636 Cards in this Set
What does CNSS stand for?
|
Committee for National Security Systems
|
|
|
Why is Executive Order 13231 significant?
|
Major milestone document establishing the President's intent to secure the
national infrastructure |
|
|
What does NIAC stand for?
|
National Infrastructure Advisory Council
|
|
|
What does NSTAC stand for?
|
National Security Telecommunications Advisory Committee
|
|
|
What does EO 13231 require?
|
That the responsible personnel oversee, develop, and ensure implementation of
policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control |
|
|
What does EO 13231 establish?
|
* Voluntary public-private partnership
* Increased responsibility for the Director of OMB
* NIAC
* NSTAC |
|
|
What policy created CNSS?
|
Executive Order 13231
|
|
|
What agency chairs the CNSS?
|
DoD
|
|
|
What is the effective date of EO 13231?
|
16 OCT 2001
|
|
|
What is the ISSEP definition of availability?
|
Timely, reliable access to data and information services for
authorized users |
|
|
What is the ISSEP definition of integrity?
|
Quality of an IS reflecting the logical correctness and
reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. |
|
|
What is the ISSEP definition of confidentiality?
|
Assurance that information is not disclosed to unauthorized
individuals, processes, or devices. |
|
|
What is the ISSEP definition of access control?
|
Limiting access to information system resources only to
authorized users, programs, processes, or other systems. |
|
|
What is the ISSEP definition of authentication?
|
Security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. |
|
|
What is the ISSEP definition of non-repudiation?
|
Assurance the sender of data is provided with proof of
delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data. |
|
|
What is a National Security System?
|
A system that:
* Involves intelligence activities
* Involves cryptologic activities related to national security
* Involves command and control of military forces
* Involves equipment that is an integral part of a weapon or weapons system
* Is critical to the direct fulfillment of military or intelligence missions |
There are 5 categories
|
|
According to NIST, what are the phases of the Systems Development Life Cycle (SDLC)?
|
Initiation
Development/Acquisition
Implementation
Operations/Maintenance
Disposal |
There are 5 phases
|
|
What is C&A?
|
The standard DoD approach for:
* identifying IS requirements
* providing security solutions
* managing the security of DoD ISs |
There are 3
|
|
What are the general phases of C&A?
|
Define Problem
Risk Assessment
Implement Controls
Certification
Accreditation
Ops/Maintenance
Disposal |
There are 7
|
|
What are the phases of the Risk Management Framework?
|
Categorize the IS
Select security controls
Implement security controls
Assess security controls
Authorize IS
Monitor security controls |
There are 6
|
|
With respect to the RMF, what are the contributing factors to categorize the IS?
|
Architecture Description
Organizational Input |
There are 2
|
|
What are the components of the RMF architecture description?
|
Architecture reference models
Segment and solution architectures
Mission and business processes
Information system boundaries |
There are 4
|
|
What are the components of the RMF organizational inputs?
|
Laws and directives
Policy guidance
Strategic goals and objectives
Priorities and resource availability
Supply chain considerations |
There are 5
|
|
What government inputs should be considered when developing security requirements?
|
Statutory (USC, Act, HR, Title, Public Law)
Regulatory (EO/PD, OMB, Cabinet/Agency Policy)
Processing Standards (FIPS, CNSS, NIST standards)
Guidelines (NIST SPs, STIGs) |
|
|
What is the organizational role and authority of The White House?
|
Executive Office given statutory authority to issue E.O., proclamations,
PDD/HSPD, and similar documents that initiate action, stop action, or require general notice be given. |
|
|
What is the organizational role and authority of The US Congress?
|
Legislative body responsible for the USC and the general, permanent laws of
the nation that it contains. Holds the power to authorize the appropriation of federal spending to carry out government activities. |
|
|
What is the organizational role and authority of OMB?
|
Evaluates expenditure effectiveness, and provides oversight of
Administration procurement, fiscal management, information and regulatory policy |
|
|
What is the organizational role and authority of NSA?
|
Has responsibility for ensuring that all cryptographic methods and systems
used to protect USFG information and systems are sufficiently strong; for penetrating adversary systems and codes; and to ensure that all national security information is protected appropriately whether in transit or at rest |
|
|
What is the organizational role and authority of NIST?
|
Has responsibility to ensure that standards and measures are developed to
improve performance, and charged by law with responsibility for information security standards, metrics, tests, and various other means to support agencies' missions. Issues SP, FIPS, ITL Bulletins, NISTIR, and other guidance. |
|
|
What is the organizational role and authority of NIAP?
|
NIAP is a partnership between NIST and the NSA that evaluates IT/IA products
to meet the needs and requirements of product producers and consumers for assurance of functionality and pedigree. |
|
|
What does OMB stand for?
|
Office of Management and Budget
|
|
|
What does NIST stand for?
|
National Institute of Standards and Technology
|
|
|
What does NIAP stand for?
|
National Information Assurance Partnership
|
|
|
What is the organizational role and authority of CNSS?
|
Formerly known as NSTISSC, the CNSS provides a participative
forum to examine national policy and promulgates direction, operational procedures and instructions (CNSSI), and other forms of authoritative guidance for national security systems. |
|
|
What is the significance of EO 13228?
|
Establishing the Office of Homeland Security and the HS
Council (2001) – Initiates a comprehensive strategy to secure the US from terrorist attacks. |
|
|
What is the significance of EO 13231?
|
Critical Infrastructure Protection in the Information Age (2001) ~ states the policy
of protecting critical infrastructure against compromise. Renamed NSTISSC to CNSS. |
|
|
What is the significance of HSPD-7?
|
Homeland Security Presidential Directive 7 (2003) ~ directs the
identification and prioritization of critical infrastructure and key resources to protect them from terrorist attacks. Supersedes PDD-63. |
|
|
What is the significance of HSPD-12?
|
Homeland Security Presidential Directive 12 (2004) ~ directs a
common identification standard that is "secure and reliable" to verify employee identity. |
|
|
What is Public Law 100-235 (101 Stat. 1724)?
|
The Computer Security Act of 1987
|
|
|
What does the Computer Security Act of 1987 establish?
|
~ Improve security/privacy of sensitive information in federal systems
~ Federal agencies to establish standards and guidelines
~ Requires that any federal computer system that processes sensitive information have a customized security plan
~ Requires that users of those systems undergo security training; NIST responsible, NSA to advise
~ Assessing the vulnerability of federal computer systems
~ Developing standards
~ Providing technical assistance with NSA support
~ Developing training guidelines for federal personnel |
|
|
What is the significance of the Privacy Act of 1974?
|
~ Balance the government's need to maintain information about individuals with the rights of individuals
~ The Act focuses on four basic policy objectives:
– Restrict disclosure
– Increased rights of access to agency records
– Grant individuals the right to seek amendment
– Establish a code of "fair information practices" |
|
|
What is the significance of the Clinger-Cohen Act of 1996?
|
Established that every federal agency must have a CIO
Reformed Information Technology Management
Defined a National Security System |
|
|
What is the significance of OMB Circular A-130 Appendix III, 24 DEC 1985?
|
Management of Federal Information Resources
~ Mandatory implementation of Computer Security Act and FISMA requirements
~ Defines adequate security
~ Provides specific practices and guidelines for implementation of the Paperwork Reduction Act
~ Established a mandate for agencies to perform their information resources management in an effective manner
~ Requires accreditation of federal ISs to operate based on an assessment of management, operational, and technical controls |
|
|
What is the definition of adequate security (according to OMB Circular A-130)?
|
“security commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to or modification of information.…provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.” |
|
|
What determines a systems criticality?
|
mission
|
|
|
What determines a systems sensitivity?
|
confidentiality, integrity and availability
|
|
|
What is Public Law 107-347, Title III?
|
The E-Government Act of 2002, Federal Information Security Management Act
|
|
|
What does the E-Government Act of 2002 establish?
|
~ OMB has oversight over E-Government
– Federal Government (organizations and IGs) must report IA status to OMB annually and quarterly
– OMB provides reports to Congress annually
– Congressional Cyber Security Grade
~ NIST publishes standards and guidelines
~ All Federal Government must follow NIST C&A processes, with the exception of Defense and Intelligence organizations |
|
|
What does the 2000 update to OMB Circular A-130 add?
|
~ Risk-based approach to assess and react to threats and vulnerabilities
~ Security plans and identification and correction of deficiencies
~ Incident response capabilities
~ Interruption planning and continuity support
~ Technical controls consistent with NIST guidance
~ Periodic review of status and controls
~ Information sharing (MA only) and public access controls
~ Responsibility assignment
~ Periodic reporting of operational and security status |
|
|
What does M-00-13 establish?
|
Privacy Policies and Data Collection on Federal Websites (2000)
A continuation and update of M-99-18 to add the mention of "cookies" and their impact, and to make compliance with the Children's Online Privacy Protection Act of 1998 (COPPA) mandatory. |
|
|
What does M-01-08 establish?
|
Implementing GISRA (2001) – superseded by FISMA
Provides guidance to agency heads regarding GISRA implementation |
|
|
What does M-02-01 establish?
|
Guidance for Preparing and Submitting Security Plans
of Action and Milestones (Oct 2001) |
|
|
What are the required components of a POA&M according to OMB?
|
Weakness
POC
Resources Required
Scheduled Completion Date
Milestones with Completion Dates
Changes to Milestones
Identified in CFO Audit or other review?
Status |
There are 8 columns
|
|
What are the required components of a DIACAP POA&M?
|
Weakness
CAT (Severity Code)
IA Control and Impact Code
POC
Resources Required
Scheduled Completion Date
Milestones with Completion Dates
Changes to Milestones
Identified in CFO Audit or other review?
Status
Comments |
There are 11 columns
|
|
DoD 5200.28 ~ Title, Date issued and what superseded it?
|
Security Requirements for Automated Information Systems (AISs), March 21, 1988
(superseded by the DoD 8500 series) |
|
|
DoD CIO Policy 10-8460 ~ Title and date
|
Global Information Grid –Network Operations
Aug 24, 2000 |
|
|
What are the types of DoD Issuances?
|
~ Directives (DoDD): policy documents that establish or describe requirements, missions, authorities, etc.
~ Memoranda (from SecDef): direct implementation of policy, legislation, EO; become a DoDD 180 days later unless the subject is classified or temporary
~ Instructions (DoDI): describe policy implementation
~ Administrative Instructions (DoD AI): supplement a DoDI
~ Publications (DoDP): provide procedures for a DoDI |
|
|
What is DIAP?
|
Defense-Wide IA Program. Its mission is to ensure
that information assets are protected through unified IA activities using Defense-in-Depth approaches in support of GIG net-centricity. |
|
|
What is DISA?
|
Defense Information Systems Agency.
Responsible for all aspects of systems engineering and support of GIG. Provides IASE as the clearinghouse location for all DoD IA info. |
|
|
What is NIAD?
|
NSA Information Assurance Directorate (IAD). Provides the required capability
to support the survival and success of all DoD missions. |
|
|
What is DARPA?
|
R&D for DoD. Operates the OASIS program
to provide robust capability to enable survival of DoD AIS against a sophisticated and motivated adversary. |
|
|
What is the high-level list of DoD IA Policy series?
|
~ 8500: General Policy
~ 8510: IA Certification and Accreditation
~ 8520: Security Management
~ 8530: Computer Network Defense
~ 8540: Interconnectivity
~ 8550: Network and Web
~ 8560: IA Monitoring
~ 8570: Education, Training, and Awareness |
There are 8
|
|
Describe DoDD 8500.1
|
Information Assurance (2003)
Supersedes: 5200.28, 5200.28-M, 5200.28-STD and CIO Memorandum 6-8510
Applies to all DoD owned or controlled AIS
Establishes policy and assigns responsibilities to achieve IA goals through Defense-in-Depth and integrates people, technology, and operations to support the GIG. |
|
|
Describe DoDI 8500.2
|
IA Implementation (2003)
Accompanies: 8500.1 Information Assurance
Provides guidance on how to implement 8500.1 policy to establish layered defenses IAW the principles underlying the GIG and Defense-in-Depth, defines controls for MAC levels, and defines Robustness levels:
~ Basic (~ CC EAL 2)
~ Medium (~ CC EAL 4)
~ High (~ CC EAL 6) |
|
|
Describe DoDD 8570.1
|
IA Training, Certification, and
Workforce Management (2004) This directive describes the program for training and certification (qualifications, requirements, metrics, and more) for ensuring adequate security knowledge and skill in assigned duty positions. |
|
|
Describe DoDM 8570.1M
|
IA Workforce Improvement
Program (Change 1, 5/2008) This manual accompanies DoDD 8570.1, and provides details necessary to implement the program. |
|
|
Describe DoD 5000.2-R
|
Mandatory Procedures for Major Defense Acquisition Programs (MDAPs)
and Major Automated Information System (MAIS) Acquisition Programs (2001)
Superseded effective December 2008 by DoDI 5000.02, which also cancels DoDI 5000.2 (2003).
Called for risks and IA functions, capabilities, and features to be given consideration in the acquisition process for COTS and GOTS products. |
|
|
Describe DoDI 5200.40
|
DITSCAP (1997)
DoD C&A standard that outlines an iterative four-phase process to accomplish the mission of operational deployment of assured systems:
1. Definition: document all aspects of the system context
2. Verification: compliance status determination
3. Validation: all activities required to prove status
4. Post-Accreditation: management of the SSAA, change, and continual monitoring of the compliance state
(Superseded by DoDI 8510.01 DIACAP effective November 2007.) |
|
|
What is the CNSS?
|
NSTISSC was established by NSDD 42 (1990) to implement its provisions and requirements, and was renamed CNSS by EO 13231 in 2001, in order to:
~ Consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards;
~ Assess the overall security posture of, and disseminate information on threats to and vulnerabilities of, national security systems;
~ Review and approve all standards, techniques, systems, and equipment related to the security of national security systems; and
~ Examine U.S. national security systems, evaluate their vulnerability to foreign interception and exploitation, and oversee mitigating action. |
|
|
What are the CNSS issuance types and purpose?
|
Policy: assigns responsibilities and establishes criteria (NSTISSP/CNSSP)
Directives: establish or describe policy and programs, assign authority or responsibilities (NSTISSD/CNSSD)
Instructions: describe implementation or intention of policy (NSTISSI/CNSSI)
Memoranda: provide guidance on or explanation of policy or other issuances (NSTISSAM/CNSSAM) |
|
|
Describe NSTISSP 6
|
Issued 1994, established the requirement for all
Federal agencies operating NSS to have a C&A program; implemented through NSTISSI 1000. |
|
|
Describe NSTISSP 7
|
Issued 1995, specified functional, management, and technical requirements to produce a secure electronic messaging system for the conduct of official business:
~ Additional guidance issued to implement by Y2000
~ To be government-wide interoperable across all NSS
~ Required this to be accomplished through common standards and procedures |
|
|
Describe NSTISSP 11
|
Issued 2003, states the policy that IA shall be achieved through COTS and GOTS products, and that such products are to be evaluated through CC processes:
~ Must achieve more than simply confidentiality
~ COTS/GOTS should be used as they are more readily available
~ IA achievement must evolve beyond the traditional view
~ OCONUS CC partner evaluations for EAL 1-4 accepted without NIAP
~ NIAP required as well for EAL 5-7 product requirements
Exceptions allowed:
~ Any COTS/GOTS acquired prior to the policy effective date
~ Recognition of the complexities of technology and the evaluation process |
|
|
Describe NCSC-5
|
Issued 1981, Governs use of crypto-materials in high-risk
environments. Specifies requirements for equipment selection, use, evacuation, destruction (to prevent loss), P2P keying (no netting or common-user), and only minimum necessary. |
|
|
Describe NSTISSP 200
|
Issued 1987, sets policy that, in essence, requires all
NSS to comply with C2-level requirements. Defines AIS, TCB, TCSEC (now must meet EAL 4). |
|
|
Describe NSTISSP 101
|
Issued 1999, Sets national policy that all military voice
radio and sensitive civilian government voice systems must be secure; threats must be assessed and security implemented must be commensurate. |
|
|
Describe CNSSP 14
|
Issued 2002, Governs release of IA products and
services to non-USFG members, and specifies methods and controls by which this can, as appropriate, be done. |
|
|
Describe NSTISSD-500
|
Issued 1993, Specifies requirements for all USFG
departments to implement programs to address ongoing needs for education, awareness, and training for NSS. |
|
|
Describe NSTISSI 4011
|
Issued 1994, course content (training standard) for InfoSec professionals
|
|
|
Describe CNSSI 4012
|
Issued 2004, For senior system managers (DAAs).
Supersedes NSTISSI 4012 (1997) |
|
|
Describe CNSSI 4013
|
Issued 2004, for sysadmins. Supersedes NSTISSI
4013 (1997) |
|
|
Describe CNSSI 4014
|
Issued 2004, For ISSOs. Supersedes NSTISSI 4014
(1997). |
|
|
Describe NSTISSI 4015
|
Issued 2000, Standards for Systems Certifiers
|
|
|
Describe NACSI 6002
|
Issued 1984, Protection of USFG contractor
communications. In essence enforces the requirement for contractors to protect their communications (contract related) to the same level as the agency, and then charge that agency for the cost of meeting those requirements. |
|
|
Describe NSTISSI 7003
|
Issued 1994, Protected distribution systems.
This refers to systems that are used to transmit unencrypted traffic (NSI) through lower-cleared areas, and how, when, and where they can be used. |
|
|
Describe NSTISSI 1000
|
Issued 2000, Establishes minimum national
standards for C&A processes, and provides guidance on how to implement NSTISSP 6. Describes the NIACAP |
|
|
Describe NSTISSAM CompuSec 1-98
|
Issued 1998, Describes the role of
firewalls and other enclave boundary protections IAW with Defense in Depth principles. Names firewall types: packet, proxy, and hybrid of these. |
|
|
Describe NSTISSAM CompuSec 1-99
|
Issued 1999,Describes the
decision to transition from TCSEC to CC, recognition of technology advances and evaluation independence needs. |
|
|
Describe NSTISSAM InfoSec 1-00
|
Issued 2000, States that the policy
shall be that all applications or devices processing as Unclassified NSS that use crypto must use a form validated against FIPS 140 or the CC. |
|
|
Describe NSTISSAM InfoSec 2-00
|
Issued 2000, Describes the policy and
a strategy for using the NIAP to evaluate COTS using commercial labs. All units evaluated must be reviewed by NIAP for compliance with the CC, and a separate NIAP evaluation is optional. |
|
|
Describe CNSSAM 1-04
|
Issued 2004, Provides guidance to all agencies
that a multilayer/multivendor approach to IA architecture is desirable, as long as the overall architecture and engineering is performed in a sound and well-executed manner (to ensure optimal integration and interoperability). |
|
|
What is NIST's role in the USFG?
|
Charged under FISMA with developing the security standards and guidelines
that federal agencies must follow. Continuing key areas:
~ Developing security standards, guidelines, and associated methods and techniques for information services, including metrics as in SP 800-53
~ Conducting security research to understand vulnerabilities and develop new security techniques |
|
|
NIST SP 800-12
|
(1995): Introduction to Computer Security
Basic information and guidance (from OECD) on principles and practices: ~ Supports org mission and is part of sound management ~ Cost-effective with a comprehensive, integrated approach ~ Responsibility and accountability are explicit |
|
|
NIST SP 800-14
|
Generally Accepted Principles and Practices for Securing Information Technology Systems (GASSP)
(1996) Provides further and deeper explanation and guidance on the topics introduced in 800-12. Among other things, addresses risk management, SLC planning, incident response, training and awareness |
|
|
NIST SP 800-16
|
Information Technology Security Training Requirements: A Role- and Performance-Based Model
|
|
|
NIST SP 800-18
|
Guide for Developing Security Plans for Federal Information Systems (SSP)
Complies with and implements OMB A-130 Appendix III and the Computer Security Act of 1987
SSP purpose:
~ Describe requirements of the particular AIS
~ Delineate responsibilities and required behaviors of users
Three primary tasks:
~ Preparation of the plan itself
~ Notification and resource identification
~ Plan analysis, update, and acceptance
Defines Major Application (MA) and General Support System (GSS) |
|
|
NIST SP 800-27 REV A
|
Engineering Principles for IT Security (A Baseline for Achieving Security)
Provides a listing of 33 engineering principles to be used to achieve appropriate levels of InfoSec. Tied very closely to the principles stated in 800-12 and 800-14. Specifies a five-phase model for employing these principles:
~ Initiation
~ Development/Acquisition
~ Implementation
~ Operations and Maintenance
~ Disposal |
|
|
NIST SP 800-30
|
Risk Management Guide for Information Technology Systems
1. System Characterization
2. Vulnerability Identification
3. Threat Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation |
|
|
What steps of SP 800-30 can be performed in parallel?
|
2. Vulnerability Identification
3. Threat Identification |
|
|
NIST SP 800-34 REV 1
|
Contingency Planning Guide for Federal Information Systems
|
|
|
NIST SP 800-37 REV 1
|
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (RMF)
|
|
|
NIST SP 800-39
|
Managing Information Security Risk: Organization, Mission, and Information System View (Enterprise Risk)
|
|
|
NIST SP 800-40
|
Creating a Patch and Vulnerability Management Program (Vulnerability Management)
|
|
|
NIST SP 800-41
|
Guidelines on Firewalls and Firewall Policy
|
|
|
NIST SP 800-47
|
Security Guide for Interconnecting Information Technology Systems
~ Establishes guidelines (including tasks and subtasks) to plan, establish, maintain, and terminate interconnections between AIS that are owned and operated by different organizations. ~ Addresses all stages of interconnection lifecycle. ~ Does not address classified AIS. |
|
|
NIST SP 800-50
|
Building an Information Technology Security Awareness and Training Program
|
|
|
NIST SP 800-53 REV 3
|
Recommended Security Controls for Federal Information Systems and Organizations
~ Provides a catalogue of security controls for federal information systems (including NSS)
~ Recommends baseline security controls for federal information systems (IAW FIPS 199 impact levels)
~ Provides guidelines for agency-directed tailoring of baseline security controls
Incorporates security controls from many public and private sector sources:
~ CC Part 2
~ ISO/IEC 27001
~ COBIT
~ GAO FISCAM
~ CMS (healthcare)
~ D/CID 6-3 requirements
~ DoD Policy 8500
~ BITS functional packages |
|
|
NIST SP 800-53A REV1
|
Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Provides assessment procedures for evaluating the effectiveness of deployed controls in IT systems, i.e. whether the controls are:
~ Implemented correctly
~ Operating as intended
~ Producing the desired outcome |
|
|
NIST SP 800-54
|
Border Gateway Protocol Security
|
|
|
NIST SP 800-59
|
Guideline for Identifying an Information System as a National Security System (NSS)
|
|
|
NIST SP 800-60
|
Guide for Mapping Types of Information and Information Systems to Security Categories (2 Volumes)
Volume 1: Guide. Provides guidance for agencies to consistently map impact levels to information types and sensitivities. Applicable to all Federal AIS other than NSS. Information types are based on the OMB Federal Enterprise Architecture PMO Consolidated Reference Model, Version 2.3 (2007)
Volume 2: Appendices. Contains appendices, references, provisional impact assignment levels, legislative sources, and rationale |
|
|
NIST SP 800-61
|
Computer Security Incident Handling Guide
|
|
|
NIST SP 800-63
|
Electronic Authentication Guideline
|
|
|
NIST SP 800-64
|
Security Considerations in the System Development Life Cycle (SDLC)
|
|
|
NIST SP 800-66
|
An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
|
|
|
NIST SP 800-70 REV 1
|
National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
|
|
|
NIST SP 800-88
|
Guidelines for Media Sanitization
|
|
|
NIST SP 800-92
|
Guide to Computer Security Log Management
|
|
|
NIST SP 800-94
|
Guide to Intrusion Detection and Prevention Systems (IDPS)
|
|
|
NIST SP 800-100
|
Information Security Handbook: A Guide for Managers
|
|
|
NIST SP 800-115
|
Technical Guide to Information Security Testing and Assessment
|
|
|
NIST SP 800-117
|
Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
|
|
|
NIST SP 800-122
|
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
|
|
|
NIST SP 800-126 REV 2
|
The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
|
|
|
NIST SP 800-128 (DRAFT)
|
DRAFT Guide for Security Configuration Management of Information Systems
|
|
|
NIST SP 800-137 (DRAFT)
|
DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations
|
|
|
NIST SP 800-55 REV 1
|
Performance Measurement Guide for Information Security
|
|
|
NIST SP 800-45 V2
|
Guidelines on Electronic Mail Security
|
|
|
FIPS 199
|
Standards for Security Categorization of Federal Information and Information Systems
Establishes standards to be used by Federal agencies to categorize information and information systems based on the objective of providing appropriate levels of information security according to a range of risk levels and potential impacts, using this general formula (impact levels on an H, M, L scale):
SC (information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
The overall system categorization is the high-water mark (highest impact level) across the three objectives: High, Moderate, or Low. That level selects the control baseline in NIST SP 800-53. |
|
|
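The FIPS 199 formula on the previous card is easy to misapply when a system handles several information types, so here is a worked example (added here, not from the original flashcards or from NIST) that carries the SP 800-60 procedure through in code: each information type gets its own SC triple, the system's per-objective level is the high-water mark across types, and the overall categorization is the high-water mark across the three objectives. The information types, their provisional impact levels, and the optional "adjustments" parameter are constructed for illustration; the only rules taken from FIPS 199 are that "not applicable" is allowed for confidentiality of an information type only, and that a system's level per objective is never below Low.

```python
"""FIPS 199 security categorization with the SP 800-60 high-water mark (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Impact levels in ascending order. "NA" (not applicable) is permitted by FIPS 199
# only for the confidentiality objective of an information type, never for a system.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _check(objective: str, level: str) -> str:
    """Normalise and validate one impact level for one security objective."""
    level = level.upper()
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"NA is only permitted for confidentiality, not {objective}")
    return level


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def sc(self) -> Dict[str, str]:
        """SC(info type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
        return {obj: _check(obj, getattr(self, obj)) for obj in OBJECTIVES}


def high_water(a: str, b: str) -> str:
    """Return the higher of two impact levels (the FIPS 199 high-water mark)."""
    return a if RANK[a] >= RANK[b] else b


def categorize_system(info_types: Iterable[InfoType],
                      adjustments: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, str], str]:
    """Aggregate information types into the system SC and the overall level.

    `adjustments` (hypothetical parameter) lets an agency raise a provisional
    level per objective, as SP 800-60 allows; it can never lower one below the
    high-water mark of the information types.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    # A system is never categorized below LOW for any objective, even if every
    # information type is NA for confidentiality.
    system_sc = {obj: "LOW" for obj in OBJECTIVES}
    for it in info_types:
        for obj, lvl in it.sc().items():
            system_sc[obj] = high_water(system_sc[obj], lvl)
    for obj, lvl in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective {obj!r}")
        system_sc[obj] = high_water(system_sc[obj], _check(obj, lvl))
    overall = max(system_sc.values(), key=lambda lvl: RANK[lvl])
    return system_sc, overall


def format_sc(system_sc: Dict[str, str]) -> str:
    """Render the categorization in the FIPS 199 notation."""
    body = ", ".join(f"({obj}, {lvl})" for obj, lvl in system_sc.items())
    return "SC(system) = {" + body + "}"


# Constructed sample: three information types on one hypothetical system.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", "NA", "MODERATE", "MODERATE"),
    InfoType("contract information", "MODERATE", "MODERATE", "LOW"),
    InfoType("emergency response coordination", "LOW", "LOW", "HIGH"),
]

if __name__ == "__main__":
    sc, level = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(sc))
    print(f"overall categorization: {level} -> select the SP 800-53 {level.title()} baseline")
```

Running the sample gives confidentiality Moderate, integrity Moderate, availability High, so the system is categorized High and inherits the High baseline even though no single information type is High in more than one objective; this is the usual reason a system "jumps" a level when a new information type is added.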
What are the FIPS 199 impact levels?
|
Low
Moderate High |
|
|
What document(s) is/are used to categorize systems for FISMA?
|
FIPS 199
|
|
|
What document(s) is/are used to provide mapping guidelines recommending the types of information and information systems to be included in each category described in FIPS 199?
|
NIST SP 800-60
|
|
|
What document(s) is/are used to develop minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each category?
|
NIST SP 800-53 and FIPS 200
|
|
|
FIPS 200
|
Minimum Security Requirements for Federal Information and Information Systems
Specifies minimum security requirements in 17 areas that are to be met using controls outlined in SP800-53. These are mandatory. No provision for waivers is made. Complements FIPS 199 |
|
|
What document(s) is/are used to define how C&A is performed under FISMA?
|
NIST SP 800-37 & NIST SP 800-53A
|
|
|
What NIST publications support FISMA?
|
~ FIPS 140: Crypto module requirements
~ FIPS 197: AES
~ FIPS 199: System Categorization
~ FIPS 200: Minimum Security Requirements
~ FIPS 201: PIV
~ SP 800-37: C&A
~ SP 800-53: Minimum Controls
~ SP 800-53A: Verification Procedures
~ SP 800-60: Mapping Guidance |
|
|
FIPS 46
|
DES is permitted on legacy AIS only – and thus is
still relevant to the ISSEP |
|
|
FIPS 81
|
DES Modes of Operation (ECB, CBC, CFB, OFB). Triple DES (approved in FIPS 46-3) is the FIPS-approved algorithm of choice;
agencies are encouraged to transition to TDES as rapidly as prudent strategy and budgets permit |
|
|
FIPS 140
|
Establishes requirements that must be met by
modules to be used or considered for use in SBU systems, including voice systems. Describes a hierarchical system of increasing levels; Has a waiver procedure that allows relief in the event that a) adverse mission impact or b) financial impact |
|
|
What are the hierarchy levels of FIPS 140?
|
1: lowest; software module executable on a general-purpose system
2: includes 1, adds tamper-evidence features and role-based authentication; OS evaluated at EAL2 or higher
3: includes 2, adds tamper-resistant/tamper-responsive mechanisms (zeroization of keys on intrusion) and requires identity-based authentication; EAL3 or higher
4: includes 3, adds environmental failure protection (temperature, voltage); EAL4 or higher |
|
|
FIPS 197
|
Specifies AES as a FIPS-approved algorithm of choice.
For use on SBU, but not classified, information and AIS. Has a waiver procedure that allows relief in the event of a) adverse mission impact or b) financial impact. (Classified data must use Type 1 crypto; AES-256 is the minimum for the highest classification levels.) |
|
|
FIPS 199 low impact characteristics?
|
limited adverse effect
|
|
|
FIPS 199 moderate impact characteristics?
|
serious adverse effect
|
|
|
FIPS 199 high impact characteristics?
|
severe or catastrophic adverse effect; threat to human life, or loss of major assets
|
|
|
What key components are considered with each level of impact in FIPS 199?
|
Mission
Financial impact Asset impact Personnel security |
|
|
What options are available to manage (mitigate) risk according to SP 800-30?
|
~ Risk Assumption
~ Risk Avoidance
~ Risk Limitation
~ Risk Planning
~ Research and Acknowledgment
~ Risk Transference |
|
|
NIST SP 800-37
|
Guide for the Security Certification and Accreditation of Federal Information Systems (2004)
~ Issued by NIST under the authority of FISMA 2002, and consistent with OMB A-130
~ Establishes guidelines (including tasks and subtasks) to certify and accredit information systems supporting the executive branch of the federal government
~ Applicable to non-national security information systems as defined in FISMA 2002
~ Replaces FIPS Publication 102 (withdrawn 2005) |
|
|
What are the SP 800-53 control classes?
|
Management security controls (aka Administrative)
- Policy, standards, baselines, guidelines, procedures
Technical security controls (aka Logical)
~ Hardware, software, firmware components and devices
- Often provides basic support enabling other controls to function correctly
Operational controls (aka Physical)
~ Include leading industry practices and procedural guidance |
|
|
What are the types of controls in each class of 800-53 controls?
|
Preventive
Detective
Corrective
Compensating
Deterrent
Supplemental |
|
|
What are the primary types of 800-53 controls?
|
Preventive
Detective
Corrective |
|
|
What are the secondary types of 800-53 controls?
|
Compensating
Deterrent
Supplemental |
|
|
What are the 800-53 Management Controls?
|
Security Assessment and Authorization (CA)
Planning (PL)
Risk Assessment (RA)
System and Services Acquisition (SA)
Program Management (PM) |
|
|
What are the 800-53 Operational Controls?
|
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Personnel Security (PS)
System and Information Integrity (SI) |
|
|
What are the 800-53 Technical Controls?
|
Access Control (AC)
Audit and Accountability (AU)
Identification and Authentication (IA)
System and Communications Protection (SC) |
|
|
What is the Common Criteria?
|
The CC is a collection of generic security requirements (statements) to aid in the specification of product or system security attributes (Functional and Assurance)
Common Criteria (CC) approach offers:
~ Security focus to individual network components
~ Software Applications
CC Evaluated Products (EAL/EPL)
~ Evaluate Security Posture
~ Isolate Product by Defining Interface Boundary |
|
|
What is the consumer's role in Common Criteria?
|
Support procurement of evaluated products
|
|
|
What is the Developer's/Integrator's role in Common Criteria?
|
Support development to meet requirements
|
|
|
What is the evaluator's role in Common Criteria?
|
Use the CC as a basis for evaluation of products
|
|
|
What is the Auditor's/Certifier's/Accreditor's role in Common Criteria?
|
To support specific needs for security specifications
|
|
|
What is Common Criteria derived from?
|
ISO/IEC 15408
The Rainbow Series was too rigid, did not take many things into account, and required expensive evaluations; ITSEC provided more flexibility, but its attempts added more complexity.
Made up from:
~ TCSEC
~ ITSEC
~ Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
~ Federal Criteria from US, UK, Germany, France, Canada |
|
|
What are the Common Criteria evaluation ratings?
|
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed, and tested
EAL 7: Formally verified, designed, and tested |
|
|
What are the components of the Common Criteria?
|
Protection Profile
~ Description of needed security solution
Target of Evaluation
~ Product proposed to provide needed security solution
Security Target
~ Written by vendor explaining security functionality and assurance mechanisms that meet the needed security solution
Packages – Evaluation Assurance Levels (EAL)
~ Security requirements are bundled into packages for re-use
~ Reqs to be met to achieve specific EAL ratings |
|
|
What are the sets of requirements used in Common Criteria?
|
Security functional requirements (performance)
Security assurance requirements (pedigree) |
|
|
What areas comprise the security functional requirements of the Common Criteria?
|
~ Identification and authentication
~ Audit
~ Resource utilization
~ Trusted paths/channels
~ User data protection
~ Security management
~ TOE access
~ Communications
~ Privacy
~ Protection of the TOE security functions
~ Cryptographic support |
|
|
What areas comprise the security assurance requirements of the Common Criteria?
|
~ Guidance documents and manuals
~ Configuration management
~ Vulnerability assessment
~ Delivery and operation
~ Life cycle support
~ Assurance maintenance
~ Development
~ Testing |
|
|
What are the steps of the Common Criteria methodology?
|
1. Evaluate the conditions between the evaluated product and the present situation.
2. Evaluate the differences of the conditions for regression and/or independent testing.
3. Determine if additional security requirements are required for the present situation.
4. Analyze the security impact of the interfaces.
5. Perform the testing and/or analysis. |
There are 5 steps
|
|
What is the intended scope/application of the Common Criteria?
|
A paradigm used to specify security properties of IT products and systems that address
~ unauthorized disclosure (confidentiality, privacy)
~ unauthorized modification (integrity)
~ loss of use (availability)
The basis for comparison of the results of independent evaluations
Applicable to IT security functions implemented by hardware, software, and firmware |
|
|
How do consumers use the Common Criteria?
|
They need to document user requirements in the protection profile
~ Part I: structure for PP
~ Part II & III: guidance for formulating and determining reqs |
|
|
How do developers use the Common Criteria?
|
They need to develop security requirements into products
~ Part I: development and formulating reqs
~ Part II & III: interpreting requirements -> commonality |
|
|
How do evaluators use the Common Criteria?
|
They need to prepare the ST for testing
~ Part I: structure for PPs and STs
~ Part II & III: mandatory statement of eval criteria |
|
|
What are the documents that make up the Common Criteria?
|
Part 1 ~ Intro and General Model
Part 2 ~ Security Functional Reqs
Part 3 ~ Security Assurance Reqs |
|
|
How is Part 1 of the Common Criteria organized?
|
Scope, Glossary, Overview
Security Context & CC Approach
Security Concepts, Environment & Objectives
Evaluation Results
Appendix A: History
Appendix B: Specification of Protection Profiles (PPs)
Appendix C: Specification of Security Targets (STs) |
|
|
What is a Protection Profile?
|
~ Answers the question: “What do I need in a security solution?”
~ Implementation independent for a class of products or systems
~ Protection Profile authors: anyone who wants to state IT security needs (e.g., commercial consumer, consumer groups), anyone who supplies products which support IT security needs... anyone.
PP makes a statement of implementation independent security needs
~ a generic OS with DAC, Audit, and I&A |
|
|
What is a Security Target?
|
~ Answers the question: “What does a developer provide in a security solution?”
~ Implementation dependent and version specific
~ Security Target authors: product vendors, developers, integrators
~ Knowledge of implementation details required
ST defines the implementation dependent capabilities of a specific product, e.g.
– Microsoft NT 4.0.0.2 (TOE)
– Sun OS 4.7.4 (TOE) |
|
|
What is the Common Criteria security environment?
|
Security Environment defined with consideration to the:
~ Purpose and function of the TOE
~ Environment in which the TOE operates (IT & Non-IT)
– IT Environment – Security services or capabilities provided by IT systems or products that are not part of the TOE
– Non-IT Environment – Security implemented by personnel
~ Assets to be protected
Assumptions
~ The security aspects of the environment in which the TOE will be used or is intended to be used.
Threats
~ The ability to exploit a vulnerability by a threat agent.
Organizational Security Policies (OSPs)
~ A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations. |
|
|
What are the Common Criteria security objectives?
|
Objectives establish the basis for the selection of security requirements (functional & assurance)
Objectives are completely based upon the statement of the Security Environment
Objectives
~ Support Assumptions
~ Counter Threats (eliminate, minimize, monitor)
~ Enforce OSPs
Objectives are the “focal point” of the PP/ST |
|
|
What are Common Criteria security functional requirements?
|
Levied upon functions of the TOE that
support IT security; their behavior can generally be observed |
|
|
Name the Common Criteria security functional requirements classes
|
~ Security Audit (FAU)
~ Communication (FCO)
~ Cryptographic Support (FCS)
~ User Data Protection (FDP)
~ Identification & Authentication (FIA)
~ Security Management (FMT)
~ Privacy (FPR)
~ Protection of the TOE Security Functions (FPT)
~ Resource Utilization (FRU)
~ TOE Access (FTA)
~ Trusted Path/Channels (FTP) |
|
|
How are Common Criteria security functional requirements organized?
|
Class
Family
Component
Element
FIA_UID.1.1 (class_family.component.element) |
|
|
What are the types of Common Criteria component relationships?
|
~ Dependency relationship ~ other component support (functional & assurance)
~ Hierarchy relationship ~ between components within a class |
|
|
What are the types of Common Criteria operations on functional components?
|
~ Assignment ~ “fill in the blank”
~ Selection ~ “select from a list”
~ Iteration ~ “repetitive use”
~ Refinement ~ “tailor/modify” |
|
|
What is the Common Criteria definition of assurance?
|
Grounds for confidence that an IT
product or system meets its security objectives. |
|
|
According to Common Criteria, why do we care about assurance?
|
Vulnerabilities arising from ...
Requirements
~ Insufficient or ineffective requirements
Construction
~ Incorrect design decisions
~ Errors in implementation
Operation
~ Inadequate controls |
|
|
Name the Common Criteria security assurance requirements classes
|
TOE Assurance:
Configuration Mgt (ACM)
Delivery and Operation (ADO)
Development Docs (ADV)
Guidance Documents (AGD)
Life-Cycle Support (ALC)
Testing (ATE)
Vulnerability Assessment (AVA)
Maintenance of Assurance (AMA)
Specs Assurance:
Protection Profile Eval (APE)
Security Target Eval (ASE) |
|
|
How are Common Criteria security assurance requirements organized?
|
Class
Family
Component
Element
Element Identifier
ADV_LLD.3.1(D,C,E) (class_family.component.element(element id)) |
|
|
What are the Common Criteria assurance packages?
|
Basic Assurance Level ~ EAL 1 & 2
~ Limited vendor involvement
~ Functional & independent testing
Medium Assurance Level ~ EAL 3 & 4
~ Development environment controls
~ High-level design documentation
High Assurance Level ~ EAL 5, 6, & 7
~ Additional CM requirements
~ Analysis based on entire TSF implementation
~ Covert channel analysis
~ Modular and layered TOE design
~ Automated CM
~ Formal methods of functional specification & high-level design |
|
|
What NIST publication is characterized by 8 principles and 14 practices?
|
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (GASSP)
|
|
|
Name the principles of the 800-14
|
1 Computer Security Supports the Mission of the Organization
2 Computer Security is an Integral Element of Sound Management
3 Computer Security Should Be Cost-Effective
4 Systems Owners Have Security Responsibilities Outside Their Own Organizations
5 Computer Security Responsibilities and Accountability Should Be Made Explicit
6 Computer Security Requires a Comprehensive and Integrated Approach
7 Computer Security Should Be Periodically Reassessed
8 Computer Security is Constrained by Societal Factors
Review pages 669-670 of the ISC2 ISSEP book |
|
|
Name the first 7 practices of the 800-14
|
1. Have policies to enforce compliance with organizational security practices
2. Managing computer security at multiple levels administered by central oversight
3. Manage organizational risks by assessing threats and taking steps to reduce their effects
4. Manage security by planning a system’s life cycle
5. Implement security practices to manage personnel
6. Prepare for contingencies and disasters
7. Deploy a security incident response system |
|
|
Name the last 7 practices of the 800-14
|
8. Perform security awareness training
9. Apply security principles to all operational aspects of the organization
10. Implement physical and environmental security
11. Enforce effective user identification and authentication
12. Control logical access to systems
13. Maintain audit trails
14. Implement cryptography to protect sensitive data
Review pages 671 - 673 of the ISC2 ISSEP |
|
|
What are the phases of the NIST 800-37 C&A process?
|
Initiation
Security Certification
Security Accreditation
Continuous Monitoring |
|
|
What are the key roles of the NIST 800-37?
|
~ Authorizing Official
~ Authorizing Official Designated Representative
~ Senior Agency Information Security Officer
~ Information System Owner
~ Information System Security Officer
~ Certification Agent
~ User Representative |
|
|
According to NIST 800-37, what is the role of the authorizing official?
|
~ Reviews and approves the security plan for the information system
~ Determines residual risk to agency operations or assets based on information generated during the security certification
~ Makes security accreditation decisions and signs associated transmittal letter for accreditation package (authorizing official only) [GOVT ONLY!!!]
~ Reviews security status reports from continuous monitoring operations
~ Initiates security reaccreditation actions |
|
|
According to NIST 800-37, what is the role of the Senior Agency Information Security Officer?
|
~ Carrying out the Chief Information Officer responsibilities under FISMA.
~ Possessing professional qualifications, including training and experience, required to administer the information security program functions.
~ Primary duty: Information System Security.
~ Heading an office with the mission & resources.
~ Serves as the authorizing official's designated representative.
~ Serves as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. |
|
|
According to NIST 800-37, what is the role of the Information System Owner?
|
~ Represents the interests of the user community
~ Prepares security plan and conducts risk assessment
~ Informs agency officials of the need for security certification and accreditation of the information system; ensures appropriate resources are available
~ Provides the necessary system-related documentation to the certification agent
~ Prepares plan of action (and milestones) to reduce or eliminate vulnerabilities in the information system
~ Assembles final security certification package; submits to authorizing official |
|
|
According to NIST 800-37, what is the role of the Information System Security Officer?
|
~ Serves as principal staff advisor to the system owner on all matters involving the security of the information system
~ Manages the security aspects of the information system and, in some cases, oversees the day-to-day security operations of the system
~ Assists the system owner in:
– Developing and enforcing security policies for the information system
– Assembling the security certification package
– Managing and controlling changes to the information system and assessing the security impacts of those changes |
|
|
According to NIST 800-37, what is the role of the Certification Agent?
|
~ Provides an independent assessment of the security plan
~ Evaluates the security controls in the information system to determine:
– The effectiveness of those controls in a particular environment of operation
– The vulnerabilities in the system after the implementation of such controls
~ Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system |
|
|
According to NIST 800-37, what is the role of the User Representative?
|
~ Represents the operational interests and mission needs of the user community
~ Identifies mission and operational requirements
~ Serves as the liaison for user community throughout the life cycle of the information system
~ Assists in the security certification and accreditation process, when needed |
|
|
What are the tasks of the 800-37?
|
Task 1: Preparation
Task 2: Notification and Resource Identification
Task 3: System Security Plan Analysis, Update, and Acceptance
Task 4: Security Control Assessment
Task 5: Security Certification Documentation
Task 6: Security Accreditation Decision
Task 7: Security Accreditation Documentation
Task 8: Configuration Management and Control
Task 9: Security Control Monitoring
Task 10: Status Reporting and Documentation |
|
|
What tasks are associated with the Initiation Phase of the 800-37?
|
Task 1: Preparation
Task 2: Notification and Resource Identification
Task 3: System Security Plan Analysis, Update, and Acceptance |
|
|
What tasks are associated with the Security Certification Phase of the 800-37?
|
Task 4: Security Control Assessment
Task 5: Security Certification Documentation |
|
|
What tasks are associated with the Security Accreditation Phase of the 800-37?
|
Task 6: Security Accreditation Decision
Task 7: Security Accreditation Documentation |
|
|
What tasks are associated with the Continuous Monitoring Phase of the 800-37?
|
Task 8: Configuration Management and Control
Task 9: Security Control Monitoring
Task 10: Status Reporting and Documentation |
|
|
What are the subtasks of Task 1 of the 800-37?
|
Subtask 1.1: Information System Description
Subtask 1.2: Security Categorization
Subtask 1.3: Threat Identification
Subtask 1.4: Vulnerability Identification
Subtask 1.5: Security Control Identification
Subtask 1.6: Initial Risk Determination |
|
|
List the responsible role, reference and output of 800-37 subtask 1.1
|
Information System Owner, 800-18 + 800-59, first section of the SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 1.2
|
Information System Owner, FIPS 199 + 800-60, security categorization report
|
|
|
List the responsible role, reference and output of 800-37 subtask 1.3
|
Information System Owner, 800-30 + 800-60, threat section of RAR
|
|
|
List the responsible role, reference and output of 800-37 subtask 1.4
|
Information System Owner, 800-30 + 800-60, vulnerability section of the RAR
|
|
|
List the responsible role, reference and output of 800-37 subtask 1.5
|
Information System Owner, FIPS 200 + 800-53, second section of the SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 1.6
|
Information System Owner, 800-30, RAR
|
|
|
What are the subtasks of Task 2 of the 800-37?
|
Subtask 2.1: Notification
Subtask 2.2: Planning and Resources |
|
|
List the responsible role, reference and output of 800-37 subtask 2.1
|
Information System Owner, 800-37, SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 2.2
|
Authorizing Official
SAISO/CISO
Information System Owner
Certification Agent, 800-37, Approved SSP |
|
|
What are the subtasks of Task 3 of the 800-37?
|
Subtask 3.1: Security Categorization Review
Subtask 3.2: System Security Plan Analysis
Subtask 3.3: System Security Plan Update
Subtask 3.4: System Security Plan Acceptance |
|
|
List the responsible role, reference and output of 800-37 subtask 3.1
|
Authorizing Official
SAISO/CISO
Certification Agent, 800-60, Approved SecCat |
|
|
List the responsible role, reference and output of 800-37 subtask 3.2
|
Authorizing Official
SAISO/CISO
Certification Agent, 800-18, Draft SSP |
|
|
List the responsible role, reference and output of 800-37 subtask 3.3
|
Information System Owner, 800-18, Final SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 3.4
|
Authorizing Official
SAISO/CISO, 800-37, Approved SSP |
|
|
What are the subtasks of Task 4 of the 800-37?
|
Subtask 4.1: Documentation and Supporting Materials
Subtask 4.2: Methods and Procedures
Subtask 4.3: Security Assessment
Subtask 4.4: Security Assessment Report |
|
|
List the responsible role, reference and output of 800-37 subtask 4.1
|
Information System Owner
Certification Agent, 800-37, ST&E |
|
|
List the responsible role, reference and output of 800-37 subtask 4.2
|
Certification Agent, 800-53A, ST&E
|
|
|
List the responsible role, reference and output of 800-37 subtask 4.3
|
Certification Agent, 800-53A + 800-30, vulnerability assessment report
|
|
|
List the responsible role, reference and output of 800-37 subtask 4.4
|
Certification Agent, 800-53A, SAR
|
|
|
What are the subtasks of Task 5 of the 800-37?
|
Subtask 5.1: Findings and Recommendations
Subtask 5.2: System Security Plan Update
Subtask 5.3: Plan of Action and Milestones Preparation
Subtask 5.4: Accreditation Package Assembly |
|
|
List the responsible role, reference and output of 800-37 subtask 5.1
|
Certification Agent, 800-53A, SAR
|
|
|
List the responsible role, reference and output of 800-37 subtask 5.2
|
Information System Owner, 800-18, SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 5.3
|
Information System Owner, OMB M02-01, POA&M
|
|
|
List the responsible role, reference and output of 800-37 subtask 5.4
|
Information System Owner, 800-37 + OMB M02-01, SAR + SSP + POA&M
|
|
|
What are the subtasks of Task 6 of the 800-37?
|
Subtask 6.1: Final Risk Determination
Subtask 6.2: Risk Acceptability |
|
|
List the responsible role, reference and output of 800-37 subtask 6.1
|
Authorizing Official, 800-37, Questions
|
|
|
List the responsible role, reference and output of 800-37 subtask 6.2
|
Authorizing Official, 800-37, AO ATO Decision Letter
|
|
|
What are the subtasks of Task 7 of the 800-37?
|
Subtask 7.1: Security Accreditation Package Transmission
Subtask 7.2: System Security Plan Update |
|
|
List the responsible role, reference and output of 800-37 subtask 7.1
|
Authorizing Official, 800-37, Security Accreditation Package
|
|
|
List the responsible role, reference and output of 800-37 subtask 7.2
|
Information System Owner, 800-37, Updated SSP and POA&M
|
|
|
What are the subtasks of Task 8 of the 800-37?
|
Subtask 8.1: Documentation of Information System Changes
Subtask 8.2: Security Impact Analysis |
|
|
List the responsible role, reference and output of 800-37 subtask 8.1
|
Information System Owner, 800-37, Change requests
|
|
|
List the responsible role, reference and output of 800-37 subtask 8.2
|
Information System Owner, 800-30, Change approvals
|
|
|
What are the subtasks of Task 9 of the 800-37?
|
Subtask 9.1: Security Control Selection
Subtask 9.2: Selected Security Control Assessment |
|
|
List the responsible role, reference and output of 800-37 subtask 9.1
|
Information System Owner, 800-53A, Continuous monitoring plan
|
|
|
List the responsible role, reference and output of 800-37 subtask 9.2
|
Information System Owner, 800-53A, Continuous monitoring reports
|
|
|
What are the subtasks of Task 10 of the 800-37?
|
Subtask 10.1: System Security Plan Update
Subtask 10.2: Plan of Action and Milestones Update
Subtask 10.3: Status Reporting |
|
|
List the responsible role, reference and output of 800-37 subtask 10.1
|
Information System Owner, 800-18 + 800-37, Updated SSP
|
|
|
List the responsible role, reference and output of 800-37 subtask 10.2
|
Information System Owner, OMB M02-01, Updated POA&M
|
|
|
List the responsible role, reference and output of 800-37 subtask 10.3
|
Information System Owner, 800-37, System security status report to AO
|
|
|
According to the IATF, how is IA implemented in the system life cycle?
|
System Life Cycle is a process by which systems are developed, from pre-concept to deployment and disposal
IA objectives are to achieve levels of confidentiality, integrity and availability commensurate with the type and value of data, mission requirements, support organization, etc.
The processes:
~ Generally Accepted System Security Principles (GASSP)
~ Security in the System Life Cycle (SLC)
~ Common IT Security Practices
~ NIST Engineering Principles
~ ISSE, CMM, and IATF |
|
|
List the first 7 NIST Engineering Principles
|
1. Establish a sound security policy as the “foundation” for design
2. Treat security as an integral part of the overall design
3. Clearly delineate the physical and logical security boundaries governed by associated security policies
4. Reduce risk to an acceptable level
5. Assume that external systems are insecure
6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
7. Ensure no single point of vulnerability |
|
|
List NIST engineering principles 8 -14
|
8. Implement tailored system security measures to meet organizational security goals
9. Strive for simplicity
10. Design and operate an IT system to limit vulnerability and to be resilient in response
11. Minimize the system elements to be trusted
12. Implement security through a combination of measures distributed physically and logically
13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats
14. Limit or contain vulnerabilities |
|
|
List NIST engineering principles 15-20
|
15. Formulate security measures to address multiple overlapping information domains
16. Isolate public access systems from mission critical resources
17. Use boundary mechanisms to separate computing systems and network infrastructures
18. Where possible, base security on open standards for portability and interoperability
19. Use common language in developing security requirements
20. Design and implement audit mechanisms to detect authorized use and to support incident investigations |
|
|
List NIST engineering principles 21-27
|
21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains
23. Use unique identities to ensure accountability
24. Implement least privilege
25. Do not implement unnecessary security mechanisms
26. Protect data during all the transaction’s phases
27. Strive for operational ease of use |
|
|
List NIST engineering principles 28-33
|
28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
29. Consider custom products to achieve adequate security
30. Ensure security in the shutdown or disposal of a system
31. Protect against all likely classes of “attacks”
32. Identify and prevent common errors and vulnerabilities
33. Ensure that developers are trained to develop secure software |
|
|
Name the 3 IATF key principles
|
1 Always keep Problem and Solution spaces separate.
~ Problem Space: desired end-product functionality
~ Solution Space: how that functionality will be provided
2 Customer’s mission/business needs define the Problem.
~ Includes mission, compliance requirements, constraints...
~ Takes into account threats, risks, operational efficiencies...
3 SE and SSE collaborate to define the Solution, which is driven by the Problem space.
~ Must satisfy operational as well as security requirements
~ Must include trade-offs and flexibility to assure mission success |
|
|
What are the DODAF architecture views?
|
All view (AV)
Operational view (OV)
Systems view (SV)
Technical view (TV) |
|
|
What does the DODAF OV convey?
|
Information flows
Identifies what needs to be accomplished and who does it |
|
|
What does the DODAF SV convey?
|
Systems and interconnections
Relates systems and characteristics to operational needs |
|
|
What does the DODAF TV convey?
|
Rules governing the arrangements, interactions and interdependence of system parts or elements
Prescribes standards and conventions |
|
|
What are the 6 fundamental steps DODAF calls for when building an architecture?
|
1 - Determine the intended use of the architecture
2 - Determine scope of architecture
3 - Determine characteristics to be captured
4 - Determine views and products to be built
5 - Gather data and build the requisite products
6 - Use architecture for intended purpose |
|
|
What is the ISSE process definition?
|
Discovering users’ requirements and designing systems
that meet the requirements effectively and securely |
|
|
What are the 6 elements of the systems engineering process?
|
Discover Needs
Refine Requirements
Design Architecture
Detailed Design
Implement System
Assess Effectiveness |
|
|
What are the 6 elements of the systems security engineering process?
|
Discover system protection needs
Define system security requirements
Design system security architecture
Develop detailed security design
Implement system security
Assess system security effectiveness |
|
|
What is the Information Assurance Technology Framework?
|
Provides an integrated process (involving technical and non-technical aspects) for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization’s mission.
It defines the requirements for the TCB hardware, software, and firmware, and applies the processes to achieve a layered protection architectural strategy known as “Defense in Depth”, to defend the:
~ Computing Environment
~ Enclave Boundary
~ Network and Infrastructure
~ Supporting Infrastructures |
|
|
What 3 areas does the IATF technical process focus on?
|
~ People – those authorized to perform the work
~ Technology – the tools and technologies used
~ Operations – the processes and activities |
|
|
What is the goal of IATF?
|
“Defense in Depth” implementation
|
|
|
What are the principles of defense in depth?
|
Defense in multiple places: to protect against internal and external threats
Layered defenses: to ensure adversaries must negotiate multiple impediments to gain access and achieve attack goals
Security robustness: the assurance and relative strength of the security component against anticipated threats
Deploy KMI/PKI: deployment of robust key management infrastructures and PKI technologies
Deploy intrusion detection systems: use of IDS and similar technologies to detect intrusions, evaluate information and results, and take or support taking action. |
|
|
What is the technology goal of defense in depth?
|
Appropriate tools and technologies must be acquired and applied prudently to achieve program goals:
~ Security policy and principles
~ IA architectures and standards
~ IA Architecture framework areas
~ Specification criteria for product selection
~ IA criteria (security, interoperability, and PKI)
~ Acquisition and integration of evaluated products
~ System risk assessments |
|
|
What are the focus areas of defense in depth?
|
Defend the computing environment
~ Clients, servers, applications, and other AIS components
Defend the enclave boundaries
~ A collection of AIS under single authority/policy
~ Assume highest mission assurance category
Defend the networks & infrastructure
~ Networks and support systems providing interconnection between locations or enclaves
Defend the supporting infrastructures
~ Defense with KMI/PKI with detect-response capability (IDS/IPS/IDP) |
|
|
What does defense in depth seek to protect?
|
~ People
~ Technology
~ Operations |
|
|
What must management commit to for defense in depth to work?
|
Management must demonstrate its commitment to achieving success in IA programs through
~ Policies and procedures
~ Roles and Responsibilities
~ Commitment of resources
~ Training and awareness
~ Physical security and countermeasures
~ Personnel security programs and controls
~ Personal accountability
~ Sanctions and penalties |
|
|
What must be performed to make defense in depth work for operations?
|
The activities required to perform and maintain the effective security posture are daily, and include
~ Visible and enforced current security policy
~ Certification and accreditation
~ Readiness assessments
~ Security assessments
~ Infrastructure protection
~ Security management
~ Key management
~ Monitoring and reacting to threats
~ Attack sensing and warning response
~ Recovery and reconstitution |
|
|
What is the general approach to defense in depth?
|
~ Conduct risk assessments.
~ Deploy cost-effective, risk-based security.
~ Use commercial off-the-shelf (COTS) products.
~ Education, training, and awareness.
~ Continuous monitoring.
~ Employ multiple means of threat mitigation.
~ Implement a robust IA posture to cope with the unexpected.
~ Only trustworthy personnel have access.
~ Have effective incident response plan. |
|
|
What is a countermeasure?
|
A targeted control [response] to a single threat
|
|
|
What are the 3 categories of information according to IATF?
|
Public
Private
Classified |
|
|
What is the IATF definition of an information system?
|
An “Information System”:
~ Also referred to as: Automated Information System (AIS), Information Technology System
~ “Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.” |
|
|
What is the IATF definition of a security engineer?
|
“A Security Engineer, through engineering discipline and process, helps build dependable systems in the face of malice, error, or mischance.”
“As a discipline, it focuses on tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.” |
|
|
What is the IATF definition of a threat?
|
The likelihood that the impact of an unwanted
incident will be realized |
|
|
What is the IATF definition of a vulnerability?
|
An inherent or intrinsic flaw or weakness in a
system, its subsets, or components (hardware, software, or firmware) that can be exploited by a threat |
|
|
What is the IATF definition of impact?
|
An adverse operational impairment or loss caused by the
materialization of a threat |
|
|
What is the IATF definition of risk?
|
The quantification of a) probability that a threat will
materialize and cause impact, or b) the estimate of potential financial loss (exposure) an organizational unit might experience in a scenario |
|
|
What is the IATF definition of trust?
|
~ All protection mechanisms work cohesively to process sensitive data for all authorized users and maintain the required level of protection
~ Consistent enforcement of policy through all states |
|
|
What is the IATF definition of assurance?
|
~ Degree of confidence that the system will act in a correct and predictable manner in all possible computing situations
~ Known inputs produce expected results through all states |
|
|
What is the engineering definition of a system?
|
a combination of elements designed to
function as a unit to perform a function |
|
|
What is the engineering definition of a structure?
|
formulation of systems or processes
to perform a function or achieve an objective |
|
|
What is the engineering definition of a function?
|
a description of work that a system
must perform to meet customer requirements |
|
|
What is the engineering definition of a purpose?
|
knowledge used to perform a function
|
|
|
Study slide 199
|
Study slide 199
|
|
|
Study slide 200
|
Study slide 200
|
|
|
What is the equation for an instance of risk?
|
instance = threat x vulnerability x impact
|
|
|
What are the parts of the NSTISSI-4009 Risk Management Cycle?
|
~ Identify and value assets in context
~ Assess the risk/threat environment
~ Develop Risk Management Plan
~ Implement Risk Management Actions
~ Monitor to ensure continued correct performance and operation
~ Periodically re-evaluate the risk environment and act as required |
|
|
What are the risk management actions of Phase 1 of the SLC?
|
Phase 1 (Initiation) – Identified risks are used to support the
development of the system requirements, including security requirements, and a security concept of operations (strategy) |
|
|
What are the risk management actions of Phase 2 of the SLC?
|
Phase 2 (Development/Acquisition) – The risks identified
during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development |
|
|
What are the risk management actions of Phase 3 of the SLC?
|
Phase 3 (Implementation) – The risk management process
supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation |
|
|
What are the risk management actions of Phase 4 of the SLC?
|
Phase 4 (Operation/Maintenance) – Risk management
activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (i.e., new system interfaces) |
|
|
What are the risk management actions of Phase 5 of the SLC?
|
Phase 5 (Disposal) – Risk management activities are
performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner |
|
|
What are the inputs to step 1 of the SP 800-30 Risk Assessment Activities?
|
~ Hardware
~ Software
~ Systems interfaces
~ Data and information
~ People
~ Systems mission |
|
|
What are the inputs to step 2 of the SP 800-30 Risk Assessment Activities?
|
~ History of system attack
~ Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media |
|
|
What are the inputs to step 3 of the SP 800-30 Risk Assessment Activities?
|
~ Reports from prior risk assessments
~ Any audit comments
~ Security requirements
~ Security test results |
|
|
What are the inputs to step 4 of the SP 800-30 Risk Assessment Activities?
|
~ Current controls
~ Planned controls |
|
|
What are the inputs to step 5 of the SP 800-30 Risk Assessment Activities?
|
~ Threat-source motivation
~ Threat capacity
~ Nature of vulnerability
~ Current controls |
|
|
What are the inputs to step 6 of the SP 800-30 Risk Assessment Activities?
|
~ Mission impact analysis
~ Asset criticality assessment
~ Data criticality
~ Data Sensitivity |
|
|
What are the inputs to step 7 of the SP 800-30 Risk Assessment Activities?
|
~ Likelihood of threat exploitation
~ Magnitude of impact
~ Adequacy of planned or current controls |
|
|
What are the outputs to step 1 of the SP 800-30 Risk Assessment Activities?
|
~ System boundary
~ System functions
~ System and data criticality
~ System and data sensitivity |
|
|
What are the outputs to step 2 of the SP 800-30 Risk Assessment Activities?
|
~ Threat statement
|
|
|
What are the outputs to step 3 of the SP 800-30 Risk Assessment Activities?
|
~ List of potential vulnerabilities
|
|
|
What are the outputs to step 4 of the SP 800-30 Risk Assessment Activities?
|
~ List of current and planned controls
|
|
|
What are the outputs to step 5 of the SP 800-30 Risk Assessment Activities?
|
Likelihood rating
|
|
|
What are the outputs to step 6 of the SP 800-30 Risk Assessment Activities?
|
Impact rating
|
|
|
What are the outputs to step 7 of the SP 800-30 Risk Assessment Activities?
|
Risks and associated risk levels
|
|
|
What are the outputs to step 8 of the SP 800-30 Risk Assessment Activities?
|
Recommended controls
|
|
|
What are the outputs to step 9 of the SP 800-30 Risk Assessment Activities?
|
Risk Assessment Report
|
|
|
What is the DoD 500.2-R definition of Systems Engineering?
|
The systems engineering process shall:
~ Transform approved operational requirements into an integrated system design solution through concurrent consideration of all life-cycle needs
~ Ensure the integration of all operational, functional, and physical interfaces, and that system definition and design reflect the requirements for all system elements
~ Characterize and manage technical risks
~ Apply engineering principles to identify security vulnerabilities and contain information assurance as well as enforce protection risks associated with these vulnerabilities |
|
|
What is security engineering?
|
It is the application of traditional
systems engineering processes to the specific problems and issues regarding assurance and security of systems and information. |
|
|
What are the goals of security engineering?
|
~ Understand Security Risks
~ Establish Security Needs
~ Develop Security Guidance
~ Determine Acceptable Risks
~ Establish Assurance |
|
|
Who practices security engineering?
|
~ Developers
~ Product vendors
~ Integrators
~ Buyers
~ Security evaluation organizations
~ System administrators
~ Consulting/service organizations |
|
|
When is security engineering practiced?
|
throughout all phases of the SDLC
|
|
|
What activities should be included/considered in security engineering?
|
Operations Security
Information Security
Network Security
Physical Security
Personnel Security
Administrative Security
Communications Security
Emanations Security
Computer Security |
|
|
What are the system lifecycle phases of IEEE-1220?
|
1. Development: the initial phases of planning and executing system definition tasks required to meet the evolving customer need
2. Manufacturing: the activities necessary to produce models and prototypes to demonstrate the planned design functionality
3. Test: performance validation of prototype or the pre-commission version of the produced solution to measure customer satisfaction
4. Distribution: delivery and commissioning of the produced solution in the planned operational environment(s)
5. Operations: the produced solution performing as intended/expected
6. Support: sustaining maintenance of the produced solution
7. Training: all tasks, tools, and technologies employed to prepare and sustain human knowledge and proficiency in the produced solution
8. Disposal: the disposal, retirement, or recycling of the original produced solution in a secure and environmentally sound manner |
|
|
What is the goal of activity 1 of the IATF ISSE process?
|
Discover Information Protection Needs
Ascertain why the system needs to be built – what needs the system must fulfill. |
|
|
What is the goal of activity 2 of the IATF ISSE process?
|
Define System Security Requirements
Define the system in terms of what the system needs to be able to do. |
|
|
What is the goal of activity 3 of the IATF ISSE process?
|
Define System Security Architecture
Use previously documented information to choose the types of security components that will perform specific security functions. This process is the core of designing the security architecture. |
|
|
What is the goal of activity 4 of the IATF ISSE process?
|
Develop Detailed Security Design
Based on the security architecture, begin to design the system to be able to do what it needs to. |
|
|
What is the goal of activity 5 of the IATF ISSE process?
|
Implement System Security
Build/Implement the system so it does what it is supposed to do. |
|
|
What is the goal of activity 6 of the IATF ISSE process?
|
Assess Security Protection Effectiveness
Assess the degree to which the system, as it is defined, designed, and implemented, meets the needs. This assessment activity occurs during and with all the other activities in the ISSE process. |
|
|
What is the goal of activity 7 & 8 of the IATF ISSE process?
|
Plan and Manage Technical Effort
~ Planning the technical effort occurs throughout the ISSE process.
~ ISSE must review each of the following areas to scope support to the customer in conjunction with the other activities.
~ Requires a unique skill set, and is likely to be assigned to senior-level personnel. |
|
|
List the tasks and subtasks of IATF ISSE Activity 1
|
Task - 01.1 Analyze organization's mission
Task - 01.2 Determine relationship and importance of information to mission
Task - 01.3 Identify legal and regulatory requirements
Task - 01.4 Identify classes of threats
Task - 01.5 Determine impacts
Task - 01.6 Identify security services
Task - 01.7 Document the information protection needs
Task - 01.8 Document security management roles and responsibilities
Task - 01.9 Identify design constraints
Task - 01.10 Assess information protection effectiveness
Subtask - 01.10.1 Provide/present documented information protection needs to the customer
Subtask - 01.10.2 Obtain concurrence from the customer in the information protection needs
Task - 01.11 Support system C&A
Subtask - 01.11.1 Identify DAA/Accreditor
Subtask - 01.11.2 Identify Cert Authority/Certifier
Subtask - 01.11.3 Identify C&A and acquisition processes to be applied
Subtask - 01.11.4 Ensure accreditors and certifiers concurrence in the information protection needs |
|
|
List the tasks and subtasks of IATF ISSE Activity 7
|
Task - 07.1 Estimate the project scope
Task - 07.2 Identify resources and availability
Task - 07.3 Identify roles and responsibilities
Task - 07.4 Estimate project costs
Task - 07.5 Develop project schedule
Task - 07.6 Identify technical activities
Task - 07.7 Identify deliverables
Task - 07.8 Define management interfaces
Task - 07.9 Prepare technical management plan
Task - 07.10 Review project plan
Task - 07.11 Obtain customer agreement |
|
|
List the tasks and subtasks of IATF ISSE Activity 8
|
Task - 08.1 Direct technical effort
Task - 08.2 Track project resources
Task - 08.3 Track technical parameters
Task - 08.4 Monitor progress of technical activities
Task - 08.5 Ensure quality of deliverables
Task - 08.6 Manage configuration elements
Task - 08.7 Review project performance
Task - 08.8 Report project status |
|
|
What are the ISSE duties during Initiation?
|
The need for a system is expressed and the purpose of the system is documented:
~ Discover information protection needs
~ Define system security requirements
~ Categorize/characterize the system (as intended in final form)
~ Conduct a Sensitivity Assessment
~ Prepare a Security Plan (initial very general working plan)
~ Initiate Risk Assessment activities
All items are documented and become part of the system history and build baseline documentation. |
|
|
What tasks must the ISSE complete while Discovering Information Protection Needs?
|
~ Develop an understanding of the customer’s mission or business
~ Help the customer determine what information management is needed to support the mission or business
~ Create a model of that information management, with customer concurrence
~ Document the results as the basis for defining information systems that will satisfy the customer’s needs |
|
|
What are the key documents/components produced when discovering information protection needs?
|
Business/Mission
~ Mission Needs Statement (MNS)
~ Concept of Operations (CONOPS)
Information Management Model (IMM)
~ Users or members
~ Rules, privileges, roles, and responsibilities
~ Information objects being managed
Information Protection Policy (IPP)
~ Protection needs that support Mission/Business
~ Security service requirements |
|
|
What constitutes the requirements baseline?
|
To determine the customer’s needs:
~ Define the mission need
~ Define the information management to create an Information Management Model (IMM)
~ Define the Information Protection Policy (IPP)
Results become the basis for creating an Information Management Policy that meets the customer’s needs |
|
|
What is Harm To Information (HTI)?
|
considers the value of
the information and the degree of harm to the mission if the information were disclosed, modified, destroyed, or unavailable when needed |
|
|
What are Potentially Harmful Events (PHE)?
|
considers the
existence of malicious adversaries, their degree of motivation, and the potential for accidents and natural disasters |
|
|
What is an Information Management Policy?
|
The ISSEP documents:
~ Information threats
~ Security services and priorities
~ Roles and responsibilities
Information Protection Policy (IPP): basis for the IMP
Information Management Policy (IMP)
~ Information Flow
~ Access and Privileges |
|
|
What are the parts of the requirements hierarchy?
|
~ Business Mission
~ Functions
~ Architecture
~ Components
~ Design
~ Specifications
~ Implementation |
|
|
List the parts of the requirements hierarchy from most abstract to most specific.
|
~ Business Mission
~ Functions
~ Architecture
~ Components
~ Design
~ Specifications
~ Implementation |
|
|
What are the ISSE duties during Development or Acquisition phase?
|
The system is designed, purchased, programmed, developed, or otherwise constructed
~ Design system security architecture
~ Develop detailed security design
~ Incorporate Security Requirements Into Specifications
~ Make-Buy decisions are made:
– Procurement (component or turn-key)
– Program
– Build
All items are documented and become part of the system history and build baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy. |
|
|
What tasks must the ISSE complete while defining system security requirements?
|
The ISSEP defines a solution set that satisfies the information protection needs of the IPP
A solution set consists of:
~ The System Context
~ A Concept of Operations (CONOPS)
~ The System Requirements |
|
|
What are the ISSE duties during the Implementation phase?
|
The system is tested and installed or fielded
~ Install and configure selected controls and countermeasures
~ Enable and test all controls required in the design documentation
~ Verification and validation of controls functionality
~ Security Testing
All items are documented and become part of the system history and build baseline documentation. Previously recorded items are refined, updated or replaced as required to ensure accuracy.
~ Design system security architecture |
|
|
What tasks must the ISSE complete while designing system security architecture?
|
~ Performs functional analysis of potential architectures to meet requirements from Step 2
~ Allocates security services
~ Selects security mechanisms
~ Identifies elements of the system to be protected
~ Allocates security functions to those elements
~ Describes the relationships between the elements |
|
|
What tasks must be performed as part of the detailed design?
|
~ Design must satisfy customer-specified design constraints and the security requirements
~ Design should project the schedule and cost of long-lead items and life-cycle support
~ Design should be under configuration control
~ Design should include a revised security CONOPS
~ Trade-offs must consider priorities, cost, schedule, performance, and residual security risks
~ Failures to satisfy security requirements must be reported to C&A authorities |
|
|
What tasks must the ISSE complete when developing a detailed security design?
|
~ Allocating security mechanisms to system security design elements
~ Identifying candidate products
~ Qualifying element and system interfaces
~ Developing system specifications |
|
|
When does the Operations & Maintenance phase officially begin?
|
When the AO signs and issues the ATO
|
|
|
What are the ISSE duties during the Operation & Maintenance phase?
|
The system is being modified by the addition or removal of components, features, or changes in them:
~ Security Operations and Administration
~ Operational Assurance and measurement
~ Audits and Monitoring and subsequent corrective actions
~ Assessment of controls effectiveness
~ Configuration and change management
All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy. |
|
|
What factors should be considered when selecting components?
|
~ Current and future availability
~ Cost
~ Form factor
~ Reliability
~ Potential risk to system due to component failure
~ Conformance to design specifications
~ Compatibility with existing components
~ Satisfying evaluation criteria |
|
|
What tasks must the ISSE complete during implementation?
|
~ Provides inputs to C&A process activities
~ Reviews evolving system life cycle support plans
~ Reviews operational procedures for users
~ Reviews maintenance training for administrators
~ Assesses information protection measures in preparation for the final system effectiveness assessment |
|
|
What tasks must the ISSE complete during testing?
|
~ Participation in the testing of protection mechanisms and functions
~ Verification that the system implementation does protect against the threats identified in the original threat assessment
~ Application of information protection assurance mechanisms related to system implementation and testing practices
~ Continuing risk management
~ Supporting the C&A processes |
|
|
What tasks must the ISSE complete during the disposal phase?
|
This involves the final disposition of data, hardware, and software
~ Information archiving
~ Data transferral to new operational environment
~ Media Sanitization
~ Retirement or destruction
~ Recycling
All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy. |
|
|
Why use the CMM approach?
|
Accepted way of defining practices and improving capability
Increasing use in acquisition as an indicator of capability
ROI for software indicates success |
|
|
Why was the SSE-CMM developed?
|
Objective:
~ advance security engineering as a defined, mature, and measurable discipline
Project Goal:
~ Develop a mechanism to enable:
– selection of appropriately qualified security engineering providers
– focused investments in security engineering practices
– capability-based assurance |
|
|
List the organizational capability measures.
|
~ Level 1 (Performed Informally)
1.1 Base Practices are Performed
~ Level 2 (Planned and Tracked)
2.1 Planning Performance
2.2 Disciplined Performance
2.3 Verifying Performance
2.4 Tracking Performance
~ Level 3 (Well-Defined)
3.1 Defining a Standard Process
3.2 Perform the Defined Process
3.3 Coordinate the Process
~ Level 4 (Quantitatively Controlled)
4.1 Establishing Measurable Quality Goals
4.2 Objectively Managing Performance
~ Level 5 (Continuously Improving)
5.1 Improving Organizational Capability
5.2 Improving Process Effectiveness |
|
|
How does the SSE-CMM define best practices at the domain level?
|
~ process areas
~ base practices |
|
|
How does the SSE-CMM define best practices at the organizational capability level?
|
~ implementation of process areas
~ institutionalization of process areas |
|
|
What are the SSE-CMM process categories?
|
Engineering processes
Project processes
Organizational Processes |
|
|
What are the SSE-CMM organizational process areas?
|
~ Define Organization’s Security Engineering Process
~ Improve Organization’s Security Engineering Process
~ Manage Security Product Line Evolution
~ Manage Security Engineering Support Environment
~ Provide Ongoing Skills and Knowledge
~ Coordinate with Suppliers |
|
|
What are the SSE-CMM project process areas?
|
~ Ensure Quality
~ Manage Configurations
~ Manage Program Risk
~ Monitor and Control Technical Effort
~ Plan Technical Effort |
|
|
What are the SSE-CMM engineering technical "base" process areas?
|
PA01 – Administer Security Controls
PA02 – Assess Security Impacts
PA03 – Assess Security Risk (to CIA and other information assets)
PA04 – Assess Threat
PA05 – Assess Vulnerability
PA06 – Build Assurance Argument
PA07 – Coordinate Security
PA08 – Monitor Security Posture
PA09 – Provide Security Input
PA10 – Specify Security Needs
PA11 – Verify and Validate Security |
|
|
What are the classes of attacks?
|
~ Passive attacks can result in the disclosure of data to an attacker without the knowledge of the user
~ Active attacks include attempts to circumvent protection features to execute a deliberate attack
~ Close-in attacks occur when an attacker is in physical close proximity to resources to launch an attack
~ Insider attacks can be malicious or non-malicious:
– Malicious insiders intend to deliberately attack an asset
– Non-malicious attacks typically result from lack of knowledge
~ Distribution attacks focus on the malicious modification of resources during production or distribution |
|
|
What is the first line of defense for a passive attack?
|
Link and network layer and
encryption and traffic flow security |
|
|
What is the first line of defense for an active attack?
|
Defend the enclave
boundaries |
|
|
What is the first line of defense for an insider attack?
|
Physical and personnel
security |
|
|
What is the first line of defense for a close-in attack?
|
Physical and personnel
security |
|
|
What is the first line of defense for a distribution attack?
|
Trusted software development
and distribution |
|
|
What is the second line of defense for a passive attack?
|
Security-enabled
applications |
|
|
What is the second line of defense for an active attack?
|
Defend the computing
environment |
|
|
What is the second line of defense for an insider attack?
|
Authenticated access
controls, audit |
|
|
What is the second line of defense for a close-in attack?
|
Technical surveillance
countermeasures |
|
|
What is the second line of defense for a distribution attack?
|
Run time integrity
controls |
|
|
What is the major goal of C&A?
|
Enabling more consistent, comparable, and
repeatable assessments of security controls in federal information systems |
|
|
What are the objectives of C&A?
|
To achieve more secure information systems within the federal government by:
~ Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems
~ Promoting a better understanding of agency-related mission risks resulting from the operation of information systems
~ Creating more complete, reliable, and trustworthy information for authorizing officials in order to facilitate more informed accreditation decisions |
|
|
What is the NSTISSI 4009 definition of Certification?
|
“The comprehensive evaluation of the technical
and non-technical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.” |
|
|
What are the characteristics of certification?
|
Formal process for testing systems against a set of security requirements
Performed by an independent reviewer instead of someone who was involved with building or operating the system
The amount of rigor employed may vary depending on the system level or operational context. |
|
|
What is accreditation?
|
The decision given by the designated senior agency official to authorize operation of an information system:
~ In a particular security mode
~ Using a prescribed set of controls
~ Against a defined threat
~ At an acceptable level of risk
~ For a specific period of time
The official explicitly accepts the risk to agency assets based on the implementation of these security conditions. [remember the phrase "and the nation"] |
|
|
What is the NSTISSI 4009 definition of Accreditation?
|
“A formal declaration by the DAA that an AIS is
approved to operate in a particular security mode using a prescribed set of safeguards.” |
|
|
What are the significant benefits of C&A?
|
More consistent, comparable, and repeatable security evaluations
More complete, reliable technical information for information system accreditation authorities, leading to better understanding of complex systems and associated risks and vulnerabilities
Greater availability of competent certification services for customers
Assessments by accredited organizations can form the basis for cyber insurance policy decisions |
|
|
What is the NSTISSI 4009 definition of an Automated Information System (AIS)?
|
“Any equipment or interconnected system or
subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.” |
|
|
What is Information Assurance?
|
Measures that protect and defend information and
information systems by ensuring their availability, integrity, confidentiality, authentication and non-repudiation. This includes providing for restoration of information systems by incorporating the following capabilities: protection, detection, and reaction. |
|
|
What is Availability?
|
Timely, reliable access to data and information services for
authorized users. |
|
|
What is Integrity?
|
Quality of an IS reflecting the logical correctness and
reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. |
|
|
What is confidentiality?
|
Assurance that information is not disclosed to unauthorized
individuals, processes, or devices. |
|
|
What is Access Control?
|
Limiting access to information system resources only to
authorized users, programs, processes, or other systems. |
|
|
What is Authentication?
|
Security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. |
|
|
What is Non-Repudiation?
|
Assurance the sender of data is provided with proof of
delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data. |
|
|
What are the accreditation options?
|
1 - System: accreditation evaluates a major system application or a clearly defined independent system.
2 - Type: accreditation evaluates a common application or system that is distributed to a number of different locations.
3 - Site: accreditation evaluates applications and systems at a specific, self-contained location. |
|
|
What are C&A artifacts?
|
System policies, documentation, plans, test
procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls. |
|
|
What is C&A from the DoD's perspective?
|
The standard DoD approach for:
~ identifying information security requirements,
~ providing security solutions, and
~ managing the security of DoD information systems. |
|
|
What are the general steps of the C&A process?
|
~ Define problem
~ Risk assessment
~ Implement controls
~ Certification
~ Accreditation
~ Ops/maintenance
~ Disposal |
|
|
What Acts support C&A?
|
Privacy Act of 1974
Computer Security Act of 1987
Clinger-Cohen Act of 1996
~ Information Technology Management Reform Act
~ Defines National Security Systems
NIST SP800-59 |
|
|
What Government document requires C&A?
|
OMB Circular A-130
~ Management of Federal Information Resources, Appendix III, December 24, 1985
~ Mandatory implementation of Computer Security Act and FISMA requirements
– 3-year reviews
~ Defines "adequate security" |
|
|
What is "adequate security"?
|
“security commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to or modification of information.…provide appropriate confidentiality, integrity, and availability, through the use of cost effective management, personnel, operational, and technical controls.” |
|
|
What executive order mandates C&A?
|
Executive Order 13231, 16 October 2001
Critical Infrastructure Protection in the Information Age |
|
|
What law is the most recent overarching requirement for C&A?
|
FISMA
~ (Federal Information Security Management Act) - Title III of E-Government Act of 2002 (Public Law 107-347)
~ OMB has Oversight over E-Government
– Federal Government (Organizations and IG’s) must report IA status to OMB annually and quarterly
– OMB provides reports to Congress annually
– Congressional Cyber Security Grade
~ NIST publishes Standards and Guidelines
~ All Federal Government must follow NIST C&A processes, with the exception of Defense and Intelligence organizations. |
|
|
What does DITSCAP stand for?
|
Defense Information Technology Security
Certification and Accreditation Process |
|
|
What instruction created DITSCAP?
|
DoDI 5200.40, 30 December 1997
~ Applies to all DoD systems |
|
|
What are the phases of DITSCAP?
|
o Definition
o Verification
o Validation
o Post-accreditation |
|
|
What document further defined DITSCAP?
|
DoD 8510.1-M DITSCAP Application Manual, July 00
~ Implementation guidance
~ Deliverable format |
|
|
What is the document created by DITSCAP called?
|
System Security Authorization Agreement (SSAA)
|
|
|
What activities occur in phase 1 of DITSCAP/NIACAP?
|
~ Determine requirements
~ Define boundaries
~ Tailor the process & scope the effort
~ Draft the SSAA |
|
|
What activities occur in phase 2 of DITSCAP/NIACAP?
|
~ System development activities
~ Initial certification analysis
~ Document results in SSAA |
|
|
What activities occur in phase 3 of DITSCAP/NIACAP?
|
~ Test installed system
~ Evaluate procedural, physical, personnel, CM etc. procedures
~ Document results |
|
|
What activities occur in phase 4 of DITSCAP/NIACAP?
|
~ Operate the system
~ Security operations
~ CM & change control
~ Maintain SSAA |
|
|
What does NIACAP stand for?
|
National Information Assurance Certification and
Accreditation Process |
|
|
What instruction created NIACAP?
|
NSTISSI No. 1000, April 2000
Applies to all National Security Systems (NSSs) |
|
|
What are the phases of NIACAP?
|
Definition
Verification
Validation
Post-accreditation |
|
|
What is the document created by NIACAP called?
|
System Security Authorization Agreement (SSAA)
|
|
|
What document defines the NIST C&A process?
|
Guide for the Security Certification and Accreditation of Federal Information Systems
NIST 800-37, May 2004
~ Applies to all Federal Systems |
|
|
What are the phases of the NIST C&A process (800-37)?
|
Initiation
Certification
Accreditation
Continuous Monitoring |
|
|
What are the key documents produced in the NIST C&A process (800-37)?
|
SSP – System Security Plan, NIST SP800-18
ST&E – Security Test and Evaluation – NIST SP800-53A
SAR – System Assessment Report – NIST 800-37
POA&M – Program of Actions & Milestones – OMB 02-1 |
|
|
What does DIACAP stand for?
|
DoD Information Assurance Certification and
Accreditation Process |
|
|
What are the major components of DIACAP?
|
~ Process (DoDI 8510)
~ Automation (eMASS)
~ Guidance and Collaboration (Knowledge Service) |
|
|
What instruction created DIACAP?
|
DoDI 8510.01, 28 November 2007
~ Applies to all DoD systems |
|
|
What are the phases of DIACAP?
|
~ Initiation and Planning IA C&A
~ Implement and Validate Assign IA Controls
~ Make Certification Determination and Accreditation Decision
~ Maintain Authorization to Operate and Conduct Reviews
~ Decommission |
|
|
What are the key documents produced by DIACAP?
|
~ System Identification Profile (SIP) [Description/Registration]
~ DIACAP Implementation Plan (DIP) [Implement/Validate]
~ POA&M [correction/mitigation]
~ Scorecard [risk assessment] |
|
|
What are the supporting resources for DIACAP?
|
Knowledge Service
eMASS and other tools |
|
|
What is the NSTISSI 4009 definition of Program Manager?
|
“The PM represents the interests of the AIS, and is
responsible for the AIS throughout its lifecycle; ensures the security requirements are integrated in order to achieve an acceptable level of risk as documented in the SSAA, and keeps all participants informed of AIS lifecycle actions, security requirements and user needs.” |
|
|
What is the NSTISSI 4009 definition of Designated Approving Authority?
|
“The primary government official responsible for
implementing system security. An executive with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk, and to balance the needs of the system with the security risks.” |
|
|
What is the NSTISSI 4009 definition of User Representative?
|
“Official with the authority to formally assume
responsibility for operating an AIS or network at an acceptable level of risk.” |
|
|
What is the NSTISSI 4009 definition of Information Systems Security Officer?
|
“Person responsible to the designated approving
authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.” |
|
|
What is the DoDI 5200.40 definition of System Security Authorization Agreement?
|
“A description of the system mission, target environment,
target architecture, security requirements, and applicable data access policies. It also describes the applicable set of planning and certification actions, resources, and documentation required to support the certification and accreditation. It is the vehicle that guides the implementation of INFOSEC requirements and the resulting certification and accreditation actions.” |
|
|
What does the SSAA document?
|
~ The operating environment and the threat
~ The AIS security architecture and the C&A boundary of the AIS to be accredited
~ The agreement among the parties involved
~ All requirements necessary for accreditation
~ Condenses and consolidates the documentation requirements (CONOPS, tests, etc)
~ The overall C&A plan (NIACAP/DITSCAP)
~ The test plans, results, and residual risk
~ The baseline security configuration document |
|
|
What are the characteristics of an SSAA?
|
~ Describes the operating environment and threat
~ Describes the system security architecture
~ Establishes the C&A boundary of the system
~ Documents the formal agreement among the DAA, certifier, program manager, and user representative
~ Documents all requirements necessary for accreditation
~ Documents test plans and procedures, certification results, and residual risk
~ Forms the baseline security configuration document |
|
|
What are the main tasks of DITSCAP phase 1?
|
~ Define system functions, requirements, and interfaces
~ Define information category and classification
~ Prepare the system architecture description
~ Identify principal C&A roles & responsibilities
~ Define C&A level of effort
~ Draft SSAA
~ Agree on the method for implementing security requirements (documented in SSAA) |
|
|
What are the phases of the 800-37 Rev 1?
|
~ Categorize
~ Select
~ Implement
~ Assess
~ Authorize
~ Monitor |
|
|
What are the key deliverables of the 800-37 Rev 1?
|
SSP, SAR, POA&M
|
|
|
In the Definition phase of DITSCAP (Determine mission needs), what documents/information is needed?
|
~ System Requirements and Capabilities
~ System Mission, Function, Interfaces
~ Organizations operating system
~ Operational environment
~ Information types and classifications
~ Expected System Life Cycle
~ System User Characteristics
~ Intended system/network interfaces |
|
|
What actions are required in Task 1 of DITSCAP Definition: Determine Mission Needs?
|
Registration begins with preparing the business, mission, or operational
functional description as well as system description and system identification. The information collected during the preparation activity is evaluated and applicable information assurance requirements are determined. |
|
|
What actions are required in Task 2 of DITSCAP Definition: Determine Mission Needs?
|
Inform the DAA, Certifier, and user representative that the system will
require C&A support (register the system). |
|
|
What actions are required in Task 3 of DITSCAP Definition: Determine Mission Needs?
|
Prepare the environment and threat description. Threats should be assessed
against the specific business functions and system description to determine the required protection. The threat, and subsequent vulnerability assessments, must be used in establishing and selecting the IA policy objectives that will counter the threat. |
|
|
What actions are required in Task 4 of DITSCAP Definition: Determine Mission Needs?
|
Prepare system architecture description, describe the C&A boundaries, and
document relationships with external systems or equipment. |
|
|
What actions are required in Task 5 of DITSCAP Definition: Determine Mission Needs?
|
Determine the system security requirements. The risk management and
vulnerability assessment actions commence. A risk management process may also be installed in an effective, understandable, and repeatable manner. |
|
|
What actions are required in Task 6 of DITSCAP Definition: Determine Mission Needs?
|
Tailor the C&A tasks, determine the level of effort, and prepare a C&A plan.
The C&A team determines the level of effort by evaluating the security requirements and the degree of assurance needed in areas such as confidentiality, integrity, availability, and accountability. The planned level of effort is targeted at addressing the security requirements and fulfilling the mission of the program. |
|
|
What actions are required in Task 7 of DITSCAP Definition: Determine Mission Needs?
|
Identify organizations involved in C&A and the resources required.
|
|
|
What actions are required in Task 8 of DITSCAP Definition: Determine Mission Needs?
|
Develop the draft SSAA during the registration activities to consider the
program’s system development approach and life cycle stage, existing documentation and environment, architecture and business functions, and documentation on users and data classification and categorization. |
|
|
In the Definition phase of DITSCAP (Registration), what information is needed?
|
Information collected
Security requirements determined
Threat Assessment started
Level of effort of C&A determined
Prepare system description with boundaries
Determine acquisition strategy & life cycle
Assess impact of life cycle on certification |
|
|
In the Definition phase of DITSCAP (Registration), what tasks must be performed?
|
Determine classification and types of information
Determine clearances and access requirements
Identify system class and security requirements
Identify organizations supporting DITSCAP
Tailor DITSCAP activities
Determine scope, level of effort, and schedule |
|
|
In the Definition phase of DITSCAP (negotiation), who needs to participate?
|
Key members are:
~ Designated Approving Authority
~ Program Manager
~ Certifying Agent
~ User Representative
Information Systems Security Officer
Strategy agreed upon
~ Not a bargaining session!
~ Everyone understands roles
~ No surprises |
|
|
In the Definition phase of DITSCAP (negotiation), what needs to happen?
|
Clearly defines
~ Requirements
~ Approach
~ Level of Activity
Approval of SSAA
~ Designated Approving Authority
~ Program Manager
~ User Representative |
|
|
What are the objectives of the DITSCAP SSAA?
|
~ Phase 1 End Product (refined in later phases)
~ Document the formal agreement among the DAA, the CA, the user representative, and the program manager
~ Document all requirements necessary for accreditation
~ Document all security criteria for use throughout the IT system life-cycle
~ Minimize documentation requirements by consolidating applicable information into the SSAA
~ Document the DITSCAP plan |
|
|
What are the main tasks of DITSCAP phase 2?
|
~ System Architecture Analysis
~ Software Design Analysis
~ Network Connection Rule Compliance
~ Integrity Analysis of Integrated Products
~ Life Cycle Management Analysis
~ Security Requirements Validation Procedures
~ Vulnerability Evaluation
~ Refine/modify SSAA |
|
|
In the Verification phase of DITSCAP, what are the goals?
|
Verify system compliance with requirements
Refine the SSAA, if needed
Refine analysis
~ System development
~ Modifications
~ Certifications
Review and refine SSAA, if necessary
~ Hardware details
~ Software details
Certification analysis
~ Corresponds to Life Cycle activity
~ Verification by analysis, investigation, comparison |
|
|
In the Verification phase of DITSCAP, what are the certification actions?
|
System Architecture Analysis
Software Design Analysis
Network Connection Rule Compliance
Product Integrity Analysis
Life Cycle Management
Vulnerability Assessment
Actions Completion gives:
~ Documented security specification
~ Comprehensive test plan
~ All interconnection requirements implemented
Vulnerability assessment impacts Configuration Management
~ “Good configuration management builds good security; good security application establishes good configuration management.” |
|
|
In the Verification phase of DITSCAP, what are the completion actions?
|
Review certification analysis results upon conclusion of each life cycle development milestone
Significant deviation from SSAA: revert to Definition Phase to resolve problems |
|
|
What are the main tasks of DITSCAP phase 3?
|
~ ST&E* (Implementation of security reqs, I&A, AC, Audits…)
~ Penetration Testing (Exploitation, Insider/Outsider)
~ COMSEC Compliance Evaluation (reqs, integration)
~ System Management Analysis (Maintain Mgmt/CM/Arch)
~ Contingency Plan Evaluation (Backup, COOP…)
~ Site Accreditation Survey (SSAA compliance, environment)
~ Risk Management Review (acceptable risks to CIAA**)
~ Develop Certification Report and Recommendation for Accreditation:
– System Certified: Yes or No (based on meeting SSAA reqs)
– If Certified, Recommend: IATO or full accreditation
~ Ends with accreditation decision from DAA |
|
|
In the Validation phase of DITSCAP, what are the goals?
|
~ Review the SSAA to ensure requirements and agreements are current
~ Evaluation of the IT system
~ Formal system certification test and security accreditation actions |
|
|
In the Validation phase of DITSCAP, what are the evaluation actions?
|
~ System Security Testing and Evaluation
~ Penetration Testing
~ TEMPEST (EMSEC) and Red/Black Verification
~ Validation System Management Analysis
~ Site Accreditation Surveys
~ Personnel Security
~ Physical Security
~ Environmental Security
~ Contingency Plan Examination
~ Risk Management Review
~ Recommendation and documentation to DAA
Security Findings
Deficiencies
Risks of Operation |
|
|
In the Validation phase of DITSCAP, what are the possible accreditation decisions?
|
Denial
IATO
ATO |
|
|
What are the main tasks of DITSCAP phase 4?
|
Review configuration & security management
~ Follow change mgmt documented in SSAA
~ Determine if system security mgmt continues to support mission and architecture
Conduct risk management review
~ Assess if risk to CIAA is being maintained at an acceptable level
Conduct compliance validation if needed
~ Ensure continued compliance w/SSAA reqs, current threat assessment, and concept of operations
Maintain SSAA |
|
|
What are the roles and responsibilities of NIACAP?
|
~ DAA – Designated Approving Authority
~ Program Manager
~ Certifier
~ User Representative |
|
|
What does NIACAP establish?
|
NIACAP establishes a standard national process
to certify and accredit systems that will maintain the IA of a system |
|
|
What are the NIACAP levels of certification?
|
~ Level 1: Basic security review
~ Level 2: Minimum analysis
~ Level 3: Detailed analysis
~ Level 4: Comprehensive analysis
Level is determined by criticality, C.I.A. requirements, business mission, CI involvement, data processed, user types, accountability and other factors. The higher on such scales, the more comprehensive the C&A. |
|
|
Why was DIACAP established?
|
Providing a standard C&A approach.
Giving guidance on managing and disseminating enterprise standards and guidelines for:
~ IA design, implementation, configuration, validation, operational sustainment, and reporting.
~ Implementing and maintaining security through the IS’s Life-Cycle
Accommodating diverse information systems in a dynamic environment. |
|
|
What is a DIACAP SIP?
|
System Identification Profile (SIP)
The SIP is compiled during:
~ DIACAP registration
~ Maintained throughout the system life cycle.
Provides detailed description of:
~ System mission
~ Components and Information
~ Location and Environment
~ Connections
~ Players |
|
|
What is a DIACAP DIP?
|
DIACAP Implementation Plan (DIP)
Contains the IS’s:
~ Assigned IA controls
~ Implementation status
~ Responsible entities
~ Resources
~ Estimated completion date
The plan may reference:
~ Supporting implementation material
~ Artifacts |
|
|
What does the DIACAP DIP do?
|
How each assigned IA control is implemented
Implementation follows guidelines described in the DIACAP KS |
|
|
What information is included in the DIACAP DIP?
|
IA Control #
IA Control Subject Area
IA Control Name
IA Control Text (Requirement)
Threat/Vulnerability/Countermeasure
General Implementation Guidance
System-specific Guidance
Resource |
|
|
What is a DIACAP Scorecard?
|
~ Summary report that succinctly conveys information on the IA posture of the system in a format that can be exchanged electronically.
~ Documents the accreditation decision and must be signed, either manually or with a DoD PKI-certified digital signature.
~ The Scorecard contains a listing of all IA controls and their status of either C, NC, or NA.
~ Additional data elements may be specified by CIOs, DAAs, or other enterprise users of the Scorecard |
|
|
What is a DIACAP POA&M?
|
~ Is a management tool.
~ Primary purpose: assist agencies in identifying, assessing, prioritizing, and monitoring security weaknesses found in programs and systems, along with the progress of corrective efforts for those vulnerabilities.
~ OMB requires agencies to prepare IT Security POA&Ms for all programs and systems in which an IT security weakness has been found.
~ Agency CIOs must report their progress on at least a quarterly basis to OMB. |
|
|
What tasks are part of DIACAP Activity 1?
|
Initiate and Plan IA C&A
~ Create the System Identification Plan (SIP)
~ Register system with DoD Component IA Program
~ Assign IA controls
~ Assemble DIACAP Team
~ Initiate DIACAP Implementation Plan (DIP) |
|
|
What tasks are part of DIACAP Activity 2?
|
Implement and Validate Assigned IA Controls
~ Execute DIP
~ Conduct validation activities
~ Plan of Action and Milestones (POA&M)
~ Compile validation results in DIACAP Scorecard |
|
|
What tasks are part of DIACAP Activity 3?
|
Make Certification Determination and Accreditation Decision
~ Make certification determination
~ Make accreditation decision |
|
|
What tasks are part of DIACAP Activity 4?
|
Maintain Authorization to Operate and Conduct Reviews
~ Maintain situational awareness
~ Maintain IA posture
~ Conduct annual reviews
~ Initiate reaccreditation |
|
|
What tasks are part of DIACAP Activity 5?
|
Decommission
~ Retire the system
~ Update/remove registration with DoD Component IA Program |
|
|
What is the GIG?
|
Global Information Grid
Globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information for all. Provides capabilities from all locations, interfaces to coalition, allied, and non-DoD users and systems. |
|
|
What does the GIG support?
|
Supports National Security, Intelligence Community and DoD Mission Areas (MA) functions:
~ Enterprise Information Environment MA (EIEMA)
~ Business MA (BMA)
~ Warfighting MA (WMA)
~ Defense Intelligence MA (DIMA) |
|
|
What is the DIACAP TAG?
|
Technical Advisory Group (TAG)
~ A formally chartered body established by ASD-NII and DoD CIO to examine and address common C&A issues, including changes to the baseline IA controls, across the DoD Component IA programs, IA Communities of Interest (COIs), and other GIG entities.
~ The DIACAP TAG also maintains configuration control and management of the DIACAP and all its supporting content on the DIACAP KS. |
|
|
What is the role of the DIACAP IA Senior Leadership?
|
IA Senior Leadership (IASL)
~ Provides the integrated planning, coordination, and oversight of the Department's IA programs to assure the availability, integrity, authentication, confidentiality, and non-repudiation of the Department's mission essential and mission support information and the reliability of the DII. |
|
|
What does the DIACAP apply to?
|
DIACAP applies to DoD-owned information
systems and DoD-controlled information systems operated by a contractor or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification or sensitivity |
|
|
What does the DIACAP NOT apply to?
|
DIACAP does not apply to DoD systems that process:
~ Sensitive Compartmented Information (SCI)
~ Special Access Program (SAP) information
~ Nuclear Command and Control Extremely Sensitive Information (NC2-ESI) |
|
|
What are the DIACAP roles and responsibilities?
|
Principal Accrediting Authority (PAA)
PAA Representative
Designated Approving Authority (DAA)
Heads of DoD Components
Chief Information Officer (CIO)
Senior Information Assurance Official (SIAO)
Certifying Authority (CA) – (e.g., validators, analysts, CA representatives (CAR))
Program Executive Officer (PEO)
Program/System Manager (PM/SM)
Information Assurance Manager (IAM)
Information Assurance Officer (IAO)
User Representative (UR) |
|
|
What is the PAA?
|
The senior official representing the interests of a GIG MA regarding C&A
~ Represent the interests of the MA and, as required, issue accreditation guidance specific to the MA, consistent with this Instruction.
~ Appoint flag-level (e.g., general officer, senior executive) PAA Representatives to the DISN/GIG Flag Panel.
~ Resolve accreditation issues within their respective MAs and work with other PAAs to resolve issues among MAs, as needed.
~ Designate DAAs for MA ISs, if required, in coordination with appropriate DoD Components. |
|
|
What is the PAA Representative?
|
Appointed by PAA
~ Serve as a member of the DISN/GIG Flag Panel.
~ Provide MA-related guidance to DAAs, Milestone Decision Authorities (MDA), the DSAWG, and the DIACAP TAG.
~ Advise the corresponding MA PAAs and assist the DoD CIO and SIAO in assessing the effectiveness of GIG IA capabilities. |
|
|
What do the Heads of DoD Components do to support DIACAP?
|
~ Ensures DoD ISs under their purview comply with the DIACAP.
~ Operates only accredited ISs.
~ Complies with all accreditation decisions, including denial of authorization to operate (DATO), and enforces authorization termination dates (ATD).
~ Ensures that an annual assessment of the DoD Component IA program is conducted.
~ Appoints DAAs for DoD ISs under their purview. |
|
|
What is the role of the DAA in DIACAP?
|
The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
~ ATO
~ IATO
~ DATO
~ IATT
Responsible for the Mission and Resources
Must be a Government Employee |
|
|
What is the role of the CIO in DIACAP?
|
Appoints the DoD Component SIAO.
Ensures
~ Implementation and validation of IA controls through the DIACAP are incorporated in the IS’s life-cycle management processes.
~ C&A status of the ISs is visible to the ASD(NII)/DoD CIO and PAAs.
~ Collaboration and cooperation between the DoD Component IA program and the PAA and DAA structure.
~ PM or SM is identified for each IS.
Establishes and manages an IT Security POA&M program. |
|
|
What is the role of the SIAO in DIACAP?
|
Senior IA Officer (SIAO)
~ Establishes and enforces the DoD Component IA program’s C&A process.
~ The single IA coordinator for joint or Defense-wide programs that are deploying ISs to DoD Component enclaves
~ Ensures participation in the DIACAP TAG.
~ Tracks C&A status of Component ISs.
~ Establishes and manages a coordinated IA certification process.
~ Is the certifying authority (CA), or formally delegates the CA role, for ISs and oversees CA experts. |
|
|
What is the role of the PM, SM and PEO in DIACAP?
|
~ Implements the DIACAP for assigned DoD ISs.
~ Plans and budgets for IA controls implementation, validation, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management.
~ Develops, tracks, resolves, and maintains the DIACAP Implementation Plan (DIP) for assigned ISs.
~ Enforces DAA accreditation decisions for hosted or interconnected DoD ISs. |
|
|
What is the role of the PM, SM and PEO in DIACAP?
|
Ensures that:
~ Each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy their responsibilities.
~ Information system security engineering is employed to implement or modify the IA component of the system architecture in compliance with the IA component of the GIG Architecture and to make maximum use of enterprise IA capabilities and services.
~ IT Security POA&M development, tracking, and resolution is carried out.
~ Annual reviews of assigned ISs required by FISMA are conducted. |
|
|
What is the role of the user representative in DIACAP?
|
~ Represents the operational interests of the user community in the DIACAP.
~ Supports the IA controls assignment and validation process to ensure user community needs are met. |
|
|
Who are the members of the certifying team in DIACAP?
|
Certifying Authority (CA)
~ The senior official having the authority and responsibility for the certification of information systems governed by a DoD Component IA program.
~ Make the certification recommendation to the DAA
~ Can be the SIAO.
CA Representative/Analyst
~ Delegated the responsibility of reviewing and assessing the DIACAP package for compliance and risk.
Validator
~ Individual responsible for conducting a validation procedure. |
|
|
What is the role of the ISSE in DIACAP?
|
Information Systems Security Engineer
~ An individual who performs the Information Systems Security Engineering functions.
~ Works with system architects, engineers, and developers to ensure that IA controls are designed and implemented into a system throughout the development process. |
|
|
What is the role of the IAM in DIACAP?
|
~ Support the PM or SM in implementing DIACAP.
~ Advise and inform the DoD Component IA program on ISs C&A status and issues.
~ Comply with the DoD Component IA program’s information and process requirements.
~ Provide direction to the IA Officer (IAO).
~ Coordinate with the organization’s SM to ensure issues affecting the organization’s overall security are addressed appropriately.
~ Similar to the IA title Information Systems Security Manager (ISSM) used elsewhere. |
|
|
What is the role of the IAO in DIACAP?
|
~ An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization.
~ While the title IAO is favored within the DoD, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). |
|
|
What are the DIACAP risks?
|
Risks are assessed to determine the impact upon:
~ Integrity (MAC)
~ Availability (MAC)
~ Confidentiality (CL) |
|
|
What is a Mission Assurance Category?
|
Applicable to DoD information systems, the mission assurance category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. MACs are primarily used to determine the requirements for availability and integrity.
The DoD has three defined MAC Levels:
~ MAC I
~ MAC II
~ MAC III |
|
|
What are the details of MAC I?
|
Availability (HIGH), Integrity (HIGH), Most Stringent Protection Measures
|
|
|
What are the details of MAC II?
|
Availability (MEDIUM), Integrity (HIGH), Beyond Best Practices
|
|
|
What are the details of MAC III?
|
Availability (BASIC), Integrity (BASIC), Commensurate with Commercial Best Practices
|
|
|
What are the Confidentiality Levels (CLs)?
|
Classified:
~ Kept secret in the interest of national defense or foreign policy.
~ Includes Confidential, Secret, and Top Secret.
Sensitive:
~ Could adversely affect the national interest or the conduct of Federal programs, or the privacy of individuals.
Public:
~ Has been reviewed and approved for public release by the information owner. |
|
|
What types of information are recognized by DIACAP?
|
Sensitive
~ Controlled Unclassified Information (CUI)
~ Loss of confidentiality, integrity, availability could have serious, severe, or catastrophic adverse impact [includes critical infrastructure data]
~ Types: Personnel, Financial, Payroll, Operational, Medical, and Privacy Act [PII]
Non-Sensitive
~ Approval must be gained prior to release |
|
|
What EO defines classified information?
|
EO 12356
|
|
|
What is the damage the loss of "top secret" would cause?
|
cause exceptionally grave damage to the national
security |
|
|
What is the damage the loss of "secret" would cause?
|
cause serious damage to the national security
|
|
|
What is the damage the loss of "confidential" would cause?
|
cause damage to the national security
|
|
|
What are confidentiality levels used for?
|
Used to establish requirements for:
~ individual security clearances or background investigations requirements
~ access approvals
~ need-to-know determinations
~ interconnection controls and approvals
~ acceptable methods by which users may access the system (e.g., intranet, Internet, wireless)
~ appropriate security controls |
|
|
What are the details of CL: Classified?
|
Robustness (HIGH), Security: NSA-approved cryptography
and key management |
|
|
What are the details of CL: Sensitive?
|
Robustness (MEDIUM), Security: NIST/FIPS approved
cryptography and NSA approved key management |
|
|
What are the details of CL: Public?
|
Robustness (BASIC), Security: NIST/FIPS-approved
cryptography and key management |
|
|
What are DIACAP IS Controls?
|
An objective IA condition of integrity, availability or
confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format, i.e., a control number, a control name, control text, and a control class. Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with reference OMB A-130. |
|
|
What are the objective conditions for DIACAP IA Controls?
|
~ objective condition is testable,
~ compliance is measurable, and
~ activities required to achieve the IA Control are assignable and thus accountable. |
|
|
How are DIACAP IA controls assigned?
|
Assignment of the controls is made according to:
~ MAC
~ CL |
|
|
How are DIACAP IA controls laid out?
|
Are laid out in:
~ IA Control Subject Areas
~ IA Control Names |
|
|
List the DIACAP IA control areas, their acronym and number of controls?
|
Security Design and Configuration, DC, 31
Identification and Authentication, IA, 9
Enclave and Computing Environment, EC, 48
Boundary Defense, EB, 8
Physical and Environmental, PE, 27
Personnel, PR, 7
Continuity, CO, 24
Vulnerability and Incident Management, VI, 3 |
|
|
Study slide 398
|
Study slide 398
|
|
|
Study slide 399
|
Study slide 399
|
|
|
What is the robustness level of a DIACAP MAC I system?
|
HIGH
|
|
|
What is the robustness level of a DIACAP MAC II system?
|
MEDIUM
|
|
|
What is the robustness level of a DIACAP MAC III system?
|
BASIC
|
|
|
How are DIACAP IA control robustness levels numbered?
|
1-3, where 3 is HIGH robustness (the opposite of MAC levels)
|
|
|
List the DIACAP IA controls associated with Security Design and Configuration
|
Procedural Review DCAR-1 Availability
Acquisition Standards DCAS-1 Confidentiality
Best Security Practices DCBP-1 Integrity
Control Board DCCB-2 Integrity
Configuration Specification DCCS-2 Integrity
Compliance Testing DCCT-1 Availability
Dedicated IA Services DCDS-1 Integrity
Functional Architecture for AIS Applications DCFA-1 Integrity
HW Baseline DCHW-1 Availability
Interconnection Documentation DCID-1 Integrity
IA Impact Assessment DCII-1 Integrity
IA for IT Services DCIT-1 Integrity
Mobile Code DCMC-1 Integrity
Non-repudiation DCNR-1 Integrity |
|
|
List the DIACAP IA controls associated with Security Design and Configuration
|
Partitioning the Application DCPA-1 Integrity
IA Program and Budget DCPB-1 Availability
Public Domain Software Controls DCPD-1 Availability
Ports, Protocols, and Services DCPP-1 Availability
CM Process DCPR-1 Integrity
IA Documentation DCSD-1 Availability
System Library Management Controls DCSL-1 Integrity
Security Support Structure Partitioning DCSP-1 Integrity
Software Quality DCSQ-1 Integrity
Specified Robustness – Medium DCSR-2 Confidentiality
System State Changes DCSS-2 Integrity
SW Baseline DCSW-1 Availability |
|
|
What guidance/instructions are referenced for the DIACAP IA controls?
|
DoD 5200.1-R, "DoD Information Security Program," January 1997, i.e., Storage, Access, Classification, etc.
DoD Directive C-5200.5, COMSEC activities
ASD(C3I) Memorandum, dated June 4, 2001, "Disposition of Unclassified DoD Computer Hard Drives."
DoD Directive S-5200.19, DoD TEMPEST
DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response.
IATF, IA Technical Framework, Protection Profile Consistency Guidance for High, Medium, and Basic Robustness
NIST FIPS 140-2, validated cryptography |
|
|
What is a compensating control?
|
Management, operational, and technical controls
employed in lieu of recommended controls that provide equivalent or comparable protection for an information system. |
|
|
What is a DIACAP CAT Severity Code?
|
Indicates:
~ Risk level associated with non-compliance, and
~ Urgency with which corrective action must be completed.
CA assigns the CAT codes to a system security weakness during certification analysis.
How serious are these codes:
~ A CAT I rating for a MAC I or MAC II must, at a minimum, be classified CONFIDENTIAL.
~ CAT II weaknesses must be reviewed for their classification level. |
|
|
What are Category I Severity Code Weaknesses?
|
Allows:
~ Primary security protections to be bypassed.
~ Immediate access by unauthorized personnel or unauthorized assumption of super-user privileges.
Only the Component CIO can authorize operation of a system with a CAT I weakness, and then only through an IATO:
~ The system must be critical to military operations, and failure to deploy would preclude mission accomplishment.
~ A copy of the authorization must be sent to the DoD SIAO. |
|
|
What are Category II Severity Code Weaknesses?
|
A weakness that can lead to unauthorized system access or activity. Usually corrected or mitigated to a point where any residual risk is acceptable.
Can be granted an ATO:
~ Only when clear evidence exists that the deficiency can be mitigated within 180 days of the accreditation decision.
~ Only one 180-day extension allowed.
DAA:
~ Will normally issue a DATO if not corrected or mitigated in 360 consecutive days. |
|
|
What are Category III Severity Code Weaknesses?
|
CAT III:
~ One that, if corrected, will improve the system’s IA posture.
DAA:
~ Will determine if these types of weaknesses will be corrected or if the risk will be accepted.
CAT IIIs accepted by the DAA will be documented in the POA&M:
~ Marked N/A in the scheduled completion date column.
~ Note acceptance by DAA in the milestone column.
~ Note risk accepted in the status column. |
|
|
What are the types of DIACAP packages?
|
Comprehensive Package:
~ Used for the CA recommendation
~ Includes all the information resulting from the DIACAP process
Executive Package:
~ Less than the Comprehensive package
~ Used for an accreditation decision
~ Provided to others in support of accreditation or other decisions, such as connection approval
Actual Artifact Formats:
~ Each DAA will determine what information is necessary to make an accreditation decision and what format they want it presented in. |
|
|
What documents constitute a DIACAP Comprehensive Package?
|
SIP, DIP, Supporting Certification Documentation, Scorecard, POA&M
|
|
|
What documents constitute a DIACAP Executive Package?
|
SIP, Scorecard, POA&M
|
|
|
What is the DIACAP Knowledge Service?
|
~ A Web-based, DoD PK-enabled DIACAP knowledge resource that provides current GIG IA C&A.
~ A library of tools, diagrams, process maps, documents, etc., to support and aid in execution of the DIACAP.
~ A collaboration workspace for the DIACAP user community to develop, share and post lessons learned & best practices.
~ A source for IA news and events and other IA related information resources. |
|
|
What is included in the validation procedures?
|
IA Control #
Procedure Name
Procedure Objective
Procedure Script
Expected Results |
|
|
What is a STIG?
|
Security Technical Implementation Guides (STIG)
~ Provide the guidance needed for the development, integration, and updating of secure applications.
~ Subjects: development, design, testing, maintenance, configuration management, education, and training. |
|
|
What are the families of STIGs?
|
~ Infrastructure
~ Operating System
~ Database
~ Web and Application Services
~ Desktop Application |
|
|
What is technical project management?
|
Project Management is a structured, pro-active
management approach for finite undertakings that produce a unique product, service, or other result. |
|
|
What are the characteristics of technical project management?
|
It is characterized by the application of
knowledge, skills, tools, and techniques in detailed planning and execution of the endeavor. |
|
|
How is technical project management accomplished?
|
It is accomplished through integrated and
logically flowing processes to perform initiating, planning, executing, monitoring, controlling, and close-out activities while balancing competing demands for quality, scope, schedule, and cost. |
|
|
What is a project framework?
|
The Project Framework illustrates and
combines all elements necessary to begin, manage, and conclude a project. It starts as a skeleton with basic contents and evolves and expands as the project proceeds. |
|
|
What is a scope statement?
|
A formal definition agreed to by all stakeholders
in the project, describing what is to be done, why it is being undertaken, who will be engaged to do the work and when the whole venture should be completed. |
|
|
What is milestone identification?
|
Refers to the process of identifying those
discrete steps in a project which represent major steps of achievement, and are generally tied to progress payments. |
|
|
What is a work breakdown structure?
|
This step consists of both the decomposition
of all the work associated with milestone achievement into individual work tasks, as well as the identification of all dependencies. |
|
|
What is a baseline project plan?
|
This is the final set of project documents which
collectively represents the foundation “agreement” from which work will proceed to its desired end-product or solution. Changes to the baseline should be managed carefully and precisely to avoid unwanted or unforeseen impacts. |
|
|
What are change management procedures?
|
Formal change management is vital in order to
avoid unplanned or unmanaged impacts that adversely affect the project schedule or resource profiles. All changes considered must be reviewed and formally agreed to by all parties after discussing issues and risks, and before proceeding with the proposed modifications. Prevents “scope creep”. |
|
|
Define activity
|
A discrete element of work performed during the course of a
project. Has measured duration, cost, and resource requirements. Often subdivided into tasks. |
|
|
Define baseline
|
Officially approved version of the plan (cost, schedule, or
technical) for a project, a work package, or an activity, plus or minus approved scope changes. Normally altered or updated through changes in scope, funding, schedule, requirements, etc. through the Change Management process. |
|
|
Define critical path
|
Series of activities that determines the duration of the project.
In a deterministic model, the critical path is usually defined as those activities with float equal to zero. It is the longest path through the project. See critical path method. |
|
|
Define critical path method (CPM)
|
A network analysis technique used to assess the degree of
flexibility (float) through multiple scheduling paths in project duration in order to determine overall project duration, and task start/end dates (early-late). |
|
|
Define decision tree analysis
|
The decision tree is a diagram that describes a decision
under consideration and the implications of choosing one or another of the available alternatives, incorporating risk, value, scheduling and potential outcomes variables |
|
|
Define deliverable
|
A measurable, tangible, verifiable outcome, result, or item
that must be produced to complete a project or part of a project. |
|
|
Define Deming cycle
|
Another name for the “Plan-Do-Check-Act” model popularized by W.
Edwards Deming as a continual quality management tool. |
|
|
Define dependency
|
An action, input, or outcome (cost, schedule, or other factor)
that creates a cause-and-effect relationship between two or more aspects of a project. Can result in a slippage, acceleration, overrun, or similar result in the affected element. |
|
|
Define estimate
|
An assessment of the likely quantitative result; as in cost,
schedule, outcome, plus or minus some percent or ROM. |
|
|
Define life-cycle costing
|
The concept of including acquisition, operating, and disposal
costs when evaluating various alternatives. |
|
|
Define network analysis
|
The process of identifying early and late start and finish dates for
the uncompleted portions of project activities. See also critical path method, program evaluation and review technique, and graphical evaluation and review technique. |
|
|
Define Pareto diagram
|
A histogram, ordered by frequency of occurrence, that shows
how many results were generated by each identified cause. |
|
|
Define PERT chart
|
The term is commonly used to refer to a project network
diagram. |
|
|
Define PERT
|
Program Evaluation and Review Technique (PERT):
An event-oriented network analysis technique used to estimate program duration when there is uncertainty in the individual activity duration estimates. PERT applies the CPM using durations that are computed by a weighted average of optimistic, pessimistic, and most likely duration estimates. PERT computes the standard deviation of the completion date from those of the path’s activity durations. Also known as the Method of Moments Analysis. |
|
|
Define project
|
A temporary endeavor undertaken to create a unique product,
service, or result. |
|
|
Define project life-cycle
|
A collection of generally sequential project phases whose
name and number are determined by the control needs of the organization or organizations involved in the project. |
|
|
Define project network diagram
|
Any schematic display of the logical relationships of project
activities. Always drawn from left to right to reflect project chronology. Often referred to as a PERT chart. |
|
|
Define project plan
|
A formal, approved document used to guide both project execution and
project control. The primary uses of the project plan are to document planning assumptions and decisions, facilitate communication among stakeholders, and document approved scope, cost, and schedule baselines. A project plan may be produced or presented in a summary or detail form. |
|
|
Define project risk management
|
The systematic process of identifying, analyzing, and responding to
project risk (produced by any element that threatens to cause adverse impact to cost, schedule, resource utilization, or overall project failure). It includes the processes of risk management planning, risk identification, qualitative risk analysis, quantitative risk analysis, risk response planning, and risk monitoring and control. |
|
|
Define project schedule
|
The planned dates for performing activities and the planned
dates for meeting milestones. |
|
|
Define project scope
|
The work that must be done to deliver a product with the
specified features and functions. Also, the sum of the products and services to be provided as a project. See project scope and product scope. |
|
|
Define schedule control
|
Controlling changes to the project schedule.
|
|
|
Define scope change control
|
Controlling changes to project scope (“creep”) so that the rate of
change does not exceed the rate of progress. |
|
|
Define stakeholder
|
Individuals and organizations that are actively involved in the
project, or whose interests may be positively or negatively affected as a result of project execution or project completion. They may also exert influence over the project and its results. |
|
|
Define statement of work (SOW)
|
A narrative description of products or services to be supplied
under contract. |
|
|
Define task
|
A generic term for work that is not included in the work
breakdown structure, but potentially could be a further decomposition of work by the individuals responsible for that work. Also, lowest level of effort on a project. |
|
|
Define work breakdown structure (WBS)
|
A deliverable-oriented grouping of project elements that
organizes and defines the total work scope of the project. Each descending level represents an increasingly detailed definition of the project work. |
|
|
Define work package
|
A deliverable at the lowest level of the work breakdown structure,
when that deliverable may be assigned to another project manager to plan and execute. This may be accomplished through the use of a subproject where the work package may be further decomposed into activities. |
|
|
Technical Project Management Roles and Responsibilities (provider/project): System Owner
|
System owner – verifier of product design and purpose. Has
overall accountability for system (final result). Has the CHECKPOINT FUNCTION to APPROVE changes in scope, products, results, functionality, etc. |
|
|
Technical Project Management Roles and Responsibilities (provider/project): User POC
|
User POC – represents intended end-user community and
provides conduit for communication, approval, and changes. Has the CHECKPOINT FUNCTION to APPROVE. |
|
|
Technical Project Management Roles and Responsibilities (provider/project): Project Manager
|
Project Manager – overall responsibility for project work,
progress and control, staffing and resource utilization. |
|
|
Technical Project Management Roles and Responsibilities (provider/project): Planner
|
Planner – provides administrative support of planning effort.
Collects metrics to report status of “planned to actual” regarding resources, cost, and schedules. |
|
|
Technical Project Management Roles and Responsibilities (provider/project): Quality Manager
|
Quality Manager – owns QM plan and all QA activities.
Has CHECKPOINT FUNCTION to APPROVE items impacting QA |
|
|
Technical Project Management Roles and Responsibilities (provider/project): Configuration Manager
|
Configuration Manager – owns CM plan and related
activity |
|
|
Technical Project Management Roles and Responsibilities (provider/project): Testers
|
Testers – conduct full range of tests for product
performance at various stages (SUT, IVTE, etc), and final acceptance testing to assure ultimate success |
|
|
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Technical Monitor
|
Federal Technical Monitor – has responsibility to oversee
and assure SOW composition, project cost-control, timely performance, standards compliance, plans analysis, approvals, stakeholder coordination and representation |
|
|
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Program Manager
|
Federal Program Manager – general oversight of program
and assurance of funding, plan approval, deliverables acceptance and approval, issue escalation and resolution |
|
|
Technical Project Management Roles and Responsibilities (USFG/customer): Federal Project Manager
|
Federal Project Manager – daily involvement in
performance or oversight of configuration management, change management, requirements management, risk management, and QA. |
|
|
What are the program manager responsibilities?
|
The PM has the lead for all activities involving:
~ Cost
~ Schedule
~ Performance
~ Security
The PM works directly with:
~ Development
~ Maintenance
~ Configuration management
~ Quality Assurance
~ Test verification and validation |
|
|
What is necessary for successful implementation?
|
early planning
|
|
|
What are the steps for SSE planning?
|
~ Definition of program requirements
~ Development of a Program Management Plan (PMP)
~ Identification of SSE requirements
~ Preparation of a detailed Systems Engineering Management Plan (SEMP) |
|
|
What are the ISSEP planning phase activities?
|
~ Reviewing, setting, and agreeing to project scope
~ Defining appropriate management structure
~ Assessing and determining resource requirements
~ Developing schedules and discovering dependencies
~ Setting performance milestones and metrics |
|
|
List the specific planning phase tasks (steps 1-3)?
|
1. Estimation of project scope: must be as concise and as accurate as possible (will evolve). Must include assessment of complexity regarding human, technology, and other factors.
2. Identification of resources and constraints: this will include skills, technology, physical assets, and requires addressing the question of “in-house” or “out-source”.
3. Identifying roles and responsibilities: clearly establishing who will do what, skill levels, rotation, etc. |
|
|
List the specific planning phase tasks (steps 4-6)?
|
4. Estimation of project cost: as much art as science. Should use cost models where feasible and historical cost where possible. The WBS is used to collect and estimate cost factors.
5. Developing schedules: setting start-finish dates for optimistic, pessimistic, and probable completion.
6. Identify technical activities: define the work at the task level, sequencing and linking, establishing methods and materials required. |
|
|
List the specific planning phase tasks (steps 7-9)?
|
7. Identify deliverables: must have clear definitions of WHAT is due, required content, format, and success criteria.
8. Define management interfaces: communications planning and channels must be established as early as possible for flow of PM information on all subjects.
9. Preparation of Technical Mgmt. Plan (TEMP): included in the overall PMP and SEMP, and integrates technical execution with overall systems engineering and PM. |
|
|
List the specific planning phase tasks (steps 10-11)?
|
10. Review of overall Project Mgmt. Plan (PMP): this overarching plan integrates consistently and coherently all aspects of project execution, schedule, and resources. All actions and changes roll up into this from subsidiary plans. It evolves and changes as the project moves forward.
11. Obtain customer agreement: all aspects must be in accordance with customer requirements and expectations, and includes:
~ Environmental analysis
~ Feasibility analysis
~ Scope, requirements, and deliverables verification
~ Customer approval |
|
|
What process groups are part of the management phase of technical management?
|
controlling
executing |
|
|
What are management phase activities?
|
~ Managing change: requesting, implementing, rejecting
~ Managing configurations: documents, deliverables, etc.
~ Managing corrective actions: identifying, applying
~ Managing updates: scope, PMP, performance plans, etc.
~ Managing expectations: effective, timely communication
~ Managing risk: identifying, tracking, mitigating |
|
|
List the specific management phase tasks (steps 1-3)?
|
1. Directing technical effort: the management of the actual technical (engineering, designing, etc.) work and production of deliverables.
2. Tracking resources: using all necessary tools and feedback mechanisms to ensure timely, accurate knowledge of the “planned to actual” consumption rates.
3. Tracking performance: continuous awareness of and access to performance metrics (cost, schedule, earned value, customer satisfaction) to ensure timely action. |
|
|
List the specific management phase tasks (steps 4-6)?
|
4. Monitoring progress: evaluation of overall progress toward completion of short-term, mid-term, and long-term objectives and deliverables IAW plans and requirements.
5. Ensuring quality: evaluation of quality indicators to ensure timely awareness and correction of issues and unacceptable variances.
6. Managing configuration elements: continuous management and control of changes to baselines, documentation, products, and other items. |
|
|
List the specific management phase tasks (steps 7-8)?
|
7. Evaluation of performance: review and assessment of overall aspects of performance in technical, schedule, cost, human resources, and other areas of performance measurement for the project.
8. Status reporting: providing all stakeholders with timely progress reports, including status of technical changes, cost profiles, staffing/skills requirements, quality indicators, schedule changes or slippage, scope changes, and corrective actions. |
|
|
What does project monitoring provide?
|
Project Monitoring activities provide for metrics
collection, evaluation, comparison, and reporting on all aspects of project performance to stakeholders (includes owners, sponsors, staff, and others). |
|
|
What does effective and timely monitoring provide?
|
Effective and timely monitoring is crucial to
facilitating problem resolution, corrective action planning and execution, and provides the analytical basis for understanding and correcting variances to baseline. |
|
|
What three project management activities occur in parallel?
|
Managing Project Execution
Milestone Achievement
Continuous Risk Assessments |
|
|
What is managing project execution?
|
This is the part where the Project Manager
assumes ownership and accountability for project success. He uses “referent” authority to influence all the key participants and steer the whole venture towards a successful conclusion. |
|
|
What is milestone achievement?
|
To the extent that milestones are generally
achieved in a serial rather than a parallel fashion, one milestone must normally be fully completed before the next can commence. Consequently, the project manager is obliged to focus heavily on whatever is the current milestone. Remember - payments are frequently tied to milestone achievement. |
|
|
What are continuous risk assessments?
|
In line with a highly preventive management
approach, continual risk assessments need to be carried out to identify risk categories, risk events, likelihood of occurrence, priorities for attention and mitigation strategies. |
|
|
What is project closeout?
|
This step is extremely important because close-out and final payment can often be difficult if not planned properly. Some tips on how to close out effectively:
~ Understand the acceptance criteria for close-out.
~ Initiate early talks to gain clear visibility of any concerns.
~ Work to ensure that problem areas are cleared up in time.
~ Seek opportunities for the client to gain leverage after completion.
~ Avoid paying sub-contractors until the customer has accepted the work.
~ Do a lessons learned exercise to capture improvement ideas.
~ Be sure to thank all the outstanding contributors. |
|
|
What are the prescribed technical management documents?
|
~ Statement of Work (SOW)
~ Project/Program Management Plan (PMP)
~ The Systems Engineering Management Plan (SEMP)
~ Work Breakdown Structure (WBS)
~ Statement of Milestones
~ Cost, Schedule, Resource and other projections
~ Quality Management Plan (QMP or QA Plan)
~ Configuration Management Plan (CMP)
~ Project Risk Management Plan (RMP) |
|
|
What is a Statement of Work (SOW)?
|
The SOW provides the details regarding what is to be performed or delivered as a result/product:
~ Summary statement of the tasks to be accomplished
~ Identification of the input requirements from other tasks
~ References to applicable specifications, standards, procedures, and related documentation
~ Description of specific results to be achieved and a proposed schedule of delivery
Often used to measure contractual obligations and compliance. |
|
|
What is a Program Management Plan (PMP)?
|
The PMP covers all the planning at a high level and
leads to low-level planning for specific activities |
|
|
What are the major components of a PMP?
|
~ Systems Engineering Management Plan (SEMP)
~ Security Systems Engineering Plan (SSEP)
~ Work Breakdown Structure (WBS)
~ Costing and budgeting plans
~ Testing plans |
|
|
What is a Systems Engineering Management Plan (SEMP)?
|
The SEMP is the integrated “living” master plan that provides the central repository that binds together all subordinate plans, tasks, and other work elements. It contains:
~ Who is doing a thing or things
~ What things are done, in progress, to start…
~ When these things will start, or finish
~ Where the people, resources, documentation etc. are
~ How things are being organized and accomplished
(The RFP/SOW contain and outline the “why”) |
|
|
In general what is included in the SEMP?
|
~ Baselines for cost, schedule, and resources
~ Requirements analysis and planned deliverables
~ Standards and procedures (e.g. ISO, MIL, NIST)
~ Business case trade-offs, cost-effectiveness analyses
~ Project taxonomy and glossary
~ Organizational structure (internal and external relationships)
~ Allocations & constraints (resource, technical, scheduling, etc.)
~ Design requirements validation (Is it what we want?)
~ Functional analysis and verification (Does it do what it is supposed to do?)
~ Life-cycle support information and considerations (transition and operational) |
|
|
What is a Work Breakdown Structure (WBS)?
|
WBS describes how all the essential tasks of the
project will be defined (including dependencies), assigned, and scheduled to members of the team. |
|
|
In general, how many hierarchical activity levels are assigned to a WBS and what are they?
|
3 levels
~ Level 1 – Identifies the entire program scope of work to be produced
~ Level 2 – Identifies the various activities and categories of the entire program
~ Level 3 – Identifies the specific tasks of each category |
|
|
What is a statement of milestones?
|
Statement of Milestones derives from the SOW, and describes in detail:
~ What is to be delivered by which activities and to whom
~ What the agreed deliverable content will be
~ The schedule on which the milestone will be achieved
All of which is subject to alteration and variance by change or environmental factors. |
|
|
What is cost control?
|
Cost control requires effective management, including:
~ Cost estimating
~ Cost accounting
~ Cost monitoring
~ Cost analysis and reporting
~ Control functions |
|
|
What is schedule estimating?
|
Schedule Estimating requires knowledge of technical task execution and interdependencies, and uses:
~ Activity definition (what must be done)
~ Activity sequencing (order, precursors, successors)
~ Resource requirements and estimation
~ Activity duration
~ Input requirements and output expectations
~ Risk factors to schedule, cost, flow |
|
|
What is a Quality Management Plan?
|
The QMP is the authoritative plan (integrates upward into
the SEMP) that provides the central control for how “quality” is to be achieved throughout the project and in the final delivered product(s) and deliverables. |
|
|
What is the definition of quality?
|
“Quality” is defined as “the degree to which a set of
inherent characteristics [of performance, of appearance, or other] satisfy a set of requirements”. |
|
|
What is quality management?
|
“Quality Management” is the process by which
stakeholder needs, wants, and expectations are transformed into requirements that can then be executed and met by the project. “Quality Control” processes monitor and track this. |
|
|
What are the components of a QMP?
|
The QMP will contain the framework necessary to implement, monitor, correct, and report on this aspect of overall project management and deliverables:
~ Standards to be employed (i.e. ISO 9000 or 10006)
~ Data elements and metrics to be collected
~ Analytical processes to be used (stat, financial, etc.)
~ Benchmarks, comparators, KPI, CSF and other analytics
~ Corrective Action Plans and progress reports
~ An interface to the Change Management process to assure awareness and capture of impacts to the SEMP |
|
|
What is a configuration management plan (CMP)?
|
The CMP is the authoritative plan (that integrates upward
into the SEMP) that provides the central control for how changes (in their infinite variety) will be identified, evaluated, escalated, implemented, tracked and controlled continuously throughout the SEMP execution. |
|
|
Why must change be managed?
|
Change as a factor having impact on all aspects of the
project must be recognized as inevitable, but must be managed to avoid unacceptable deviations and adverse impact to schedule, cost, quality, or other factors that ultimately compromise achievement of project objectives. |
|
|
What are the components of a CMP?
|
CMP as used by DoD describes a process with five components regarding configuration items (CI) and managing the potential impact of change to operations:
~ Management and Planning: approved and documented in PMP
~ CI Identification: selection criteria and documentation
~ Configuration Control: the CM process to ensure no unmanaged change occurs
~ Status Accounting: the system for tracking change to baseline
~ Verification and Audit: provides interface and feedback to QA/QM |
|
|
What is a risk management plan (RMP)?
|
The RMP describes the plan (that integrates upward into the SEMP) for how risks, threat agents, and physical, environmental, and other sources of risk are anticipated or identified throughout the project lifecycle, including:
~ Assessment and review processes and responsible roles
~ Reporting and documentation, including CM input
~ Controls and countermeasures used to mitigate, reduce, and avoid
The RMP uses NIST SP 800-30 and OMB A-130 as base requirements and guidance. |
|
|
What is a Test and Evaluation Master Plan (TEMP)?
|
Test and Evaluation Master Plan (TEMP) – Overall description of test objectives:
~ Requirements for testing
~ Data to be collected and measured
~ Categories of tests
~ Methods and procedures to be used
~ Resources required for tests |
|
|
What are the general types of tests documented in a TEMP?
|
General types of tests:
~ Preproduction (from initial stages forward)
~ Acceptance (customer acceptance and approval)
~ Operational (O&M SLC support) |
|
|
What is DT&E?
|
Developmental testing (DT&E):
~ Analytical: conducted very early in SLC using automated techniques and simulation
~ Type 1: laboratory bench-testing, intended to verify performance and physical characteristics |
|
|
What is OT&E?
|
Operational testing (OT&E):
~ Type 2: done in latter stages of detailed design (SUT)
~ Type 3: performed at initial qualification and prior to completion of production (IVT&E)
~ Type 4: performed during operations and lifecycle support phases |
|
|
What is a PERT schedule?
|
The Program Evaluation and Review Technique
(PERT) is a scheduling tool that defines the critical path (in red) through a project (zero float or slack) |
|
|
Draw a PERT node and example PERT schedule with critical path
|
Check slide 501
|
|
|
What is a Requirements Traceability Matrix (RTM)?
|
Facilitates derivation of requirements from sources
(laws, FIPS, project needs, etc), showing source, object, rationale, verification, validation, and execution, traceable from the result back to the source |
|
|
What is a Gantt chart?
|
Gantt charts depict project schedules and milestones in a
horizontal calendar, and show task linkage, dependencies, start-finish relationships, task overlap, slack and other project attributes graphically (most often used PM tool) |
|
|
Name the development models recognized by ISSEP
|
Waterfall model
Vee model
Spiral model |
|
|
What are the pros and cons of the waterfall development model?
|
PRO: Structured and understandable
CON: Rigid and not flexible
CON: Hard to manage complex projects |
|
|
What are the pros and cons of the Vee development model?
|
PRO: Like IATF
PRO: Very flexible for adapting new stuff
CON: Lots of documentation |
|
|
What are the pros and cons of the spiral development model?
|
PRO: Very flexible - prototyping
CON: Needs strong management
CON: Prone to “Production Paradox” |
|
|
What are the basic forms of risk?
|
~ Project Risk [criticality]: systematic and non-systematic risk factors that specifically threaten the timely, correct, and cost-effective completion of the project
~ IT Risk [sensitivity]: normal factors of risk that threaten to disrupt the CIA attributes of the IT involved (either as product or as support to the project). |
|
|
Why is unmanaged change a risk?
|
The rate of unmanaged change will eventually exceed the
rate of progress and endanger the project. |
|
|
What are the sources of change?
|
Change has various sources: some is necessary, some
otherwise. Change is a serious risk factor with both positive and negative dimensions, and if not controlled can result in:
~ Increased cost
~ Scope creep
~ Schedule slippage
~ Excessive resource consumption
~ Unacceptable deliverables (content or quality)
~ Overall failure to complete on time, on budget, or at all |
|
|
What are the SSE-CMM project and organization process areas?
|
PA12 – Ensure Quality
PA13 – Manage Configuration
PA14 – Manage Project Risk (threats to project success)
PA15 – Monitor and Control Technical Effort
PA16 – Plan Technical Effort
PA17 – Define Organization’s SE Process
PA18 – Improve Organization’s SE Process
PA19 – Manage Product Line Evolution
PA20 – Manage SE Support Environment
PA21 – Provide On-going Skills and Knowledge
PA22 – Coordinate with Suppliers |
|
|
What is the CMM IDEAL model?
|
This Carnegie Mellon (SEI) model describes an implementation
approach for achieving the CMM levels:
I – Initiating: lays the foundation for quality and process improvements (CMM-1)
D – Diagnosing: methods determine the “AS IS” state relative to the “TO BE” state (CMM-2)
E – Establishing: planning how to attain the chosen level of maturity (CMM-3)
A – Acting: executing the plan and achieving the desired results (CMM-4)
L – Learning: continually improving what you do and how you do it (CMM-5) |
|
|
What do the early phase levels of CMM provide?
|
Early phase levels and processes lay foundations for
committed organizations to begin building in managerial, technological, and operational structures and controls to enable growth, advancement, and achievement of the higher levels |
|
|
What are the early phase levels of CMM?
|
Levels 1 & 2
|
|
|
What do the later phase levels of CMM provide?
|
Institutionalize processes, methods, techniques and tools to
continue building managerial, technological, and operational structures and controls to maintain advancements and continually learn and improve |
|
|
What are the later phase levels of CMM?
|
Levels 3 - 5
|
|
|
What are the major sections of an IEEE 1220 SEMP?
|
I Scope
II Applicable Documents
III Systems Engineering Process (SEP) Application
IV Transitioning Critical Technologies
V Integration of Systems Engineering Effort
VI Additional Systems Engineering Activities
VII Notes
Appendices |
|
|
What are the subsections of section III of an IEEE 1220 SEMP?
|
Systems Engineering Process Planning
Requirements Analysis
Requirements Baseline Validation
Functional Analysis
Functional Verification
Synthesis
Design Verification
Systems Analysis
Control |
|
|
What are the subsections of section V of an IEEE 1220 SEMP?
|
Organizational Structure
Required Systems Engineering Integration Tasks |
|
|
What are the subsections of section VI of an IEEE 1220 SEMP?
|
Long-lead Items
Design to Cost
Value Engineering
Systems Integration Design
Interface with Other Life-cycle Support Functions
Safety Plan
Other Plans and Controls |
|
|
What are the subsections of section VII of an IEEE 1220 SEMP?
|
General Background Information
Acronyms and Abbreviations
Glossary |
|
|
What are the subsections of section "Systems Engineering Process Planning" of an IEEE 1220 SEMP?
|
Major Deliverables and Results
Integrated Database
Specification Baseline
Process Inputs
Technical Objectives
System Breakdown Structure (SBS)
Training
Standards and Procedures
Resource Allocation
Constraints
Work Authorization |
|
|
What are the subsections of section "Systems Analysis" of an IEEE 1220 SEMP?
|
Trade-off Analysis
System/Cost-Effectiveness Analysis
Risk Management |
|
|
What are the subsections of section "Control" of an IEEE 1220 SEMP?
|
Design Capture
Interface Management
Data Management
Systems Engineering Master Schedule
Technical Performance Measurement
Technical Reviews
Supplier Control
Requirements Traceability |
|