Office of the Designated Approving Authority (ODAA) is the entity that oversees this process for cleared contractor information systems.

The C&A process begins with the contractor initiating and planning the certification and accreditation of its information system. The next step is systems development. In this step, the contractor builds, configures, and tests its system. The next phase is review and certification. Here, the cleared contractor reviews and certifies that the system meets C&A requirements. Once the system has been reviewed and certified, DSS can make a formal authorization to accredit it. Once a system is accredited, in order to maintain its accreditation, the contractor must continue to operate it at an acceptable level of risk. If the contractor does not maintain the information system at an acceptable operation level, DSS can withdraw the accreditation and stop any classified processing until the risks are addressed, or the system may be disestablished. Finally, when an information system has come to the end of its usefulness, such as at the end of a contract or program, DSS withdraws the system's accreditation. You'll learn more about each of these phases throughout this course.

3. Key Regulations and Tools

To be authorized to operate, cleared contractor information systems must meet DSS requirements of key information assurance (IA) procedures and guidance. The National Industrial Security Program Operating Manual (NISPOM) establishes the standard procedures and requirements for all government contractors with regard to classified information. Chapter 8 contains the requirements for information system security; Section 2 specifically addresses the C&A process. As the Cognizant Security Office (CSO) designated to administer industrial security on behalf of the Cognizant Security Agency (CSA), DSS is responsible for issuing Industrial Security Letters (ISLs), which provide further guidance on selected NISPOM changes and issue processes and procedures, technical standards, and templates. Contractors should also refer to the Office of the Designated Approving Authority (ODAA) Process Manual. This manual contains certification and accreditation process standards. Adherence to the standards in this process manual is required in order for DSS to be able to issue Approvals to Operate (ATOs).

Other publications that provide important guidance are the ODAA Standardization of Baseline Technical Security Configurations documents. The purpose of these documents is to establish a baseline standard of technical security controls for information systems for the DSS National Industrial Security Program (NISP) and its participants. The ODAA documents are living documents. In order to stay abreast of changing technologies and the security controls necessary in this changing environment, these documents are subject to change. They are available to cleared industry personnel upon request. Please refer to the Industrial Security section of the DSS website.

4. Key Roles

The C&A process relies on the actions of both DSS and cleared contractor personnel. Cleared contractor personnel work to ensure their systems are developed, operated, and maintained following the requirements of the C&A process. The Facility Security Officer (FSO) supervises and directs all security measures for the implementation of regulatory requirements at the facility. The Information System Security Manager (ISSM) supports the FSO with security through oversight of the facility's information systems. The ISSM holds ultimate responsibility for implementing information system security requirements as mandated by the NISPOM. Some cleared contractor facilities also have an Information System Security Officer (ISSO). This role is appointed by the ISSM when necessary, and supports the ISSM in implementing NISP requirements. Finally, the users of the cleared contractor's information system must follow information system security procedures.

DSS C&A professionals make the ultimate certification decision and accreditation determination. The Designated Approving Authority (DAA) has the ultimate approving responsibility and authority. The DAA delegates this responsibility regionally to the Regional Designated Approving Authority (RDAA). In addition, there are Information System Security Professionals (ISSPs) and C&A Reviewers who evaluate, certify, and inspect all information system technical features and safeguards. There are several professionals in this role. Each reviews and inspects systems within his or her level of competence.

C&A Prerequisites

1. Requirements

Before a contractor may begin the C&A process, there are certain prerequisites that need to be met. When a contractor is awarded a classified contract, the government contracting agency must provide the contractor appropriate classification guidance for protecting the classified information that the contractor receives or generates in performance of the contract. The government contracting agency fulfills this obligation by incorporating into each classified contract DD Form 254, the Contract Security Specification, or other sponsorship documentation approved by the NISPOM, such as a Framework Agreement or Request for Proposal. This documentation provides classification guidance from the government contracting agency.

2. DD Form 254 and Other NISPOM-Approved Documentation

Before starting the C&A process, a contractor must have either a properly completed DD Form 254 or other approved sponsorship documentation per the NISPOM, such as a Framework Agreement or Request for Proposal. If the contractor does not have this documentation, it cannot make any C&A submissions. When DD Form 254 is used, block 11c "RECEIVE AND GENERATE CLASSIFIED MATERIAL" must be marked "Yes." Regardless of whether a contractor has DD Form 254, a Framework Agreement, a Request for Proposal, or other NISPOM-approved documentation, the documentation is a contractual specification and is as important as any other specification in a contract. It provides the contractor with the security classification guidance necessary for the classified information to be received and generated under the contract. This documentation also provides the contractor with a brief summary of the security requirements that apply to the contract and that must be addressed in the contractor's system security plans.

Identifying IS Type

1. Types of Information Systems

There are a number of information system types that may be accredited under the C&A process. Correctly identifying the type of system to be accredited is important. It dictates what the contractor is required to submit to ODAA, as well as the requirements for accrediting that system. While there are a large number of information system types that may undergo the C&A process, those most commonly accredited are multi-user standalone systems, local area networks, and wide area networks. There are also a number of information systems that both the NISPOM and ODAA Process Manual identify as special categories.

2. MUSA and SUSA

As their names imply, both the multi-user and single-user standalone information systems are not connected to any other computers. Both IS types are located in closed or restricted areas. While MUSA and SUSA ISs are the same in configuration and physical security, they differ in the number of users they have. MUSA ISs have two or more general users, while SUSA ISs have only one general user. The number of users an information system has is an important element of the C&A process. The NISPOM requires that there be accountability of users on classified information systems. What does this mean? In order to meet the NISPOM requirement, a MUSA requires certain technical security features be enabled to account for different users. These features include identification and authentication, session controls, and auditing. Before identifying an IS as a SUSA, you must consider the possibility of allowing additional users in the future. If that might be the case, it is better to identify the IS as a MUSA.

3. LAN and WAN

Both LANs and WANs are networks that connect systems so that information may be shared. LANs connect ISs that are in close proximity to one another using hubs, switches, and routers. WANs connect LANs using routers and public communications links and cover a broad area. The Internet is the largest and most well-known WAN. The key characteristics of LANs, when compared to WANs, include higher data transfer rates and the lack of a need for leased telecommunication lines. LANs can vary widely. For example, they may be as simple as two laptops connected together in a peer-to-peer configuration, or they may be as complex as many desktops connected by multiple switches and routers, traversing buildings, and sharing group security policies. In part because WANs use public communications links, WANs undergoing the C&A process require National Security Agency, or NSA, Type 1 encryption. In addition, when undergoing the C&A process, both LANs and WANs may be protection level 1, 2, or 3.

a. Protection Levels

Cleared contractor facilities must meet requirements based on the protection level defined for their information systems. There are three protection levels, which are defined based on the clearance, formal access approval, and need-to-know of the system's users and the sensitivity level of the information on the system. Take a moment to review the requirements of each protection level.

Protection Level 1
  Lowest clearance: At least equal to highest data
  Formal access approval: All users have approval for all data
  Need-to-know: All users have a need-to-know for all data

Protection Level 2
  Lowest clearance: At least equal to highest data
  Formal access approval: All users have approval for all data
  Need-to-know: Not all users have a need-to-know for all data

Protection Level 3
  Lowest clearance: At least equal to highest data
  Formal access approval: Not all users have approval for all data
  Need-to-know: Not contributing to the decision

4. Special Categories

In addition to the information system types you've just learned about, there are also information systems and functions that the NISPOM refers to as special categories. This includes periods processing, pure server, test equipment, and tactical or embedded equipment.

a. Periods Processing

Periods processing is a method of sequential operation that provides the capability to process information at various levels of sensitivity or to process different general users at different times. This may include upgrading to the classified level or downgrading to the unclassified level.

b. Pure Server

Pure servers are unlike other information systems and are used for specialized purposes. For example, pure servers may be packet routing servers or image producing servers for simulators. The only users of pure servers are the privileged users that maintain the device. Because no two pure servers are alike, when a pure server undergoes accreditation, the ISSP or C&A Reviewer must review it to determine what, if any, technical security features are required.

c. Test Equipment

When test equipment contains nonvolatile memory and processes or retains classified information, it requires accreditation. Related C&A documentation should include clearing and sanitization procedures and a description of the physical security measures taken to protect the equipment.

d. Tactical/Embedded Equipment

Tactical and embedded systems are designed and implemented to provide a very limited set of predetermined functions. Tactical systems may support weapons, navigation, and communications. Examples of embedded systems include those that may support robotics or simulators. These systems are incapable of user alteration. Tactical and embedded systems are not accredited by DSS. Instead, they are accredited by the Government Contracting Activity (GCA).

If the Cognizant Security Agency (CSA) determines that the system is sufficiently incapable of alteration, and that the application running on the system provides an adequate level of security, the system can undergo the C&A process without meeting additional security requirements.

Connecting IS Together

1. Interconnected Systems

Networks connect information systems together and are designed for sharing information among people and groups. The way these systems are set up has implications for the C&A process. Networks may be unified or they may be interconnected.

2. Unified Networks

A unified network is a connected collection of systems or networks. Unified networks can vary in complexity. A simple unified network may consist of a small LAN. A complex unified network is a large WAN or collection of hundreds of LANs separated over a wide area. Regardless of whether the unified network is simple or complex, all unified networks undergoing the C&A process follow a single security policy and are accredited as a single entity with one DAA.

3. Interconnected Networks

An interconnected network consists of two or more separately accredited systems and/or networks. There are two types of interconnected networks: contractor-to-contractor and contractor-to-government. They have different requirements, which you will learn about later in this course. In an interconnected network, each accredited system or network retains its services and controls, protects its own resources, retains its individual accreditation, and has its own ISSM. However, in part because risks, threats, and vulnerabilities are increased when information is shared through interconnected networks, interconnected contractor-to-contractor networks also require accreditation as a unit.

Review Activity 1

The contractors described below have just been awarded classified contracts. Based on the information below, who is able to begin the C&A process? For each statement, select the correct answer (May Begin C&A Process or May Not Begin C&A Process). Check your answers in the Answer Key at the end of this Student Guide.

1) In addition to the contract, John's company has only:
   - A Framework Agreement
   - An executed DD Form 441: Security Agreement
   May Begin C&A Process / May Not Begin C&A Process

2) In addition to the contract, Sue's company has only:
   - An executed DD Form 441: Security Agreement
   May Begin C&A Process / May Not Begin C&A Process

3) In addition to the contract, Jack's company has only:
   - DD Form 254: DoD Contract Security Specification
   May Begin C&A Process / May Not Begin C&A Process

Review Activity 2

This is a matching activity. Select an IS or component type and drag it to its matching description. Check your answers in the Answer Key at the end of this Student Guide.

IS or component types:
A. Local Area Networks (LANs)
B. Wide Area Networks (WANs)
C. Single User Standalone (SUSA)
D. Multiple User Standalone (MUSA)
E. Pure Server

Descriptions:
___ Located in a secure location and has only 1 user
___ Connect LANs using routers and public communication lines and cover a large geographic range
___ Connect ISs using hubs, switches, and routers and cover the same facility
___ Each is different and serves a specialized purpose
___ Require enabling of technical security features to account for multiple users

Answer Key

Review Activity 1

(May Begin C&A Process / May Not Begin C&A Process)

1) In addition to the contract, John's company has only:
   - A Framework Agreement
   - An executed DD Form 441: Security Agreement

2) In addition to the contract, Sue's company has only:
   - An executed DD Form 441: Security Agreement

3) In addition to the contract, Jack's company has only:
   - DD Form 254: DoD Contract Security Specification

Review Activity 2

IS or component types:
A. Local Area Networks (LANs)
B. Wide Area Networks (WANs)
C. Single User Standalone (SUSA)
D. Multiple User Standalone (MUSA)
E. Pure Server

Descriptions:
C  Located in a secure location and has only 1 user
B  Connect LANs using routers and public communication lines and cover a large geographic range
A  Connect ISs using hubs, switches, and routers and cover the same facility
E  Each is different and serves a specialized purpose
D  Require enabling of technical security features to account for multiple users

Lesson 3: Phase 1 Initiation and Planning

Introduction

Objectives

During Phase 1 of the certification and accreditation (C&A) process, the contractor prepares for the process. In this lesson, you will learn about the individuals involved in the Initiation and Planning phase. You will learn about the selection of the appropriate System Security Plan template, and you will learn about the logic behind a distinct and critical code, known as a unique identifier (UID).

Here are the lesson objectives:

- Identify the responsibilities of the entities involved in the Initiation and Planning phase of the C&A process
- Given a particular set of system characteristics, identify the appropriate System Security Plan template

Overview of Initiation and Planning

1. Scenario: Target Technology

Jack, the Information System Security Manager (ISSM) at Target Technology, approaches Susan, an Information System Security Officer (ISSO), to share exciting news. Target Technology has just been awarded a government contract. Jack knows they cannot begin processing until the DD Form 441, Security Agreement, is executed. They also must have a properly completed DD Form 254, Contract Security Specification, or other NISPOM-approved documentation, such as a Request for Proposal or Framework Agreement. Jack received DD Form 254. With the required documentation in their possession, Jack and Susan begin the Initiation and Planning phase of the C&A process. During this initial phase, they identify the security requirements mandated by the contract. They also must analyze the current technology environment to determine if it can support the security requirements or if they will need to purchase or obtain hardware or software. Once the environment is defined, Jack will select and generate the appropriate System Security Plan and Information System Profile, or IS Profile.

This documentation is the essential first step in certifying and accrediting Target Technology's information system.

2. Initiation and Planning Inputs and Outputs

You learned about the prerequisites to the C&A process in the previous lesson. These same documents are the inputs of the Initiation and Planning phase: the contract, the Security Agreement, and the executed DD Form 254 or other NISPOM-approved documentation. The contractor, and more specifically the ISSM or ISSO, uses these documents to produce the System Security Plan and the information system, or IS, profile. The System Security Plan defines the security features in place to protect classified information. The IS Profile is an attachment to the System Security Plan. It documents the specific characteristics of the IS. Once these documents are drafted, the contractor can move to Phase 2 of the C&A process, Systems Development. Let's take a closer look at the Initiation and Planning phase activities.

3. Initiation and Planning Activities

During the Initiation and Planning phase, the contractor identifies the security requirements mandated by the contract and analyzes its current technology environment to determine if it can support these requirements. How does the contractor do this? The contractor, and specifically the ISSM or ISSO, identifies the IS user classification, scope, physical security requirements, and any other special requirements. The contractor also identifies the system architecture. This may be done via hardware and software inspections. Based on the government requirements and the existing architecture, the contractor determines if hardware or software must be purchased or received. As part of Initiation and Planning, the contractor also conducts security assessments by using the appropriate Standardization of Baseline Technical Security Configurations. In this initial phase, the contractor also begins creating the documentation needed to undergo the C&A process.

The contractor will utilize the DSS Security Plan, IS Profile, and Certification Statement templates. This includes identifying the protection measures required to safeguard the IS's classified information. Finally, the contractor will utilize the ODAA Business Management System to create a Unique Identifier that will be used by both the contractor and ODAA to identify the IS and its associated System Security Plan.

System Security Plans

1. Overview

The System Security Plan (SSP) is a formal document that is completed by the contractor's ISSM or alternate to identify the protection measures to safeguard classified information. It assists the contractor in ensuring that the proper controls are in place to protect classified information. The specific content of the SSP varies somewhat depending on the contractor's information system. However, the more detail the contractor uses in explaining and defining the IS and its characteristics, the better. In addition, the SSP does have required components, which include descriptions of the contractor's IS maintenance process and security education program, as well as the system's media controls, output procedures, periods processing requirements, and classified markings.

2. Self-Certification Authority

There are a few different types of SSPs. Which plan a contractor uses depends in part upon self-certification authority. Self-certification authority allows similar systems to be accredited under a single plan. DSS accredits the plan and the contractor then extends the accreditation to similar systems. Similar systems are those that operate in the same operating environment, classification level, and system type and have similar operating systems and operations. Self-certification authority is granted to the individual ISSM, not to the contractor's facility as a whole. In addition, the ISSM is granted self-certification authority only for the specific entity where they work. The ISSM is granted self-certification authority only if ODAA determines the ISSM has the requisite knowledge and skills to manage multiple information systems under one plan. You can learn more about self-certification authority by referring to the ODAA Process Manual. Now let's take a look at the different types of System Security Plans.

3. Types of SSPs

There are three types of security plans: the System Security Plan (SSP), the Master System Security Plan (MSSP), and the Network Security Plan (NSP). Both the SSP and MSSP may be used for any type of IS. However, which plan a contractor uses depends upon self-certification authority. The MSSP is used by contractors that have or are seeking such authority, while the SSP is used when the contractor does not have and is not seeking self-certification authority. The Network Security Plan is used when there is an interconnection between two or more separately accredited information systems with the same Designated Approving Authority (DAA). Regardless of which security plan a contractor uses, the plans submitted to ODAA are based upon ODAA-provided plan templates. The templates can be downloaded from the Defense Security Service web site.

4. SSP

The contractor uses a System Security Plan to gain accreditation for a single IS and when the contractor is not seeking self-certification authority. Additional SSP information can be found in the introduction of the ODAA Process Manual.

5. MSSP

The contractor uses a Master System Security Plan when the ISSM has or is seeking self-certification authority and the systems being accredited are similar. The MSSP allows the ISSM to add information systems to previously approved MSSPs. Additional MSSP information can be found in the ODAA Process Manual.

6. NSP

A contractor will use the Network Security Plan when there is any interconnection between two or more separately accredited information systems. This plan is used only for interconnections between contractor-to-contractor networks. An interconnection between a contractor and a Government entity requires a memorandum of understanding (MOU). The Network Security Plan documents the security posture of the interconnecting systems in a standalone document separate from the associated IS profiles for the interconnected systems. Additional NSP information can be found in the ODAA Process Manual.

7. Other Documentation

In addition to the security plan guidance, the ODAA Process Manual specifically identifies and provides additional guidance for the systems listed here.

System Type: Protected Distribution Systems (PDS)
  Required Documentation: DSS Protected Distribution System Installation Plan

System Type: Mobile Information Systems
  Required Documentation: Mobile Processing Procedures; System/Component Information; Letter 16: Letter Acknowledging Relocation of IS by Contractor Site or Letter Acknowledging Relocation of IS by Government Activity/Site

System Type: International Systems
  Required Documentation: Secure Communications Plan

System Type: Tactical, Embedded, Data-Acquisition, and Special-Purpose Systems
  Required Documentation: Risk Acceptance Letter, or Government Contracting Activity (GCA) Security Requirements

8. Scenario: Target Technology

Now that you have an understanding of the three available templates, let's check back in with Jack, the ISSM at Target Technology. He knows the current government contract is the first of a string of possible engagements and that he may need similar information systems certified and accredited in the future. Based on this, he chooses to use an MSSP template. Self-certification authority, if obtained, will be a big benefit in the future. This authority will expedite the C&A process if and when a similar IS requires certification and accreditation.

IS Profile

1. Overview

The IS Profile is an attachment to the System Security Plan. It is a collection of documents that outline at a high level the IS to be accredited and its characteristics. Some of these documents that make up the profile are always required, while others are only required under certain conditions.

2. Required Documentation

Every IS Profile will contain, at a minimum, the following documents and forms.

Document/Form: System Identification Requirements Specification (SIRS)
  Description: The first page of the IS Profile, the SIRS lists the overall description of classification level and security controls as well as any caveats.

Document/Form: Hardware Baseline
  Description: This list includes all hardware, including the systems, device type, manufacturer and model, memory and media size and type, and sanitization or write-protect procedures.

Document/Form: Configuration Diagram
  Description: This diagram documents the configuration of the IS and its components.

Document/Form: Software Baseline
  Description: This list must include all security-relevant software and operating system software. Examples include audit, antivirus, and sanitization software.

Document/Form: Briefing Acknowledgement Form Sample
  Description: This form is signed by the IS's users and attests that the users:
  - Comply with all security measures necessary to prevent any unauthorized disclosure, modification, or destruction of information
  - Have read or will read all portions of the System Security Plan (SSP) pertaining to their level of responsibilities

Document/Form: Maintenance, Operating System & Security Software Change Log
  Description: This log is used to record additions, removals, maintenance, and changes to hardware, installation, and testing of the operating system and security software.

Document/Form: System Certification Test Checklist
  Description: Documents that the system operates in accordance with the approved System Security Plan and that the security features, including access controls and configuration management, are implemented and operational.

3. Situation-Dependent Forms

There are a number of other documents that may be required to document an IS's characteristics, depending on the specific IS. Refer to the ODAA Process Manual for more information. Each document is listed with the situation in which it is prepared.

DSS Form 147, Record of Approval for Closed Area
    Required for Closed Area

IS Security Seal Log
    Required for Restricted Areas, if needed

Upgrade/Downgrade Procedures
    Required for Periods Processing

Trusted Download Procedures
    Required for Trusted Downloads

Mobile Processing Procedures
    Required for Mobile Systems

Mobility Plan for the Movement of Classified Information Systems
    Required for Mobile Systems

Relocation Letter
    Required for Mobile Systems to Government Site

Unique Identifier (UID)

1. Creating a Unique Identifier

A Unique Identifier (UID) is used by both the contractor and the ODAA reviewer to identify a specific security plan and its owner. The ISSM will utilize the ODAA Business Management System (OBMS), which automatically creates UIDs. Once a UID has been created and shared with ODAA through OBMS, it remains the same throughout the IS's life. Incorrect, missing, or changed UIDs will result in rejection or C&A process delays.

Review Activity 1

Do you know how to select the proper System Security Plan? For each question, select the best answer. Check your answers in the Answer Key at the end of this Student Guide.

1) Rick, an ISSM, needs to have an interconnected network accredited. The network will connect with another contractor. Which security plan template should he use to seek accreditation?
    [ ] SSP
    [ ] MSSP
    [ ] NSP

2) Matthew, an ISSM, needs to have an information system accredited and does not have and is not seeking self-certification authority. Which security plan template should he use to seek accreditation?
    [ ] SSP
    [ ] MSSP
    [ ] NSP

3) Molly, an ISSM, is seeking self-certification authority. Which System Security Plan template should she use?
    [ ] SSP
    [ ] MSSP
    [ ] NSP

Answer Key

Review Activity 1

1) Rick, an ISSM, needs to have an interconnected network accredited. The network will connect with another contractor. Which security plan template should he use to seek accreditation?
    [ ] SSP
    [ ] MSSP
    [X] NSP
    Rationale: The NSP template is used when networks are seeking accreditation.

2) Matthew, an ISSM, needs to have an information system accredited and does not have and is not seeking self-certification authority. Which security plan template should he use to seek accreditation?
    [X] SSP
    [ ] MSSP
    [ ] NSP
    Rationale: The SSP template is used when the contractor does not have and is not seeking self-certification authority.

3) Molly, an ISSM, is seeking self-certification authority. Which System Security Plan template should she use?
    [ ] SSP
    [X] MSSP
    [ ] NSP
    Rationale: Molly wishes to have self-certification authority, so in this case, she selects the MSSP.

Lesson 4: Phase 2 Systems Development

Introduction

Objectives

During the second phase of the certification and accreditation (C&A) process, the contractor builds, configures, tests, and certifies that the information system is operating as required. In this lesson, you will learn about how this is accomplished. Here are the lesson objectives:
- Identify the role and responsibilities of the entities involved in the Systems Development phase of the C&A process
- Identify the purpose and function of the Certification Statement
- Identify the purpose and function of the Plan of Actions and Milestones (POA&M)

Overview of Systems Development

1. Scenario: Target Technology

During the Initiation and Planning phase of the C&A process, Jack, Target Technology's Information System Security Manager (ISSM), was responsible for the design of the company's information system. Susan, an Information System Security Officer (ISSO), supported these activities. Now, during the Systems Development phase, the system is built, configured, and tested. Following successful testing, Jack will certify that the IS meets C&A requirements. Let's look at how this happens.

2. Phase 2 Inputs and Outputs

As you learned earlier in this course, at the conclusion of the Initiation and Planning phase, the contractor drafted the System Security Plan. Now, during the Systems Development phase, the contractor builds, configures, and tests the system. The contractor's ISSM reviews the results and certifies to the Industrial Security Field Operations Office of the Designated Approving Authority (ODAA) that the IS is operating within an acceptable level of risk. In some facilities, the ISSM may have an ISSO who helps support these activities. Following certification, the ISSM will provide the required documentation to ODAA through the ODAA Business Management System (OBMS), and the Review and Certification phase can begin.

Let's take a closer look at the Systems Development phase.

3. System Configuration and Testing

Initiation and Planning Activities

Once the contractor's IS is built and configured, the contractor performs certification to evaluate all technical and non-technical security features and safeguards. This includes ensuring that configuration standards have been addressed in the System Security Plan, as appropriate. The results of this testing are documented in a variety of ways.

Phase Documentation

1. Overview

The results of the system testing are documented in a few ways. First, the contractor uses a Certification Statement and Certification Test Checklist. In certain circumstances, the contractor may also need a Plan of Action and Milestones (POA&M) or a Risk Acceptance Letter.

2. Certification Statement and Checklist

The Certification Statement verifies that the IS has undergone certification. The contractor uses the Certification Statement to specifically certify that the information system has undergone a comprehensive evaluation of all technical and non-technical security features and safeguards, and that all required security features are functioning as outlined in the plan. It also details the inspection and test procedures used to demonstrate that the IS complies with the security requirements associated with its assigned Protection Level. The Certification Statement includes the Certification Test Checklist. This checklist helps the contractor ensure that all regulatory requirements are met. Finally, by signing the Certification Statement, the ISSM attests that all security features are in place and are operational.

3. Plan of Actions and Milestones (POA&M)

When the contractor's testing detects that NISPOM security controls cannot immediately be met, but will eventually be met, the contractor must develop a POA&M.

The POA&M serves as an agreement between the contractor and the Defense Security Service (DSS) stating which baseline technical security configurations cannot immediately be met and why. It is the method the contractor uses to document the approach to bring the system into compliance. The document outlines the non-compliance issues; the mitigation plans and adjustments necessary to demonstrate that assigned information assurance (IA) controls have been implemented; and the timeline to accomplish the plan, which includes the anticipated completion date and the risk level of each non-compliance issue. The Approval to Operate (ATO) cannot be issued while the POA&M is in place. However, a system operating under a POA&M may be issued an Interim Approval to Operate (IATO) to allow temporary operation until the issues are resolved.

4. Risk Acceptance Letter

The Risk Acceptance Letter is required when a contractual requirement prohibits the system from being in compliance with NISPOM standards. For example, a Risk Acceptance Letter is needed if the contractor cannot update the legacy operating system because it is required to support older classified technology. The Risk Acceptance Letter comes from the government customer through the prime contractor. The Government Contracting Activity (GCA) signs this letter to acknowledge that they accept the risk to the system.

5. POA&M vs. Risk Acceptance Letter

Take a moment to review the differences between the POA&M and the Risk Acceptance Letter.

POA&M
- Defense Security Service (DSS) accepts risk
- System can be made compliant
- Provides contractor time to correct non-compliance issues
- Systems with a POA&M may be granted an Interim Approval to Operate (IATO) only

Risk Acceptance Letter
- Government Contracting Activity (GCA) accepts risk
- Configuration or operation is mandated by GCA
- System is non-compliant
- Process is non-compliant
- An IS with a Risk Acceptance Letter may be granted an Approval to Operate (ATO)

Submitting a System Security Plan

1. Submission Methods

Once the contractor completes the required documentation, they submit the plan to ODAA. The contractor can do this in one of two ways. The first and preferred method is to submit the security plan via OBMS. With this method, the contractor's ISSM accesses OBMS and creates or uploads the Security Plan, IS Profile, and Certification Statement. The second method is to ship an electronic copy of the security plan to ODAA using the U.S. Postal Service, UPS, FedEx, or another carrier. With this method, the security plan must be saved to a compact disc, or CD. The inner wrapper, CD, or CD jacket must be marked For Official Use Only (FOUO). The mailing address and complete submission requirements are found within the ODAA Process Manual.

When an electronic copy is shipped, the ISSM must send a submission notification to the ODAA's general address and copy the local ISSP and IS Rep.

Review Activity 1

How well do you understand the documents created during the Systems Development phase? Select Certification Statement, Plan of Actions and Milestones, or Risk Acceptance Letter for each statement. Check your answers in the Answer Key at the end of this Student Guide.

- Every System Security Plan package contains this document.
- This document is used when NISPOM requirements are not met and the contractor will not be able to make corrective actions to meet the requirements.
- This is used when NISPOM requirements are not met, but the contractor will make corrective actions to meet the requirements.

Options: Certification Statement; Plan of Actions and Milestones; Risk Acceptance Letter

Answer Key

Review Activity 1

- Every System Security Plan package contains this document.
    Certification Statement
- This document is used when NISPOM requirements are not met and the contractor will not be able to make corrective actions to meet the requirements.
    Risk Acceptance Letter
- This is used when NISPOM requirements are not met, but the contractor will make corrective actions to meet the requirements.
    Plan of Actions and Milestones

Lesson 5: Phase 3 Review and Certification

Introduction

Objectives

During the third phase of the certification and accreditation (C&A) process, the information system is reviewed and certified. In this lesson, you will learn about the roles and responsibilities of those involved in this phase. You will also learn about its two components, the plan review and the onsite validation, and the outcomes of each. Here are the lesson objectives:
- Identify the roles and responsibilities of the entities involved during the Review and Certification phase of the C&A process
- Given a set of circumstances, identify the outcome of a plan review
- Given a set of circumstances, identify the outcome of an onsite validation

Overview of Review and Certification

1. Scenario: Target Technology

During the Systems Development phase of the C&A process, the contractor built, configured, and tested the information system (IS) and submitted the Security Plan Package to the Industrial Security Field Operations, Office of the Designated Approving Authority (ODAA). Now, during the Review and Certification phase, the IS will be reviewed to ensure that it meets the requirements that enable it to be certified.

2. Phase 3 Inputs and Outputs

Now that Target Technology's information system is built, it must be reviewed and certified. The review is completed by either the Information System Security Professional (ISSP) or by a qualified C&A Reviewer. The ISSP or C&A Reviewer will review Target Technology's completed Security Plan Package and the associated IS. If the reviewer finds that changes need to be made, the reviewer will document these changes and the associated recommendations. Once the review is complete, the ISSP or C&A Reviewer will make a recommendation to the Regional Designated Approving Authority (RDAA). If the review results are favorable, the contractor will receive an Interim Approval to Operate (IATO) and the process will proceed to Phase 4, the Accreditation Decision.

3. Receipt of Security Plan Package

The Review and Certification phase begins when ODAA receives the Security Plan Package from the Information System Security Manager (ISSM). The package includes the System Security Plan, the IS Profile, and the Certification Statement. ODAA then inputs the Certification Statement and completed System Security Plan into the ODAA database. The appropriate ISSP then reviews the submission.

Plan Review

1. Definition

When the ISSP or C&A Reviewer receives the Security Plan Package, the reviewer first conducts a plan review, which is also referred to as a desktop review. During this review, the ISSP or C&A Reviewer reviews the Security Plan Package and recommends either an IATO approval or denial based on this review. If the ISSP or C&A Reviewer recommends that the IATO be approved, the process proceeds to the onsite validation.

2. Review of Contractor's Submission

The ISSP or C&A Reviewer examines the contractor's submission for completeness and compliance. Through this review, the reviewer determines whether or not all System Security Plan certification requirements are met and whether the Certification Test Checklists are completed. There are three possible outcomes of this review:
- Recommend IATO approved
- Recommend IATO approved with corrective actions
- Recommend IATO denied

3. ISSP/C&A Reviewer's Recommendation

The reviewer may find that all requirements are met and all test checklists are complete. In this case, the reviewer will recommend the IATO be approved and will schedule the onsite visit to the contractor's facility. Other times, the reviewer may find that all requirements are met and all test checklists are complete, but corrective actions are required. In this case, the reviewer will recommend that the IATO be approved, but the contractor will be required to make corrective actions. Finally, the reviewer may find the IATO cannot be approved and will recommend that the IATO be denied.

a. Common Reasons to Deny an IATO
- ISSM did not sign the IS Security Package Submission and Certification Statement
- Missing Hardware List/Software List/Configuration Diagram
- No Certification Test Guide or NISP Tool Results provided
- Physical security not adequately explained
- Identification and authentication not adequately addressed
- Missing memorandum of agreement (MOA) when one is required
- Missing a letter from the Government Contracting Activity (GCA) when variances are needed
- Missing a signed Defense Security Service (DSS) Form 147 (Record of Controlled Area) when the system is in a Closed Area
- Any unique issues that would require denial of the Interim Approval to Operate (IATO)

4. RDAA Review of IATO

When the RDAA receives the ISSP or C&A Reviewer's recommendation, the RDAA reviews the associated documentation. Based on this review, the RDAA makes and communicates the accreditation decision. There are two possible outcomes: the RDAA may issue an IATO or deny the IATO. When the RDAA denies accreditation, the RDAA notifies the ISSM of the areas of concern that must be addressed. When the RDAA issues an IATO, it is valid for up to 180 days from the date of issuance.

5. Contractor Next Steps

When the contractor's ISSM receives the IATO status notification from the RDAA, the contractor's next steps depend on the IATO status. The IATO may be approved, it may be approved with corrective actions, or it may be denied.

a. IATO approved

When the IATO is approved, the contractor may begin processing classified information and schedules the upcoming onsite IS and System Security Plan validation. It is important to note that as soon as classified processing begins, the contractor must begin continuous review activities to ensure that an acceptable level of risk is maintained. This includes, but is not limited to, conducting routine reviews such as self-inspections. You will learn more about how this is accomplished later in this course.

b. IATO approved with corrective actions

When the IATO is approved with corrective actions, the contractor may begin processing classified information. The contractor must also respond to the corrective actions and recommendations and schedule the upcoming onsite IS and System Security Plan validation.

c. IATO denied

When the IATO is denied, the contractor responds to the corrective actions and recommendations and updates the System Security Plan. The contractor then resubmits the Security Plan Package to the ODAA and the Review and Certification phase begins again. Keep in mind that only three submission attempts are allowed. If, during the third attempt, the System Security Plan is again denied, the ISSP archives the package and notifies the contractor's senior security officer. The ISSM is then required to start the C&A process from the beginning.

Onsite Validation

1. Definition

During the onsite validation, the ISSP or C&A Reviewer travels to the contractor's facility to validate that the IS is operating as documented in its Security Plan Package and that the system controls are in place and operating as intended. The onsite visit must be completed within six months of the IATO issue date, or another IATO must be recommended.

2. IS Compliance Verification

The ISSP completes the onsite validation to verify that the IS is operating in compliance with its System Security Plan. There are three possible outcomes resulting from the onsite validation:
- The ISSP may recommend the Approval to Operate (ATO) be approved.
- Under extreme circumstances only, the IATO may be extended and the onsite validation may be rescheduled.
- Depending on the severity of the issues, the ISSP may recommend that the IATO be revoked.

Review and Certification Outcomes

1. Scenario: Target Technology

So, how did Target Technology's information system fare during the Review and Certification phase? Target Technology's IS received its interim approval to operate, and the ISSP recommended the RDAA approve its ATO. Now, the system will move to the next phase in the process, during which the formal accreditation decision will be made.


More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

Career Center for Development of Security Excellence (CDSE) Pre-Approved for CompTIA CEUs

Career Center for Development of Security Excellence (CDSE) Pre-Approved for CompTIA CEUs Career Center for Development of Security Excellence (CDSE) Pre-Approved for CompTIA CEUs You can earn 1 CEU for each hour of training. Follow these requirements to earn and receive CEUs. All training

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Deployment Deployment is the phase of the system development lifecycle in which solutions are placed into use to

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

DISADVANTAGED BUSINESS ENTERPRISE PROGRAM. Unified Certification Program OKLAHOMA

DISADVANTAGED BUSINESS ENTERPRISE PROGRAM. Unified Certification Program OKLAHOMA DISADVANTAGED BUSINESS ENTERPRISE PROGRAM Unified Certification Program OKLAHOMA TABLE OF CONTENTS General... 1 Ratification Process... 1 Implementation Schedule... 2 Regulatory Requirements... 2 DBE Directory...

More information

Guide to Understanding FedRAMP. Version 2.0

Guide to Understanding FedRAMP. Version 2.0 Guide to Understanding FedRAMP Version 2.0 June 6, 2014 Executive Summary The Federal Risk and Authorization Management Program (FedRAMP) provides a costeffective, risk-based approach for the adoption

More information

Application for Certification

Application for Certification Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the

More information

Orion Registrar, Inc. Certification Regulations Revision J Effective Date January 23, 2018

Orion Registrar, Inc. Certification Regulations Revision J Effective Date January 23, 2018 Introduction This document outlines the process of obtaining and maintaining certification with Orion Registrar Incorporated. Included are the requirements and rights of a Company undergoing certification

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

Ref No: RACS/PCS/10 Page 1 of 7. Revision No: 00 Revision Date: October 1, 2018 PRODUCT CERTIFICATION SCHEME FOR ELECTRICAL EQUIPMENT

Ref No: RACS/PCS/10 Page 1 of 7. Revision No: 00 Revision Date: October 1, 2018 PRODUCT CERTIFICATION SCHEME FOR ELECTRICAL EQUIPMENT Ref No: RACS/PCS/10 Page 1 of 7 1. Objective: This procedure describes the criteria implemented by RACS as Notified Body of Emirates Authority of Standardization and Metrology (ESMA) to assure that Electrical

More information

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited

More information

Certification Program

Certification Program Certification Program Ryan Stewart, Manager of Registration, NERC FRCC Reliability Performance Workshop September 20, 2017 Purpose of the Certification Program Rules of Procedure (ROP) Section 500: The

More information

Timber Products Inspection, Inc.

Timber Products Inspection, Inc. Timber Products Inspection, Inc. Product Certification Public Document Timber Products Inspection, Inc. P.O. Box 919 Conyers, GA 30012 Phone: (770) 922-8000 Fax: (770) 922-1290 TP Product Certification

More information

Guide to IREE Certification

Guide to IREE Certification Guide to IREE Certification Certification Congratulations on your decision to pursue Investor Ready Energy Efficiency (IREE) Certification for your project! As a building owner, by choosing to pursue IREE

More information

NIST Security Certification and Accreditation Project

NIST Security Certification and Accreditation Project NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED. Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

Approved Trainers Certification

Approved Trainers Certification Approved Trainers Certification The APM Group Limited QMS Related Documents Eligibility Requirements Training Certification Overview Application forms Training Organisation Certification Certification

More information

Request for Proposal for Technical Consulting Services

Request for Proposal for Technical Consulting Services Request for Proposal for Technical Consulting Services The Node.js Foundation is requesting proposals from highly qualified consultants with demonstrated expertise in providing Node.js technical consultation

More information

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c. Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Physical Enterprise Physical Enterprise Monitoring is the monitoring of the physical and environmental controls that

More information

RFQ OIT-1 Q&A. Questions and Answers, in the order received.

RFQ OIT-1 Q&A. Questions and Answers, in the order received. Question Does the system have an existing SSP? Do they use a system like Xacta or CSAM to generate the SSP. Will they provide us the current POAM list? Will they provide scanning tools or we have to bring

More information

Adobe Sign and 21 CFR Part 11

Adobe Sign and 21 CFR Part 11 Adobe Sign and 21 CFR Part 11 Today, organizations of all sizes are transforming manual paper-based processes into end-to-end digital experiences speeding signature processes by 500% with legal, trusted

More information

GUIDE TO CERTIFICATION

GUIDE TO CERTIFICATION GUIDE TO CERTIFICATION December 2017 *Note this document is temporary, and the content will soon appear on peer.gbci.org, at the latest November 30, 2015.* CONGRATULATIONS ON YOUR DECISION TO PURSUE PEER

More information

DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA MERCHANT SHIPPING SECRETARIAT MINISTRY OF PORTS AND SHIPPING

DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA MERCHANT SHIPPING SECRETARIAT MINISTRY OF PORTS AND SHIPPING DEMOCRATIC SOCIALIST REPUBLIC OF SRI LANKA MERCHANT SHIPPING SECRETARIAT MINISTRY OF PORTS AND SHIPPING 1 st Floor, Bristol Building, 43-89, York Street, Colombo 01, Sri Lanka. Telephone: +94(0)112435127,

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Rules for LNE Certification of Management Systems

Rules for LNE Certification of Management Systems Rules for LNE Certification of Management Systems Application date: March 10 th, 2017 Rev. 040716 RULES FOR LNE CERTIFICATION OF MANAGEMENT SYSTEMS CONTENTS 1. PURPOSE... 3 2. SCOPE... 3 3. DEFINITION

More information

ManTech Advanced Systems International 2018 Security Training Schedule

ManTech Advanced Systems International 2018 Security Training Schedule ManTech Advanced Systems International 2018 Security Training Schedule Risk Management Framework Course Dates Course Location Course Cost February 12 15, 2018 Las Vegas, NV $1,950.00 March 12 15, 2018

More information

SCS FSC Chain-of-Custody Guidance for Certification of Multiple Sites FSC-STD V2-1

SCS FSC Chain-of-Custody Guidance for Certification of Multiple Sites FSC-STD V2-1 2000 Powell Street, Ste. 600 Emeryville, CA 94608 USA +1.510.452.8000 main +1.510.452.8001 fax www.scsglobalservices.com SCS FSC Chain-of-Custody Guidance for Certification of Multiple Sites FSC-STD-40-003

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP April 14, 2004 Current Macro Security Context within the Federal Government

More information

The Open Group Professional Certification Program. Accreditation Requirements

The Open Group Professional Certification Program. Accreditation Requirements The Open Group Professional Certification Program Accreditation Requirements Version 1.0 October 2018 Copyright 2018, The Open Group All rights reserved. This publication may be reproduced, stored in a

More information

PRODUCT CERTIFICATION SCHEME FOR ENERGY DRINKS

PRODUCT CERTIFICATION SCHEME FOR ENERGY DRINKS Ref No: RACS/PCS/11 Page 1 of 6 1. Objective: This procedure describes the criteria implemented by RACS as Notified Body of Emirates Authority of Standardization and Metrology (ESMA) that Energy Drinks

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

PRODUCT CERTIFICATION SCHEME FOR MECHANICAL-CUSTOMIZED VEHICLES

PRODUCT CERTIFICATION SCHEME FOR MECHANICAL-CUSTOMIZED VEHICLES Ref No: RACS/SOP/57 Page 1 of 6 1. Objective: This procedure describes the criteria implemented by RACS as Notified Body of Emirates Authority of Standardization and Metrology (ESMA) that Mechanical Customized

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses

More information

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing

More information

ManTech Advanced Systems International 2017 Security Training Schedule

ManTech Advanced Systems International 2017 Security Training Schedule ManTech Advanced Systems International 2017 Security Training Schedule Risk Management Framework Course Course Dates Course Location Course Cost October 16 19, 2017 Joint Base Anacostia-Bolling, Washington,

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

Committee on National Security Systems. CNSS Policy No. 14 November 2002

Committee on National Security Systems. CNSS Policy No. 14 November 2002 Committee on National Security Systems CNSS Policy No. 14 November 2002 National Policy Governing the Release of Information Assurance (IA) Products and Services to Authorized U.S. Persons or Activities

More information

Audit Considerations Relating to an Entity Using a Service Organization

Audit Considerations Relating to an Entity Using a Service Organization An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of

More information

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review

More information

Renewal Registration & CPE for CPAs in Iowa

Renewal Registration & CPE for CPAs in Iowa 1. When must I renew my certificate? Renewal Registration Process You must renew your certificate annually with the Iowa Accountancy Examining Board (IAEB). Online renewal is typically available May 15

More information

Guidance of NOP Certification system Page 1/8

Guidance of NOP Certification system Page 1/8 Page 1/8 I. Introduction A. Regulation Since October 21, 2002, The USDA implemented its organic regulations for the production, labeling, and inspection of organic products: the National Organic Program

More information

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP) An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP) Solutions Built On Security Prepared for The IT Security Community and our Customers Prepared by Lunarline,

More information

PPR TOKENS SALE PRIVACY POLICY. Last updated:

PPR TOKENS SALE PRIVACY POLICY. Last updated: PPR TOKENS SALE PRIVACY POLICY Last updated: 05.03.2018 STATUS AND ACCEPTANCE OF PRIVACY POLICY 1. This Privacy Policy (hereinafter referred to as the Policy ) sets forth the general rules of Participant

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

PRODUCT CERTIFICATION SCHEME FOR MILK AND DAIRY PRODUCTS

PRODUCT CERTIFICATION SCHEME FOR MILK AND DAIRY PRODUCTS Ref No: RACS/PCS/16 Page 1 of 8 1. Objective: This procedure describes the criteria implemented by RACS as Notified Body of Emirates Authority of Standardization and Metrology (ESMA) to assure that Milk

More information

FedRAMP Security Assessment Plan (SAP) Training

FedRAMP Security Assessment Plan (SAP) Training FedRAMP Security Assessment Plan (SAP) Training 1. FedRAMP_Training_SAP_v6_508 1.1 FedRAMP Online Training: SAP Overview Splash Screen Transcript Title of FedRAMP logo. FedRAMP Online Training; Security

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

DoDD DoDI

DoDD DoDI DoDD 8500.1 DoDI 8500.2 Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional 1 Scope of DoDD 8500.1 Information Classes: Unclassified Sensitive information Classified All ISs to include:

More information

Payment Card Industry (PCI) Point-to-Point Encryption

Payment Card Industry (PCI) Point-to-Point Encryption Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Version 2.0 (Revision 1.1) July 2015 Document Changes Date Version Revision Description 14 September 2011 1.0 Initial release

More information

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions Conference for Food Protection Standards for Accreditation of Food Protection Manager Certification Programs Frequently Asked Questions Q. What was the primary purpose for the Conference for Food Protection

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information