Agency C&A Process Stakeholder Quarterly Training Presented by _______________ Date.

Date post: 15-Dec-2015

Transcript
Page 1

Agency C&A Process Stakeholder Quarterly Training

Presented by _______________

Date

Page 2

Logistics

• Participants will receive three (3) hours of credit for this training.

• Please email ____________ and indicate in the subject line of the email “C&A Stakeholder Training” so you can receive credit.

Page 3

Agency C&A Process - Stakeholder Training: Table of Contents

• What is C&A and Why Bother with It?

• NIST-Compliant C&A Process & Risk Management Framework

• C&A Approach in Seven Phases

• Agency Environment

• Background

• Key Stakeholders

• C&A Team Roles and Responsibilities

• WinZip Procedures

• C&A Process Timeline & ELC Milestone Guidance

• Stakeholders C&A Working/Validation Agenda

• Boundary/Scope Meeting

• Working Sessions

• NIST SP 800-53 Controls

• Validation Sessions

• Security Test & Evaluation (ST&E)

• Test Training & Exercise (TT&E)

• Security Assessment Report (SAR)

• Risk Overview and Stakeholder Outbrief Sessions

• Critical Success Factors

Page 4

Agency C&A Process - Stakeholder Training: Certification & Accreditation (C&A)

• What is Certification and Accreditation?

Certification is the “comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” (FIPS 200)

Accreditation is “the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.” (FIPS 200)

Page 5

Agency C&A Process - Stakeholder Training: Certification & Accreditation (C&A) (continued)

Why bother with Certification and Accreditation?

• It’s the LAW: Title III of Public Law 107-347, commonly known as the Federal Information Security Management Act (FISMA) of 2002, mandates “assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information and information systems”

Federal Information Processing Standards Publication (FIPS) 199 mandates Standards for Security Categorization of Federal Information and Information Systems

FIPS 200 mandates Minimum Security Requirements for Federal Information and Information Systems

• Systematic way to identify risks which should be mitigated or resolved

• To proactively protect the Agency from attacks and threats!!!

Page 6

Agency C&A Process - Stakeholder Training: The Agency NIST-Compliant C&A Process

• The Agency has established a standardized Certification & Accreditation Process

The process is aligned with guidance provided by the National Institute of Standards and Technology (NIST) and OMB

It has been fully vetted by the business units through the business unit security PMOs

It is robust and comprehensive

It is a risk-based approach

The process is solid and defensible, produces documentation, and includes comprehensive testing and reporting

Page 7

Agency C&A Process - Stakeholder Training: The Agency C&A Process follows the NIST Risk Management Framework

• Security Categorization (FIPS 199 / SP 800-60): Defines the category of the information system according to the potential impact of loss

• Security Control Selection (SP 800-53 / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system

• Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements

• Security Control Documentation (SP 800-18): In the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place

• Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists

• Security Control Assessment (SP 800-53A / SP 800-37): Determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements

• System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing

• Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Page 8

Agency C&A Process - Stakeholder Training: The Agency C&A Approach Consists of 7 Phases

Phase 1: Preparation

Phase 2: Draft SSP, PIA, ITCP Documents

Phase 3: Finalize SSP, PIA, ITCP Documents

Phase 4: Develop ST&E Plan

Phase 5: Execute ST&E Plan

Phase 6: Assess Risk and Finalize C&A Package

Phase 7: Maintenance and Monitoring

Page 9

Agency C&A Process - Stakeholder Training : Agency Environment

Definitions Associated with Agency Information Systems

• General Support System (GSS) – infrastructure the application resides on

An interconnected set of information resources under the same direct management control that shares common functionality, which normally includes hardware, software, information, data, components, communications, and people

• Application (General)

“A self-contained program that performs a well-defined set of tasks under user control, as opposed to a system program”

“An application program (sometimes shortened to application) is any program designed to perform a specific function directly for the user or, in some cases, for another application program”

Applications process data

• Application types

Major Application – An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application

Note: All federal applications require some level of protection; certain applications, because of the information in them, however, require special management oversight and should be treated as major applications; adequate security for other applications should be provided by security of the systems in which they operate

Minor Application – An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application

Page 10

Agency C&A Process - Stakeholder Training : Agency Environment

Security Categorization Definitions (potential impact):

• Low – the loss of confidentiality, integrity, or availability could be expected to have a LIMITED adverse effect on organizational operations, organizational assets, or individuals

• Moderate – the loss of confidentiality, integrity, or availability could be expected to have a SERIOUS adverse effect on organizational operations, organizational assets, or individuals

• High – the loss of confidentiality, integrity, or availability could be expected to have a SEVERE or CATASTROPHIC adverse effect on organizational operations, organizational assets, or individuals

Page 11

Agency C&A Process - Stakeholder Training : Agency Environment

Security Controls provide:

Protection of Information Systems that support operations and assets of the organization to ensure the organization can:

– Accomplish its assigned mission

– Protect its assets and PII data

– Fulfill legal responsibilities

– Maintain day-to-day operations

– Protect individuals

They provide safeguards for people, systems, and applications throughout the organization

NIST SP 800-60 and FIPS 199 mandate agencies to define the category of information systems according to potential risk impact level

Page 12

NIST SP 800-53 Controls : Agency Environment

• Security controls are an integral part of Agency applications, components, systems, and environment

• Organizational and Physical/Environmental and Media Protection controls support the foundation provided by Agency policies and procedures

• GSS/BU controls apply to applications and systems

• Application controls are specific to each application

Security Framework for Agency Applications, Systems, & Organization:

Application – System Integrity; Access Controls; Database Controls; Auditing of Application Users; Transactions

GSS/BU – Access Controls to OS; Remote Access; Database Controls; Backup and Recovery; Auditing of GSS Users

Organizational and PE/MP Controls – Security Policies; Personnel Security; Physical and Environmental; Security Training and Awareness (portions); Incident Response (portions); Media Protection

Page 13

Agency C&A Process - Stakeholder Training : Background

The C&A Process is led by the C&A Team. The C&A Team is divided into two sub-teams: a documentation team and an ST&E team. The documentation team performs the following:

• MS Project is used to plan, monitor, and track the performance of the C&A process. A project plan is built based on the C&A timeline for each application and system. The schedule and timeline have recently been updated to reflect lessons learned from the C&A process conducted on prior applications and systems

• All applications/systems going through the C&A process will have their own MS Project schedule

Standard process takes 126 business days for applications (Draft-Proposal)

Process takes 140 business days for systems (Draft-Proposal)

• Schedules may vary slightly due to the following:

Categorization or complexity of the application/GSS

Prior or partial C&A’s performed, including changes made to the application

Specific requests made by the Business Owner

• Comprehensive analysis of existing and developmental security controls and application/system components

• Develop and conduct an exercise of the Information Technology Contingency Plan (ITCP) through team collaboration

• Facilitation of testing, training, and exercises of equipment, systems, and applications to ensure Agency personnel understand the IT regulations and procedures

Page 14

Agency C&A Process - Stakeholder Training : Key Stakeholders

Key Application/System Stakeholders

Agency essential staff that represent applications/systems:

• Security Engineering POC - Responsible for application/system security; reports to the Business Unit (BU)

• Application/System POC - Represents the application/system as primary POC for the Designated Approving Authority (DAA)

• Security PMO - Oversees the application/system for the DAA

• Developer - Develops and provides ongoing support for the application/system

• Database Administrator (DBA) - Performs maintenance and administration of the database

• System Administrator (SA) - Administers and maintains the system on an ongoing basis

• Functional Tester/Non-Functional Tester - Manages the application/system test(s)

• Configuration Management POC - Possesses extensive knowledge of the application/system for configuration management

• Business Unit Security PMO - Guides and oversees application/system security for the DAA

Page 15

Agency C&A Process - Stakeholder Training: C&A Team Roles & Responsibilities

C&A Documentation Program Manager:

Manages the application throughout the entire process

Provides guidance and authority on application/system decisions

C&A Documentation Team Lead:

Serves as primary liaison between the application/system team and internal C&A Documentation personnel and third party support personnel (contractor)

Leads scoping sessions, working sessions, and security categorization

Sends out meeting minutes (recaps)

Coordinates development and release of deliverables

Provides updates to the master schedule

Schedules ST&E Plan collaboration meetings

SSP POC: Develops SSP, ST&E Plan, SAR, e-Authentication RA

PIA POC: Conducts and develops PIA, Appendix of SSP

E-authentication POC: Conducts and develops e-AUTH RA, Appendix of SSP

Page 16

Agency C&A Process - Stakeholder Training: C&A Team Roles & Responsibilities (continued)

ITCP, BIA, and TT&E Lead:

Develops and writes ITCP and BIA

Gathers data through application/system personnel interviews, demonstrations, and discussion and acquisition of IT process/procedure information including all aspects of application/system failure, recovery, and reconstitution

Facilitates ITCP training and tabletop exercise with Agency essential personnel

Documents results in an after action report (AAR) and works with team to ensure information gathered and lessons learned from exercise are implemented

Test Team: Leads and supports application/system ST&E; attends TT&E as an observer

Certification Program Office (CPO): Provides program leadership; provides C&A process oversight; provides scheduling and logistics support; performs Stakeholder, Certifier and DAA out briefs; primary lead for all C&A activities

Page 17

Agency C&A Process - Stakeholder Training: WinZip Procedures

Transmission of Data – WinZip 9.0

Issue: Due to the sensitivity of the data, information such as IP addresses, network diagrams, etc., should not be sent directly between the Agency network and the C&A Documentation team’s network.

Solution: WinZip 9.0 has been approved by the client as a secure way to encrypt attachments. Ensure that the BU POC has WinZip 9.0, since both sending and receiving ends must use this version to encrypt and decrypt attachments.

Sending Information: All emailed information should go through the BU POC. The BU POC will ensure that all information is encrypted and sent securely to the client inside the Agency network. (See next slides for how-to instructions.)

Receiving Information: All emailed information should go through the BU POC. The BU POC will ensure that all information is encrypted and sent securely to the team outside of the Agency network. (See next slides for how-to instructions.)

Page 18

Agency C&A Process - Stakeholder Training: WinZip Procedures

Encrypting WinZip 9.0:

How to encrypt using WinZip 9.0:

• Zip file(s)

• When the zip prompt appears, select “Encrypt added files”

• Use the 256-bit AES Encryption option when encrypting

• Input password (note: use standard team password)

• Once files are successfully zipped and encrypted, change the file extension from “.zip” to “.change”. If the .zip extension remains, the firewall will often strip the attachment for various reasons

• Ensure when sending the email that “recompress file” is unchecked; option is located in the lower left corner when attaching files in Microsoft Outlook

Page 19

Agency C&A Process - Stakeholder Training: WinZip Procedures

Decrypting WinZip 9.0:

How to decrypt using WinZip 9.0:

• Instructions to open the attachment are as follows:

1) Ensure the WinZip version is 9.0

2) Save file (e.g., to My Documents)

3) Change extension to '.zip'

4) Open zip file

5) Insert password

6) Open document contained in zip file

Page 20

Agency C&A Process - Stakeholder Training: Process Timeline

The C&A Process performed on applications and systems is divisible into phases and deliverables. Application and system deliverables are broken down further into concrete activities and tasks in the Microsoft Project schedule.

Page 21

Agency C&A Process - Stakeholder Training: C&A ELC Milestone Requirements

• The C&A Customer Liaison Team (CLT) (within the Agency’s Security Organization) provides formal guidance and stakeholder education related to the Certification & Accreditation deliverables by Enterprise Lifecycle (ELC) Milestones (MS)

• Below is a list of Certification & Accreditation (C&A) deliverables as required by the Agency’s Security Organization. These deliverables build beginning in Milestone 1. A presentation describing deliverables by Milestone is available from the CLT.

– Boundary/Scope Memo (BSM)

– System Security Plan (SSP)

– Privacy Impact Statement (PIA)

– Information Tech Contingency Plan (ITCP)

– Security Test & Evaluation Plan (ST&E)

– Security Risk Assessment (SRA) (IT Security Engineering will produce)

– Interconnection Security Agreement (ISA)

– Security Assessment Report (SAR) – produced after the completion of the ST&E

Page 22

Agency C&A Process - Stakeholder Training: Boundary/Scope Meeting

Boundary/Scope: Table of Contents

• Overview

• Conduct Boundary/Scope Meeting

Page 23

Agency C&A Process - Stakeholder Training: Boundary/Scope: Overview

• Purpose

The purpose of the Boundary/Scope Meeting is to establish the scope of the application/system’s C&A review, confirm execution logistics, discuss the system’s functionality and purpose, and identify all Stakeholders and C&A Team members.

• Participants

C&A Team:

– PM and/or Team Lead (Documentation, Tester, Privacy & Engineering)

– SSP/ITCP/PIA Points of Contact (POCs)

Stakeholders:

– Business Unit Representatives

– Application POC

– Developers

– System Administrators

– DAA POC and/or BU POC

• Scheduling

One hour is typically dedicated to the Boundary/Scope Meeting

Page 24

Agency C&A Process - Stakeholder Training: Boundary/Scope: Conduct Boundary/Scope Meeting

The following activities will occur at the Boundary/Scope Meeting:

• Identify Participants

• Discuss purpose of the meeting

• Walk through the BSM:

– Validate Application name, Business Unit (BU), and BU and DAA POCs

– Determine production and development environments and the location of the system’s developers

– Discuss the appropriate location to conduct the working session

– Review proposed C&A milestones and deliverables, determine black out dates, and establish if there is a hard deadline for completing the C&A

– Verify and collect additional system information (i.e. system description, modules, and components)

– Identify or confirm changes to the system

– Identify all supporting General Support Systems (GSSs)

– Discuss the system’s scope and security categorization

– Review POCs to obtain additional information

– Identify any black out dates

– Identify production deployment date & when the system will be available for testing

– Walk through the working/validation agenda to identify folks to attend

Page 25

Agency C&A Process - Stakeholder Training: Boundary/Scope: Conduct Boundary/Scope Meeting

The following activities will take place at the Boundary/Scope Meeting (continued):

• Walk through the Working/Validation Agenda and obtain updates to the POCs who should attend each of the sessions

• Discuss Document Request List

Ensure stakeholders send the C&A Team all existing system documentation to prepare for the working session. Examples of typical documents existing for the system/application:

– System Security Plan (SSP)

– Information Technology Contingency Plan (ITCP)

– Technical Contingency Planning Document (TCPD)

– Risk Assessment

– Installation Guides

– User Manuals

– Design Documents

– Approved Deviation Requests

• Discuss Document Tracker

The document tracker will be used to record all documentation that has been received by the C&A Team

• Discuss use of the e-mail naming convention (“C&A Initiative: Business Unit-Application Name”) and the use of WinZip for encrypting documents before sending via email

Page 26

Agency C&A Process - Stakeholder Training: Working Sessions

Working Sessions: Table of Contents

• Overview

• Pre-Working Session Preparation

• Security Categorization

• Conduct SSP Working Sessions

Day 1, Kickoff Meeting, Demo

Remaining Days

After Each Day

• ITCP Working Sessions

• PIA Working Sessions

• Post-Working Sessions

Page 27

Agency C&A Process - Stakeholder Training: Working Session Overview

• Purpose

Gather information to develop/update the System Security Plan (SSP), IT Contingency Plan (ITCP), and Privacy Impact Assessment (PIA)

Additional attention to AC-17 and MA-4 to ensure that any access by vendors, contractors, etc. (such as call back, call home, etc.) is documented

• Key Participants

C&A Team:

– Documentation Team Lead (including leads for SSP, ITCP, PIA, Engineering)

– ST&E Team

Stakeholders:

– System POC(s)

– Developers

– System Administrators

– Business Unit POC

• Scheduling

Dates determined by Boundary/Scope Meeting

Typical duration of a Working Session is 3 to 5 days depending on complexity for Applications; 10 days for a GSS

Page 28

Agency C&A Process - Stakeholder Training: Pre-Working Sessions Preparations

The following activities need to take place before the Working Sessions:

• Work with System POC(s) to finalize Working Session agenda, distribute to C&A Team and Stakeholders, and send calendar invitations

Kickoff meeting

Demo

SSP data gathering

ITCP information gathering

• Coordinate with C&A Team members and system POCs

• If traveling to a site:

Coordinate visitor request, laptop information, clearances, etc.

Work with System POC(s) to reserve a conference room

• Review existing documentation and pre-populate the document templates

• Distribute documents to C&A Team and Stakeholders

Pre-populated documents v0.1

PDF of C&A Schedule

Page 29

Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda

Agenda Day 1

8:00am Documentation Team Arrives

9:00am Meeting Kick Off: Introductions; GSS/APPs Boundary Scopes; Finalize agenda/schedules; Conduct C&A Process Sessions

C&A Process Session Item | Attendees (Role of folks to participate) | Comments
General Description/Purpose of Application; Application Points of Contact (owner, designated contacts, security personnel); Security Categorization | BU; SD/DBA/SA – Limited Role (Intro) |
Application Demo/Walkthrough | BU, SD |
System Environment; Network Infrastructure; Network/System Diagrams; Input-Output Diagrams (Data Flow); Hardware/Software Inventory; System Interconnection (MOUs & ISAs); Information Sharing; Continuous Monitoring | BU, SA, SA, DBA |
Risk Assessment and Management; Rules of Behavior; Review of Security Controls | BU |
Privacy Considerations (Privacy Impact Assessment update and Identification of system information type); Disclosure Considerations | BU |
Physical Security Controls; Monitoring physical access; Visitor controls; Environmental Security Controls | | Only appropriate if the GSS and/or application is located at a non-Agency site

Page 30

Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)

Agenda Day 2

Conduct C&A process as scheduled below (Business Unit – BU; System Developer – SD; System Administrator – SA; Database Administrator – DBA):

C&A Process Session Item | Attendees (Role of folks to participate) | Comments
Input Controls; Media Sanitization/Disposal; User Support; System Monitoring; Virus Detection; Incident Response Capability; Incident handling/monitoring/reporting; Incident Testing; Software Policy | BU, SD, SA |
Maintenance and Repair; Maintenance Procedures; Remote Maintenance; Maintenance Personnel; Configuration Management; Baseline Configuration; Configuration Change Control; Monitoring Configuration Changes; Security in the System Development Life Cycle | BU, SD, SA, DBA |
Security Awareness and Training; Security Training and Awareness Procedures; Security Training Records; Personnel Security; Position Categorization; Personnel Termination/Transfer; Access Agreements; Third-Party Personnel Security | BU |

Page 31

Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)

Agenda Day 2 (continued)

C&A Process Session Item | Attendees (Role of folks to participate) | Comments
Separation of duties; Least Privilege; Documentation; Data Integrity/Validation; Flaw Remediation; Malicious Code Protection | BU, SD, SA, DBA (limited) |

Page 32

Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)

Agenda Day 3

Conduct C&A process as scheduled below (Business Unit – BU; System Developer – SD; System Administrator – SA; Database Administrator – DBA):

C&A Process Session Item | Attendees (Role of folks to participate) | Comments
Technical Controls: Identification and Authentication (Access Controls); Encryption Methodology; Account Management; Unsuccessful Login Attempts; Session lock/termination; System use Notification; Supervision and review of access controls; Remote access; Wireless or mobile access controls; Audit Trails; Auditable events; Audit storage capacity; Audit processing; Audit monitoring, analysis and reporting; Audit retention/protection/timestamp | BU, SD, SA, DBA |
IT Contingency Plan; Business Impact Analysis | BU (System Owner if possible), SD, SA, DBA |
IT Contingency Plan: Backups; Off Site Storage; Recovery Strategies; Alternative Storage sites; Alternative processing sites; Documentation Distribution | BU, SD, SA, DBA |

Page 33

Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)

Agenda Day 3 (continued)

C&A Process Session Item | Attendees (Role of folks to participate) | Comments
IT Contingency Plan: Key Personnel Notification List; Vendor Information; Communication/Telecom Strategy; Telecommunication Procedures; Training; Contingency Plan Testing | BU, SD, SA, DBA |
Follow-up on outstanding items | |

Page 34

Agency C&A Process - Stakeholder Training: Working Session Security Categorization

• Security Categorization is the foundational step to determining the level of effort required for a C&A

• Security Categorization is performed early in the process (usually before the C&A kicks off)

• Security Categorization is based on the information types processed, stored or transmitted by the system/application according to FIPS 199 and NIST SP 800-60

Page 35

Agency C&A Process - Stakeholder Training: NIST SP 800-53 Controls

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

CNTL NO. | CONTROL NAME | LOW | MODERATE | HIGH
ACCESS CONTROL | | | |
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1)(2)(3)(4) | AC-2 (1)(2)(3)(4)
AC-3 | Access Enforcement | AC-3 | AC-3 (1) | AC-3 (1)
AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5
AC-6 | Least Privilege | Not Selected | AC-6 | AC-6
AC-7 | Unsuccessful Login Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon Notification | Not Selected | Not Selected | Not Selected
AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11 | AC-11
AC-12 | Session Termination | Not Selected | AC-12 | AC-12 (1)
AC-13 | Supervision and Review - Access Control | AC-13 | AC-13 (1) | AC-13 (1)
AC-14 | Permitted Actions without ID or Authentication | AC-14 | AC-14 (1) | AC-14 (1)
AC-15 | Automated Marking | Not Selected | Not Selected | AC-15
AC-16 | Automated Labeling | Not Selected | Not Selected | Not Selected
AC-17 | Remote Access | AC-17 | AC-17 (1)(2)(3)(4) | AC-17 (1)(2)(3)(4)
AC-18 | Wireless Access Restrictions | AC-18 | AC-18 (1) | AC-18 (1)(2)
AC-19 | Access Control for Portable and Mobile Systems | Not Selected | AC-19 (1) | AC-19 (1)
AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) | AC-20 (1)(2)


Page 36

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| AWARENESS AND TRAINING | | | | |
| AT-1 | Security Awareness and Training Policy & Procedures | AT-1 | AT-1 | AT-1 |
| AT-2 | Security Awareness | AT-2 | AT-2 | AT-2 |
| AT-3 | Security Training | AT-3 | AT-3 | AT-3 |
| AT-4 | Security Training Records | AT-4 | AT-4 | AT-4 |
| AT-5 | Contracts with Security Groups and Associations | Not Selected | Not Selected | Not Selected |
| AUDIT AND ACCOUNTABILITY | | | | |
| AU-1 | Audit and Accountability Policy & Procedures | AU-1 | AU-1 | AU-1 |
| AU-2 | Auditable Events | AU-2 | AU-2(3) | AU-2(1)(2)(3) |
| AU-3 | Content of Audit Records | AU-3 | AU-3(1) | AU-3(1)(2) |
| AU-4 | Audit Storage Capacity | AU-4 | AU-4 | AU-4 |
| AU-5 | Response to Audit Processing Failures | AU-5 | AU-5 | AU-5(1)(2) |
| AU-6 | Audit Monitoring, Analysis, and Reporting | Not Selected | AU-6(2) | AU-6(1)(2) |
| AU-7 | Audit Reduction and Report Generation | Not Selected | AU-7(1) | AU-7(1) |
| AU-8 | Time Stamps | AU-8 | AU-8(1) | AU-8(1) |
| AU-9 | Protection of Audit Information | AU-9 | AU-9 | AU-9 |
| AU-10 | Non-repudiation | Not Selected | Not Selected | Not Selected |
| AU-11 | Audit Record Retention | AU-11 | AU-11 | AU-11 |


Page 37

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| CERTIFICATION, ACCREDITATION, & SECURITY ASSESSMENTS | | | | |
| CA-1 | Certification, Accreditation, & Security Assessment Policies and Procedures | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | Not Selected | CA-2 | CA-2 |
| CA-3 | Information System Connections | CA-3 | CA-3 | CA-3 |
| CA-4 | Security Certification | CA-4 | CA-4(1) | CA-4(1) |
| CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Accreditation | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 | CA-7 | CA-7 |
| CONFIGURATION MANAGEMENT | | | | |
| CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration and System Component Inventory | CM-2 | CM-2(1) | CM-2(1)(2) |
| CM-3 | Configuration Change Control | Not Selected | CM-3 | CM-3(1) |
| CM-4 | Monitoring Configuration Changes | Not Selected | Not Selected | Not Selected |
| CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5(1) |
| CM-6 | Configuration Settings | CM-6 | CM-6 | CM-6(1) |
| CM-7 | Least Functionality | Not Selected | CM-7 | CM-7(1) |
| CM-8 | Information System Component Inventory | CM-8 | CM-8(1) | CM-8(1)(2) |


Page 38

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| CONTINGENCY PLANNING | | | | |
| CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | CP-2 | CP-2(1) | CP-2(1)(2)(3) |
| CP-3 | Contingency Training | Not Selected | CP-3 | CP-3(1) |
| CP-4 | Contingency Plan Testing | Not Selected | CP-4(1) | CP-4(1)(2) |
| CP-5 | Contingency Plan Update | CP-5 | CP-5 | CP-5 |
| CP-6 | Alternate Storage Sites | Not Selected | CP-6(1)(3) | CP-6(1)(2)(3) |
| CP-7 | Alternate Processing Sites | Not Selected | CP-7(1)(2)(3) | CP-7(1)(2)(3)(4) |
| CP-8 | Telecommunications Services | Not Selected | CP-8(1)(2) | CP-8(1)(2)(3)(4) |
| CP-9 | Information System Backup | CP-9 | CP-9(1)(4) | CP-9(1)(2)(3)(4) |
| CP-10 | Information System Recovery & Reconstitution | CP-10 | CP-10 | CP-10(1) |
| IDENTIFICATION AND AUTHENTICATION | | | | |
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1 |
| IA-2 | User Identification and Authentication | IA-2 | IA-2 | IA-2(1) |
| IA-3 | Device Identification and Authentication | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | IA-5 | IA-5 | IA-5 |
| IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authentication | IA-7 | IA-7 | IA-7 |


Page 39

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| INCIDENT RESPONSE | | | | |
| IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | Not Selected | IR-2 | IR-2(1) |
| IR-3 | Incident Response Testing | Not Selected | IR-3 | IR-3 |
| IR-4 | Incident Handling | IR-4 | IR-4(1) | IR-4(1) |
| IR-5 | Incident Monitoring | Not Selected | IR-5 | IR-5 |
| IR-6 | Incident Reporting | IR-6 | IR-6(1) | IR-6(1) |
| IR-7 | Incident Response Assistance | IR-7 | IR-7(1) | IR-7(1) |
| MAINTENANCE | | | | |
| MA-1 | System Maintenance | MA-1 | MA-1 | MA-1 |
| MA-2 | Periodic Maintenance | MA-2 | MA-2(1) | MA-2(1)(2) |
| MA-3 | Maintenance Tools | Not Selected | MA-3 | MA-3(1)(2)(3) |
| MA-4 | Remote Maintenance | MA-4 | MA-4 | MA-4(1)(2)(3)(4) |
| MA-5 | Maintenance Personnel | MA-5 | MA-5 | MA-5(1) |
| MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6 |


Page 40

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| MEDIA PROTECTION | | | | |
| MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | MP-2 | MP-2(1) | MP-2(1) |
| MP-3 | Media Labeling | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | Not Selected | MP-4(1) | MP-4(1) |
| MP-5 | Media Transport | Not Selected | MP-5(1) | MP-5(1)(2) |
| MP-6 | Media Sanitization and Disposal | MP-6 | MP-6 | MP-6(1)(2) |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | | | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorizations | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3(1) |
| PE-4 | Access Control for Transmission Medium | Not Selected | Not Selected | PE-4 |
| PE-5 | Access Control for Display Medium | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 | PE-6(1) | PE-6(1)(2) |
| PE-7 | Visitor Control | PE-7 | PE-7(1) | PE-7(1) |
| PE-8 | Access Records | PE-8 | PE-8 | PE-8(1)(2) |
| PE-9 | Power Equipment and Power Cabling | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | Not Selected | PE-10 | PE-10 |
| PE-11 | Emergency Power | Not Selected | PE-11 | PE-11(1) |
| PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12 |

P&E security controls are assessed annually and considered inherited unless the system is located at a contractor site.


Page 41

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| PHYSICAL AND ENVIRONMENTAL PROTECTION | | | | |
| PE-13 | Fire Protection | PE-13 | PE-13 | PE-13 |
| PE-14 | Temperature and Humidity | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 |
| PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17 |
| PE-18 | Location of Information System Components | PE-18 | PE-18 | PE-18 |
| PE-19 | Information Leakage | Not Selected | Not Selected | Not Selected |
| PLANNING | | | | |
| PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | PL-2 | PL-2 | PL-2 |
| PL-3 | System Security Plan Update | PL-3 | PL-3 | PL-3 |
| PL-4 | Rules of Behavior | PL-4 | PL-4 | PL-4 |
| PL-5 | Privacy Impact Assessment | PL-5 | PL-5 | PL-5 |
| PL-6 | Security-Related Activity Planning | PL-6 | PL-6 | PL-6 |


Page 42

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| PERSONNEL SECURITY | | | | |
| PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Categorization | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 |
| PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8 |


Page 43

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| RISK ASSESSMENT | | | | |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3 |
| RA-4 | Risk Assessment | RA-4 | RA-4 | RA-4 |
| RA-5 | Vulnerability Scanning | Not Selected | RA-5 | RA-5(1)(2) |
| SYSTEM AND SERVICES ACQUISITION | | | | |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2 |
| SA-3 | Life Cycle Support | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisitions | SA-4 | SA-4 | SA-4 |
| SA-5 | Information System Documentation | SA-5 | SA-5(1) | SA-5(1)(2) |
| SA-6 | Software Usage Restrictions | SA-6 | SA-6 | SA-6 |
| SA-7 | User Installed Software | SA-7 | SA-7 | SA-7 |
| SA-8 | Security Engineering Principles | Not Selected | SA-8 | SA-8 |
| SA-9 | Outsourced Information System Services | SA-9 | SA-9 | SA-9 |
| SA-10 | Developer Configuration Management | Not Selected | Not Selected | SA-10 |
| SA-11 | Developer Security Testing | Not Selected | SA-11 | SA-11 |


Page 44

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| SYSTEM AND COMMUNICATION PROTECTION | | | | |
| SC-1 | System and Communications Protection Policy | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3 |
| SC-4 | Information Remnants | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Priority | Not Selected | Not Selected | Not Selected |
| SC-7 | Boundary Protection | SC-7 | SC-7(1)(2)(3) | SC-7(1)(2)(3)(4) |
| SC-8 | Transmission Integrity | Not Selected | SC-8 | SC-8 |
| SC-9 | Transmission Confidentiality | Not Selected | SC-9 | SC-9 |
| SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10 |
| SC-11 | Trusted Path | Not Selected | Not Selected | Not Selected |
| SC-12 | Cryptographic Key Establishment and Mgmt. | Not Selected | SC-12 | SC-12 |
| SC-13 | Use of Validated Cryptography | SC-13 | SC-13 | SC-13 |
| SC-14 | Public Access Protections | SC-14 | SC-14 | SC-14 |
| SC-15 | Collaborative Computing | Not Selected | SC-15 | SC-15 |
| SC-16 | Transmission of Security Parameters | Not Selected | Not Selected | Not Selected |
| SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19 |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Not Selected | SC-20 | SC-20 |


Page 45

Agency C&A Process - Stakeholder Training: NIST 800-53 Controls (continued)

The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST 800-53:

| CNTL NO. | CONTROL NAME | LOW Baseline | MODERATE Baseline | HIGH Baseline |
|---|---|---|---|---|
| SYSTEM AND COMMUNICATION PROTECTION | | | | |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Not Selected | Not Selected | SC-21 |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Not Selected | SC-22 | SC-22 |
| SC-23 | Session Authenticity | Not Selected | SC-23 | SC-23(1) |
| SYSTEM AND INFORMATION INTEGRITY | | | | |
| SI-1 | System and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | SI-2 | SI-2(2) | SI-2(1)(2) |
| SI-3 | Malicious Code Protection | SI-3 | SI-3(1) | SI-3(1)(2) |
| SI-4 | Information System Monitoring Tools and Techniques | Not Selected | SI-4(4) | SI-4(2)(4)(5) |
| SI-5 | Security Alerts and Advisories | SI-5 | SI-5 | SI-5(1) |
| SI-6 | Security Functionality Verification | Not Selected | Not Selected | SI-6 |
| SI-7 | Software and Information Integrity | Not Selected | Not Selected | SI-7 |
| SI-8 | Spam Protection | Not Selected | SI-8 | SI-8(1) |
| SI-9 | Information Input Restrictions | Not Selected | SI-9 | SI-9 |
| SI-10 | Information Accuracy, Completeness, Validity, and Authenticity | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Output Handling and Retention | Not Selected | SI-12 | SI-12 |


Page 46

Working Session: Conduct SSP Working Sessions – First Day (Kickoff Meeting, Demo)

The following activities will take place during the Working Sessions:

• Introductions

• Explain C&A Process from start to finish and walk through the agenda and identify stakeholder roles that will need to participate

• Discuss NIST guidance, controls, etc.

• Explain common controls (GSS, Organizational, and PE Controls)

• Explain GSS-level controls

• Explain layout of SSP

Section 2, System Identification

Section 3, Management Controls

Section 4, Operational Controls

Section 5, Technical Controls

System/Network Diagram

Input/Output Diagram

MOUs/ISAs (inquiry regarding connectivity to Agency system from outside of the Agency environment such as call back for maintenance or remote management)

e-Authentication Questionnaire


Page 47

Working Session: Conduct SSP Working Sessions – First Day (Kickoff Meeting, Demo)

The following activities will take place during the Working Sessions:

• Gather information for Section 2 of SSP

System Name, Unique Identifier

System POCs

Operational Status

General Description/Purpose

System Environment

System Interconnections

• Demo/walk through of System

• Schedule during the Boundary Scoping Session


Page 48

Agency C&A Process - Stakeholder Training: Working Session: Conduct SSP Working Sessions

The following activities will take place during the Working Sessions (continued):

• Discuss remainder of SSP controls:

Management

Operational

Technical

• Discuss the impact of the following controls on the enterprise infrastructure/applications:

AC-17 (Remote Access) The organization authorizes, monitors, and controls all methods of remote access to the information system.

MA-4 (Remote Maintenance) The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.


Page 49

Agency C&A Process - Stakeholder Training: Working Session: ITCP

ITCP Working Sessions:

• Introductions

• Explain the different documentation (BIA, ITCP, TT&E)

• Explain the process for developing the ITCP

BIA including Recovery Time Objectives (RTO)

ITCP

TT&E

• Begin Data Gathering for BIA

Use ITCP/BIA Interview Guide

• Begin Data Gathering for ITCP

Continue with ITCP/BIA Interview Guide

• Post-ITCP Working Session

Let the System POCs know that you will follow up with an email listing any action items and requesting any information that has not yet been provided.


Page 50

Agency C&A Process - Stakeholder Training: Working Session: ITCP

The BIA is a fact-finding process that provides the foundation for the ITCP:

• A BIA is used to identify and prioritize the components of an application by linking them to the Agency business processes that they support

• A BIA is conducted during the initial phase of building an ITCP, and it is included as an appendix to the ITCP

• Interviews are conducted with key stakeholders to gather information about the application, including:

Determine what Agency-wide critical business processes (CBP) and administrative/infrastructure (A/I) processes the application supports

Determine the Recovery Time Objective (RTO), the maximum amount of time that may elapse before unavailability of the application causes an unacceptable impact on the Business Unit sub-processes, and the Recovery Point Objective (RPO), the point in time to which sub-process data must be recovered

Recovery priority and timeframe of recovery for application components (i.e., servers, files, etc.)

• This information is used to develop procedures and strategies for recovering the application, if disrupted


Page 51

Agency C&A Process - Stakeholder Training: Working Session: ITCP

An ITCP establishes procedures to recover and resume normal operations of an application following a disruption.

• A full activation of the ITCP includes three phases:

Notification/Activation

• Notify proper personnel

• Detect and assess damage

• Activate the plan

Recovery

• Identify and prioritize recovery activities

• Restore temporary IT operations

• Recover damage done to the original application

Reconstitution

• Resume application processing capabilities to normal operations

• Deactivate the plan


Page 52

Agency C&A Process - Stakeholder Training: Working Session: ITCP

The ITCP data gathering process:

• Interviews are conducted with key stakeholders to gather information about the application, including:

Key personnel and their roles/responsibilities

Threats to the application

Damage assessment procedures

Recovery procedures

Concurrent processing procedures

Off-site data storage details

Backup procedures

• This information is used to develop procedures and strategies for recovering and resuming normal operations of the application, if disrupted

• Data gathering for General Support Systems (GSS) may require separate sections for components and major systems


Page 53

Agency C&A Process - Stakeholder Training: Working Session: PIA

Privacy Impact Assessment (PIA) Purpose:

• PIAs are completed on information systems collecting personally identifiable information:

Examples: name, SSN, address, phone number, e-mail address, financial data and account numbers, biometric identifier, etc.

• PIAs ensure that:

The public is made aware of the information federal agencies collect about them

Any impact these systems have on personal privacy is adequately addressed

Only the necessary personal information is collected, nothing else

• Conducting PIAs will allow the Agency to identify which of its systems contain Information in Identifiable Form (IIF). For those systems containing IIF, the PIA will serve as a platform to:

Ensure that information handling conforms to applicable legal, regulatory, and policy requirements regarding privacy

Determine the risks and effects of collecting, maintaining, and disseminating IIF in an electronic information system

Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks[1]

[1] Taken from the definition of “PIA” in OMB Memorandum M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” September 26, 2003.


Page 54

Agency C&A Process - Stakeholder Training: Working Session: PIA

Privacy Impact Assessment (PIA) Purpose (continued):

• Additionally, conducting a PIA provides an opportunity to identify privacy risks associated with information systems. Formal PIAs provide a number of advantages over ad hoc evaluations. These advantages include:

Providing inputs (e.g., privacy risks) for required C&A reporting documents, to include: POA&M, SAR, SSP (Appendix)

Improving the understanding of a system’s overall potential privacy risks, exposures, and liabilities

Providing a reliable basis for decision making of policy and system design

Generating and improving public confidence, at the organizational level, by anticipating and addressing privacy concerns

• Privacy Deliverables include:

Final Privacy Impact Assessment Questionnaire

Privacy Memo (officially signed by the Director of the Agency Office of Privacy): states that all privacy risks were acceptable


Page 55

Agency C&A Process - Stakeholder Training: Working Session: Conduct Working Sessions – After Each Day

The following activities will take place after each day of the Working Sessions:

• Prepare and distribute recap

Attendees

Action Items

Information gathered by section and/or control

Documents received

For follow-up at the next working sessions

• Distribute soft copies of documents to entire team

• Update document tracker

Include CDs, hard copies, soft copies, screen captures, etc.


Page 56

Agency C&A Process - Stakeholder Training: Working Session: Post-Working Sessions

The following activities will take place after each day of the Working Sessions (continued):

• Inform team of next steps

One week for drafting SSP and ITCP

Validation Session following drafting of documents (including PIA Working Session)

• Confirm or change Validation Session

PIA Working Session

Send calendar invitation


Page 57

Agency C&A Process - Stakeholder Training: Validation Sessions

Validation Sessions: Table of Contents

• Overview

• Conduct Validation Session(s)

• Post-Validation Session(s)

• ITCP Validation Session(s)


Page 58

Agency C&A Process - Stakeholder Training: Validation Session Overview

• Purpose

To validate the information documented in the System Security Plan (SSP), IT Contingency Plan (ITCP), and Privacy Impact Assessment (PIA) for accuracy, completeness, and validity

• Participants

Stakeholders who were involved during the Working Sessions

C&A Team

• Duration

Typically 2 to 4 hours to validate the SSP

Typically 2 hours to validate the ITCP

Typically 1 hour for PIA Working Session

*Note: Refer to the GSS schedule template for Validation Session duration specifics.


Page 59

Agency C&A Process - Stakeholder Training: Conduct Validation Session(s)

The following activities will take place during the Validation Session(s):

• Review outstanding action items to ensure all issues have been addressed

• Walk-through SSP to verify information is correct


Page 60

Agency C&A Process - Stakeholder Training: ITCP Validation Session(s)

ITCP Validation Session(s):

• Address any questions, comments, and input the attendees have regarding the draft ITCP

• Discuss any of your previous questions that followed the ITCP working session that are still outstanding

• Walk through the BIA and ITCP to validate existing information within the plan

• Recap any information that is still needed; follow up with an e-mail covering the same information


Page 61

Agency C&A Process - Stakeholder Training: ITCP Validation Session(s)

The following activities will take place after the Validation Session(s):

• Prepare and distribute recap

Attendees

Action Items

Information gathered by section and/or control

Documents received

For follow-up at the next validation sessions

• Make updates as identified

Obtain an email from the DAA POC confirming that all information is complete and accurate before finalizing the documents and sending them to the C&A Team and Stakeholders

Distribute updated documents to C&A Team and Stakeholders


Page 62

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

Purpose of conducting an ST&E:

• The purpose of performing a Security Test and Evaluation (ST&E) is to evaluate the management, operational and technical controls of the application/system, determine the effectiveness of these controls in operation, and identify the vulnerabilities.

• An ST&E will provide important insight into the effectiveness of the security controls that are a part of each Agency application, system, or GSS.


Page 63

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

Security Categorization Impacts the Type of ST&E Conducted:

• The Application/System business owner identifies the information types processed, stored, or transmitted by the application/GSS to determine the impact levels for confidentiality, integrity, and availability of the application/GSS and then categorizes the application as Low, Moderate, or High.

• The type of ST&E that is conducted varies depending on the application or GSS’s security categorization.
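The categorization step described above, and on the Security Categorization slide earlier in this deck, follows the FIPS 199 "high water mark" rule: each information type gets an impact level for confidentiality, integrity and availability, the system takes the highest level per objective, and the overall categorization is the highest of the three. That overall level is then the column to read in the SP 800-53 baseline tables. The following Python is an added example, not code from the training deck or from the Agency; the information types and their impact levels are constructed sample values (not SP 800-60 entries), and `AC_BASELINE` carries a handful of rows copied from the Access Control table above.

```python
"""FIPS 199 high-water-mark categorization and SP 800-53 baseline lookup.

Added illustration; not part of the training deck. Sample information types
and their impact levels are constructed, not taken from NIST SP 800-60.
"""
from typing import Dict, List, Tuple

# Ordering used by the FIPS 199 high-water-mark rule. FIPS 199 allows "N/A"
# only for the confidentiality of information intended to be public.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample input: information type -> (C, I, A) provisional impact.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Public web content": ("N/A", "Moderate", "Low"),
    "Employee payroll records": ("Moderate", "Moderate", "Low"),
    "Help desk ticket data": ("Low", "Low", "Low"),
}

# Subset of the Access Control rows from the deck's baseline table:
# control number -> (name, LOW, MODERATE, HIGH).
AC_BASELINE: Dict[str, Tuple[str, str, str, str]] = {
    "AC-2": ("Account Management", "AC-2", "AC-2 (1)(2)(3)(4)", "AC-2 (1)(2)(3)(4)"),
    "AC-4": ("Information Flow Enforcement", "Not Selected", "AC-4", "AC-4"),
    "AC-6": ("Least Privilege", "Not Selected", "AC-6", "AC-6"),
    "AC-10": ("Concurrent Session Control", "Not Selected", "Not Selected", "AC-10"),
    "AC-17": ("Remote Access", "AC-17", "AC-17(1)(2)(3)(4)", "AC-17(1)(2)(3)(4)"),
}


def high_water_mark(levels: List[str]) -> str:
    """Return the highest impact level in `levels` (FIPS 199 high water mark)."""
    unknown = set(levels) - IMPACT_RANK.keys()
    if unknown:
        raise ValueError(f"unknown impact level(s): {sorted(unknown)}")
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Derive per-objective levels and the overall system categorization.

    Applies the high water mark across all information types for each of
    C, I and A, then across the three objectives for the overall level.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    result: Dict[str, str] = {}
    for index, objective in enumerate(OBJECTIVES):
        levels = [cia[index] for cia in info_types.values()]
        if objective != "confidentiality" and "N/A" in levels:
            raise ValueError(f"N/A is not a permitted {objective} impact level")
        level = high_water_mark(levels)
        # A system-level objective is never categorized below Low.
        result[objective] = "Low" if level == "N/A" else level
    result["overall"] = high_water_mark([result[o] for o in OBJECTIVES])
    return result


def select_controls(
    level: str, baseline: Dict[str, Tuple[str, str, str, str]] = AC_BASELINE
) -> List[Tuple[str, str, str]]:
    """List (control number, name, required control/enhancements) for a baseline column."""
    column = {"Low": 1, "Moderate": 2, "High": 3}[level]
    return [
        (ctl, row[0], row[column])
        for ctl, row in baseline.items()
        if row[column] != "Not Selected"
    ]


if __name__ == "__main__":
    cat = categorize(SAMPLE_INFO_TYPES)
    print("Categorization:", cat)
    for ctl, name, required in select_controls(cat["overall"]):
        print(f"  {ctl:<6} {name:<30} {required}")
```

For the constructed sample the confidentiality and integrity objectives come out Moderate and availability Low, so the system is categorized Moderate and AC-4, AC-5-style "Not Selected at Low" controls become required. The `N/A` check mirrors the FIPS 199 rule that only confidentiality may be marked not applicable; feeding `N/A` to integrity or availability raises an error rather than silently lowering the categorization.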


Page 64

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

Developing an ST&E Test Plan:

• The ST&E Test Plan is based on the information collected from several key documents that are created as a part of the Certification and Accreditation (C&A) process, such as:

* System Security Plan (SSP) – An SSP is a document that provides an overview of the security requirements of the system and describes the current implementation status (in place, planned, etc.) of the minimum security controls and roles and responsibilities.

* Information Technology Contingency Plan (ITCP) – The ITCP is a document that contains a strategy, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption.

* Privacy Impact Assessment (PIA) – The PIA is a process used to evaluate the impact that information systems have on an individual. The PIA process is designed to guide agency system developers and operators in assessing privacy through the early stages of development.


Page 65

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

Types of personnel that need to be involved in developing an accurate SSP and ITCP and in conducting a thorough and complete ST&E:

• Business primary Points of Contact (POC)

• Application developers

• Application administrators

• Operating system administrators

• Database administrators

• System operators

• Security administrators

• ST&E Team members


Page 66

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

ITCP:

• An ITCP test is conducted in conjunction with an ST&E; however, it is not part of the ST&E and is facilitated by the C&A Documentation Team.

* Testing, Training, and Exercise (TT&E), also known as a Table Top Exercise, usually includes the following testing areas:

- Preparations
- Notification/Activation
- Recovery
- Reconstitution
- Plan Deactivation

Note: The ST&E should always be conducted in the production environment. When this is not possible, this has to be raised by the BU stakeholders and resolved during the initial C&A Working Sessions. When an ST&E is conducted in a development or test environment, rather than the production environment, those environments must replicate the production environment, and all technical tests will need to be retested once the production environment is available. This scenario requires additional funding to support the additional ST&E activity and must be identified early in the process.


Page 67

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

General ST&E Process Comments:

• Throughout the ST&E process, BU personnel have numerous opportunities to review and provide input to the final SSP and ITCP that are used to develop the ST&E test plan for a particular application or GSS.

• BU personnel are given an opportunity to review and discuss the ST&E plan that is developed for a particular application or GSS.

• It is critical to the success of an ST&E that a stable and accurate SSP, ITCP, and Application or GSS Inventory are completed prior to beginning the ST&E testing of an application or GSS.

• The Agency conducts many ST&Es during each FISMA reporting cycle, so several ST&Es often run in the same time frame and the master ST&E schedule is complex. To minimize the impact on the master testing schedule and on all ST&E participants, every party associated with an ST&E must complete its work so that the ST&E occurs within the projected master schedule time frame.


Page 68

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

General ST&E Process Comments (continued):

• Stakeholders - assigning the right people to participate in the ST&E is critical to the success of the ST&E and will minimize unnecessary findings. When the individual participating in an ST&E test does not know the answer to an ST&E question, or does not provide the correct information to answer it, the result is an ST&E finding. Stakeholders can avoid these unnecessary findings by assigning the right resources to the ST&E and ensuring those key resources are present during the ST&E testing.

• After an ST&E is completed for an application or GSS, the results are provided to the C&A Documentation Team for analysis and inclusion in the final C&A package. BU stakeholders will receive the results prior to the Stakeholder Outbrief meeting, which is conducted after that analysis and before the C&A package is submitted to the Certification Agent and the Designated Approving Authority for review and signature.

• Issue Resolution – Stakeholders will be given the opportunity to correct findings and provide additional evidence within a very short turnaround, prior to the Stakeholder Outbrief. Instructions will be provided when the results are distributed.

• The ST&E Test Team members are not the personnel who determine whether an application or GSS receives an Authority to Operate (ATO) or an Interim Authority to Operate (IATO).


Page 69

Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process

• Types of Security Control Tests that are performed during an ST&E of an application or GSS:

- Management
- Operational
- Technical

• These three types of controls are defined in NIST SP 800-53 and determined during the SSP development

• Some test cases will be Organizational or GSS Common Controls

• Technical and Operational Controls can include test cases related to many application/system areas such as:

- Auditing
- Databases
- COTS Products
- Media Protection
- Operating System
- Telecommunications
- Contingency Planning
- Configuration Management


Page 70

Test, Training & Exercise (TT&E) Training: Pre-TT&E

The following activities will take place before the TT&E:

Invite TT&E Attendees:

• Application
- ITCP Director
- ITCP Coordinator
- Recovery Personnel including Database Administrators, System Administrators, Developers, and Production Support Staff
- Business Unit Personnel
- Test Team and Agency’s Security Organization will be Observers

• GSS
- ITCP Plan Director
- ITCP Incident Commander
- ITCP Recovery Coordinator
- ITCP Component Coordinator
- ITCP BU Coordinator
- ITCP Application Recovery Teams
- ITCP Component Recovery Teams
- Business Unit Personnel
- Test Team and Agency’s Security Organization will be Observers


Page 71

Agency C&A Process - Stakeholder Training: Test, Training & Exercise (TT&E) Training

TT&E: Table of Contents

• Overview


Page 72

Agency C&A Process - Stakeholder Training: TT&E Training Overview

TT&E Overview

• Designed to train essential personnel on the Information Technology Contingency Plan (ITCP) and to provide a forum to talk through a realistic emergency scenario in which the ITCP needs to be activated and exercised

• Developed to prepare personnel for an emergency situation and to ensure key personnel have a forum to talk through their roles and responsibilities, discuss what they would do during the emergency situation, and communicate how they would respond to the events

• Created so lessons can be drawn and recorded from the exercise, changes can be made to the plan to represent the flow of information and communication among essential personnel, and staff will be prepared in the event of an actual emergency situation

• Implemented to enhance understanding of the key communication, coordination, and information necessary during the three key ITCP phases: Notification/Activation, Recovery, and Reconstitution

• Upholds the following:

- Public Law 107-347, E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA 2002), which requires security awareness training, review of responsibilities regarding policies and procedures, periodic testing and training associated with upholding information security policies and principles, and a process for addressing policy and procedure deficiencies

- Federal Preparedness Circular FPC 65, Federal Executive Branch Continuity of Operations, June 15, 2004, which requires regular testing, training, and exercises of the agency’s equipment, personnel, systems, processes, and procedures for a COOP event

- National Institute of Standards and Technology Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, June 2002


Page 73

Agency C&A Process - Stakeholder Training: Security Assessment Report (SAR)

SAR: Table of Contents

• Overview


Page 74

Agency C&A Process - Stakeholder Training: SAR Overview

• Definition

As defined within NIST SP 800-37, the SAR provides the results of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. In addition, the SAR can also contain a list of recommended corrective actions.

• Purpose

The purpose of the Security Assessment Report (SAR) is to provide the Certifier and the Designated Approving Authority with a more holistic view of risk regarding the GSS/application. It documents the security assessment activities that were performed on the application and the results of those activities including ST&E, PIA, e-Authentication Assessment, audits, and any other risk assessment activities (e.g. Risk Based Review).

• Duration

Typically 5 days


Page 75

Agency C&A Process - Stakeholder Training: Risk Overview Activities

Risk Overview: Table of Contents

• Risk Overview C&A Package Preparation
• Risk Overview/Stakeholder Outbrief Activities
• Preparation of Final C&A Package
• Stakeholder Outbrief Meeting


Page 76

Agency C&A Process - Stakeholder Training: Risk Overview: C&A Package Preparation

• C&A Package Preparation

Update all C&A documentation to reflect the current information

Put all files in the correct naming convention

Ensure draft watermarks are removed

Quality assurance

Send documents to Agency’s Security Organization and the C&A mailbox


Page 77

Agency C&A Process - Stakeholder Training: Stakeholder Outbrief Meeting

The following activities will take place prior to the Stakeholder Outbrief Meeting:

• C&A Documentation Team will update the documents based on the Risk Overview session

• C&A Documentation Team will send the finalized C&A package to the participants of the scheduled Stakeholder meeting

- For Applications – send documents out 3 days prior to the stakeholders meeting

- For GSSs – send documents out 5 days prior to the stakeholders meeting


Page 78

Agency C&A Process - Stakeholder Training: Stakeholder Conclusion

The C&A Process comes to its conclusion

• After the Stakeholder Outbrief Meeting, the entire C&A package goes to the Certifier for review, signature, and approval

• After the Certifier signs the Certification Memo, CPO will send the signed Certification Memo and C&A package to the business unit security PMO with a request to schedule the DAA Outbrief

• A DAA Outbrief will be held to walk the DAA through the C&A package; by the end of the session the DAA’s approval and signature on the Accreditation Memo will be requested

• By signing, the DAA accepts the risks identified for the application or GSS during the C&A process and commits to developing strategies for addressing open issues. A POA&M will be created and then updated, monitored, and its progress reported quarterly by the business unit.


Page 79

Agency C&A Process - Stakeholder Training: A Successful C&A Process Depends on You

Critical Success Factors

• Partnership between all stakeholders (Business Units) is crucial in successfully completing Certification and Accreditation activities

• Engagement by business units to efficiently and effectively complete tasks

- Security documentation is only as good as the information provided

- Ultimately, the contents of the security documents are the responsibility of the business owner, who will be responsible for maintaining the documents

- Establishing a baseline of NIST-compliant C&A documents will have a positive impact on future costs

• Staying on schedule [1/3 of applications/GSSs must be certified each FISMA cycle (annually)]


Page 80

Agency C&A Process - Stakeholder Training: Your role as a Key Stakeholder in C&A…

• Actively engage in the Boundary/Scope, Working, and Validation sessions

- Ensure you understand the questions and the evidence required

• Actively engage in the Security Test & Evaluation (ST&E)

- Ensure you understand the test case questions

- Work closely with the ST&E Team to ensure your responses completely answer the test case question

• Elevate concerns early through the C&A Team Lead or your business unit security PMO

• Help CPO ensure all of the right stakeholders are engaged throughout the process

- If you cannot answer the test case question, help the C&A Test Team identify the right person to respond to that question

- The goal is to document the current implementation status of the security controls and then validate the current implementation status of the required security controls through independent testing

- It is not CPO’s intent to trick people into providing the wrong response; it is to ensure the correct people are asked the right questions

• Understand the expectation for engagement and the time commitment at the kickoff of the C&A


Page 81

Agency C&A Process - Stakeholder Training: Who are the right people and what will they do?

• The “right people” to participate in C&A activities?

Someone with a working knowledge of how the controls have been implemented for the application being assessed

Someone with knowledge of how the application is managed and operated

• What will they do?

Participants will need to attend conference calls/meetings as scheduled

Participants will need to engage and provide input throughout the process

Participants will need to provide evidence and documentation timely

Participants will need to carefully review and provide feedback to the C&A documentation as scheduled for the Stakeholder Outbrief


Page 82

Agency C&A Process - Stakeholder Training: Success Indicators and Expected Outcomes

• An added layer in the Agency defense in depth approach to security

• Consistent identification of risks, presenting an opportunity to proactively resolve or mitigate weaknesses before they are exploited, resulting in better security for the application and across the enterprise

• Reusable NIST-compliant test cases for

- Verification of resolution

- Continuous monitoring

• Informed stakeholders and DAA

• Solid, defensible NIST-compliant C&A package

- Improved FISMA reporting, improved audit reviews, improved GAO reviews

- Demonstrates security commitment and accountability

- Facilitates E300 Funding


Page 83

Agency C&A Process - Stakeholder Training

Questions?

