Certification and Accreditation of systems - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Certification and Accreditation of systems

Description:

Title III of the E-Government Act (Public Law 107-347), entitled Federal ... certify and accredit systems that will maintain the information assurance (IA) ... – PowerPoint PPT presentation

Number of Views:277
Avg rating:3.0/5.0
Slides: 29
Provided by: rose175
Category:

less

Transcript and Presenter's Notes

Title: Certification and Accreditation of systems


1
Certification and Accreditation of systems
  • DITSCAP (DIACAP), NIACAP, and NIST

2
CA Background
  • Title III of the E-Government Act (Public Law
    107-347), entitled Federal Information Security
    Management Act (FISMA), requires that all federal
    agencies develop and implement an agency-wide
    information security program designed to
    safeguard IT assets and data of the respective
    agency.
  • FISMA is specific in its requirements and it
    stipulates that the information security program
    must include documentation and reports that
    clearly describe the following
  • Periodic risk assessments
  • Information security policies and procedures
  • An assessment of threats, including their
    likelihood and impact
  • Policies and procedures for detecting security
    vulnerabilities
  • Evaluation and periodic testing of how well
    security policies are working
  • An inventory of software and hardware assets
  • Continued on next slide

3
CA Background (cont.)
  • Security awareness training and expected rules of
    behavior for end-users
  • An evaluation of the technical, management, and
    operational security controls
  • Procedures for reporting and responding to
    security incidents
  • A process for addressing any deficiencies
    reported
  • Contingency plans to ensure continuity of
    operations in the face of a disaster
  • FISMA forces federal agencies to understand the
    security of their systems and holds them
    accountable for resolving deficiencies. The
    methodologies that have evolved to address FISMA
    stipulations are sound ones and, though only
    federal agencies are required to abide by them,
    it would behoove financial institutions to adopt
    these methodologies to assess the security of
    their own systems.

4
CA
  • There are generally three methodologies used for
    CA initiatives
  • DITSCAP
  • NIACAP
  • NIST

5
DITSCAP (DIACAP)
  • DITSCAP (Defense Information Technology Systems
    Certification and Accreditation Process) based
    on a publication known as Defense Information
    Systems Certification and Accreditation
    regulation Department of Defense (DoD)
    Instruction 5200.40, this publication is mainly
    used by defense agencies.
  • DoDI 5200.40 implements policy, assigns
    responsibilities, and prescribes procedures for
    Certification and Accreditation (CA) of
    information technology in the Department of
    Defense, creates the DoD IT Security
    Certification and Accreditation Process (DITSCAP)
    for security CA of unclassified and classified
    IT, and Stresses the importance of a life-cycle
    management approach to the CA and
    reaccreditation of DoD IT.

6
DITSCAP (cont.)
  • DoDI 5200.40 was published on December 30th, 1997
    and is being replaced by the DoDD 8500 series.
  • The purpose of DITSCAP was to establish a
    standard to protect and secure the entities
    comprising the Defense Information Infrastructure
    (DII).

7
DITSCAP (cont.)
  • DITSCAP consists of four phases
  • Phase 1 Definition
  • Phase 2 Verification
  • Phase 3 Validation
  • Phase 4 Post Accreditation
  • Phase 1 activities include documenting the
    system mission, architecture, and environment
    identifying the threat defining the levels of
    effort identifying the Certification Authority
    (CA) and the Designated Approving Authority
    (DAA) and to document the necessary security
    requirements for CA. Phase 1 is completed by a
    documented agreement between the DAA, CA, program
    manager, and the user representative.
  • Phase 2 includes activities to verify compliance
    of the system with previously agreed security
    requirements.

8
DITSCAP (cont.)
  • Phase 3 includes activities to evaluate the fully
    integrated information system to validate
    operation of the system in a specified computing
    environment with acceptable residual risk.
    Validation will be complete with approval to
    operate.
  • Phase 4 consists of activities to monitor system
    management and operation to ensure that an
    acceptable level of residual risk is maintained.
    Security management, change management, and
    periodic compliance validation reviews are
    conducted.

9
(No Transcript)
10
DITSCAP (cont.)
  • As of July 6th, 2006 DITSCAP has been replaced
    with DIACAP. All new systems and systems
    undergoing certification are to transition to/use
    DIACAP immediately.
  • Systems with a phase one through phase three
    signed Systems Security Authorization Agreement
    (SSAA), not yet accredited, are to continue under
    DITSCAP, but must develop a plan to transition to
    DIACAP within 180 days.
  • Systems accredited under DITSCAP current within
    three years are to establish a strategy and
    schedule for transitioning to DIACAP within 180
    days of the DIACAP transition instruction
    (published July 6th, 2006).
  • Systems with a DITSCAP accreditation older than
    three years are to initiate DIACAP.

11
DIACAP
  • DoD information assurance certification and
    accreditation process (DIACAP) is the replacement
    for DITSCAP.
  • DIACAP currently has interim guides published,
    that became effective July 6th, 2006.
  • The purpose of DIACAP is to establish the DoD
    information assurance (IA) certification and
    accreditation (CA) process for authorizing the
    operation of DoD information systems consistent
    with the Federal Information Security Management
    Act (FISMA), DoD Directive (DoDD) 8500.1, and DoD
    Directive 8100.1 It supersedes DoD Instruction
    (DoDI) 5200.40 and DoD 8510.1-M supports
    net-centricity (the ability of users to easily
    discover, access, integrate, correlate and fuse
    information and data that support their mission
    objectives) through an effective and dynamic IA
    CA process and provides visibility and control
    of the implementation of IA capabilities and
    services, the CA process, and accreditation
    decisions authorizing the operation of DoD
    information systems, to include core enterprise
    services (CES) and web services-enabled software
    systems and applications.

12
DIACAP (cont.)
  • The DIACAP package is developed through DIACAP
    activity and maintained throughout a systems
    life cycle. Each DAA will determine what
    information is necessary to make an accreditation
    decision. Acquisition contracts must specify
    information assurance CA deliverables.
  • The DIACAP package should consist of a System
    Identification Profile (SIP), Implementation
    Plan, Supporting Documentation for Certification,
    DIACAP Scoreboard, and POAMs (if required).

13
DIACAP (cont.)
  • The SIP is compiled during the DIACAP
    registration and maintained throughout the system
    life cycle.
  • The SIP consists of various information about the
    system. Such as the system id, system component,
    government DoD component IA program, system name,
    system life cycle or acquisition phase,
    confidentiality level, mission criticality, etc.
    For a full list of the requirements and
    recommendations of information to be included in
    an SIP, refer to http//iase.disa.mil/ditscap/inte
    rim-ca-guidance.pdf

14
DIACAP (cont.)
  • The DIACAP scorecard is intended to convey
    information about the IA posture of a DoD
    information system in a format that can be easily
    understood by managers and be easily exchanged
    electronically.
  • The scorecard contains information such as the
    date of the accreditation, the accreditation
    decision for the system, the impact code for the
    controls (e.g. high, medium, etc.), the
    confidentiality level of the system, etc. an
    outline of the DIACAP scorecard is also contained
    in the DIACAP interim guidelines located at
    http//iase.disa.mil/ditscap/interim-ca-guidance.p
    df

15
DIACAP (cont.)
  • A plan of action and milestones (POAM) is a tool
    for identifying tasks that need to be
    accomplished. It specifies resources required to
    accomplish the elements of the plan, any
    milestones in meeting the task, and scheduled
    completion dates for the milestones.
  • The POAM documented should consist of
  • why the system needs to operate
  • any operational restrictions imposed to lessen
    the risk during the interim authorization
  • specific corrective actions necessary to
    demonstrate that all assigned IA Controls have
    been implemented correctly and are effective
  • the agreed upon timeline for completing and
    validating corrective actions
  • And the resources necessary and available to
    properly complete the corrective actions.

16
NIACAP
  • NIACAP stands for National Information Assurance
    Certification and Accreditation Process. It is
    based on a process published by the National
    Security Telecommunications and Information
    System Security Instruction known as NSTISSI No.
    1000.
  • NIACAP establishes a standard national process,
    set of activities, general tasks, and a
    management structure to certify and accredit
    systems that will maintain the information
    assurance (IA) and security posture of a system
    or site. NSTISSI 1000 provides an overview of the
    NIACAP process, roles of the people involved, and
    the documentation produced during the process.

17
NIACAP (cont.)
  • NSTISSI 1000 is designed to certify that the
    information system (IS) meets documented security
    requirements and will continue to maintain the
    accredited security posture throughout the system
    life cycle. The process should be adapted to
    include existing system certifications and
    evaluations of products.
  • The key to the NIACAP is the agreement between
    the IS program manager, Designated Approving
    Authority (DAA), certification agent (certifier),
    and user representative. These individuals are
    responsible for resolving critical schedule,
    budget, security, functionality, and performance
    issues. The NIACAP agreements are documented in
    the System Security Authorization Agreement
    (SSAA). The SSAA is used to guide and document
    the results of the Certification and
    Accreditation (CA).

18
NIACAP (cont.)
  • There are different types of accreditation
    depending on what is being certified. A system
    accreditation evaluates a major application or
    general support system. A site accreditation
    evaluates the applications and systems at a
    specific, self-contained location. A type
    accreditation evaluates an application or system
    that is distributed to a number of different
    locations. The NIACAP applies to each of these
    accreditation types and may be tailored to meet
    the specific needs of the organization and IS.
  • NIACAP is composed of four phases (these phases
    are very similar to the phases in DITSCAP, and
    are named the same). These phases are
    Definition, Verification, Validation, and Post
    Accreditation.
  • Phase 1, Definition, is focused on understanding
    the IS business case, environment, and
    architecture to determine the security
    requirements and level of effort necessary to
    achieve certification and accreditation.

19
NIACAP (cont.)
  • The objective of Phase 1 is to agree on the
    security requirements, CA boundary, schedule,
    level of effort, and resources required.
  • Phase 2, Verification, verifies the evolving or
    modified systems compliance with the information
    in the SSAA. The objective of Phase 2 is to
    ensure the fully integrated system will be ready
    for certification testing.
  • Phase 3, Validation, validates compliance of the
    fully integrated system with the security policy
    and requirements stated in the SSAA. The
    objective of Phase 3 is to produce the required
    evidence to support the DAA in making an informed
    decision to grant approval to operate the system
    (accreditation or Interim Approval to Operate
    (IATO)).

20
NIACAP (cont.)
  • Phase 4, Post Accreditation, starts after the
    system has been certified and accredited for
    operations. Phase 4 includes those activities
    necessary for the continuing operation of the
    accredited IS in its computing environment and to
    address the changing threats and small scale
    changes a system faces through its life cycle.
    The objective of Phase 4 is to ensure secure
    system management, operation, and maintenance to
    preserve an acceptable level of residual risk.

21
NIACAP (cont.)
  • Many organizations within a federal agency have
    significant roles in contributing to the secure
    development and operation of their IS. The NIACAP
    approach allows federal agencies to adapt the
    NIACAP roles into their respective organizational
    management structure to best manage the risks to
    the federal agencys mission throughout the IS
    life cycle system development, operation,
    maintenance, and disposal.
  • Many civilian agencies have used either the
    NIACAP or NIST methodologies, in the past, to
    evaluate there is. The current trend, however, is
    that most agencies are moving away from NIACAP
    and are instead following the new NIST
    methodology.

22
NIST
  • The National Institute of Standards and
    Technology (NIST) Special Publications are the
    most widely used of the different CA
    methodologies.
  • NIST develops and issues standards, guidelines,
    and other publications to assist federal agencies
    in implementing the Federal Information Security
    Management Act (FISMA) of 2002 and in managing
    cost-effective programs to protect their
    information and information systems.
  • The current NIST-SP used for the certification
    and accreditation of federal systems is NIST-SP
    800-53A.
  • NIST 800-53A divides the system development life
    cycle into five phases. system initiation, system
    development and acquisition, system
    implementation, system operations and
    maintenance, and system disposal.

23
NIST (cont.)
  • The purpose of NIST SP 800-53A is to provide
    guidelines for building effective security
    assessment plans and procedures to enable the
    assessment of security controls employed in
    information systems supporting the executive
    agencies of the federal government
  • NIST 800-53A divides security requirements into
    three categories based on the overall risk and
    sensitivity of the system. The system will be
    evaluated as either Low, Moderate, or High and
    the appropriate controls for the risk level are
    followed.

24
NIST (cont.)
  • An example of a government agency that follows
    NIST 800-53A is the DOT and FAA.
  • In order to fulfill the requirements/guidelines,
    DOT employs an Independent Security Certification
    Staff to audit its systems and recommend whether
    they be approved for implementation, authorized,
    re-certified, or denied authorization.
  • The ISCS accomplishes this through analyzing the
    Information System Security Plan of the
    organization being audited, and comparing to a
    Security Test and Evaluation (STE) based on NIST
    800-53A. The auditors will then perform tests on
    the systems being audited, and interview
    personnel responsible for the system, in order to
    conclude whether the system be certified.

25
NIST (cont.)
  • Once the ISCS has completed its audit of the
    system, the team will draw up various documents
    detailing their findings. These include a Risk
    Assessment document, POAMs, Risk Acceptances,
    STE, Executive Summary, etc. DOT requires that
    its systems perform Annual Assessments yearly,
    with full Certification and Authorizations (CAs)
    being performed every three years.
  • Once the package is complete it is sent to the
    Authorizing Official (AO, the designation of DAA
    is no longer used) for approval.

26
Conclusion
  • DITSCAP, DIACAP, NIACAP, and NIST are all used by
    government organizations in order to satisfy the
    requirements set forth by FISMA.
  • The requirements of each of these certification
    processes are constantly being updated as the
    need for security changes with technology.
  • NIST 800-53A recently replaced NIST 800-53, which
    in turn replaced NIST 800-26. DIACAP is currently
    in the process of replacing DITSCAP.

27
References
  • More information on these processes can be found
    at the following sites
  • http//iase.disa.mil/ditscap/interim-ca-guidance.p
    df (transition from DITSCAP to DIACAP)
  • http//csrc.nist.gov/groups/SMA/fasp/documents/ca
    /DLABSP/i520040p.pdf (DITSCAP)
  • http//www.cnss.gov/Assets/pdf/nstissi_1000.pdf
    (NIACAP)
  • http//csrc.nist.gov/publications/drafts/800-53A/S
    P-800-53A-tpd-final-sz.pdf (NIST 800-53A)

28
References (cont.)
  • Information used in this presentation was
    gathered from the following web sites
  • http//iase.disa.mil/ditscap/interim-ca-guidance.p
    df (transition from DITSCAP to DIACAP)
  • http//csrc.nist.gov/groups/SMA/fasp/documents/ca
    /DLABSP/i520040p.pdf (DITSCAP)
  • http//www.cnss.gov/Assets/pdf/nstissi_1000.pdf
    (NIACAP)
  • http//csrc.nist.gov/publications/drafts/800-53A/S
    P-800-53A-tpd-final-sz.pdf (NIST 800-53A)
  • http//www.intranetjournal.com/articles/200406/pij
    _06_23_04a.html (information on the uses of
    DITSCAP, NIACAP, and NIST)
Write a Comment
User Comments (0)
About PowerShow.com