• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/636

Click to flip

636 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
What does CNSS stand for?
Committee for National Security Systems
Why is Executive Order 13231 significant?
major milestone document establishing the
President’s intent to secure the national infrastructure
What does NIAC stand for?
National Infrastructure Advisory Council
What does NSTAC stand for?
National Security Telecommunications Advisory Committee
What does EO 13231 require?
that the responsible personnel oversee,
develop, and ensure implementation of policies, principles, standards, and guidelines for the
security of information systems that support the operations under their respective control
What does EO 13231 establish?
* Voluntary public-private partnership
* Provided the Director OMB increased responsibility
* NIAC
* NSTAC
What policy created CNSS?
Executive Order 13231
What agency chairs the CNSS?
DoD
What is the effective date of EO 13231?
'16 OCT 2001
What is the ISSEP definition of availability?
Timely, reliable access to data and information services for
authorized users
What is the ISSEP definition of integrity?
Quality of an IS reflecting the logical correctness and
reliability of the operating system; the logical completeness
of the hardware and software implementing the protection
mechanisms; and the consistency of the data structures
and occurrence of the stored data.
What is the ISSEP definition of confidentiality?
Assurance that information is not disclosed to unauthorized
individuals, processes, or devices.
What is the ISSEP definition of access control?
Limiting access to information system resources only to
authorized users, programs, processes, or other systems.
What is the ISSEP definition of authentication?
Security measure designed to establish the validity of a
transmission, message, or originator, or a means of
verifying an individual's authorization to receive specific
categories of information.
What is the ISSEP definition of non-repudiation?
Assurance the sender of data is provided with proof of
delivery and the recipient is provided with proof of the
sender's identity, so neither can later deny having
processed the data.
What is a National Security System?
A system that:
Involves intelligence activities
Involves ctryptologic activities related to national security
Involves command and control of military forces
Involves equipment that is an integral part of a weapon or weapons system
Is critical to the direct fulfillment of military or intelligence missions
There are 5 categories
According to NIST, what are the phases of the Systems Development Life Cycle (SDLC)?
Initiation
Develop/Acquire
Implement
Ops/Maintenance
Disposal
There are 5 phases
What is C&A?
The standard DoD approach for:
identifying IS requirements
providing security solutions and
managing the security of DoD ISs
There are 3
What are the general phases of C&A?
Define Problem
Risk Assessment
Implement Controls
Certification
Accreditation
Ops/Maintenance
Disposal
There are 7
What are the phases of the Risk Management Framework?
Categorize the IS
Select security controls
Implement security controls
Assess security controls
Authorize IS
Monitor security controls
There are 6
With respect to the RMF, what are the contributing factors to categorize the IS?
Architecture Description
Organizational Input
There are 2
What are the components of the RMF architecture description?
Architecture reference models
Segment and solution architectures
Mission and business processes
Information system boundaries
There are 4
What are the components of the RMF organizational inputs?
Laws and directives
Policy guidance
Strategic goals and objectives
Priorities and resource availability
Supply chain considerations
There are 5
What government inputs should be considered when developing security requirements?
Statutory (USC, ACT, HR, Title, Public Law)
Regulatory (EO/PD, OMB, Cabinet/Agency Policy)
Processing Standards (FIPS, CNSS, NIST standards)
Guidelines (NIST SPs, STIGs)
What is the organizational role and authority of The White House?
Executive Office given statutory authority to issue E.O., proclamations,
PDD/HSPD, and similar documents that initiate action, stop action, or require
general notice be given.
What is the organizational role and authority of The US Congress?
Legislative body responsible for the USC and the general, permanent laws of
the nation that it contains. Congress’s power to authorize the appropriation of federal spending to carry out government activities.
What is the organizational role and authority of OMB?
Evaluates expenditure effectiveness, and provides oversight of
Administration procurement, fiscal management, information and regulatory
policy
What is the organizational role and authority of NSA?
Has responsibility for ensuring that all cryptographic methods and systems
used to protect USFG information and systems are sufficiently strong; for
penetrating adversary systems and codes; and to ensure that all national
security information is protected appropriately whether in transit or at rest
What is the organizational role and authority of NIST?
Has responsibility to ensure that standards and measures are developed to
improve performance, and charged by law with responsibility for information
security standards, metrics, tests, and various other means to support
agencies' missions. Issues SP, FIPS, ITL Bulletins, NISTIR, and other
guidance.
What is the organizational role and authority of NIAP?
NIAP is an initiative partnership between the NIST and the NSA to evaluate
and attempt to meet the needs and requirements of IT/IA product producers
and consumers to evaluate functionality and pedigree.
What does OMB stand for?
Office of Management and Budget
What does NIST stand for?
National Institute of Standards and Technology
What does NIAP stand for?
National Information Assurance Partnership
What is the organizational role and authority of CNSS?
Formerly know as NSTISSC, the CNSS provides a participative
forum to examine national policy and promulgates direction,
operational procedures and instructions (CNSSI), and other
forms of authoritative guidance for national security systems.
What is the significance of EO 13228?
Establishing the Office of Homeland Security and the HS
Council (2001) – Initiates a comprehensive strategy to secure the
US from terrorist attacks.
What is the significance of EO 13231?
CIP in the Information Age (2001) ~ which states policy
to protect CI against compromise. Renamed NSTISSC to CNSS.
What is the significance of HSPD-7?
Homeland Security Directive 7 (2003) ~ which directs the
identification and prioritization of CI assets and key resources to
protect them from terrorist attacks. Supersedes PDD-63.
What is the significance of HSPD-12?
Homeland Security Directive 12 (2004) ~ which directs a
common identification standard that is “secure and reliable” to verify
employee identity.
What is Public Law 100-235, Title 101, Statute 1724?
The Computer Security Act of 1987
What does the Computer Security Act of 1987 establish?
~ Improve security/privacy of sensitive information in federal
systems;
~ Federal agencies to establish standards & guidelines
~ Requires that any federal computer system that processes
sensitive information have a customized security plan
(SSAA).
~ Requires that users of those systems undergo security
training.
NIST responsible, NSA to advise.
~ assessing the vulnerability of federal computer systems,
~ developing standards,
~ providing technical assistance with NSA support, and
~ developing training guidelines for federal personnel
What is the significance of the Privacy act of 1974?
~ Balance the government’s need to maintain
information about individuals with the rights of
individuals
~ Act focuses on four basic policy objectives
– Restrict disclosure
– Increased rights of access to agency records
– Grant individuals the right to seek amendment
– Establish a code of “fair information practices”
What is the significance of the Clinger-Cohen Act of 1996?
Established that every federal agency must have a CIO
Reformed Information Technology Management
Defined a National Security System
What is the significance of OMB Circular A-130 Appendix III, 24 DEC 1985?
Management of Federal Information Resources
Mandatory implementation of Computer Security Act and FISMA requirements
Defines adequate security
~Provides specific practices and guidelines for
implementation of the Paperwork Reduction Act
-Established a mandate for agencies to perform their
information resources management in an effective
manner
~Requires accreditation of federal IS’ to operate
based on an assessment on management,
operational, and technical controls
What is the definition of adequate security (according to OMB Circular A-130)?
“security commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to
or modification of information.…provide appropriate
confidentiality, integrity, and availability, through the use of cost-effective
management, personnel, operational, and technical
controls.”
What determines a systems criticality?
mission
What determines a systems sensitivity?
confidentiality, integrity and availability
What is Public Law 107-347, Title III?
The E-Government Act of 2002, Federal Information Security Management Act
What does the E-Government Act of 2002 establish?
~ OMB has Oversight over E-Government
-Federal Government (Organizations and IG’s) must report
IA status to OMB annually and quarterly
-OMB provides reports to Congress annually
-Congressional Cyber Security Grade
~ NIST publishes Standards and Guidelines
~ All Federal Government must follow NIST C&A
processes, with the exception of Defense and
Intelligence organizations.
What does the 2000 update to OMB Circular A-130 add?
~ Risk-based approach to assess and react to threat and
vulnerabilities
~ Security Plans and identification and correction of deficiencies
~ Incident Response capabilities
~ Interruption planning and continuity support
~ Technical controls consistent with NIST guidance
~ Periodic review of status and controls
~ Information sharing (MA only) and public access controls
~ Responsibility assignment
~ Periodic reporting of operational and security status
What does M-00-13 establish?
Privacy Policies and Data Collection on Fed. Websites
A continuation and update of M-99-18 to add the mention of
“cookies” and their impact, and to add as mandatory
compliance with the Children’s Online Privacy Act (COPA-98)
(2000).
What does M-01-08 establish?
Implementing GISRA (2001) – superseded by FISMA
Provides guidance to agency heads regarding GISRA
implementation
What does M-02-01 establish?
Guidance for Preparing and Submitting Security Plans
of Action and Milestones (Oct 2001)
What are the required components of a POA&M according to OMB?
Weakness
POC
Resources Required
Scheduled Completion Date
Milestones with Completion Dates
Changes to Milestones
Indentified in CFO Audit or other review?
Status
There are 8 columns
What are the required components of a DIACAP POA&M?
Weakness
CAT (Severity Code)
IA Control and Impact Code
POC
Resources Required
Scheduled Completion Date
Milestones with Completion Dates
Changes to Milestones
Indentified in CFO Audit or other review?
Status
Comments
There are 11 columns
DoD 5200.28 ~ Title, Date issued and what superseded it?
Security Requirements for Automated Information Systems, March 21, 1989
(updated under DOD 8500 series)
DoD CIO Policy 10-8460 ~ Title and date
Global Information Grid –Network Operations
Aug 24, 2000
What are the types of DoD Issuances?
~ Directives (DoDD): policy documents that establish
or describe requirements, missions, authorities, etc.
~ Memoranda (from SecDef): they direct
implementation of policy, legislation, EO; becomes
DoDD 180 days later unless subject is classified or
temporary.
~ Instructions (DoDI): describe policy implementation
~ Administrative (DoD AI): support supplement to
DoDI
~ Publication (DoDP): provides procedures for DoDI
What is DIAP?
Defense-Wide IA Program. Mission is to ensure
that information assets are protected through unified IA
activities using D-in-D approaches in support of GIG
Net-Centricity.
What is DISA?
Defense Information Systems Agency.
Responsible for all aspects of systems engineering and
support of GIG. Provides IASE as the clearinghouse
location for all DoD IA info.
What is NIAD?
NSA IA Directorate. Provide required capability
to support survival and success of all DoD missions.
What is DARPA?
R&D for DoD. Operates the OASIS program
to provide robust capability to enable survival of DoD
AIS against a sophisticated and motivated adversary.
What is the high-level list of DoD IA Policy series?
~ 8500: General Policy
~ 8510: IA Certification and Accreditation
~ 8520: Security Management
~ 8530: Computer Network Defense
~ 8540: Interconnectivity
~ 8550: Network and Web
~ 8560: IA Monitoring
~ 8570: Education, Training, and Awareness
There are 8
Describe DoDP 8500.1
Information Assurance (2003)
Supersedes: 5200.28,5200.28M, 5200.28STD
and CIO Memorandum 6-8510.
Applies to all DoD owned or controlled AIS
Establishes policy and assigns responsibilities
to achieve IA goals through Defense-in-Depth
and integrates people, technology, and
operations to support GIG.
Describe DoDI 8500.2
IA Implementation (2003)
Accompanies: 8500.1 Information Assurance
Provides guidance on how to implement 8500.1
policy to establish layered defenses IAW with
principles underlying GIG and D-in-D, defines
controls for MAC levels, and defines
Robustness levels
~ Basic (~ to CC EAL 2)
~ Medium (~ to CC EAL 4)
~ High (~ to CC EAL 6)
Describe DoDD 8570.1
IA Training, Certification, and
Workforce Management (2004)
This directive describes the program for training
and certification (qualifications, requirements,
metrics, and more) for ensuring adequate
security knowledge and skill in assigned duty
positions.
Describe DoDM 8570.1M
IA Workforce Improvement
Program (Change 1, 5/2008)
This manual accompanies DoDD 8570.1, and
provides details necessary to implement the
program.
Describe DoDI 500.2-R
Mandatory Procedures for Major
Defense Acquisition Programs (MDAPS) & Major
Automated Information System (MAIS) Acquisition
Programs (2001)
This has been superseded effective December
2008, and replaced by DoDI 5000.02., which also
cancels DoDI 5000.2 (2003)
It called for consideration of risks and IA
functions, capabilities, and features to be given
consideration in the acquisition process of COTS
and GOTS products.
Describe DoDI 5200.40
DITSCAP (1997)
DoD C&A standard that outlines an iterative
four-step process to accomplish the mission of
operational deployment of assured systems:
1. Definition: document al aspects of system context
2. Verification: Compliance status determination
3. Validation: all activities required to prove status
4. Post-Accreditation: Mgmt of SSAA, change, and
continual monitoring of compliance state
(This has been superseded by DoDI 8510.01 DIACAP effective November 2007.)
What is the CNSS?
NSTISSC was established by NSDD 42a (1990) in order to
implement provisions and requirements of NSDD 42, renamed
to CNSS by EO 13231 in 2001, in order to:
~ Considers technical matters and develop operating
policies, procedures, guidelines, instructions, and
standards;
~ Assess the overall security posture of and disseminate
information on threats to and vulnerabilities of national
security systems;
~ Review and approve all standards, techniques, systems,
and equipment related to the security of national security
systems, and,
~ To examine U.S. national security systems and evaluate
their vulnerability to foreign interception and exploitation,
and oversee mitigating action.
What are the CNSS issuance types and purpose?
Policy: assigns responsibilities and
establishes criteria (NSTISSP/CNSSP);
Directives: Establish or describe policy,
programs assign authority or
responsibilities (NSTISSD/CNSSD);
Instructions: Describe implementation or
intention of policy (NSTISSI/CNSSI);
Memoranda: To provide guidance or
explanation of policy or other issuance (NSTISSAM/CNSSAM)
Describe NTISSP 6
Issued 1994, Established the requirement for all
Federal agencies operating NSS to have a C&A
program; implemented through NSTISSI 1000.
Describe NSTISSP 7
Issued 1995, Specified functional, management, and
technical requirements to produce a secure electronic
messaging system for conduct of official business:
Additional guidance issued to implement by Y2000
To be government-wide interoperable across all NSS
Required this to be accomplished through common
standards and procedures
Describe NSTISSP 11
Issued 2003, States policy that IA shall be done through
COTS and GOTS products, and that such products are to be
evaluated through CC processes:
~ Must achieve more than simply confidentiality;
~ COTS/GOTS should be used as more readily available;
~ IA achievement must evolve beyond traditional view;
~ OCONUS CC partner evals for EAL 1-4 accepted w/o
NIAP
~ NIAP required as well for EAL 5-7 product requirements
Exceptions allowed:
~ Any COTS/GOTS acquired prior to policy effective date;
~ Recognition of the complexities of technology and
evaluation process
Describe NCSC-5
Issued 1981, Governs use of crypto-materials in high-risk
environments. Specifies requirements for equipment selection,
use, evacuation, destruction (to prevent loss), P2P keying (no
netting or common-user), and only minimum necessary.
Describe NSTISSP 200
Issued 1987, sets policy that, in essence, requires all
NSS to comply with C2-level requirements. Defines AIS, TCB,
TCSEC (now must meet EAL 4).
Describe NSTISSP 101
Issued 1999, Sets national policy that all military voice
radio and sensitive civilian government voice systems must be
secure; threats must be assessed and security implemented
must be commensurate.
Describe CNSSP 14
Issued 2002, Governs release of IA products and
services to non-USFG members, and specifies methods and
controls by which this can, as appropriate, be done.
Describe NSTISSD-500
Issued 1993, Specifies requirements for all USFG
departments to implement programs to address ongoing
needs for education, awareness, and training for NSS.
Describe NSTISSI 4011
Issued 1994, Course content InfoSec profession
Describe CNSSI 4012
Issued 2004, For senior system managers (DAAs).
Supersedes NSTISSI 4012 (1997)
Describe CNSSI 4013
Issues 2004, For Sysadmins. Supersedes NSTISSI
4013 (1997)
Describe CNSSI 4014
Issued 2004, For ISSOs. Supersedes NSTISSI 4014
(1997).
Describe NSTISSI 4015
Issued 2000, Standards for Systems Certifiers
Describe NACSI 6002
Issued 1984, Protection of USFG contractor
communications. In essence enforces the requirement for
contractors to protect their communications (contract related)
to the same level as the agency, and then charge
that agency for the cost of meeting those requirements.
Describe NSTISSI 7003
Issued 1994, Protected distribution systems.
This refers to systems that are used to transmit
unencrypted traffic (NSI) through lower-cleared areas, and
how, when, and where they can be used.
Describe NSTISSI 1000
Issued 2000, Establishes minimum national
standards for C&A processes, and provides guidance on
how to implement NSTISSP 6. Describes the NIACAP
Describe NSTISSAM CompuSec 1-98
Issued 1998, Describes the role of
firewalls and other enclave boundary protections IAW with
Defense in Depth principles. Names firewall types: packet,
proxy, and hybrid of these.
Describe NSTISSAM CompuSec 1-99
Issued 1999,Describes the
decision to transition from TCSEC to CC, recognition of
technology advances and evaluation independence needs.
Describe NSTISSAM InfoSec 1-00
Issued 2000, States that the policy
shall be that all applications or devices processing as
Unclassified NSS that use crypto must use a form
validated against FIPS 140 or the CC.
Describe NSTISSAM InfoSec 2-00
Issued 2000, Describes the policy and
a strategy for using the NIAP to evaluate COTS using
commercial labs. All units evaluated must be reviewed by
NIAP for compliance with the CC, and a separate NIAP
evaluation is optional.
Describe CNSSAM 1-04
Issued 2004, Provides guidance to all agencies
that a multilayer/multivendor approach to IA architecture is
desirable, as long as the overall architecture and
engineering is performed in a sound and well-executed
manner (to ensure optimal integration and interoperability).
What is NIST's role in the USFG?
Establishes an Information Assurance
Technology Framework (IATF)
Continuing Key Areas:
~ Developing security standards, guidelines, and
associated methods and techniques for information
services, including metrics as in SP 800-53
~ Conduct security research – understand vulnerabilities
and develop new security techniques
NIST SP 800-12
(1995): Introduction to Computer Security
Basic information and guidance (from OECD) on principles and
practices:
~ Supports org mission and is part of sound management
~ Cost-effective with a comprehensive, integrated approach
~ Responsibility and accountability are explicit
NIST SP 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems (GASSP)
(1996) Provides father and deeper explanation and guidance of the
topics introduced in 800-12
Among other things, addresses risk management, SLC
planning, incident response, training and awareness
NIST SP 800-16
Information Technology Security Training Requirements: A Role~ and Performance-Based Model
NIST SP 800-18
Guide for Developing Security Plans for Federal Information Systems (SSP)
Complies with and implements OMB A130 Appendix III and CSA 87
SSP Purpose:
~ Describe requirements of the particular AIS
~ Delineate responsibilities and required behaviors of users
Three primary tasks:
~ Preparation of the plan itself
~ Notification and resource identification
~ Plan analysis, update, and acceptance
Defines Major Application (MA) and General Support System (GSS)
NIST SP 800-27 REV A
Engineering Principles for IT Security, Baseline
Provides a listing of engineering principles (33) to be used to
achieve appropriate levels of InfoSec
Tied very closely to the principles stated in 800-12 and 800-14
Specifies a five phase model for employing these principles:
~ Initiation
~ Development/Acquisition
~ Implementation
~ O&M Phase
~ Disposal
NIST SP 800-30
Risk Management Guide for Information Technology Systems
1. System Characterization
2. Vulnerability Identification
3. Threat Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
What steps of SP 800-30 can be performed in parallel?
2. Vulnerability Identification
3. Threat Identification
NIST SP 800-34 REV 1
Contingency Planning Guide for Federal Information Systems
NIST SP 800-37 REV 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (RMF)
NIST SP 800-39
Managing Information Security Risk: Organization, Mission, and Information System View (Enterprise Risk)
NIST SP 800-40
Creating a Patch and Vulnerability Management Program (Vulnerability Management)
NIST SP 800-41
Guidelines on Firewalls and Firewall Policy
NIST SP 800-47
Security Guide for Interconnecting Information Technology Systems
~ Establishes guidelines (including tasks and
subtasks) to plan, establish, maintain, and
terminate interconnections between AIS that are
owned and operated by different organizations.
~ Addresses all stages of interconnection lifecycle.
~ Does not address classified AIS.
NIST SP 800-50
Building an Information Technology Security Awareness and Training Program
NIST SP 800-53 REV 3
Recommended Security Controls for Federal Information Systems and Organizations
~ Provides a catalogue of security controls for
federal information systems (NSS).
~ Recommends baseline security controls for
federal information systems (IAW FIPS
Publication 199 risk levels)
~ Provides guidelines for agency-directed tailoring
of baseline security controls
Incorporates security controls from many public
and private sector sources
~ CC Part 2
~ ISO/IEC 27001
~ COBIT
~ GAO FISCAM
~ CMS (healthcare)
~ D/CID 6-3 Requirements
~ DoD Policy 8500
~ BITS Functional packages
NIST SP 800-53A REV1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
Provides guidance for agencies to consistently map
impact levels to information types and sensitivities
and provide methods for evaluating the
effectiveness of deployed controls in IT systems.
Applicable to all Federal AIS other than NSS
Operating as intended
Implemented Effectively
Providing desired outcome
NIST SP 800-54
Border Gateway Protocol Security
NIST SP 800-59
Guideline for Identifying an Information System as a National Security System (NSS)
NIST SP 800-60
Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes)
Volume 1: Guide
Provides guidance for agencies to consistently map
impact levels to information types and sensitivities
Applicable to all Federal AIS other than NSS
Information types are based on OMB Federal
Enterprise Architecture PMO Consolidated
Reference Model, Version 2.3 (2007)
Volume 2: Appendices
Contains Appendices, References, Provisional
impact Assignment levels, Legislative sources, and
Rationale
NIST SP 800-61
Computer Security Incident Handling Guide
NIST SP 800-63
Electronic Authentication Guideline
NIST SP 800-64
Security Considerations in the System Development Life Cycle (SDLC)
NIST SP 800-66
An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP 800-70 REV 1
National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
NIST SP 800-88
Guidelines for Media Sanitization
NIST SP 800-92
Guide to Computer Security Log Management
NIST SP 800-94
Guide to Intrusion Detection and Prevention Systems (IDPS)
NIST SP 800-100
Information Security Handbook: A Guide for Managers
NIST SP 800-115
Technical Guide to Information Security Testing and Assessment
NIST SP 800-117
Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
NIST SP 800-122
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST SP 800-126 REV 2
The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
NIST SP 800-128 (DRAFT)
DRAFT Guide for Security Configuration Management of Information Systems
NIST SP 800-137 (DRAFT)
DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations
NIST SP 800-55 REV 1
Performance Measurement Guide for Information Security
NIST SP 800-45 V2
Guidelines on Electronic Mail Security
FIPS 199
Standards for Security Categorization of Federal Information and Information Systems
Establishes standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels and potential impacts using this general formula:
AIS Impact levels (using a H, M, L scale):
SC (AIS) = {(Conf,impact),(Integ,impact)(Avail,impact)
Result is system high, Moderate or Low.
Using NIST 800-53 provides system Control Baseline
What are the FIPS 199 impact levels?
Low
Moderate
High
What document(s) is/are used to categorize systems for FISMA?
FIPS 199
What document(s) is/are used to provide mapping guidelines recommending the types of information and information systems to be included in each category described in FIPS 199?
NIST SP 800-60
What document(s) is/are used to develop minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each category?
NISP SP 800-53 and FIPS 200
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems
Specifies minimum security requirements in 17
areas that are to be met using controls outlined in
SP800-53. These are mandatory.
No provision for waivers is made.
Complements FIPS 199
What document(s) is/are used to define how C&A is performed under FISMA?
NIST SP 800-37 & NIST SP 800-53A
What NIST publications support FISMA?
~ FIPS 140: Crypto module requirements
~ FIPS 197: AES
~ FIPS 199: System Categorization
~ FIPS 200: Minimum Security Requirements
FIPS 201
~ SP 800-37: C&A
~ SP 800-53: Minimum Controls
~ SP 800-53A: Verification Procedures
~ SP 800-60: Mapping Guidance
FIPS 46
DES is permitted on legacy AIS only – and thus is
still relevant to the ISSEP
FIPS 81
Triple DES is a FIPS approved algorithm of choice.
Encourages transition to TDES as rapidly as prudent strategy and budgets permit
FIPS 140
Establishes requirements that must be met by
modules to be used or considered for use in SBU
systems, including voice systems.
Describes a hierarchical system of increasing levels;
Has a waiver procedure that allows relief in the
event that a) adverse mission impact or b) financial
impact
What are the hierarchy levels of FIPS 140?
1: lowest, executable on a general purpose system;
2: Includes 1, adds tamper-evidence features, AIS is EAL2 & up
3: Includes 2, adds mechanisms to prevent Rev-eng, and requires identity-based authentication; EAL3 and up
4: Includes 3, adds environmental protections (temp, voltage); EAL4 and higher
FIPS 197
Specifies that AES is a FIPS approved algorithm of choice.
For use on SBU, but not classified information and AIS.
Has a waiver procedure that allows relief in the event that a) adverse mission impact or b) financial impact
[For classified and financial data must use Type 1 crypto (AES 256 or better)
FIPS 199 low impact characteristics?
limited adverse effect
FIPS 199 moderate impact characteristics?
serious adverse effect
FIPS 199 high impact characteristics?
sever or catastrophic adverse effect; threat to human life, or result in loss of major assets
What key components are considered with each level of impact in FIPS 199?
Mission
Financial impact
Asset impact
Personnel security
What are options are available to manage risk?
~ Risk Assumption
~ Risk Avoidance
~ Risk Limitation
~ Research and Development
~ Risk Transference
NIST SP 800-37
Guidelines for the Security C & A of Federal Information Systems (2004)
~ Issued by NIST under the authority of FISMA-
2002, and is consistent with OMB A-130.
~ Establishes guidelines (including tasks and
subtasks) to certify and accredit information
systems supporting the executive branch of the
federal government
~ Applicable to non-national security information
systems as defined in the FISMA of 2002
~ Replaces FIPS Publication 102 (withdrawn 2005)
What are the SP 800-53 control classes?
Management security controls (aka Administrative)
-Policy, standards, baselines, guidelines, procedures
Technical security controls (aka Logical)
~ Hardware, software, firmware components and devices
-Often provides basic support enabling other controls to function correctly
Operational controls (aka Physical)
~ Include leading industry practices and procedural guidance
What are the types of controls in each class of 800-53 controls?
Preventive
Detective
Corrective
Compensating
Deterrent
Supplemental
What are the primary types of 800-53 controls?
Preventive
Detective
Corrective
What are the secondary types of 800-53 controls?
Compensating
Deterrent
Supplemental
What are the 800-53 Management Controls?
Security Assessment and Authorization (CA)
Planning (PL)
Risk Assessment (RA)
System and Services Acquisition (SA)
Program Management (PM)
What are the 800-53 Operational Controls?
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Personnel Security (PS)
System and Information Integrity (SI)
What are the 800-53 Technical Controls?
Access Control (AC)
Audit and Accountability (AU)
Identification and Authentication (IA)
System and Communications Protection (SC)
What is the Common Criteria?
The CC is a collection of generic security requirements
(statements) to aid in the specification of product or
system security attributes (Functional and Assurance)
Common Criteria (CC) approach offers:
~ Security focus to individual network components
~ Software Applications
CC Evaluated Products (EAL/EPL)
~ Evaluate Security Posture
~ Isolate Product by Defining Interface Boundary
What is the consumers role in Common Criteria?
Support procurement of evaluated products
What is the Developers/Integrators role in Common Criteria?
Support development to meet requirements
What is the evaluators role in Common Criteria?
Use the CC as a basis for evaluation of products
What is the Auditor/Certifier/Accreditors role in Common Criteria?
to support specific needs for security specifications
What is Common Criteria derived from?
ISO/IEC 15408
Rainbow series was too rigid and did not take many
things into account and expensive evaluations
ITSEC provided more flexibility, but added more
complexity with its attempts
Made up from:
~ TCSEC
~ ITSEC
~ Canadian Trusted Computer Product Evaluation Criteria
(CTCPEC)
~ Federal Criteria from US, UK, Germany, France, Canada
What are the Common Criteria evaluation ratings?
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed, and tested
EAL 7: Formally verified, designed, and tested
What are the components of the Common Criteria?
Protection Profile
~ Description of needed security solution
Target of Evaluation
~ Product proposed to provide needed security solution
Security Target
~ Written by vendor explaining security functionality and
assurance mechanisms that meet the needed security
solution
Packages – Evaluation Assurance Levels (EAL)
~ Security requirements are bundled into packages for re-use
~ Reqs to be met to achieve specific EAL ratings
What are the sets of requirements used in Common Criteria?
Security functional requirements (performance)
Security assurance requirements (pedigree)
What areas comprise the security functional requirements of the Common Criteria?
~ Identification and authentication
~ Audit
~ Resource utilization
~ Trusted paths/channels
~ User data protection
~ Security management
~ TOE access
~ Communications
~ Privacy
~ Protection of the TOE security functions
~ Cryptographic support
What areas comprise the security assurance requirements of the Common Criteria?
~ Guidance documents and manuals
~ Configuration management
~ Vulnerability assessment
~ Delivery and operation
~ Life cycle support
~ Assurance maintenance
~ Development
~ Testing
What are the steps of the Common Criteria methodology?
1. Evaluate the conditions between the evaluated
product and the present situation.
2. Evaluate the differences of the conditions for
regression and/or independent testing.
3. Determine if additional security requirements are
required for the present situation.
4. Analyze the security impact of the interfaces.
5. Performed the testing and/or analysis.
There are 5 steps
What is the intended scope/application of the Common Criteria?
A paradigm used to specify security properties
of IT products and systems that address
~ unauthorized disclosure (confidentiality, privacy)
~ unauthorized modification (integrity)
~ loss of use (availability)
The basis for comparison of the results of
independent evaluations
Applicable to IT security functions implemented
by hardware, software, and firmware
How do consumers use the Common Criteria?
They need to document user requirements in the protection profile
~ Part I: structure for PP
~ Part II & III: guidance for formulating and determining reqs
How do developers use the Common Criteria?
They need to develop security equipments into products
~ Part I: development and formulating reqs
~ Part II & III: interpreting requirements -> commonality
How do evaluators use the Common Criteria?
They need to prepare the ST for testing
~ Part I: structure for PPs and STs
~ Part II & III: mandatory statement of eval criteria
What are the documents that make up the Common Criteria?
Part 1 ~ Intro and General Model
Part 2 ~ Security Functional Reqs
Part 3 ~ Security Assurance Reqs
How is Part 1 of the Common Criteria organized?
Scope, Glossary, Overview
Security Context & CC Approach
Security Concepts, Environment & Objectives
Evaluation Results
Appendix A: History
Appendix B: Specification of Protection Profiles (PPs)
Appendix C: Specification of Security Targets (STs)
What is a Protection Profile?
~ Answers the question:
“What do I need in a security solution?”
~ Implementation independent for a class of
products or systems
~ Protection Profile authors:
anyone who wants to state IT security needs (e.g.,
commercial consumer, consumer groups)
anyone who supplies products which support IT
security needs…..anyone.
PP makes a statement of implementation
independent security needs
~ a generic OS with DAC, Audit, and I&A
What is a Security Target?
~ Answers the question:
“What does a developer provide in a security
solution?”
~ Implementation dependent and version specific
~ Security Target authors:
~ Product vendors, developers, integrators
Knowledge of implementation details required
ST defines the implementation dependent
capabilities of a specific product, e.g.
– Microsoft NT 4.0.0.2 (TOE)
– Sun OS 4.7.4 (TOE)
What is the Common Criteria security environment?
Security Environment defined with consideration
to the:
~ Purpose and function of the TOE
~ Environment in which the TOE operates (IT &
Non-IT)
–IT Environment
– Security services or capabilities provided by IT
systems or products that are not part of the TOE
–Non-IT Environment
– Security implemented by personnel
~ Assets to be protected
Assumptions
~ The security aspects of the environment in which the
TOE will be used or is intended to be used.
Threats
~ The ability to exploit a vulnerability by a threat agent.
Organizational Security Policies (OSPs)
~ A set of rules, procedures, practices, or guidelines
imposed by an organization upon its operations.
What is the Common Criteria security objectives?
Objectives establish the basis for the selection of
security requirements (functional & assurance)
Objective are completely based upon the
statement of the Security Environment
Objectives
~ Support Assumptions
~ Counter Threats (eliminate, minimize, monitor)
~ Enforce OSPs
Objectives are the “focal point” of the PP/ST
What are Common Criteria security functional requirements?
Levied upon functions of the TOE that
support IT security; their behavior can
generally be observed
Name the Common Criteria security functional requirements classes
~ Security Audit (FAU)
~ Communication (FCO)
~ Cryptographic Support (FCS)
~ User Data Protection (FDP)
~ Identification & Authentication (FIA)
~ Security Management (FMT)
~ Privacy (FPR)
~ Protection of the TOE Security Functions (FPT)
~ Resource Utilization (FRU)
~ TOE Access (FTA)
~ Trusted Path/Channels (FTP)
How are Common Criteria security functional requirements organized?
Class
Family
Component
Element
FIA_UID.1.1 (class_famly.component.element)
What are the types of Common Criteria component relationships?
~ Dependency relationship ~ other component support
(functional & assurance)
~ Hierarchy relationship ~ between components within a
class
What are the types of Common Criteria operations on functional components?
~ Assignment ~ “fill in the blank”
~ Selection ~ “select from a list”
~ Iteration ~ “repetitive use”
~ Refinement ~ “tailor/modify”
What is the Common Criteria definition of assurance?
Grounds for confidence that an IT
product or system meets its
security objectives.
According to Common Criteria, why do we care about assurance?
Vulnerabilities arising from …
Requirements
~ Insufficient or ineffective requirements
Construction
~ Incorrect design decisions
~ Errors in implementation
Operation
~ Inadequate controls
Name the Common Criteria security assurance requirements classes
TOE Assurance:
Configuration Mgt (ACM)
Delivery and Operation (ADO)
Development Docs (ADV)
Guidance Documents (AGD)
Life-Cycle Support (ALC)
Testing (ATE)
Vulnerability Assessment (AVA)
Maintenance of Assurance (AMA)
Specs Assurance:
Protection Profile Eval (APE)
Security Target Eval (ASE)
How are Common Criteria security assurance requirements organized?
Class
Family
Component
Element
Element Identifier
ADV_LLD.3.1(D,C,E) (class_famly.component.element(element id))
What are the Common Criteria assurance packages?
Basic Assurance Level ~ EAL 1 & 2
~ Limited vendor involvement
~ Functional & independent testing
Medium Assurance Level ~ EAL 3 & 4
~ Development environment controls
~ High-level design documentation
High Assurance Level ~ EAL 5, 6, & 7
~ Additional CM requirements
~ Analysis based on entire TSF implementation
~ Covert channel analysis
~ Modular and layered TOE design
~ Automated CM
~ Formal methods of functional specification & high-level design
What NIST publication is characterized by 8 principles and 14 practices?
NISP SP 800-14, Generally accepted Principles and Practices for Securing Information Technology Systems (GASSP)
Name the principles of the 800-14
1 Computer Security Supports the Mission of the Organization
2 Computer Security is an Integral Element of Sound Management
3 Computer Security Should Be Cost-Effective
4 Systems Owners Have Security Responsibilities Outside Their Own Organizations
5 Computer Security Responsibilities and Accountability Should Be Made Explicit
6 Computer Security Requires a Comprehensive and Integrated Approach
7 Computer Security Should Be Periodically Reassessed
8 Computer Security is Constrained by Societal Factors
Review pages 669-670 of the ISC2 ISSEP book
Name the first 7 practices of the 800-14
1. Have policies to enforce compliance with
organizational security practices
2. Managing computer security at multiple levels
administered by central oversight
3. Manage organizational risks by assessing
threats and taking steps to reduce their effects
4. Manage security by planning a system’s life
cycle
5. Implement security practices to manage
personnel
6. Prepare for contingencies and disasters
7. Deploy a security incident response system
Name the last 7 practices of the 800-14
8. Perform security awareness training
9. Apply security principles to all operational
aspects of the organization
10. Implement physical and environmental security
11.Enforce effective user identification and
authentication
12.Control logical access to systems
13.Maintain audit trails
14. Implement cryptography to protect sensitive data
Review pages 671 - 673 of the ISC2 ISSEP
What are the phases of the NIST 800-37 C&A process?
Initiation
Security Certification
Security Accreditation
Continuous Monitoring
What are the key roles of the NIST 800-37?
~ Authorizing Official
~ Authorizing Official Designated Representative
~ Senior Agency Information Security Officer
~ Information System Owner
~ Information System Security Officer
~ Certification Agent
~ User Representative
According to NIST 800-37, what is role of the authorizing official?
~ Reviews and approves the security plan for the
information system
~ Determines residual risk to agency operations or assets
based on information generated during the security
certification
~ Makes security accreditation decisions and signs
associated transmittal letter for accreditation package
(authorizing official only) [GOVT ONLY!!!]
~ Reviews security status reports from continuous
monitoring operations
~ Initiates security reaccreditation actions
According to NIST 800-37, what is role of the Senior Agency Information Security Officer?
~ Carrying out the Chief Information Officer responsibilities
under FISMA.
~ Possessing professional qualifications, including training and
experience, required to administer the information security
program functions;
~ Primary duty Information System Security.
~ Heading an office with the mission & resources.
~ Serve as the authorizing official's designated representative.
~ Serves as the CIO’s primary liaison to the agency’s
authorizing officials, information system owners, and
information system security officers.
According to NIST 800-37, what is role of the Information System Owner?
~ Represents the interests of the user community
~ Prepares security plan and conducts risk assessment
~ Informs agency officials of the need for security certification
and accreditation of the information system; ensures
appropriate resources are available
~ Provides the necessary system-related documentation to the
certification agent
~ Prepares plan of action (and milestones) to reduce or
eliminate vulnerabilities in the information system
~ Assembles final security certification package; submits to
authorizing official
According to NIST 800-37, what is role of the Information System Security Officer?
~ Serves as principal staff advisor to the system owner
on all matters involving the security of the information
system
~ Manages the security aspects of the information
system and, in some cases, oversees the day-to-day
security operations of the system
~ Assists the system owner in:
– Developing and enforcing security policies for the information
system
– Assembling the security certification package
– Managing and controlling changes to the information system
and assessing the security impacts of those changes
According to NIST 800-37, what is role of the Certification Agent?
~ Provides an independent assessment of the
security plan
~ Evaluates the security controls in the
information system to determine:
– The effectiveness of those controls in a particular
environment of operation
– The vulnerabilities in the system after the
implementation of such controls
~ Provides recommended corrective actions to
reduce or eliminate vulnerabilities in the
information system
According to NIST 800-37, what is role of the User Representative?
~ Represents the operational interests and
mission needs of the user community
~ Identifies mission and operational
requirements
~ Serves as the liaison for user community
throughout the life cycle of the information
system
~ Assists in the security certification and
accreditation process, when needed
What are the tasks of the 800-37?
Task 1: Preparation
Task 2: Notification and Resource Identification
Task 3: System Security Plan Analysis, Update, and Acceptance
Task 4: Security Control Assessment
Task 5: Security Certification Documentation
Task 6: Security Accreditation Decision
Task 7: Security Accreditation Documentation
Task 8: Configuration Management and Control
Task 9: Security Control Monitoring
Task 10: Status Reporting and Documentation
What tasks are associated with the Initiation Phase of the 800-37?
Task 1: Preparation
Task 2: Notification and Resource Identification
Task 3: System Security Plan Analysis, Update, and Acceptance
What tasks are associated with the Security Certification Phase of the 800-37?
Task 4: Security Control Assessment
Task 5: Security Certification Documentation
What tasks are associated with the Security Accreditation Phase of the 800-37?
Task 6: Security Accreditation Decision
Task 7: Security Accreditation Documentation
What tasks are associated with the Continuous Monitoring Phase of the 800-37?
Task 8: Configuration Management and Control
Task 9: Security Control Monitoring
Task 10: Status Reporting and Documentation
What are the subtasks of Task 1 of the 800-37?
Subtask 1.1: Information System Description
Subtask 1.2: Security Categorization
Subtask 1.3: Threat Identification
Subtask 1.4: Vulnerability Identification
Subtask 1.5: Security Control Identification
Subtask 1.6: Initial Risk Determination
List the responsible role, reference and output of 800-37 subtask 1.1
Information System Owner, 800-18 + 800-59, first section of the SSP
List the responsible role, reference and output of 800-37 subtask 1.2
Information System Owner, FIPS 199 + 800-60, security categorization report
List the responsible role, reference and output of 800-37 subtask 1.3
Information System Owner, 800-30 + 800-60, threat section of RAR
List the responsible role, reference and output of 800-37 subtask 1.4
Information System Owner, 800-30 + 800-60, vulnerability section of the RAR
List the responsible role, reference and output of 800-37 subtask 1.5
Information System Owner, FIPS 200 + 800-53, second section of the SSP
List the responsible role, reference and output of 800-37 subtask 1.6
Information System Owner, 800-30, RAR
What are the subtasks of Task 2 of the 800-37?
Subtask 2.1: Notification
Subtask 2.2: Planning and Resources
List the responsible role, reference and output of 800-37 subtask 2.1
Information System Owner, 800-37, SSP
List the responsible role, reference and output of 800-37 subtask 2.2
Authorizing Official
SAISO/CISO
Information System Owner
Certification Agent, 800-37, Approved SSP
What are the subtasks of Task 3 of the 800-37?
Subtask 3.1: Security Categorization Review
Subtask 3.2: System Security Plan Analysis
Subtask 3.3: System Security Plan Update
Subtask 3.4: System Security Plan Acceptance
List the responsible role, reference and output of 800-37 subtask 3.1
Authorizing Official
SAISP/CISO
Certification Agent, 800-60, Approved SecCat
List the responsible role, reference and output of 800-37 subtask 3.2
Authorizing Official
SAISP/CISO
Certification Agent, 800-18, Draft SSP
List the responsible role, reference and output of subtask 3.3
Information System Owner, 800-18, Final SSP
List the responsible role, reference and output of 800-37 subtask 3.4
Authorizing Official
SAISP/CISO, 800-37, Approved SSP
What are the subtasks of Task 4 of the 800-37?
Subtask 4.1: Documentation and Supporting Materials
Subtask 4.2: Methods and Procedures
Subtask 4.3: Security Assessment
Subtask 4.4: Security Assessment Report
List the responsible role, reference and output of 800-37 subtask 4.1
Information System Owner
Certification Agent, 800-37, ST&E
List the responsible role, reference and output of 800-37 subtask 4.2
Certification Agent, 800-53A, ST&E
List the responsible role, reference and output of 800-37 subtask 4.3
Certification Agent, 800-53A + 800-30, vulnerability assessment report
List the responsible role, reference and output of 800-37 subtask 4.4
Certification Agent, 800-53A, SAR
What are the subtasks of Task 5 of the 800-37?
Subtask 5.1: Findings and Recommendations
Subtask 5.2: System Security Plan Update
Subtask 5.3: Plan of Action and Milestones Preparation
Subtask 5.4: Accreditation Package Assembly
List the responsible role, reference and output of 800-37 subtask 5.1
Certification Agent, 800-53A, SAR
List the responsible role, reference and output of 800-37 subtask 5.2
Information System Owner, 800-18, SSP
List the responsible role, reference and output of 800-37 subtask 5.3
Information System Owner, OMB M02-01, POA&M
List the responsible role, reference and output of 800-37 subtask 5.4
Information System Owner, 800-37 + OMB M02-01, SAR + SSP + POA&M
What are the subtasks of Task 6 of the 800-37?
Subtask 6.1: Final Risk Determination
Subtask 6.2: Risk Acceptability
List the responsible role, reference and output of 800-37 subtask 6.1
Authorizing Official, 800-37, Questions
List the responsible role, reference and output of 800-37 subtask 6.2
Authorizing Official, 800-37, AO ATO Decision Letter
What are the subtasks of Task 7 of the 800-37?
Subtask 7.1: Security Accreditation Package Transmission
Subtask 7.2: System Security Plan Update
List the responsible role, reference and output of 800-37 subtask 7.1
Authorizing Official, 800-37, Security Accreditation Package
List the responsible role, reference and output of 800-37 subtask 7.2
Information System Owner, 800-37, Updated SSP and POA&M
What are the subtasks of Task 8 of the 800-37?
Subtask 8.1: Documentation of Information System Changes
Subtask 8.2: Security Impact Analysis
List the responsible role, reference and output of 800-37 subtask 8.1
Information System Owner, 800-37, Change requests
List the responsible role, reference and output of 800-37 subtask 8.2
Information System Owner, 800-30, Change approvals
What are the subtasks of Task 9 of the 800-37?
Subtask 9.1: Security Control Selection
Subtask 9.2: Selected Security Control Assessment
List the responsible role, reference and output of 800-37 subtask 9.1
Information System Owner, 800-53A, Continuous monitoring plan
List the responsible role, reference and output of 800-37 subtask 9.2
Information System Owner, 800-53A, Continuous monitoring reports
What are the subtasks of Task 10 of the 800-37?
Subtask 10.1: System Security Plan Update
Subtask 10.2: Plan of Action and Milestones Update
Subtask 10.3: Status Reporting
List the responsible role, reference and output of 800-37 subtask 10.1
Information System Owner, 800-18 + 800-37, Updated SSP
List the responsible role, reference and output of 800-37 subtask 10.2
Information System Owner, OMB M02-01, Updated POA&M
List the responsible role, reference and output of 800-37 subtask 10.3
Information System Owner, 800-37, System security status report to AO
According to the IATF, how is IA implemented in the system life cycle?
System Life Cycle is a process by which systems are
developed, from pre-concept to deployment and disposal
IA objectives are to achieve levels of confidentiality, integrity
and availability commensurate with the type and value of
data, mission requirements, support organization, etc.
The processes:
~ Generally Accepted System Security Principles (GASSP)
~ Security in the System Life Cycle (SLC)
~ Common IT Security Practices
~ NIST Engineering Principles
~ ISSE, CMM, and IATF
List the first 7 NIST Engineering Principles
1. Establish a sound security policy as the
“foundation” for design
2. Treat security as an integral part of the overall
design
3. Clearly delineate the physical and logical security
boundaries governed by associated security
policies
4. Reduce risk to an acceptable level
5. Assume that external systems are insecure
6. Identify potential trade-offs between reducing risk
and increased costs and decrease in other aspects
of operational effectiveness
7. Ensure no single point of vulnerability
List NIST engineering principles 8 -14
8. Implement tailored system security measures to
meet organizational security goals
9. Strive for simplicity
10.Design and operate an IT system to limit
vulnerability and to be resilient in response
11.Minimize the system elements to be trusted
12.Implement security through a combination of
measures distributed physically and logically
13.Provide assurance that the system is, and
continues to be, resilient in the face of expected
threats
14.Limit or contain vulnerabilities
List NIST engineering principles 15-20
15.Formulate security measures to address multiple
overlapping information domains
16.Isolate public access systems from mission
critical resources
17.Use boundary mechanisms to separate
computing systems and network infrastructures
18.Where possible, base security on open
standards for portability and interoperability
19.Use common language in developing security
requirements
20.Design and implement audit mechanisms to
detect authorized use and to support incident
investigations
List NIST engineering principles 21-27
21.Design security to allow for regular adoption of
new technology, including a secure and logical
technology upgrade process
22.Authenticate users and processes to ensure
appropriate access control decisions both within
and across domains
23.Use unique identities to ensure accountability
24.Implement least privilege
25.Do not implement unnecessary security
mechanisms
26.Protect data during all the transaction’s phases
27.Strive for operational ease of use
List NIST engineering principles 28-33
28.Develop and exercise contingency or disaster
recovery procedures to ensure appropriate
availability
29.Consider custom products to achieve adequate
security
30.Ensure security in the shutdown or disposal of a
system
31.Protect against all likely classes of “attacks”
32.Identify and prevent common errors and
vulnerabilities
33.Ensure that developers are trained to develop
secure software
Name the 3 IATF key principles
1 Always keep Problem and Solution spaces
separate.
~ Problem Space: desired end-product functionality
~ Solution Space: how that functionality will be provided
2 Customer’s mission/business needs defines
Problem.
~ Includes mission, compliance requirements, constraints...
~ Takes into account threats, risks, operational efficiencies...
3 SE and SSE collaborate to define the Solution,
which is driven by the Problem space.
~ Must satisfy operational as well as security requirements
~ Must include trade-offs and flexibility to assure mission
success
What are the DODAF architecture views?
All view (AV)
Operational view (OV)
Systems view (SV)
Technical view (TV)
What does the DODAF OV convey?
Information flows
Indentifies what needs to be accomplished and who does it
What does the DODAF SV convey?
systems and interconnections
Relates systems and characteristics to operational needs
What does the DODAF TV convey?
rules governing the arrangements, interactions and interdependence of system parts or elements
Prescribes standards and conventions
What are the 6 fundamental steps DODAF calls for when building and architecture?
1 - Determine the intended use of the architecture
2 - Determine scope of architecture
3 - Determine characteristics to be captured
4 - Determine views and products to be built
5 - Gather data and build the requisite products
6 - Use architecture for intended purpose
What is the ISSE process definition?
Discovering users’ requirements and designing systems
that meet the requirements effectively and securely
What are the 6 elements of the systems engineering process?
Discover Needs
Refine Requirements
Design Architecture
Detailed Design
Implement System
Assess Effectiveness
What are the 6 elements of the systems security engineering process?
Discover system protection needs
Define system security requirements
Design system security architecture
Develop detailed security design
Implement system security
Assess system security effectiveness
What is the Information Assurance Technology Framework?
Provides an integrated process (involving technical
and non-technical aspects) for developing and
deploying IT systems with intrinsic and appropriate
security measures in order to meet the organization’s
mission.
It defines the requirements for the TCB hardware,
software, and firmware, and applies the processes to
achieve a layered protection architectural strategy
known as “Defense in Depth”, to defend the:
~ Computing Environment
~ Enclave Boundary
~ Network and Infrastructure
~ Supporting Infrastructures
What 3 areas does the IATF technical process focus on?
~ People - those authorized to perform to work
~ Technology – the tools and technologies used
~ Operations – the processes and activities
What is the goal of IATF?
“Defense in Depth” implementation
What are the principles of defense in depth?
Defense in multiple places: to protect against internal and
external threats
Layered defenses: to ensure adversaries must negotiate
multiple impediments to gain access and achieve attack
goals
Security robustness: the assurance and relative strength
of the security component against anticipated threats
Deploy KMI/PKI: deployment of robust key management
infrastructures and PKI technologies
Deploy intrusion detection systems: use of IDS and
similar technologies to detect intrusions, evaluate information
and results, and take or support taking action.
What is the technology goal of defense in depth?
Appropriate tools and technologies must be
acquired and applied prudently to achieve program
goals:
~ Security policy and principles
~ IA architectures and standards
~ IA Architecture framework areas
~ Specification criteria for product selection
~ IA criteria (security, interoperability, and PKI)
~ Acquisition and integration of evaluated products
~ System risk assessments
What are the focus areas of defense in depth?
Defend the computing environment
~ Clients, servers, applications, and other AIS
components
Defend the enclave boundaries
~ A collection of AIS under single authority/policy
~ Assume highest mission assurance category
Defend the networks & infrastructure
~ Networks and support systems providing
interconnection between locations or enclaves
Defend the supporting infrastructures
~ Defense with KMI/PKI with detect-response capability
(IDS/IPS/IDP)
What does defense in depth seek to protect?
~ People
~ Technology
~ Operations
What must management commit to for defense in depth to work?
Management must demonstrate its commitment
to achieving success in IA programs through
~ Policies and procedures
~ Roles and Responsibilities
~ Commitment of resources
~ Training and awareness
~ Physical security and countermeasures
~ Personnel security programs and controls
~ Personal accountability
~ Sanctions and penalties
What must be performed to make defense in depth work for operations?
The activities required to perform and maintain the
effective security posture are daily, and include
~ Visible and enforced current security policy
~ Certification and accreditation
~ Readiness assessments
~ Security assessments
~ Infrastructure protection
~ Security management
~ Key management
~ Monitoring and reacting to threats
~ Attack sensing and warning response
~ Recovery and reconstitution
What is the general approach to defense in depth?
~ Conduct risk assessments.
~ Deploy cost-effective, risk-based security.
~ Use commercial off-the-shelf (COTS) products.
~ Education, training, and awareness.
~ Continuous monitoring.
~ Employ multiple means of threat mitigation.
~ Implement a robust IA posture to cope with the
unexpected.
~ Only trustworthy personnel have access.
~ Have effective incident response plan.
What is a countermeasure?
A targeted control [response] to a single threat
What are the 3 categories of information according to IATF?
Public
Private
Classified
What is the IATF definition of an information system?
An “Information System”:
~ Also referred to as: Automated Information System
(AIS), Information Technology System
~ “Any equipment or interconnected system or subsystem
of equipment that is used in the automatic acquisition,
storage, manipulation, management, movement,
control, display, switching, interchange, transmission or
reception of data and includes computer software,
firmware, and hardware.”
What is the IATF definition of a security engineer?
“A Security Engineer, through engineering
discipline and process, helps build
dependable systems in the face of malice,
error, or mischance.”
“As a discipline, it focuses on tools,
processes, and methods needed to design,
implement, and test complete systems, and to
adapt existing systems as their environment
evolves.”
What is the IATF definition of a threat?
The likelihood that the impact of an unwanted
incident will be realized
What is the IATF definition of a vulnerability?
An inherent or intrinsic flaw or weakness in a
system, its subsets, or components (hardware,
software, or firmware) that can be exploited by a
threat
What is the IATF definition of impact?
An adverse operational impairment or loss caused by the
materialization of a threat
What is the IATF definition of risk?
The quantification of a) probability that a threat will
materialize and cause impact, or b) the estimate of
potential financial loss (exposure) an organizational unit
might experience in a scenario
What is the IATF definition of trust?
~ All protection mechanisms work cohesively to process
sensitive data for all authorized users and maintain the
required level of protection
~ Consistent enforcement of policy through all states
What is the IATF definition of assurance?
~ Degree of confidence that the system will act in a
correct and predictable manner in all possible
computing situations
~ Known inputs produce expected results through all
states
What is the engineering definition of a system?
a combination of elements designed to
function as a unit to perform a function
What is the engineering definition of a structure?
formulation of systems or processes
to perform a function or achieve an objective
What is the engineering definition of a function?
a description of work that a system
must perform to meet customer requirements
What is the engineering definition of a purpose?
knowledge used to perform a function
Study slide 199
Study slide 199
Study slide 200
Study slide 200
What is the equation for an instance of risk?
instance = threat x vulnerability x impact
What are the parts of the NSTISSI-4009 Risk Management Cycle?
~ Identify and value assets in context
~ Assess the risk/threat environment
~ Develop Risk Management Plan
~ Implement Risk Management Actions
~ Monitor to ensure continued correct
performance and operation
~ Periodically re-evaluate the risk
environment and act as required
What are the risk management actions of Phase 1 of the SLC?
Phase 1 (Initiation) – Identified risks are used to support the
development of the system requirements, including
security requirements, and a security concept of operations
(strategy)
What are the risk management actions of Phase 2 of the SLC?
Phase 2 (Development/Acquisition) – The risks identified
during this phase can be used to support the security
analyses of the IT system that may lead to architecture and
design tradeoffs during system development
What are the risk management actions of Phase 3 of the SLC?
Phase 3 (Implementation) – The risk management process
supports the assessment of the system implementation
against its requirements and within its modeled operational
environment. Decisions regarding risks identified must be
made prior to system operation
What are the risk management actions of Phase 4 of the SLC?
Phase 4 (Operation/Maintenance) – Risk management
activities are performed for periodic system
reauthorization (or reaccreditation) or whenever major
changes are made to an IT system in its operational,
production environment (i.e., new system interfaces)
What are the risk management actions of Phase 5 of the SLC?
Phase 5 (Disposal) – Risk management activities are
performed for system components that will be disposed of
or replaced to ensure that the hardware and software are
properly disposed of, that residual data is appropriately
handled, and that system migration is conducted in a
secure and systematic manner
What are the inputs to step 1 of the SP 800-30 Risk Assessment Activities?
~ Hardware
~ Software
~ Systems interfaces
~ Data and information
~ People
~ Systems mission
What are the inputs to step 2 of the SP 800-30 Risk Assessment Activities?
~ History of system attack
~ Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
What are the inputs to step 3 of the SP 800-30 Risk Assessment Activities?
~ Reports from prior risk assessments
~ Any audit comments
~ Security requirements
~ Security test results
What are the inputs to step 4 of the SP 800-30 Risk Assessment Activities?
~ Current controls
~ Planned controls
What are the inputs to step 5 of the SP 800-30 Risk Assessment Activities?
~ Threat-source motivation
~ Threat capacity
~ Nature of vulnerability
~ Current controls
What are the inputs to step 6 of the SP 800-30 Risk Assessment Activities?
~ Mission impact analysis
~ Asset criticality assessment
~ Data criticality
~ Data Sensitivity
What are the inputs to step 7 of the SP 800-30 Risk Assessment Activities?
~ Likelihood of threat exploitation
~ Magnitude of impact
~Adequacy of planned or current controls
What are the outputs to step 1 of the SP 800-30 Risk Assessment Activities?
~ System boundary
~ System functions
~ System and data criticality
~ System and data sensitivity
What are the outputs to step 2 of the SP 800-30 Risk Assessment Activities?
~ Threat statement
What are the outputs to step 3 of the SP 800-30 Risk Assessment Activities?
~ List of potential vulnerabilities
What are the outputs to step 4 of the SP 800-30 Risk Assessment Activities?
~ List of current and planned controls
What are the outputs to step 5 of the SP 800-30 Risk Assessment Activities?
Likelihood rating
What are the outputs to step 6 of the SP 800-30 Risk Assessment Activities?
Impact rating
What are the outputs to step 7 of the SP 800-30 Risk Assessment Activities?
Risks and associated risk levels
What are the outputs to step 8 of the SP 800-30 Risk Assessment Activities?
Recommended controls
What are the outputs to step 9 of the SP 800-30 Risk Assessment Activities?
Risk Assessment Report
What is the DoD 500.2-R definition of Systems Engineering?
The systems engineering process shall:
~ Transform approved operational requirements into an
integrated system design solution through concurrent
consideration of all life-cycle needs
~ Ensure the integration of all operational, functional, and
physical interfaces, and that system definition and
design reflect the requirements for all system elements
~ Characterize and manage technical risks
~ Apply engineering principles to identify security
vulnerabilities and contain information assurance as
well as enforce protection risks associated with these
vulnerabilities
What is security engineering?
It is the application of traditional
systems engineering processes to the specific
problems and issues regarding assurance and
security of systems and information.
What are the goals of security engineering?
~ Understand Security Risks
~ Establish Security Needs
~ Develop Security Guidance
~ Determine Acceptable Risks
~ Establish Assurance
Who practices security engineering?
~ Developers
~ Product vendors
~ Integrators
~ Buyers
~ Security evaluation organizations
~ System administrators
~ Consulting/service organizations
When is security engineering practiced?
throughout all phases of the SDLC
What activities should be included/considered in security engineering?
Operations Security
Information Security
Network Security
Physical Security
Personnel Security
Administrative Security
Communications Security
Emanations Security
Computer Security
What are the system lifecycle phases of IEEE-1220?
1. Development: the initial phases of planning and executing system
definition tasks required to meet the evolving customer need
2. Manufacturing: the activities necessary to produce models and
prototypes to demonstrate the planned design functionality
3. Test: performance validation of prototype or the pre-commission
version of the produced solution to measure customer satisfaction
4. Distribution: delivery and commissioning of the produced solution
in the planned operational environment(s)
5. Operations: the produced solution performing as
intended/expected
6. Support: sustaining maintenance of the produced solution
7. Training: all tasks, tools, and technologies employed to prepare
and sustain human knowledge and proficiency in the produced
solution
8. Disposal: the disposal, retirement, or recycling of the original
produced solution in a secure and environmental sound manner
What is the goal of activity 1 of the IATF ISSE process?
Discover Information Protection Needs
Ascertain why the system needs to be built – what
needs the system must fulfill.
What is the goal of activity 2 of the IATF ISSE process?
Define System Security Requirements
Define the system in terms of what the system
needs to be able to do.
What is the goal of activity 3 of the IATF ISSE process?
Define System Security Architecture
Use previously documented information to choose
the types of security components that will perform
specific security function. This process is the core
of designing the security architecture.
What is the goal of activity 4 of the IATF ISSE process?
Develop Detailed Security Design
Based on the security architecture, begin to design the system to
be able to do what it needs to.
What is the goal of activity 5 of the IATF ISSE process?
Implement System Security
Build/Implement the system so it does what it is
suppose to do.
What is the goal of activity 6 of the IATF ISSE process?
Assess Security Protection Effectiveness
Assess the degree to which the system, as it is
defined, designed, and implemented, meets the
needs. This assessment activity occurs during and
with all the other activities in the ISSE process.
What is the goal of activity 7 & 8 of the IATF ISSE process?
Plan and Manage Technical Effort
~ Planning the technical effort occurs throughout the
ISSE process.
~ ISSE must review each of the following areas to
scope support to the customer in conjunction with
the other activities.
~ Requires a unique skill set, and is likely to be
assigned to senior-level personnel.
List the tasks and subtasks of IATF ISSE Activity 1
Task - 01.1 Analyze organizations mission
Task - 01.2 Determine relationship and importance of information to mission
Task - 01.3 Identify legal and regulatory requirements
Task - 01.4 Identify classes of threats
Task - 01.5 Determine impacts
Task - 01.6 Identify security services
Task - 01.7 Document the information protection needs
Task - 01.8 Document security management roles and responsibilities
Task - 01.9 Identify design constraints
Task - 01.10 Assess information protection effectiveness
Subtask - 01.10.1 Provide/present documented information protection needs to the customer
Subtask - 01.10.2 Obtain concurrence from the customer in the information protection needs
Task - 01.11 Support system C&A
Subtask - 01.11.1 Identify DAA/Accreditor
Subtask - 01.11.2 Identify Cert Authority/Certifier
Subtask - 01.11.3 Identify C&A and acquisition processes to be applied
Subtask - 01.11.4 Ensure accreditors and certifiers concurrence in the information protection needs
List the tasks and subtasks of IATF ISSE Activity 7
Task - 07.1 Estimate the project scope
Task - 07.2 Identify resources and availability
Task - 07.3 Identify roles and responsibilities
Task - 07.4 Estimate project costs
Task - 07.5 Develop project schedule
Task - 07.6 Identify technical activities
Task - 07.7 Identify deliverables
Task - 07.8 Define management interfaces
Task - 07.9 Prepare technical management plan
Task - 07.10 Review project plan
Task - 07.11 Obtain customer agreement
List the tasks and subtasks of IATF ISSE Activity 8
Task - 08.1 Direct technical effort
Task - 08.2 Track project resources
Task - 08.3 Track technical parameters
Task - 08.4 Monitor progress of technical activities
Task - 08.5 Ensure quality of deliverables
Task - 08.6 Manage configuration elements
Task - 08.7 Review project performance
Task - 08.8 Report project status
What are the ISSE duties during Initiation?
The need for a system is expressed and the purpose
of the system is documented:
~ Discover information protection needs
~ Define system security requirements
~ Categorize/characterize the system (as intended in final
form)
~ Conduct a Sensitivity Assessment
~ Prepare a Security Plan (initial very general working plan)
~ Initiate Risk Assessment activities
All items are documented and become part of the
system history and build baseline documentation.
What tasks must the ISSE complete while Discovering Information Protection Needs?
~ Develop an understanding of the customer’s mission or
business
~ Help the customer determine what information
management is needed to support the mission or
business
~ Create a model of that information management, with
customer concurrence
~ Document the results as the basis for defining
information systems that will satisfy the customer’s
needs
What are the key documents/components produced when discovering information protection needs?
Business/Mission
~ Mission Needs Statement (MNS)
~ Concept of Operations (CONOPS)
Information Management Model (IMM)
~ Users or members
~ Rules, privileges, roles, and responsibilities
~ Information objects being managed
Information Protection Policy (IPP)
~ Protection needs that support Mission/Business
~ Security service requirements
What constitutes the requirements baseline?
To determine the customer’s needs:
~ Define the mission need
~ Define the information management to create an
Information Management Model (IMM)
~ Define the Information Protection Policy (IPP)
Results become the basis for creating an Information
Management Policy that meets the customer’s needs
What is Harm To Information (HTI)?
considers the value of
the information and the degree of harm to the
mission if the information were disclosed, modified,
destroyed, or unavailable when needed
What are Potentially Harmful Events (PHE)?
considers the
existence of malicious adversaries, their degree of
motivation, and the potential for accidents and
natural disasters
What is an Information Management Policy?
The ISSEP documents:
~ Information threats
~ Security services and priorities
~ Roles and responsibilities
Information Protection Policy
(IPP) basis for IMP
Information Management
Policy (IMP)
~ Information Flow
~ Access and Privileges
What are the parts of the requirements hierarchy?
~ Business Mission
~ Functions
~ Architecture
~ Components
~ Design
~ Specifications
~ Implementation
List the parts of the requirements hierarch from most abstract to most specific.
~ Business Mission
~ Functions
~ Architecture
~ Components
~ Design
~ Specifications
~ Implementation
What are the ISSE duties during Development or Acquisition phase?
The system is designed, purchased, programmed,
developed, or otherwise constructed
~ Design system security architecture
~ Develop detailed security design
~ Incorporate Security Requirements Into Specifications
~ Make-Buy decisions are made:
– Procurement (component or turn-key)
– Program
– Build
All items are documented and become part of the system history
and build baseline documentation. Previously recorded items
are updated or replaced as required to ensure accuracy.
What tasks must the ISSE complete while defining system security requirements?
The ISSEP defines a solution set that satisfies
the information protection needs of the IPP
A solution set consists of:
~ The System Context
~ A Concept of Operations (CONOPS)
~ The System Requirements
What are the ISSE duties during the Implementation phase?
The system is tested and installed or fielded
~ Install and configure selected controls and
countermeasures
~ Enable and test all controls required in the design
documentation
~ Verification and validation of controls functionality
~ Security Testing
All items are documented and become part of the system
history and build baseline documentation. Previously
recorded items are refined, updated or replaced as
required to ensure accuracy.
~ Design system security architecture
What tasks must the ISSE complete while designing system security architecture?
~ Performs functional analysis of potential architectures
to meet requirements from Step 2
~ Allocates security services
~ Selects security mechanisms
~ Identifies elements of the system to be protected
~ Allocates security functions to those elements
~ Describes the relationships between the elements
What tasks must be performed as part of the detailed design?
~ Design must satisfy customer-specified design
constraints and the security requirements
~ Design should project the schedule and cost of
long-lead items and life-cycle support
~ Design should be under configuration control
~ Design should include a revised security
CONOPS
~ Trade-offs must consider priorities, cost, schedule,
performance, and residual security risks
~ Failures to satisfy security requirements must be
reported to C&A authorities
What tasks must the ISSE complete when developing a detailed security design?
~ Allocating security mechanisms to system security
design elements
~ Identifying candidate products
~ Qualifying element and system interfaces
~ Developing system specifications
When does the Operations & Maintenance phase official being?
When the AO signs and issues the ATO
What are the ISSE duties during the Operation & Maintenance phase?
The system is being modified by the addition or
removal of components, features, or changes in
them:
~ Security Operations and Administration
~ Operational Assurance and measurement
~ Audits and Monitoring and subsequent corrective actions
~ Assessment of controls effectiveness
~ Configuration and change management
All items are documented and become part of the system
history and operational baseline documentation. Previously
recorded items are updated or replaced as required to ensure
accuracy.
What factors should be considered when selecting components?
~ Current and future availability
~ Cost
~ Form factor
~ Reliability
~ Potential risk to system due to component failure
~ Conformance to design specifications
~ Compatibility with existing components
~ Satisfying evaluation criteria
What tasks must the ISSE complete during implementation?
~ Provides inputs to C&A process activities
~ Reviews evolving system life cycle support plans
~ Reviews operational procedures for users
~ Reviews maintenance training for administrators
~ Assesses information protection measures in
preparation for the final system effectiveness
assessment
What tasks must the ISSE complete testing?
~ Participation in the testing of protection mechanisms
and functions
~ Verification that the system implementation does
protect against the threats identified in the original
threat assessment
~ Application information protection assurance
mechanisms related to system implementation and
testing practices
~ Continuing risk management
~ Supporting the C&A processes
What tasks must the ISSE complete during the disposal phase?
This involves the final disposition of data,
hardware, and software
~ Information archiving
~ Data transferral to new operational environment
~ Media Sanitization
~ Retirement or destruction
~ Recycling
All items are documented and become part of the system
history and operational baseline documentation. Previously
recorded items are updated or replaced as required to
ensure accuracy.
Why use the CMM approach?
Accepted way of defining practices and improving
capability
Increasing use in acquisition as an indicator of
capability
ROI for software indicates success
Why was the SSE-CMM developed?
Objective:
~ advance security engineering as a defined,
mature, and measurable discipline
Project Goal:
~ Develop a mechanism to enable:
– selection of appropriately qualified security
engineering providers
– focused investments in security engineering
practices
– capability-based assurance
List the organizational capability measures?
~ Level 1 (Performed Informally)
1.1 Base Practices are Performed
~ Level 2 (Planned and Tracked)
2.1 Planning Performance
2.2 Disciplined Performance
2.3 Verifying Performance
2.4 Tracking Performance
~ Level 3 (Well-Defined)
3.1 Defining a Standard Process
3.2 Perform the Defined Process
3.3 Coordinate the Process
~ Level 4 (Quantitatively Controlled)
4.1 Establishing Measurable Quality Goals
4.2 Objectively Managing Performance
~ Level 5 (Continuously Improving)
5.1 Improving Organizational Capability
5.2 Improving Process Effectiveness
How does the SSE-CMM define best practices at the domain level?
~ process areas
~ base practices
How does the SSE-CMM define best practices at the organizational capability level?
~ implementation of process areas
~ institutionalization of process areas
What are the SSE-CMM process categories?
Engineering processes
Project processes
Organizational Processes
What are the SSE-CMM organizational process areas?
~ Define Organization’s Security Engineering Process
~ Improve Organization’s Security Engineering
Process
~ Manage Security Product Line Evolution
~ Manage Security Engineering Support Environment
~ Provide Ongoing Skills and Knowledge
~ Coordinate with Suppliers
What are the SSE-CMM project process areas?
~ Ensure Quality
~ Manage Configurations
~ Manage Program Risk
~ Monitor and Control Technical Effort
~ Plan Technical Effort
What are the SSE-CMM engineering technical "base" process areas?
PA01 – Administer Security Controls
PA02 – Assess Security Impacts
PA03 – Assess Security Risk (to CIA and other information assets)
PA04 – Assess Threat
PA05 – Assess Vulnerability
PA06 – Build Assurance Argument
PA07 – Coordinate Security
PA08 – Monitor Security Posture
PA09 – Provide Security Input
PA10 – Specify Security Needs
PA11 – Verify and Validate Security
What are the classes of attacks?
~ Passive attacks can result in the disclosure of data to an
attacker without the knowledge of the user
~ Active attacks include attempts to circumvent protection
features to execute a deliberate attack
~ Close-in attacks occur when an attacker is in physical
close proximity to resources to launch an attack
~ Insider attacks can be malicious or non-malicious:
– Malicious insiders intend to deliberately attack an asset
– Non-malicious attacks typically result from lack of knowledge
~ Distribution attacks focus on the malicious modification
of resources during production or distribution
What is the first line of defense for a passive attack?
Link and network layer and
encryption and traffic flow
security
What is the first line of defense for a active attack?
Defend the enclave
boundaries
What is the first line of defense for a insider attack?
Physical and personnel
security
What is the first line of defense for a close-in attack?
Physical and personnel
security
What is the first line of defense for a distribution attack?
Trusted software development
and distribution
What is the second line of defense for a passive attack?
Security-enabled
applications
What is the second line of defense for a active attack?
Defend the computing
environment
What is the second line of defense for a insider attack?
Authenticated access
controls, audit
What is the second line of defense for a close-in attack?
Technical surveillance
countermeasures
What is the second line of defense for a distribution attack?
Run time integrity
controls
What is the major goal of C&A?
Enabling more consistent, comparable, and
repeatable assessments of security controls in federal
information systems
What are the objectives of C&A?
To achieve more secure information systems
within the federal government by:
~ Enabling more consistent, comparable, and
repeatable assessments of security controls in federal
information systems
~ Promoting a better understanding of agency-related
mission risks resulting from the operation of information
systems
~ Creating more complete, reliable, and trustworthy
information for authorizing officials in order to facilitate
more informed accreditation decisions
What is the NSTISSI 4009 definition of Certification?
“The comprehensive evaluation of the technical
and non-technical security features of an AIS and
other safeguards, made in support of the
accreditation process, to establish the extent to
which a particular design and implementation
meets a specified set of security requirements.”
What are the characteristics of certification?
Formal process for testing systems against a set of
security requirements
Performed by an independent reviewer instead of
someone who was involved with building or
operating the system
The amount of rigor employed may vary depending
on the system level or operational context.
What is accreditation?
The decision given by the designated senior agency
official to authorize operation of an information
system:
~ In a particular security mode
~ Using a prescribed set of controls
~ Against a defined threat
~ At an acceptable level of risk
~ For a specific period of time
The official explicitly accepts the risk to agency
assets based on the implementation of these
security conditions.
[remember the phrase "and the nation"]
What is the NSTISSI 4009 definition of Accreditation?
“A formal declaration by the DAA that an AIS is
approved to operate in a particular security mode
using a prescribed set of safeguards.”
What are the significant benefits of C&A?
More consistent, comparable, and repeatable
security evaluations
More complete, reliable technical information for
information system accreditation authorities, leading
to better understanding of complex systems and
associated risks and vulnerabilities
Greater availability of competent certification
services for customers
Assessments by accredited organizations can
form the basis for cyber insurance policy decisions
What is the NSTISSI 4009 definition of an Automated Information System (AIS)?
“Any equipment or interconnected system or
subsystem of equipment used in the automatic
acquisition, storage, manipulation, management,
movement, control, display, switching, interchange,
transmission or reception of data and includes
computer software, firmware, and hardware.”
What is Information Assurance?
Measures that protect and defend information and
information systems by ensuring their
availability, integrity, confidentiality,
authentication and non-repudiation.
This includes providing for restoration of information
systems by incorporating the following capabilities:
protection,
detection, and
reaction.
What is Availability?
Timely, reliable access to data and information services for
authorized users.
What is Integrity?
Quality of an IS reflecting the logical correctness and
reliability of the operating system; the logical completeness
of the hardware and software implementing the protection
mechanisms; and the consistency of the data structures and
occurrence of the stored data.
What is confidentiality?
Assurance that information is not disclosed to unauthorized
individuals, processes, or devices.
What is Access Control?
Limiting access to information system resources only to
authorized users, programs, processes, or other systems.
What is Authentication?
Security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying
an individual's authorization to receive specific categories of
information.
What is Non-Repudiation?
Assurance the sender of data is provided with proof of
delivery and the recipient is provided with proof of the
sender's identity, so neither can later deny having processed
the data.
What are the accreditation options?
1 - System: accreditation evaluates a major system
application or a clearly defined independent
system.
2 - Type: accreditation evaluates a common application
or system that is distributed to a number of
different locations.
3 - Site: accreditation evaluates applications and
systems at a specific, self-contained location.
What are C&A artifacts?
System policies, documentation, plans, test
procedures, test results, and other evidence that
express or enforce the information assurance (IA)
posture of the DoD IS, make up the certification and
accreditation (C&A) information, and provide evidence
of compliance with the assigned IA controls.
What is C&A from the DoD's perspective?
The standard DoD approach for:
~ identifying information security
requirements,
~ providing security solutions, and
~ managing the security of DoD
information systems.
What are the general steps of the C&A process?
~ Define problem
~ Risk assessment
~ Implement controls
~ Certification
~ Accreditation
~ Ops/maintenance
~ Disposal
What Acts support C&A?
Privacy Act of 1974
Computer Security Act of 1987
Clinger-Cohen Act of 1996
~ Information Technology Management Reform Act
~ Defines National Security Systems
NIST SP800-59
What Government document requires C&A?
OMB Circular A-130
~ Management of Federal Information Resources,
Appendix III, December 24, 1985
~ Mandatory implementation of Computer Security Act
and FISMA requirements – 3-year reviews
~ Defines "adequate security"
What is "adequate security"?
“security commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to
or modification of information.…provide appropriate
confidentiality, integrity, and availability, through the use of cost effective
management, personnel, operational, and technical
controls.”
What executive order mandates C&A?
Executive Order 13231, 16 October 2001
Critical Infrastructure Protection in the Information Age
What law is the most recent overarching requirement for C&A?
FISMA
~ (Federal Information Security Management Act) -
Title III of E-Government Act of 2002 (Public Law
107-347)
~ OMB has Oversight over E-Government
– Federal Government (Organizations and IG’s) must report
IA status to OMB annually and quarterly
– OMB provides reports to Congress annually
– Congressional Cyber Security Grade
~ NIST publishes Standards and Guidelines
~ All Federal Government must follow NIST C&A
processes, with the exception of Defense and
Intelligence organizations.
What does DITSCAP stand for?
Defense Information Technology Security
Certification and Accreditation Process
What instruction created DITSCAP?
DoDI 5200.40, 30 December 1997
~ Applies to all DoD systems
What are the phases of DITSCAP?
o Definition
o Verification
o Validation
o Post-accreditation
What document further defined DITSCAP?
DoD 8510.1-M DITSCAP Application Manual, July 00
~ Implementation guidance
~ Deliverable format
What is the document created by DITSCAP called?
System Security Authorization Agreement (SSAA)
What activities occur in phase 1 of DITSCAP/NIACAP?
~ Determine requirements
~ Define boundaries
~ Tailor the process & scope the effort
~ Draft the SSAA
What activities occur in phase 2 of DITSCAP/NIACAP?
~ System development activities
~ Initial certification analysis
~ Document results in SSAA
What activities occur in phase 3 of DITSCAP/NIACAP?
~ Test installed system
~ Evaluate procedural, physical, personnel, CM etc. procedures
~ Document results
What activities occur in phase 4 of DITSCAP/NIACAP?
~ Operate the system
~ Security operations
~ CM & change control
~ Maintain SSAA
What does NIACAP stand for?
National Information Assurance Certification and
Accreditation Process
What instruction created NIACAP?
NSTISSI No. 1000, April 2000
Applies to all National Security Systems (NSSs)
What are the phases of NIACAP?
Definition
Verification
Validation
Post-accreditation
What is the document created by NIACAP called?
System Security Authorization Agreement (SSAA)
What document defines the NIST C&A process?
Guide for the Security Certification and
Accreditation of Federal Information Systems
NIST 800-37, May 2004
~ Applies to all Federal Systems
What are the phases of the NIST C&A process (800-37)?
Initiation
Certification
Accreditation
Continuous Monitoring
What are the key documents produced in the NIST C&A process (800-37)?
SSP – System Security Plan, NIST SP800-18
ST&E – Security Test and Evaluation – NIST SP800-53A
SAR – System Assessment Report – NIST 800-37
POA&M – Program of Actions & Milestones – OMB 02-1
What does DIACAP stand for?
DoD Information Assurance Certification and
Accreditation Process
What are the major components of DIACAP?
~ Process (DoDI 8510)
~ Automation (eMASS)
~ Guidance and Collaboration (Knowledge Service)
What instruction created DIACAP?
DoDI 8510.01, 28 November 2007
~ Applies to all DoD systems
What are the phases of DIACAP?
~ Initiation and Planning IA C&A
~ Implement and Validate Assign IA Controls
~ Make Certification Determination and Accreditation Decision
~ Maintain Authorization to Operate and Conduct Reviews
~ Decommission
What are the key documents produced by DIACAP?
~ System Identification Profile (SIP) [Description/Registration]
~ DIACAP Implementation Plan (DIP) [Implement/Validate]
~ POA&M [correction/mitigation]
~ Scorecard [risk assessment]
What are the supporting resources for DIACAP?
Knowledge Service
eMASS and other tools
What is the NSTISSI 4009 definition of Program Manager?
“The PM represents the interests of the AIS, and is
responsible for the AIS throughout its lifecycle; ensures
the security requirements are integrated in order to
achieve an acceptable level of risk as documented in the
SSAA, and keeps all participants informed of AIS lifecycle
actions, security requirements and user needs.”
What is the NSTISSI 4009 definition of Designated Approving Authority?
“The primary government official responsible for
implementing system security. An executive with the
authority to formally assume responsibility for
operating an AIS or network at an acceptable level of
risk, and to balance the needs of the system with the
security risks.”
What is the NSTISSI 4009 definition of User Representative?
“Official with the authority to formally assume
responsibility for operating an AIS or network
at an acceptable level of risk.”
What is the NSTISSI 4009 definition of Information Systems Security Officer?
“Person responsible to the designated approving
authority who ensures that security of an
information system is implemented through its
design, development, operation, maintenance,
and secure disposal stages.”
What is the DoDI 5200.40 definition of System Security Authorization Agreement?
“A description of the system mission, target environment,
target architecture, security requirements, and applicable
data access policies. It also describes the applicable set
of planning and certification actions, resources, and
documentation required to support the certification and
accreditation. It is the vehicle that guides the
implementation of INFOSEC requirements and the
resulting certification and accreditation actions.”
What does the SSAA document?
~ The operating environment and the threat
~ The AIS security architecture and the C&A
boundary of the AIS to be accredited
~ The agreement among the parties involved
~ All requirements necessary for accreditation
~ Condenses and consolidates the documentation
requirements (CONOPS, tests, etc)
~ The overall C&A plan (NIACAP/DITSCAP)
~ The test plans, results, and residual risk
~ The baseline security configuration document
What are the characteristics of an SSAA?
~ Describes the operating environment and threat
~ Describes the system security architecture
~ Establishes the C&A boundary of the system
~ Documents the formal agreement among the DAA,
certifier, program manager, and user representative
~ Documents all requirements necessary for accreditation
~ Documents test plans and procedures, certification
results, and residual risk
~ Forms the baseline security configuration document
What are the main tasks of DITSCAP phase 1?
~ Define system functions, requirements, and
interfaces
~ Define information category and classification
~ Prepare the system architecture description
~ Identify principle C&A roles & responsibilities
~ Define C&A level of effort
~ Draft SSAA
~ Agree on the method for implementing security
requirements (documented in SSAA)
What are the phases of the 800-37 Rev 1?
~ Categorize
~ Select
~ Implement
~ Assess
~ Authorize
~ Monitor
What are the key deliverables of the 800-37 Rev 1?
SSP, SAR, POA&M
In the Definition phase of DITSCAP (Determine mission needs), what documents/information is needed?
~ System Requirements and Capabilities
~ System Mission, Function, Interfaces
~ Organizations operating system
~ Operational environment
~ Information types and classifications
~ Expected System Life Cycle
~ System User Characteristics
~ Intended system/network interfaces
What actions are required in Task 1 of DITSCAP Definition: Determine Mission Needs?
Registration begins with preparing the business, mission, or operational
functional description as well as system description and system identification.
The information collected during the preparation activity is evaluated and
applicable information assurance requirements are determined.
What actions are required in Task 2 of DITSCAP Definition: Determine Mission Needs?
Inform the DAA, Certifier, and user representative that the system will
require C&A support (register the system).
What actions are required in Task 3 of DITSCAP Definition: Determine Mission Needs?
Prepare the environment and threat description. Threats should be assessed
against the specific business functions and system description to determine
the required protection. The threat, and subsequent vulnerability assessments,
must be used in establishing and selecting the IA policy objectives that will
counter the threat.
What actions are required in Task 4 of DITSCAP Definition: Determine Mission Needs?
Prepare system architecture description, describe the C&A boundaries, and
document relationships with external systems or equipment.
What actions are required in Task 5 of DITSCAP Definition: Determine Mission Needs?
Determine the system security requirements. The risk management and
vulnerability assessment actions commence. A risk management process may
also be installed in an effective, understandable, and repeatable manner.
What actions are required in Task 6 of DITSCAP Definition: Determine Mission Needs?
Tailor the C&A tasks, determine the level of effort, and prepare a C&A plan.
The C&A team determines the level of effort by evaluating the security
requirements and the degree of assurance needed in areas such as
confidentiality, integrity, availability, and accountability. The planned level of
effort is targeted at addressing the security requirements and fulfilling the
mission of the program.
What actions are required in Task 7 of DITSCAP Definition: Determine Mission Needs?
Identify organizations involved in C&A and the resources required.
What actions are required in Task 8 of DITSCAP Definition: Determine Mission Needs?
Develop the draft SSAA during the registration activities to consider the
program’s system development approach and life cycle stage, existing
documentation and environment, architecture and business functions, and
documentation on users and data classification and categorization.
In the Definition phase of DITSCAP (Registration), what information is needed?
Information collected
Security requirements determined
Threat Assessment started
Level of effort of C&A determined
Prepare system description with boundaries
Determine acquisition strategy & life cycle
Assess impact of life cycle on certification
In the Definition phase of DITSCAP (Registration), what tasks must be performed?
Determine classification and types of information
Determine clearances and access requirements
Identify system class and security requirements
Identify organizations supporting DITSCAP
Tailor DITSCAP activities
Determine scope, level of effort, and schedule
In the Definition phase of DITSCAP (negotiation), who needs to participate?
Key members are:
~ Designated Approving Authority
~ Program Manager
~ Certifying Agent
~ User Representative
Information Systems Security Officer
Strategy agreed upon
~ Not a bargaining session!
~ Everyone understands roles
~ No surprises
In the Definition phase of DITSCAP (negotiation), what needs to happen?
Clearly defines
~ Requirements
~ Approach
~ Level of Activity
Approval of SSAA
~ Designated Approving Authority
~ Program Manager
~ User Representative
What are the objectives of the DITSCAP SSAA?
~ Phase 1 End Product (refined in later phases)
~ Document the formal agreement among the DAA,
the CA, the user representative, and the program
manager
~ Document all requirements necessary for
accreditation
~ Document all security criteria for use throughout
the IT system life-cycle
~ Minimize documentation requirements by
consolidating applicable information into the
SSAA
~ Document the DITSCAP plan
What are the main tasks of DITSCAP phase 2?
~ System Architecture Analysis
~ Software Design Analysis
~ Network Connection Rule Compliance
~ Integrity Analysis of Integrated Products
~ Life Cycle Management Analysis
~ Security Requirements Validation Procedures
~ Vulnerability Evaluation
~ Refine/modify SSAA
In the Verification phase of DITSCAP, what are the goals?
Verify system compliance with requirements
Refine the SSAA, if needed
Refine analysis
~ System development
~ Modifications
~ Certifications
Review and refine SSAA, if necessary
~ Hardware details
~ Software details
Certification analysis
~ Corresponds to Life Cycle activity
~ Verification by analysis, investigation, comparison
In the Verification phase of DITSCAP, what are the certification actions?
System Architecture
Analysis
Software Design Analysis
Network Connection Rule
Compliance
Product Integrity Analysis
Life Cycle Management
Vulnerability Assessment
Actions Completion gives:
~ Documented security specification
~ Comprehensive test plan
~ All interconnection requirements
implemented
Vulnerability assessment impacts
Configuration Management
~ “Good configuration management builds good
security; good security application establishes
good configuration management.”
In the Verification phase of DITSCAP, what are the completion actions?
Review certification analysis results upon
conclusion of each life cycle development
milestone
Significant deviation from SSAA, revert to
Definition Phase to resolve problems
What are the main tasks of DITSCAP phase 3?
~ ST&E* (Implementation of security reqs, I&A, AC, Audits…)
~ Penetration Testing (Exploitation, Insider/Outsider)
~ COMSEC Compliance Evaluation (reqs, integration)
~ System Management Analysis (Maintain Mgmt/CM/Arch)
~ Contingency Plan Evaluation (Backup, COOP…)
~ Site Accreditation Survey (SSAA compliance, environment)
~ Risk Management Review (acceptable risks to CIAA**)
~ Develop Certification Report and Recommendation for
Accreditation:
– System Certified: Yes or No (based on meeting SSAA reqs)
– If Certified, Recommend: IATO or full accreditation
~ Ends with accreditation decision from DAA
In the Validation phase of DITSCAP, what are the goals?
~ Review the SSAA to ensure requirements and
agreements are current
~ Evaluation of the IT system
~ Formal system certification test and security
accreditation actions
In the Validation phase of DITSCAP, what are the evaluation actions?
~ System Security Testing and Evaluation
~ Penetration Testing
~ TEMPEST (EMSEC) and Red/Black Verification
~ Validation System Management Analysis
~ Site Accreditation Surveys
~ Personnel Security
~ Physical Security
~ Environmental Security
~ Contingency Plan Examination
~ Risk Management Review
~ Recommendation and documentation to DAA
Security Findings
Deficiencies
Risks of Operation
In the Validation phase of DITSCAP, what are the possible accreditation decisions?
Denial
IATO
ATO
What are the main tasks of DITSCAP phase 4?
Review configuration & security management
~ Follow change mgmt documented in SSAA
~ Determine if system security mgmt continues to support
mission and architecture
Conduct risk management review
~ Assess if risk to CIAA is being maintained at an
acceptable level
Conduct compliance validation if needed
~ Ensure continued compliance w/SSAA reqs, current
threat assessment, and concept of operations
Maintain SSAA
What are the roles and responsibilities of NIACAP?
~ DAA – Designated Approving Authority
~ Program Manager
~ Certifier
~ User Representative
What NIACAP establish?
NIACAP establishes a standard national process
to certify and accredit systems that will maintain
the IA of a system
What are the NIACAP levels of certification?
~ Level 1: Basic security review
~ Level 2: Minimum analysis
~ Level 3: Detailed analysis
~ Level 4: Comprehensive analysis
Level is determined by criticality, C.I.A.
requirements, business mission, CI involvement,
data processed, user types, accountability and other
factors. The higher on such scales, the more
comprehensive the C&A.
Why was DIACAP established?
Providing a standard C&A approach.
Giving guidance on managing and disseminating
enterprise standards and guidelines for:
~ IA design, implementation, configuration, validation,
operational sustainment, and reporting.
~ Implementing and maintaining security through the
IS’s Life-Cycle
Accommodating diverse information systems in a
dynamic environment.
What is a DIACAP SIP?
System Identification Profile (SIP)
The SIP is compiled during:
~ DIACAP registration
~ Maintained throughout the system life
cycle.
Provides detailed description of:
~ System mission
~ Components and Information
~ Location and Environment
~ Connections
~ Players
What is a DIACAP DIP?
DIACAP Implementation Plan (DIP)
Contains the IS’s:
~ Assigned IA controls
~ Implementation status
~ Responsible entities
~ Resources
~ Estimated completion date
The plan may reference:
~ Supporting implementation material
~ Artifacts
What does the DICAP DIP do?
How each assigned IA control is implemented
Implementation follows guidelines described in the
DIACAP KS
What information is included in the DIACAP DIP?
IA Control #
IA Control Subject Area
IA Control Name
IA Control Text (Requirement)
Threat/Vulnerability/ Countermeasure
General Implementation Guidance
System-specific Guidance Resource
What is a DIACAP Scorecard?
~ Summary report that succinctly conveys
information on the IA posture of the
system in a format that can be
exchanged electronically.
~ Documents the accreditation decision
and must be signed, either manually or
with a DoD PKI-certified digital signature.
~ The Scorecard contains a listing of all IA
controls and their status of either C, NC,
or NA.
~ Additional data elements may be
specified by CIOs, DAAs, or other
enterprise users of the Scorecard
What is a DICAP POA&M?
~ Is a management tool.
~ Primary purpose assist agencies in
identifying, assessing, prioritizing, and
monitoring security weaknesses found in
programs and systems, along with the
progress of corrective efforts for those
vulnerabilities.
~ OMB requires agencies to prepare IT
Security POA&Ms for all programs and
systems in which an IT security
weakness has been found.
~ Agency CIOs must report their progress
on at least a quarterly basis to OMB.
What tasks are part of DIACAP Activity 1?
Initiate and Plan IA C&A
~ Create the System Identification Plan (SIP)
~ Register system with DoD Component IA Program
~ Assign IA controls
~ Assemble DIACAP Team
~ Initiate DIACAP Implementation Plan (DIP)
What tasks are part of DIACAP Activity 2?
Implement and Validate Assigned IA Controls
~ Execute DIP
~ Conduct validation activities
~ Plan of Action and Milestones (POA&M)
~ Compile validation results in DIACAP Scorecard
What tasks are part of DIACAP Activity 3?
Make Certification Determination and
Accreditation Decision
~ Make certification determination
~ Make accreditation decision
What tasks are part of DIACAP Activity 4?
Maintain Authorization to Operate and Conduct
Reviews
~ Maintain situational awareness
~ Maintain IA posture
~ Conduct annual reviews
~ Initiate reaccreditation
What tasks are part of DIACAP Activity 5?
Decommission
~ Retire the system
~ Update/remove registration with DoD Component IA
Program
What is the GIG?
Global Information Grid
Globally interconnected, end-to-end set of information
capabilities, associated processes, and personnel for
collecting, processing, storing, disseminating, and
managing information for all.
Provides capabilities from all locations, interfaces to
coalition, allied, and non-DoD users and systems.
What does the GIG support?
Supports National Security, Intelligence Community
and DoD Mission Areas (MA) functions:
~ Enterprise Information Environment MA (EIEMA)
~ Business MA (BMA)
~ Warfighting MA (WMA)
~ Defense Intelligence MA (DIMA)
What is the DICAP TAG?
Technical Advisory Group (TAG)
~ A formally chartered body established by ASD-NII
and DoD CIO to examine and address common
C&A issues, including changes to the baseline IA
controls, across the DoD Component IA
programs, IA Communities of Interest (COIs), and
other GIG entities.
~ The DIACAP TAG also maintains configuration
control and management of the DIACAP and all
its supporting content on the DIACAP KS.
What is the role of the DIACAP IA Senior Leadership?
IA Senior Leadership (IASL)
~ Provides the integrated planning, coordination,
and oversight of the Department's IA programs to
assure the availability, integrity, authentication,
confidentiality, and non-repudiation of the
Department's mission essential and mission
support information and the reliability DII.
What does the DIACAP apply to?
DIACAP applies to DoD-owned information
systems and DoD-controlled information systems
operated by a contractor or other entity on behalf of
the DoD that receive, process, store, display, or
transmit DoD information, regardless of
classification or sensitivity
What does the DIACAP NOT apply to?
DIACAP does not apply to DoD systems that
process:
~ Sensitive Compartmented Information (SCI)
~ Special Access Program (SAP) information
~ Nuclear Command and Control Extremely Sensitive
Information (NC2-ESI)
What are the DIACAP roles and responsibilities?
Principal Accrediting Authority (PAA)
PAA Representative
Designated Approving Authority (DAA)
Heads of DoD Components
Chief Information Officer (CIO)
Senior Information Assurance Official (SIAO)
Certifying Authority (CA)
– (e.g., validators, analysts, CA representatives (CAR)).
Program Executive Officer (PEO)
Program/System Manager (PM/SM)
Information Assurance Manager (IAM)
Information Assurance Officer (IAO)
User Representative (UR)
What is the PAA?
The senior official representing the interests of a
GIG MA regarding C&A
~ Represent the interests of the MA and, as required,
issue accreditation guidance specific to the MA,
consistent with this Instruction.
~ Appoint flag-level (e.g., general officer, senior
executive) PAA Representatives to the DISN/GIG
Flag Panel.
~ Resolve accreditation issues within their respective
MAs and work with other PAAs to resolve issues
among MAs, as needed.
~ Designate DAAs for MA ISs, if required, in
coordination with appropriate DoD Components.
What is the PAA Representative?
Appointed by PAA
~ Serve as a member of the DISN/GIG Flag Panel.
~ Provide MA-related guidance to DAAs, Milestone
Decision Authorities (MDA), the DSAWG, and the
DIACAP TAG.
~ Advise the corresponding MA PAAs and assist the DoD
CIO and SIAO in assessing the effectiveness of GIG IA
capabilities.
What do the Heads of DoD Components do to support DIACAP?
~ Ensures DoD ISs under their purview comply
with the DIACAP.
~ Operates only accredited ISs.
~ Complies with all accreditation decisions,
including denial of authorization to operate
(DATO), and enforce authorization termination
dates (ATD).
~ Ensures that an annual assessment of the DoD
Component IA program is conducted.
~ Appoints DAAs for DoD ISs under their purview.
What is the role of the DAA in DIACAP?
The official with the authority to formally assume
responsibility for operating a system at an acceptable
level of risk.
~ ATO
~ IATO
~ DATO
~ IATT
Responsible for the Mission and Resources
Must be a Government Employee
What is the role of the CIO in DIACAP?
Appoints the DoD Component SIAO.
Ensures
~ Implementation and validation of IA controls through the
DIACAP are incorporated in the IS’s life-cycle
management processes.
~ C&A status of the ISs are visible to the ASD(NII)/DoD CIO
and PAAs.
~ Collaboration and cooperation between the DoD
Component IA program and the PAA and DAA structure.
~ PM or SM is identified for each IS.
Establishes and manages an IT Security POA&M
program.
What is the role of the SIAO in DIACAP?
Senior IA Officer (SIAO)
~ Establishes and enforces the DoD Component IA
program’s C&A process.
~ The single IA coordinator for joint or Defense-wide
programs that are deploying ISs to DoD Component
enclaves
~ Ensures participation in the DIACAP TAG.
~ Tracks C&A status of Component ISs.
~ Establishes and manages a coordinated IA
certification process.
~ Is the certifying authority (CA) or formally delegating
CA for ISs and oversees CA experts.
What is the role of the PM, SM and PEO in DIACAP?
~ Implements the DIACAP for assigned DoD ISs.
~ Plans and budgets for IA controls implementation,
validation, and sustainment throughout the
system life cycle, including timely and effective
configuration and vulnerability management.
~ Develops, tracks, resolves, and maintains the
DIACAP Implementation Plan (DIP) for assigned
ISs.
~ Enforces DAA accreditation decisions for hosted
or interconnected DoD ISs.
What is the role of the PM, SM and PEO in DIACAP?
Ensures that:
~ Each assigned DoD ISs has a designated IA manager
(IAM) with the support, authority, and resources to
satisfy their responsibilities.
~ Information system security engineering is employed to
implement or modify the IA component of the system
architecture in compliance with the IA component of the
GIG Architecture and to make maximum use of
enterprise IA capabilities and services.
~ IT Security POA&M development, tracking, and
resolution.
~ Annual reviews of assigned ISs required by FISMA are
conducted.
What is the role of the user representative in DIACAP?
~ Represents the operational interests of the user
community in the DIACAP.
~ Supports the IA controls assignment and
validation process to ensure user community
needs are met.
Who are the members of the certifying team in DIACAP?
Certifying Authority (CA)
~ The senior official having the authority and
responsibility for the certification of information
systems governed by a DoD Component IA program.
~ Make the certification recommendation to the DAA
~ Can be the SIAO.
CA Representative/Analyst
~ Delegated the responsibility of reviewing and
assessing the DIACAP package for compliance and
risk.
Validator
~ Individual responsible for conducting a validation
procedure.
What is the role of the ISSE in DIACAP?
Information Systems Security Engineer
~ An individual that performs the Information Systems
Security Engineering functions.
~ Works with system architects, engineers, and
developers to ensure that IA controls are designed
and implemented into a system throughout the
development process.
What is the role of the IAM in DIACAP?
~ Support the PM or SM in implementing DIACAP.
~ Advise and inform the DoD Component IA program
on ISs C&A status and issues.
~ Comply with the DoD Component IA program’s
information and process requirements.
~ Provide direction to the IA Officer (IAO).
~ Coordinate with the organization’s SM to ensure
issues affecting the organization’s overall security
are addressed appropriately.
~ Similar to the IA title Information Systems Security
Manager (ISSM) used else where.
What is the role of the IAO in DIACAP?
~ An individual responsible to the IAM for ensuring
that the appropriate operational IA posture is
maintained for a DoD information system or
organization.
~ While the title IAO is favored within the DoD, it
may be used interchangeably with other IA titles
(e.g., Information Systems Security Officer,
Information Systems Security Custodian, Network
Security Officer, or Terminal Area Security
Officer).
What are the DIACAP risks?
Risks are assessed to determine the impact upon:
~ Integrity (MAC)
~ Availability (MAC)
~ Confidentiality (CL)
What is a Mission Assurance Category?
Applicable to DoD information systems, the
mission assurance category (MAC) reflects the
importance of information relative to the
achievement of DoD goals and objectives,
particularly the warfighters' combat mission.
MACs are primarily used to determine the
requirements for availability and integrity.
The DoD has three defined MAC Levels:
~ MAC I
~ MAC II
~ MAC III
What are the details of MAC I?
Availability (HIGH), Integrity (HIGH), Most Stringent Protection Measures
What are the details of MAC II?
Availability (MEDIUM), Integrity (HIGH), Beyond Best Practices
What are the details of MAC III?
Availability (BASIC), Integrity (BASIC), Commensurate with Commercial Best Practices
What are the Confidentiality Levels (CLs)?
Classified:
~ Kept secret in the interest of national defense or foreign
policy.
~ Includes Confidential, Secret, and Top Secret.
Sensitive:
~ could adversely affect the national interest or the conduct
of Federal programs, or the privacy of individuals.
Public:
~ has been reviewed and approved for public release by
the information owner.
What types of information are recognized by DIACAP?
Sensitive
~ Controlled Unclassified Information (CUI)
~ Loss of confidentiality, integrity, availability, could
have serious, sever, or catastrophic adverse impact [includes critical infrastructure data]
~ Types:
Personnel, Financial, Payroll, Operational,
Medical, and Privacy Act [PII]
Non-Sensitive
~ Approval must be gained prior to release
What EO defines classified information?
EO 12356
What is the damage the loss of "top secret" would cause?
cause exceptionally grave damage to the national
security
What is the damage the loss of "secret" would cause?
cause serious damage to the national security
What is the damage the loss of "confidential" would cause?
cause damage to the national security
What are confidentiality levels used for?
Used to establish requirements for:
~ individual security clearances or background
investigations requirements
~ access approvals
~ need-to-know determinations
~ interconnection controls and approvals
~ acceptable methods by which users may access the
system (e.g., intranet, Internet, wireless)
~ appropriate security controls
What are the details of CL: Classified?
Robustness (HIGH), Security: NSA-approved cryptography
and key management
What are the details of CL: Sensitive?
Robustness (MEDIUM), Security: NIST/FIPS approved
cryptography and NSA approved
key management
What are the details of CL: Public?
Robustness (BASIC), Security: NIST/FIPS-approved
cryptography and key
management
What are DIACAP IS Controls?
An objective IA condition of integrity, availability or
confidentiality achieved through the application of
specific safeguards or through the regulation of
specific activities that is expressed in a specified
format, i.e., a control number, a control name, control
text, and a control class.
Specific management, personnel, operational, and
technical controls are applied to each DoD information
system to achieve an appropriate level of integrity,
availability, and confidentiality in accordance with
reference OMB A-130.
What are the objective conditions for DIACAP IA Controls?
~ objective condition is testable
~ compliance is measurable, and
~ activities required to achieve the IA Control are
assignable and thus accountable.
How are DIACAP IA controls assigned?
Assignment of the controls are made according
with:
~ MAC
~ CL
How are DIACAP IA controls laid out?
Are laid out in:
~ IA Control Subject Areas
~ IA Control Names
List the DIACAP IA control areas, their acronym and number of controls?
Security Design and Configuration, DC, 31
Identification and Authentication, IA, 9
Enclave and Computing Environment, EC, 48
Boundary Defense, EB, 8
Physical and Environmental, PE, 27
Personnel, PR, 7
Continuity, CO, 24
Vulnerability and Incident Management, VI, 3
Study slide 398
Study slide 398
Study slide 399
Study slide 399
What is the robustness level of a DIACAP MAC I system?
HIGH
What is the robustness level of a DIACAP MAC II system?
MEDIUM
What is the robustness level of a DIACAP MAC III system?
BASIC
How are DIACAP IA control robustness levels numbered?
1 -3 where 3 is HIGH robustness. The opposite of MAC levels
List the DIACAP IA controls associated with Security Design and Configuration
Procedural Review DCAR-1 Availability
Acquisition Standards DCAS-1 Confidentiality
Best Security Practices DCBP-1 Integrity
Control Board DCCB-2 Integrity
Configuration Specification DCCS-2 Integrity
Compliance Testing DCCT-1 Availability
Dedicated IA Services DCDS-1 Integrity
Functional Architecture for AIS Applications DCFA-1 Integrity
HW Baseline DCHW-1 Availability
Interconnection Documentation DCID-1 Integrity
IA Impact Assessment DCII-1 Integrity
IA for IT Services DCIT-1 Integrity
Mobile Code DCMC-1 Integrity
Non-repudiation DCNR-1 Integrity
List the DIACAP IA controls associated with Security Design and Configuration
Partitioning the Application DCPA-1 Integrity
IA Program and Budget DCPB-1 Availability
Public Domain Software Controls DCPD-1 Availability
Ports, Protocols, and Services DCPP-1 Availability
CM Process DCPR-1 Integrity
IA Documentation DCSD-1 Availability
System Library Management Controls DCSL-1 Integrity
Security Support Structure Partitioning DCSP-1 Integrity
Software Quality DCSQ-1 Integrity
Specified Robustness – Medium DCSR-2 Confidentiality
System State Changes DCSS-2 Integrity
SW Baseline DCSW-1 Availability
What guidance/instructions are reference for the DIACAP IA controls?
DoD 5200.1-R, "DoD Information Security Program," January
1997, i.e., Storage, Access, Classification, etc.
DoD Directive C-5200.5 COMSEC activities
ASD(C3I) Memorandum, dated June 4, 2001, "Disposition of
Unclassified DoD Computer Hard Drives."
DoD Directive S-5200.19, DoD TEMPEST
DoD Instruction O-8530.2, defines reportable incidents,
outlines a standard operating procedure for incident
response.
IATF, IA Technical Framework, Protection Profile Consistency
Guidance for High, Medium, and Basic Robustness
NIST FIPS 140-2, validated cryptography
What is a compensating control?
Management, operational, and technical controls
employed in lieu of recommended controls that
provides equivalent or comparable protection for an
information system.
What is a DIACAP CAT Severity Code?
Indicates:
~ Risk level associated with non-compliance, and
~ Urgency with which corrective action must be
completed.
CA assigns the CAT codes to a system security
weakness during certification analysis.
How serious are these codes:
~ A CAT I rating for a MAC I or MAC II must, at a
minimum, be classified CONFIDENTIAL.
~ CAT II weaknesses must be reviewed for their
classification level.
What are Category I Severity Code Weakness?
Allows:
~ Primary security protections to be bypassed.
~ Immediate access by unauthorized personnel or
unauthorized assumption of super-user privileges.
Only Component CIO can
~ authorize operation of a system with a Cat I weakness
and then only through an IATO.
System must be
~ critical to military operations and failure to deploy will
preclude mission accomplishment.
~ Copy of authorization must be sent to DoD SIAO.
What are Category II Severity Code Weakness?
A weakness that can lead to unauthorized system
access or activity.
Usually are corrected or mitigated to a point where
any residual risk is acceptable.
Can be granted an ATO
~ Only when clear evidence exists that that deficiency
can be mitigated within 180 days of the accreditation
decision.
~ Only one 180 day extension allowed.
DAA
~ Will normally issue a DATO if not corrected or
mitigated in 360 consecutive days.
What are Category III Severity Code Weakness?
CAT III
~ One that if corrected will improve the system’s IA
posture.
DAA
~ Will determine if these types of weaknesses will be
corrected or if the risk will be accepted.
CAT IIIs accepted by DAA will be documented in
the POA&M:
~ Marked N/A in the scheduled completion date column.
~ Note acceptance by DAA in the milestone column
~ Note risk accepted in the status column
What are the types of DIACAP packages?
Comprehensive Package
~ Used for the CA recommendation
~ Includes all the information resulting from the DIACAP
process
Executive Package
~ Less than the Comprehensive package
~ Used for an accreditation decision
~ Provided to others in support of accreditation or other
decisions, such as connection approval
Actual Artifact Formats:
~ Each DAA will determine what information is
necessary to make an accreditation decision and what
format they want it presented in.
What documents constitute a DIACAP Comprehensive Package?
SIP, DIP, Supporting Certification Documentation, Scorecard, POA&M
What documents constitute a DIACAP Executive Package?
SIP, Scorecard, POA&M
What is the DICAP Knowledge Service?
~ A Web-based, DoD PK-enabled DIACAP
knowledge resource that provides current GIG
IA C&A.
~ A library of tools, diagrams, process maps,
documents, etc., to support and aid in execution
of the DIACAP.
~ A collaboration workspace for the DIACAP user
community to develop, share and post lessons
learned & best practices.
~ A source for IA news and events and other IA related
information resources.
What is included in the validation procedures?
IA Control #
Procedure Name
Procedure Objective
Procedure Script
Expected Results
What is a STIG?
Security Technical Implementation Guides (STIG)
~ Provides the guidance needed to development, integration,
and updating of secure applications.
~ Subjects: development, design, testing, maintenance,
configuration management, education, and training.
What are the families of STIGs?
~ Infrastructure
~ Operating System
~ Database
~ Web and Application Services
~ Desktop Application
What is technical project management?
Project Management is a structured, pro-active
management approach for finite undertakings
that produce a unique product, service, or other
result.
What are the characteristics of technical project management?
It is characterized by the application of
knowledge, skills, tools, and techniques in
detailed planning and execution of the endeavor.
How is technical project management accomplished?
It is accomplished through integrated and
logically flowing processes to perform initiating,
planning, executing, monitoring, controlling, and
close-out activities while balancing competing
demands for quality, scope, schedule, and cost.
What is a project framework?
The Project Framework illustrates and
combines all elements necessary to begin,
manage, and conclude a project. It starts as a
skeleton with basic contents and evolves and
expands as the project proceeds.
What is a scope statement?
A formal definition agreed to by all stakeholders
in the project, describing what is to be done,
why it is being undertaken, who will be engaged
to do the work and when the whole venture
should be completed.
What is milestone identification?
Refers to the process of identifying those
discrete steps in a project which represent
major steps of achievement, and are
generally tied to progress payments.
What is a work breakdown structure?
This step consists of both the decomposition
of all the work associated with milestone
achievement into individual work tasks, as
well as the identification of all dependencies.
What is a baseline project plan?
This is the final set of project documents which
collectively represents the foundation
“agreement” from which work will proceed to its
desired end-product or solution. Changes to
the baseline should be managed carefully and
precisely to avoid unwanted or unforeseen
impacts.
What are change management procedures?
Formal change management is vital in order to
avoid unplanned or unmanaged impacts
occurring that adversely effect the project
schedule or resource profiles. All changes
considered must be reviewed and formally
agreed to by all parties after discussing issues
and risks, and before proceeding with the
proposed modifications. Prevents “scope
creep”.
Define activity
A discrete element of work performed during the course of a
project. Has measured duration, cost, and resource
requirements. Often subdivided into tasks.
Define baseline
Officially approved version of the plan (cost, schedule, or
technical) for a project, a work package, or an activity, plus or
minus approved scope changes. Normally altered or
updated through changes in scope, funding, schedule,
requirements, etc. through the Change Management
process.
Define critical path
Series of activities that determines the duration of the project.
In a deterministic model, the critical path is usually defined as
those activities with float equal to zero. It is the longest path
through the project. See critical path method.
Define critical path method (CPM)
A network analysis technique used to assess the degree of
flexibility (float) through multiple scheduling paths in project
duration in order to determine overall project duration, and
task start/end dates (early-late).
Define decision tree analysis
The decision tree is a diagram that describes a decision
under consideration and the implications of choosing one or
another of the available alternatives, incorporating risk,
value, scheduling and potential outcomes variables
Define deliverable
A measurable, tangible, verifiable outcome, result, or item
that must be produced to complete a project or part of a
project.
Define deming cycle
Another name for the “Plan-Do-Check-Act” model popularized by W.
Edwards Deming as a continual quality management tool.
Define dependency
An action, input, or outcome (cost, schedule, or other factor)
that creates a cause-and-effect relationship between two or
more aspects of a project. Can result in a slippage,
acceleration, overrun, or similar result in the effected element.
Define estimate
An assessment of the likely quantitative result; as in cost,
schedule, outcome, plus or minus some percent or ROM.
Define life-cycle costing
The concept of including acquisition, operating, and disposal
costs when evaluating various alternatives.
Define network analysis
The process of identifying early and late start and finish dates for
the uncompleted portions of project activities. See also critical
path method, program evaluation and review technique, and
graphical evaluation and review technique.
Define pareto diagram
A histogram, ordered by frequency of occurrence, that shows
how many results were generated by each identified cause.
Define PERT chart
The term is commonly used to refer to a project network
diagram.
Define PERT
Program Evaluation and Review Technique (PERT):
An event-oriented network analysis technique used to estimate
program duration when there is uncertainty in the individual
activity duration estimates. PERT applies the CPM using
durations that are computed by a weighted average of optimistic,
pessimistic, and most likely duration estimates. PERT computes
the standard deviation of the completion date from those of the
path’s activity durations. Also known as the Method of Moments
Analysis.
Define project
A temporary endeavor undertaken to create a unique product,
service, or result.
Define project life-cycle
A collection of generally sequential project phases whose
name and number are determined by the control needs of
the organization or organizations involved in the project.
Define project network diagram
Any schematic display of the logical relationships of project
activities. Always drawn from left to right to reflect project
chronology. Often referred to as a PERT chart.
Define project plan
A formal, approved document used to guide both project execution and
project control. The primary uses of the project plan are to document
planning assumptions and decisions, facilitate communication among
stakeholders, and document approved scope, cost, and schedule
baselines. A project plan may be produced or presented in a summary or
detail form.
Define project risk management
The systematic process of identifying, analyzing, and responding to
project risk (produced by any element that threatens to cause adverse
impact to cost, schedule, resource utilization, or overall project failure). It
includes the processes of risk management planning, risk identification,
qualitative risk analysis, quantitative risk analysis, risk response planning,
and risk monitoring and control.
Define project schedule
The planned dates for performing activities and the planned
dates for meeting milestones.
Define project scope
The work that must be done to deliver a product with the
specified features and functions. Also, The sum of the products
and services to be provided as a project. See project scope and
product scope.
Define schedule control
Controlling changes to the project schedule.
Define scope change control
Controlling changes to project scope (“creep”) so that the rate of
change does not exceed the rate of progress.
Define stakeholder
Individuals and organizations that are actively involved in the
project, or whose interests may be positively or negatively
affected as a result of project execution or project completion.
They may also exert influence over the project and its results.
Define statement of work (SOW)
A narrative description of products or services to be supplied
under contract.
Define task
A generic term for work that is not included in the work
breakdown structure, but potentially could be a further
decomposition of work by the individuals responsible for that
work. Also, lowest level of effort on a project.
Define work breakdown structure (WBS)
A deliverable-oriented grouping of project elements that
organizes and defines the total work scope of the project. Each
descending level represents an increasingly detailed definition of
the project work.
Define work package
A deliverable at the lowest level of the work breakdown structure,
when that deliverable may be assigned to another project
manager to plan and execute. This may be accomplished
through the use of a subproject where the work package may be
further decomposed into activities.
Technical Project Management Roles and Responsibilities (provider/project): System Owner
System owner – verifier of product design and purpose. Has
overall accountability for system (final result). Has the
CHECKPOINT FUNCTION to APPROVE changes in scope,
products, results, functionality, etc.
Technical Project Management Roles and Responsibilities (provider/project): User POC
User POC – represents intended end-user community and
provides conduit for communication, approval, and changes.
Has the CHECKPOINT FUNCTION to APPROVE.
Technical Project Management Roles and Responsibilities (provider/project): Project Manager
Project Manager – overall responsibility for project work,
progress and control, staffing and resource utilization.
Technical Project Management Roles and Responsibilities (provider/project): Planner
Planner – provides administrative support of planning effort.
Collects metrics to report status of “planned to actual”
regarding resources, cost, and schedules.
Technical Project Management Roles and Responsibilities (provider/project): Quality Manager
Quality Manager – owns QM plan and all QA activities.
Has CHECKPOINT FUNCTION to APPROVE items
impacting QA
Technical Project Management Roles and Responsibilities (provider/project): Configuration Manager
Configuration Manager – owns CM plan and related
activity
Technical Project Management Roles and Responsibilities (provider/project): Testers
Testers – conduct full range of tests for product
performance at various stages (SUT, IVTE, etc), and final
acceptance testing to assure ultimate success
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Technical Monitor
Federal Technical Monitor – has responsibility to oversee
and assure SOW composition, project cost-control, timely
performance, standards compliance, plans analysis,
approvals, stakeholder coordination and representation
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Program Manager
Federal Program Manager – general oversight of program
and assurance of funding, plan approval, deliverables
acceptance and approval, issue escalation and resolution
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Project Manager
Federal Project Manager – daily involvement in
performance or oversight of configuration management,
change, management, requirements management, risk
management, and QA.
What are the program manager responsibilities?
The PM has the lead for all activities involving:
~ Cost
~ Schedule
~ Performance
~ Security
The PM works directly with:
~ Development
~ Maintenance
~ Configuration management
~ Quality Assurance
~ Test verification and validation
What is necessary for successful implementation?
early planning
What are the steps for SSE planning?
~ Definition of program requirements
~ Development of a Program Management Plan (PMP)
~ Identification of SSE requirements
~ Preparation of a detailed Systems Engineering
Management Plan (SEMP)
What are the ISSEP planning phase activities?
~ Reviewing, setting, and agreeing to project scope
~ Defining appropriate management structure
~ Assessing and determining resource requirements
~ Developing schedules and discovering dependencies
~ Setting performance milestones and metrics
List the specific planning phase tasks (steps 1-3)?
1. Estimation of project scope: must be as concise and as
accurate as possible (will evolve). Must include
assessment of complexity regarding human, technology,
and other factors.
2. Identification of resources and constraints: this will
include skills, technology, physical assets, and requires
addressing the question of “in-house” or “out-source”.
3. Identifying roles and responsibilities: clearly
establishing who will do what, skill levels, rotation, etc.
List the specific planning phase tasks (steps 4-6)?
4. Estimation of project cost: As much art as science.
Should use cost models where feasible and historical cost
where possible. WBS are used to collect and estimate
cost factors.
5. Developing schedules: Setting start-finish dates for
optimistic, pessimistic, and probable completion.
6. Identify Technical Activities: Define the work at the
task level, sequencing and linking, establishing methods
and materials required.
List the specific planning phase tasks (steps 7-9)?
7. Identify deliverables: Must have clear definitions of
WHAT is due, required content, format, and success
criteria.
8. Define Management Interfaces: Communications
planning and channels must be established as early as
possible for flow of PM information on all subjects.
9. Preparation of Technical Mgmt. Plan (TEMP): Included
in the overall PMP and SEMP, and integrates technical
execution with overall systems engineering and PM.
List the specific planning phase tasks (steps 10-11)?
10. Review of overall Project Mgmt. Plan (PMP): This
overarching plan integrates consistently and coherently all aspects of
project execution, schedule, and resource. All actions and changes roll
up into this from subsidiary plans. It evolves and changes as the project
moves forward.
11. Obtain customer agreement: All aspects must be in
accordance with customer requires and expectations, and includes:
~ Environmental analysis
~ Feasibility analysis
~ Scope, requirements, and deliverables verification
~ Customer approval
What process groups are part of the management phase of technical management?
controlling
executing
What are management phase activities?
~ Managing change: requesting, implementing, rejecting
~ Managing configurations: documents, deliverables, etc.
~ Managing corrective actions: identifying, applying
~ Managing updates: scope, PMP, performance plans, etc.
~ Managing expectations: effective, timely communication
~ Managing risk: identifying, tracking, mitigating
List the specific management phase tasks (steps 1-3)?
1. Directing technical effort: the management of the
actual technical (engineering, designing, etc) work and
production of deliverables.
2. Tracking resources: Using all necessary tools and
feedback mechanisms to ensure timely accurate
knowledge of the “planned to actual” consumption rates.
3. Tracking performance: Continuous awareness and
access to performance metrics (cost, schedule, earned
value, customer satisfaction) to ensure timely action
List the specific management phase tasks (steps 4-6)?
4. Monitoring progress: Evaluation of overall progress
toward completion of short-term, mid-term, and long-term
objectives and deliverables IAW plans and requirements.
5. Ensuring quality: Evaluation of quality indicators to
ensure timely awareness and correction of issues and
unacceptable variances.
6. Managing Configuration elements: Continuous
management and control of changes to baselines,
documentation, products, and other items.
List the specific management phase tasks (steps 7-8)?
7. Evaluation of performance: Review and assessment of
overall aspects of performance in technical, schedule,
cost, human resources, and other areas of performance
measurement for the project.
8. Status reporting: providing all stakeholders with timely
progress reports, including status of technical changes,
cost profiles, staffing/skills requirements, quality
indicators, schedule changes or slippage, scope
changes, and corrective actions.
What does project monitoring provide?
Project Monitoring activities provide for metrics
collection, evaluation, comparison, and reporting on
all aspects of project performance to stakeholders
(includes owners, sponsors, staff, and others).
What does effective and timely monitoring provide?