
Jacqueline Price Snouffer

Chief, Certification and Assessments Division

DISA Field Security Operations (FSO)

(717) 267-9997; [email protected]

May 2010

Making Certification Work: Reciprocity, Testing Strategies, Rapid Execution

A Combat Support Agency

Defense Information Systems Agency

UNCLASSIFIED 2

The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.

UNCLASSIFIED 3

Agenda

• FSO Certification Responsibilities

• Assessment Strategies

• Process Re-engineering

• Rapid C&A

• Tools Integration


UNCLASSIFIED 4

Certification and Assessments

Mission Overview

• DISA Certification and Assessments

• DOD System Certification and Assessments

• Reciprocity Risk Analysis

• Certifier for DoD Unified Capabilities

Approved Products List

UNCLASSIFIED 5

Assessment Strategies

• Self Assessments

– PM

– Hosting Site

• Program and other test input

– Program test results

– JITC

– Validation results

• SAAT/Pen-Testing

– In-depth analysis conducted by FSO

• Certification Testing

– IA Control, STIG and Application testing

UNCLASSIFIED 6

C&A Process Re-Engineering

• Tiger Team has been formed

– Develop a process and timelines for DISA for implementation of DIACAP using eMASS

– Inception to decommission process documentation, awareness, and education

– Roles and responsibilities

– STIG applicability and self-assessments in VMS

– Artifact requirements for controls

– Develop a rapid C&A process for warfighter critical applications

UNCLASSIFIED 7

Rapid C&A Process

(Slide flowchart. The boxes are numbered 1 to 9 on the slide, but their sequence could not be recovered from the transcript; the box labels and role labels are listed as extracted.)

• Start; PM; Review SysInfo If Available

• Rapid Team; Initiate Rapid C&A Process

• Official Kickoff; Notification to Rapid Team

• CIO; System Review Meeting; Rapid Team and PM

• System Info; Request for Rapid C&A; Rapid C&A Task

• PM; Develop/Submit Due Outs

• System Analysis

• Certification Activities – This may include a Red Team or a SAAT (in-depth architecture analysis and test)

• CIO; Accredit; Risk Stmt & Mitigation Actions

• Continue Certification Activities; NS & FSO; Monitor Progress

• CIO and Host Staff; Operate & Conduct Add’l Actions

• PM; IATT/IATO w/ Follow-up actions

System Review Meeting

• CIO Provides Oversight

• FSO Chairs

• NS, FSO and CIO Votes

• Interview Process with PM and Host

• Group focused on how to handle Knowledge Gaps

Rapid Team

• CIO

• FSO

• NS

• Hosting Site

UNCLASSIFIED 8

Tools Integration

• VMS – Repository for system component level weaknesses

• Operating Systems

• Database and Web

• Application

• Enclave controls

• NetOps

• Network Infrastructure and Policy

• Cross Domain if Applicable

• Other

• eMASS – IA Controls and Artifacts

• Integration

UNCLASSIFIED 9

eMASS Inheritance

Common scenario: enabling an application to inherit controls from a hosting environment.

Using eMASS, a System Owner can mark specific IA controls inheritable for their system, which other systems may request to inherit. Once the request to inherit controls is granted, the control compliance status is automatically updated in the inheriting system.

(Diagram: application-specific controls alongside controls inherited from the enclave.)
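The inheritance workflow on this slide, modelled as an added example that is not eMASS code and uses no eMASS API: a hosting enclave marks a control inheritable, an application requests it, and after the grant the application's status for that control follows the enclave's. That is also the practitioner's caveat: a control that drifts to non-compliant in the enclave drifts in every inheriting system at the same moment. Control identifiers, status values and the function names are constructed for this example.

```python
"""Toy model of IA control inheritance between systems (added example, not eMASS code)."""
from dataclasses import dataclass, field

# Constructed status vocabulary for this example: "C" compliant, "NC" non-compliant.
COMPLIANT, NON_COMPLIANT = "C", "NC"


@dataclass
class System:
    name: str
    # control id -> the system's own assessed status (constructed sample data)
    controls: dict = field(default_factory=dict)
    # control ids this system's owner has marked inheritable by others
    inheritable: set = field(default_factory=set)
    # control id -> provider System, filled in only when a request was granted
    inherited_from: dict = field(default_factory=dict)

    def mark_inheritable(self, control):
        """Only a control the system actually has can be offered for inheritance."""
        if control not in self.controls:
            raise KeyError(f"{self.name} has no control {control}")
        self.inheritable.add(control)

    def status(self, control, _seen=None):
        """Effective status: follows the provider chain; a missing result is NC."""
        _seen = _seen or set()
        if self.name in _seen:  # guard against a cyclic inheritance chain
            return NON_COMPLIANT
        provider = self.inherited_from.get(control)
        if provider is not None:
            return provider.status(control, _seen | {self.name})
        return self.controls.get(control, NON_COMPLIANT)


def request_inherit(consumer, provider, control):
    """Grant succeeds only for a control the provider marked inheritable."""
    if control not in provider.inheritable:
        return False
    consumer.inherited_from[control] = provider
    return True


def rollup(system, required):
    """Compliance posture over a required control set: own plus inherited statuses."""
    return {c: system.status(c) for c in required}
```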

UNCLASSIFIED 10

VMS Integration Within eMASS

Determine compliance to IA Controls from STIG vulnerabilities and validation procedures.

UNCLASSIFIED 11

Questions

Goal:

Reduce – Time for Certification

Reuse – Test Results

Recycle – Through Reciprocity

UNCLASSIFIED 13

FSO Certification and Assessments

Phone: Comm. 717-267-9074, DSN 570-9074

[email protected]

UNCLASSIFIED 14

Acronyms

• VMS – Vulnerability Management System

• MIAG – Mandatory Information Assurance Guidance

• DoD UC APL – DoD Unified Capabilities (UC) Approved Products List (APL)

• SAAT – Security Architecture and Analysis Testing