Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
102 Cards in this Set
- Front
- Back
|
What is the Objective of Certification and Accreditation?
|
To achieve more secure information systems within the federal government.
|
|
|
How does C&A try to achieve more secure information systems within the federal government?
|
By Enabling more Consistent, Comparable and Repeatable assessments of security controls in federal information systems, -Promoting a better understanding of agency-related mission risks resulting from the operation of information systems, -Creating more Complete, Reliable, and Trustworthy information for authorizing officials in order to facilitate more informed accreditation decisions.
|
|
|
What is Certification?
|
The comprehensive evaluation of the Technical and Non-Technical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.
|
|
|
Who Performs the certification?
|
An Independent Reviewer.
|
|
|
What is an Independent Reviewer?
|
Someone who was NOT involved with building or operating the system.
|
|
|
What is an Accreditation?
|
The decision given by the designated senior agency official to authorize operation of an information system.
|
|
|
What are the boundaries of an accreditation?
|
The accreditation is valid in a Particular Security Mode, -Using a Prescribed set of controls, -Against a defined threat, -At an acceptable level of risk, -For a specific period of time.
|
|
|
What is an AIS?
|
Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.
|
|
|
What is IA?
|
Measures that protect and defend information and information systems by ensuring their Availability, Integrity, Confidentiality, Authentication, and Non-repudiation.
|
|
|
What is Availability?
|
Timely, reliable access to data and information services for authorized users.
|
|
|
What is Integrity?
|
Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
|
|
|
What is Confidentiality?
|
Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
|
|
|
What is Access Control?
|
Limiting access to information system resources only to authorized users, programs, processes, or other systems.
|
|
|
What is Authentication?
|
Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
|
|
|
What is Non-repudiation?
|
Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
|
|
|
What are the 3 types of accreditation?
|
System, Type, Site
|
|
|
What Acts are important for C&A?
|
Privacy Act of 1974, Computer Security Act of 1987, Clinger-Cohen Act of 1996
|
|
|
What is the Clinger-Cohen Act also known as?
|
Information Technology Management Reform Act.
|
|
|
What is the requirement for C&A?
|
OMB Circular A-130 - Management of Federal Information Resources.
|
|
|
What does OMB Circular A-130 define Adequate Security as?
|
Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information…provide appropriate Confidentiality, Integrity, and Availability, through the use of Cost-effective management, personnel, operational, and technical controls.
|
|
|
What is Executive Order 13231, 16 Oct 2001?
|
Critical Infrastructure Protection in the Information Age?
|
|
|
What did Executive Order 13231 establish?
|
Committee on National Security Systems (CNSS)
|
|
|
Who chairs the CNSS?
|
DoD - Rotating position
|
|
|
What does the CNSS issue?
|
Policies, directives instructions and advisory memorandums related to National Security Systems (NSS)
|
|
|
What was the CNSS created from?
|
National Security Telecommunications and Information Systems Security Committee (NSTISSC), and National Computer Security Committee (NCSC)
|
|
|
FISMA is What type of requirement?
|
Statutory (Public Law)
|
|
|
Who has oversight over E-Government?
|
OMB
|
|
|
What are the 4 phases of the old NIST 800-37 process?
|
Initiation, Certification, Accreditation, Continuous Monitoring
|
|
|
What policy directed the DITSCAP program?
|
DoDI 5200.40
|
|
|
What were the 4 phases of DITSCAP?
|
Definition, Verification, Validation, Post-accreditation
|
|
|
What was the deliverable from the DITSCAP?
|
System Security Authorization Agreement (SSAA)
|
|
|
What was the DITSCAP Application Manual?
|
DoDM 8510.1-M
|
|
|
What process mirrors the DITSCAP?
|
NIACAP
|
|
|
What process was the NIACAP copied from?
|
DITSCAP
|
|
|
What policy directed the National Information Assurance Certification and Accreditation Process (NIACAP)?
|
NSTISSI No. 1000, April 2000
|
|
|
What policy defines a National Security System?
|
NIST SP800-59
|
|
|
What is a National Security System (NSS)?
|
Involves Intelligence activities, Involves Cryptologic activities related to national security, Involves command and control of military forces, Involves equipment that is an integral part of a weapon or weapons system, Is critical to the direct fulfillment of military or intelligence missions.
|
|
|
What is the guidance for the NIST C&A process?
|
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
|
|
|
Which C&A process will be replaced by the 2008 revision of SP 800-37?
|
All other C&A processes.
|
|
|
What is the policy directing DIACAP?
|
DoDI 8510.01, 28 Nov 2007
|
|
|
What are the 5 phases of DIACAP?
|
Initiation and Planning, Implement and Validate Assign IA Controls, Make Certification Determination and Accreditation Decision, Maintain Authorization to Operate and Conduct Reviews, Decommission
|
|
|
What are the deliverables from the DIACAP?
|
SIP, DIP and Scorecard
|
|
|
What are the deliverables from the 2004 NIST 800-37 C&A process?
|
SSP and SAR
|
|
|
What are the 6 phases of the new 2008 NIST SP 800-37 C&A process?
|
Categorize, Select, Implement, Assess, Authorize, Monitor
|
|
|
What are the deliverables of the 2008 NIST C&A process?
|
SSP, POA&M, SAR
|
|
|
Who is the program Manager, according to NSTISSI 4009?
|
The PM represents the interests of the AIS, and is responsible for the AIS throughout its lifecycle; ensures the security requirements are integrated in order to achieve an acceptable level of risk as documented in the SSAA, and keeps all participants informed of AIS lifecycle actions, security requirements and user needs.
|
|
|
Who is the DAA, according to NSTISSI 4009?
|
The primary government official responsible for implementing system security. An executive with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk, and to balance the needs of the system with the security risks.
|
|
|
Who is the User Representative, according to NSTISSI 4009?
|
Official with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk.
|
|
|
Who is the Information System Security Officer (ISSO), according to NSTISSI 4009?
|
Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.
|
|
|
What is the System Security Authorization Agreement (SSAA), according to DoDI 5200.40?
|
A description of the system mission, target environment, target architecture, security requirements, and applicable data access policies. It also describes the applicable set of planning and certification actions, resources, and documentation required to support the certification and accreditation. It is the vehicle that guides the implementation of INFOSEC requirements and the resulting certification and accreditation actions.
|
|
|
DITSCAP Phase 1 - Definition; What are the main tasks?
|
Define system functions, requirements and interfaces; Define information category and classification; Prepare the system architecture description; Identify principle C&A roles and responsibilities; Define C&A level of effort; Draft SSAA; Agree on method for implementing security requirements.
|
|
|
DITSCAP Phase 2 - Verification; What are the main tasks?
|
System architecture analysis; Software design analysis; Network connection rule compliance; Integrity analysis of integrated products; Life cycle management analysis; Security requirements validation procedures; Vulnerability evaluation; Refine/modify SSAA
|
|
|
DITSCAP Phase 3 - Validation; What are the main tasks?
|
ST&E; Pen-testing; COMSEC compliance; Systems Management analysis; Contingency Plan Evaluation; Site accreditation survey; Risk management review; Develop Certification Report and Recommendation for Accreditation; Ends with Accreditation decision from DAA.
|
|
|
DITSCAP Phase 4 - Post-accreditation; What are the main tasks?
|
Review configuration & security management; Conduct risk management review; Conduct compliance validation if needed; Maintain SSAA
|
|
|
What are the 4 levels of NIACAP certification?
|
Level 1 - Basic security review; Level 2 - Minimum analysis; Level 3 - Detailed analysis; Level 4 - Comprehensive analysis
|
|
|
What is the definition of the GiG?
|
Globally connected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information for all.
|
|
|
What systems do not all under DIACAP?
|
Sensitive Compartmented Information (SCI), Special Access Program (SAP) information, Nuclear Command and Control Extremely Sensitive Information (NC2-ESI)
|
|
|
What are the Roles under DIACAP?
|
PAA, PAA Rep, DAA, Heads of DoD Components, CIO, SIAO, CA, PEO, PM\SO, IAM, IAO, UR
|
|
|
What is the Role of the PAA?
|
The senior official representing the interests of a GiG Mission Area regarding C&A>
|
|
|
What is the Role of the PAA Rep?
|
Appointed by the PAA, serves as a member of the DISN/GiG Flag Panel.
|
|
|
What is the Role of the Heads of DoD Components?
|
Ensures DoD Iss under their purview comply with the DIACAP; only operate accredited ISs.
|
|
|
What is the Role of the DAA?
|
The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
|
|
|
What is the Role of the Chief Information Officer (CIO)?
|
Appoints the DoD Component SIAO; Establishes and manages an IT Security POA&M program
|
|
|
What is the Role of the Senior IA Officer (SIAO)?
|
Establishes and enforces the DoD Component IA program's C&A process. The single IA coordinator for joint or Defense-wide programs that are deploying ISs to DoD Component enclaves.
|
|
|
What is the Role of the Program Manager, System Manager, and Program Executive Officer (PM, SM, PEO)
|
Implements the DIACAP for assigned DoD ISs Plans and budgets for IA controls implementation, validation, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management. Ensures that each assigned DoD IS has a designated IA Manager (IAMK) with the support, authority, and resources to satisfy their responsibilities (more responsibilities on pages 379\380)
|
|
|
What is the Role of the User Representative (UR)?
|
Represents the operational interests of the user community in the DIACAP. Supports the IA controls assignment and validation process to ensure user community needs are met.
|
|
|
Who constitutes the Certification Team?
|
Certifying Authority, CA Representative/Analyst, Validator
|
|
|
What is the Role of the Certifying Authority (CA)?
|
The senior official having authority and responsibility for the certification of information systems governed by a DoD Component IA program; Makes the certification recommendation to the DAA (Can be the SIAO)
|
|
|
What is the Role of the CA Rep/Analyst?
|
Delegated the responsibility of reviewing and assessing the DIACAP package for compliance and risk.
|
|
|
What is the Role of the Validator?
|
Individual responsible for conducting a validation procedure.
|
|
|
What is the Role of the Information Systems Security Engineer (ISSE)?
|
Works with system architects, engineers, and developers to ensure that IA controls are designed and implemented into a system throughout the development process.
|
|
|
What is the Role of the Information Assurance Manager (IAM)?
|
Support the PM or SM in implementing DIACAP; Advise And inform the DoD Component IA program's information and process requirements. (Plus more roles on Page 384)
|
|
|
What is the Role of the Information Assurance Officer (IAO)?
|
An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization.
|
|
|
What makes a Valid IA control?
|
The objective condition must be testable, compliance must be measurable, and activities required to achieve the IA Control are assignable and thus accountable.
|
|
|
Controls are assigned according to?
|
MAC and CL
|
|
|
What are the Security Controls Areas?
|
Security Design and Configuration (DC); Identification and Authentication (IA); Enclave and Computing Environment (EC); Boundary Defense (EB); Physical and Environmental (PE); Personnel (PR); Continuity (CO); and Vulnerability and Incident Management (VI)
|
|
|
What control area does the digraph DC represent?
|
Security Design and Configuration.
|
|
|
What control area does the digraph IA represent?
|
Identification and Authentication
|
|
|
What control area does the digraph EC represent?
|
Enclave and Computing Environment
|
|
|
What control area does the digraph EB represent?
|
Boundary Defense
|
|
|
What control area does the digraph PE represent?
|
Physical and Environmental
|
|
|
What control area does the digraph PR represent?
|
Personnel
|
|
|
What control area does the digraph CO represent?
|
Continuity
|
|
|
What control area does the digraph VI represent?
|
Vulnerability and Incident Management
|
|
|
What are the 3 parts of the IA Control designation?
|
Subject area digraph, Control name digraph, Control level
|
|
|
MAC level corresponds to the level of protection for what attributes?
|
Availability and Integrity
|
|
|
CL level corresponds to the level of protection for what attribute?
|
Confidentiality
|
|
|
Where are the IA Control sets found?
|
DoDI 8500.2 and the DIACAP Knowledge Service
|
|
|
How do the levels of robustness correlate to the MAC levels?
|
Inverse - MAC I = High or robustness 3, MAC II = Medium or robustness 2, MAC III = Basic or robustness 1
|
|
|
Management, operational, and technical controls employed in lieu of recommended controls that provides equivalent or comparable protection for an information system are called what?
|
Compensating controls
|
|
|
What does the CAT severity code indicate?
|
Risk level associated with non-compliance, and Urgency with which corrective action must be completed.
|
|
|
Who assigns the CAT code?
|
The CA
|
|
|
When is the CAT code assigned?
|
During certification analysis
|
|
|
What is a CAT I rating on a MAC III system classified as?
|
Unclassified - trick question, MAC I and II systems are classified Confidential as a minimum
|
|
|
Who can approve a system to operate with an Open CAT I weakness?
|
Component CIO - only an IATO.
|
|
|
Who can approve a system to operate with an Open CAT II weakness?
|
DAA - can issue ATO if deficiency can be mitigated within 180 days.
|
|
|
What documents are required for the comprehensive DIACAP package?
|
SIP, DIP, Artifacts, Scorecard, POA&M.
|
|
|
What documents are required for the executive package?
|
SIP, Scorecard, POA&M
|
|
|
What is the DoD official site for DIACAP policy and implementation guidelines?
|
DIACAP Knowledge Service (KS)
|
|
|
What is the EITDR?
|
Enterprise Information Technology Data Repository - the Air Force system of record
|
|
|
What provides the guidance needed to development, integration, and updating of secure applications?
|
DISA STIGS
|
|
|
What are the DISA STIG Families?
|
Infrastructure, Operating System, Database, Web and Application Services, Desktop Application.
|
