Agency C&A Process - Stakeholder Quarterly Training (PowerPoint transcript, 84 slides)

Description: WinZip Procedures. C&A Process Timeline & ELC Milestone Guidance ... Ensure that the BU POC has WinZip 9.0, since both sending and receiving ends ...

Transcript and Presenter's Notes
1
Agency C&A Process: Stakeholder Quarterly Training
Presented by _______________ Date
2
Logistics
  • Participants will receive three (3) hours of
    credit for this training.
  • Please email ____________ with "C&A Stakeholder
    Training" in the subject line so you can receive
    credit.

3
Agency C&A Process - Stakeholder Training
Table of Contents
  • What is C&A and Why Bother with It?
  • NIST-Compliant C&A Process & Risk Management
    Framework
  • C&A Approach in Seven Phases
  • Agency Environment
  • Background
  • Key Stakeholders
  • C&A Team Roles and Responsibilities
  • WinZip Procedures
  • C&A Process Timeline & ELC Milestone Guidance
  • Stakeholders' C&A Working/Validation Agenda
  • Boundary/Scope Meeting
  • Working Sessions
  • NIST SP 800-53 Controls
  • Validation Sessions
  • Security Test & Evaluation (ST&E)
  • Test, Training & Exercise (TT&E)
  • Security Assessment Report (SAR)
  • Risk Overview and Stakeholder Outbrief Sessions
  • Critical Success Factors

4
Agency C&A Process - Stakeholder Training
Certification & Accreditation (C&A)
  • What is Certification and Accreditation?
  • Certification is the comprehensive assessment of
    the management, operational, and technical
    security controls in an information system, made
    in support of security accreditation, to
    determine the extent to which the controls are
    implemented correctly, operating as intended, and
    producing the desired outcome with respect to
    meeting the security requirements for the
    system. (FIPS 200)
  • Accreditation is the official management
    decision given by a senior agency official to
    authorize operation of an information system and
    to explicitly accept the risk to agency
    operations (including mission, functions, image,
    or reputation), agency assets, or individuals,
    based on the implementation of an agreed-upon set
    of security controls. (FIPS 200)

5
Agency C&A Process - Stakeholder Training
Certification & Accreditation (C&A) (continued)
  • Why bother with Certification and Accreditation?
  • It's the law: Title III of Public Law 107-347,
    commonly known as the Federal Information Security
    Management Act (FISMA) of 2002, mandates
    "assessing the risk and magnitude of the harm
    that could result from the unauthorized access,
    use, disclosure, disruption, modification, or
    destruction of such information and information
    systems"
  • Federal Information Processing Standards
    Publication (FIPS) 199 mandates Standards for
    Security Categorization of Federal Information
    and Information Systems
  • FIPS 200 mandates Minimum Security Requirements
    for Federal Information and Information Systems
  • It is a systematic way to identify risks that
    should be mitigated or resolved
  • It proactively protects the Agency from attacks
    and threats

6
Agency C&A Process - Stakeholder Training
The Agency NIST-Compliant C&A Process
  • The Agency has established a standardized
    Certification & Accreditation process
  • The process is aligned with guidance provided by
    the National Institute of Standards and
    Technology (NIST) and OMB
  • It has been fully vetted by the business units
    through the business unit security PMOs
  • It is robust and comprehensive
  • It is a risk-based approach
  • The process is solid and defensible; it produces
    documentation and includes comprehensive testing
    and reporting

7
Agency C&A Process - Stakeholder Training
The Agency C&A Process follows the NIST Risk
Management Framework

8
Agency C&A Process - Stakeholder Training
The Agency C&A Approach Consists of 7 Phases
  • Phase 1: Preparation
  • Phase 2: Draft SSP, PIA, ITCP Documents
  • Phase 3: Finalize SSP, PIA, ITCP Documents
  • Phase 4: Develop ST&E Plan
  • Phase 5: Execute ST&E Plan
  • Phase 6: Assess Risk and Finalize C&A Package
  • Phase 7: Maintenance and Monitoring
9
Agency C&A Process - Stakeholder Training
Agency Environment
Definitions Associated with Agency Information
Systems
  • General Support System (GSS): the infrastructure
    the application resides on
  • An interconnected set of information resources
    under the same direct management control that
    shares common functionality, which normally
    includes hardware, software, information, data,
    components, communications, and people
  • Application (General)
  • A self-contained program that performs a
    well-defined set of tasks under user control, as
    opposed to a system program
  • An application program (sometimes shortened to
    application) is any program designed to perform a
    specific function directly for the user or, in
    some cases, for another application program
  • Applications process data
  • Application types
  • Major Application
  • An application that requires special attention to
    security due to the risk and magnitude of harm
    resulting from the loss, misuse, or unauthorized
    access to or modification of the information in
    the application
  • Note: all federal applications require some
    level of protection. Certain applications,
    because of the information in them, require
    special management oversight and should be
    treated as major applications. Adequate
    security for other applications should be
    provided by the security of the systems in which
    they operate
  • Minor Application
  • An application, other than a major application,
    that requires attention to security due to the
    risk and magnitude of harm resulting from the
    loss, misuse, or unauthorized access to or
    modification of the information in the application

10
Agency CA Process - Stakeholder Training
Agency Environment
  • Security Categorization Definitions (potential
    impact)
  • Low - the loss of confidentiality, integrity, or
    availability could be expected to have a LIMITED
    adverse effect on organizational operations,
    organizational assets, or individuals
  • Moderate - the loss of confidentiality,
    integrity, or availability could be expected to
    have a SERIOUS adverse effect on organizational
    operations, organizational assets, or individuals
  • High - the loss of confidentiality, integrity, or
    availability could be expected to have a SEVERE
    or CATASTROPHIC adverse effect on organizational
    operations, organizational assets, or individuals

11
Agency CA Process - Stakeholder Training
Agency Environment
Security Controls provide
  • Protection of information systems that support
    the operations and assets of the organization, so
    that the organization can
  • Accomplish its assigned mission
  • Protect its assets and PII data
  • Fulfill legal responsibilities
  • Maintain day-to-day operations
  • Protect individuals
  • They provide safeguards for people, systems, and
    applications throughout the organization
  • FIPS 199 requires agencies to categorize their
    information systems by potential impact level;
    NIST SP 800-60 provides the guidance for mapping
    information types to those impact levels

12
NIST SP 800-53 Controls: Agency Environment
Security Framework for Agency Applications,
Systems, and Organization
  • Security controls are an integral part of Agency
    applications, components, systems, and
    environment
  • Organizational and Physical/Environmental and
    Media Protection controls support the foundation
    provided by Agency policies and procedures
  • GSS/BU controls apply to applications and
    systems
  • Application controls are specific to each
    application

Application
  • System Integrity
  • Access Controls
  • Database Controls
  • Auditing of Application Users
  • Transactions

GSS/BU
  • Database Controls
  • Backup and Recovery
  • Auditing of GSS Users
  • Access Controls to OS
  • Remote Access

Organizational and PE/MP Controls
  • Security Policies
  • Personnel Security
  • Physical and Environmental
  • Security Training and Awareness (portions)
  • Incident Response (portions)
  • Media Protection

13
Agency C&A Process - Stakeholder Training
Background
The C&A Process is led by the C&A Team. The C&A
Team is divided into two sub-teams: a
documentation team and an ST&E team. The
documentation team performs the following:
  • MS Project is used to plan, monitor, and track
    the performance of the C&A process. A project
    plan is built based on the C&A timeline for each
    application and system. The schedule and
    timeline have recently been updated to reflect
    lessons learned from the C&A process conducted on
    prior applications and systems
  • Every application/system going through the C&A
    process has its own MS Project schedule
  • The standard process takes 126 business days for
    applications (draft proposal)
  • The process takes 140 business days for systems
    (draft proposal)
  • Schedules may vary slightly due to the following:
  • Categorization or complexity of the
    application/GSS
  • Prior or partial C&As performed, including
    changes made to the application
  • Specific requests made by the Business Owner
  • Comprehensive analysis of existing and
    developmental security controls and
    application/system components
  • Develop and conduct an exercise of the
    Information Technology Contingency Plan (ITCP)
    through team collaboration
  • Facilitation of testing, training, and exercises
    of equipment, systems, and applications to ensure
    Agency personnel understand the IT regulations
    and procedures

14
Agency C&A Process - Stakeholder Training
Key Application/System Stakeholders
Agency essential staff that represent
applications/systems
15
Agency C&A Process - Stakeholder Training
C&A Team Roles & Responsibilities
16
Agency C&A Process - Stakeholder Training
C&A Team Roles & Responsibilities (continued)
17
Agency C&A Process - Stakeholder Training
WinZip Procedures
Transmission of Data: WinZip 9.0
  • Issue
  • Due to the sensitivity of the data, information
    such as IP addresses, network diagrams, etc.,
    should not be sent in the clear between the Agency
    network and the C&A Documentation team's network.
  • Solution
  • WinZip 9.0 (the first WinZip release with AES
    encryption) has been approved by the client as a
    secure way to encrypt attachments. Ensure that
    the BU POC has WinZip 9.0, since both the sending
    and the receiving end must use this version to
    encrypt and decrypt attachments.
  • Sending Information
  • All emailed information goes through the BU
    POC. The BU POC ensures that all information
    is encrypted and sent securely to the client
    inside the Agency network. (See the next slides
    for how-to instructions.)
  • Receiving Information
  • All emailed information goes through the BU
    POC. The BU POC ensures that all information
    is encrypted and sent securely to the team
    outside of the Agency network. (See the next
    slides for how-to instructions.)

18
Agency C&A Process - Stakeholder Training
WinZip Procedures
Encrypting: WinZip 9.0
  • How to encrypt using WinZip 9.0
  • Zip the file(s)
  • When the zip prompt appears, select "Encrypt
    added files"
  • Use the 256-bit AES encryption option, not the
    legacy Zip 2.0-compatible encryption, which is
    weak
  • Input the password (use the standard team
    password). Never put the password in the same
    email as the attachment; a shared team password
    only protects the archive from people who do not
    have it, so treat it like any other credential
  • Note that AES encryption in a zip file protects
    the file contents only; the names of the files
    inside the archive stay readable, so do not put
    sensitive details in file names
  • Once the files are successfully zipped and
    encrypted, change the file extension from .zip to
    .change. If the .zip extension remains, the
    firewall will often strip the attachment. The
    rename only avoids mail filtering; it is not a
    protection measure
  • When attaching the file in Microsoft Outlook,
    make sure the "recompress file" option (lower left
    corner of the attach dialog) is unchecked

19
Agency C&A Process - Stakeholder Training
WinZip Procedures
Decrypting: WinZip 9.0
  • How to decrypt using WinZip 9.0
  • Instructions to open the attachment are as
    follows:
  • 1) Ensure the WinZip version is 9.0
  • 2) Save the file (e.g., to My Documents)
  • 3) Change the extension back to .zip
  • 4) Open the zip file
  • 5) Enter the password
  • 6) Open the document contained in the zip file
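Before renaming an attachment back to .zip and opening it, the receiving side can confirm what it actually got. The Python below is an added example, not code from the presentation or from WinZip: it reads the archive's central directory with the standard library (so it works on a file that still carries the .change extension and extracts nothing) and reports, per entry, whether the entry is AES-256, a weaker AES strength, legacy Zip 2.0 ZipCrypto, or not encrypted at all, using the WinZip AES extra-field layout (header ID 0x9901, compression method 99). The stub-archive builder and the file names are constructed test input with placeholder bytes in place of ciphertext. The check also shows a property of the format that matters for this procedure: entry names are readable from an encrypted archive, because ZIP encryption covers file contents only.

```python
"""Receiving-side check for the WinZip procedure: what protection does each
entry of the archive actually carry?

Added example, not code from the presentation or from WinZip. It parses the
archive's central directory with the standard library, so it works on a file
that still has the .change extension and extracts nothing. The stub-archive
builder at the bottom produces constructed test input with placeholder bytes
in place of real ciphertext; only the headers matter for the check.
"""
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901      # WinZip AES extra-field header ID (AE-1 / AE-2)
METHOD_AES = 99            # compression method value that marks WinZip AES
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def aes_strength(extra: bytes):
    """Return the key strength declared in a 0x9901 extra field, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 5:
            # body layout: vendor version (2), vendor ID "AE" (2),
            # strength (1), real compression method (2)
            return AES_STRENGTH.get(body[4])
        pos += 4 + size
    return None


def inspect_archive(data: bytes) -> dict:
    """Map each entry name to 'aes-256', 'aes-192', 'aes-128', 'zipcrypto'
    (the legacy Zip 2.0 cipher) or 'none'. The names are read straight out
    of the directory: ZIP encryption covers file contents, not file names."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:           # general-purpose bit 0
                report[info.filename] = "none"
            elif info.compress_type == METHOD_AES:
                report[info.filename] = aes_strength(info.extra) or "aes-unknown"
            else:
                report[info.filename] = "zipcrypto"
    return report


def archive_is_acceptable(data: bytes) -> bool:
    """The procedure's requirement: every entry must be AES-256 encrypted."""
    report = inspect_archive(data)
    return bool(report) and all(v == "aes-256" for v in report.values())


def build_stub_archive(name: str, protection: str) -> bytes:
    """Constructed test input: a one-entry ZIP whose headers claim the given
    protection. The 16 payload bytes are a placeholder, not ciphertext."""
    payload = b"\x00" * 16
    fname = name.encode("ascii")
    if protection == "none":
        flags, method, extra = 0, 0, b""
    elif protection == "zipcrypto":
        flags, method, extra = 1, 0, b""
    else:
        strength = {"aes-128": 1, "aes-192": 2, "aes-256": 3}[protection]
        flags, method = 1, METHOD_AES
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 0)
    n = len(payload)
    # local file header (30 bytes) + name + extra + payload
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0, 0,
                        0, n, n, len(fname), len(extra)) + fname + extra + payload
    # central directory header (46 bytes) + name + extra; local header is at offset 0
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method,
                          0, 0, 0, n, n, len(fname), len(extra), 0, 0, 0, 0, 0) + fname + extra
    # end of central directory record (22 bytes)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    for kind in ("aes-256", "aes-128", "zipcrypto", "none"):
        blob = build_stub_archive("network-diagram.vsd", kind)
        print(kind, inspect_archive(blob), archive_is_acceptable(blob))
```

A "zipcrypto" result means the sender picked the Zip 2.0-compatible option instead of 256-bit AES and the archive should be re-sent; "none" means the "Encrypt added files" box was not ticked. Run it on the saved attachment bytes before step 3 of the decrypting procedure.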

20
Agency C&A Process - Stakeholder Training
Process Timeline
The C&A Process performed on applications and
systems is divided into phases and deliverables.
Application and system deliverables are broken
down further into concrete activities and tasks in
the Microsoft Project schedule.
21
Agency C&A Process - Stakeholder Training
C&A ELC Milestone Requirements
  • The C&A Customer Liaison Team (CLT) (within the
    Agency's Security Organization) provides formal
    guidance and stakeholder education related to the
    Certification & Accreditation deliverables by
    Enterprise Lifecycle (ELC) Milestones (MS)
  • Below is a list of Certification & Accreditation
    (C&A) deliverables as required by the Agency's
    Security Organization. These deliverables build
    beginning in Milestone 1. A presentation
    describing deliverables by Milestone is available
    from the CLT.
  • Boundary/Scope Memo (BSM)
  • System Security Plan (SSP)
  • Privacy Impact Assessment (PIA)
  • Information Technology Contingency Plan (ITCP)
  • Security Test & Evaluation (ST&E) Plan
  • Security Risk Assessment (SRA) (IT Security
    Engineering will produce)
  • Interconnection Security Agreement (ISA)
  • Security Assessment Report (SAR), produced
    after the completion of the ST&E

22
Agency C&A Process - Stakeholder Training
Boundary/Scope Meeting
Boundary/Scope Table of Contents
  • Overview
  • Conduct Boundary/Scope Meeting

23
Agency C&A Process - Stakeholder Training
Boundary/Scope Overview
  • Purpose
  • The purpose of the Boundary/Scope Meeting is to
    establish the scope of the application's/system's
    C&A review, confirm execution logistics, discuss
    the system's functionality and purpose, and
    identify all Stakeholders and C&A Team members.
  • Participants
  • C&A Team
  • PM and/or Team Lead (Documentation, Tester,
    Privacy Engineering)
  • SSP/ITCP/PIA Points of Contact (POCs)
  • Stakeholders
  • Business Unit Representatives
  • Application POC
  • Developers
  • System Administrators
  • DAA POC and/or BU POC
  • Scheduling
  • One hour is typically dedicated to the
    Boundary/Scope Meeting

24
Agency C&A Process - Stakeholder Training
Boundary/Scope: Conduct Boundary/Scope Meeting
The following activities will occur at the
Boundary/Scope Meeting:
  • Identify participants
  • Discuss the purpose of the meeting
  • Walk through the BSM
  • Validate the application name, Business Unit (BU),
    and BU and DAA POCs
  • Determine the production and development
    environments and the location of the system's
    developers
  • Discuss the appropriate location to conduct the
    working session
  • Review proposed C&A milestones and deliverables,
    identify black-out dates, and establish whether
    there is a hard deadline for completing the C&A
  • Verify and collect additional system information
    (e.g., system description, modules, and
    components)
  • Identify or confirm changes to the system
  • Identify all supporting General Support Systems
    (GSSs)
  • Discuss the system's scope and security
    categorization
  • Review POCs to obtain additional information
  • Identify the production deployment date, when the
    system will be available for testing
  • Walk through the working/validation agenda to
    identify who should attend

25
Agency C&A Process - Stakeholder Training
Boundary/Scope: Conduct Boundary/Scope Meeting
The following activities will take place at the
Boundary/Scope Meeting (continued):
  • Walk through the Working/Validation Agenda and
    obtain updates to the POCs who should attend each
    of the sessions
  • Discuss the Document Request List
  • Ensure stakeholders send the C&A Team all
    existing system documentation to prepare for the
    working session
  • Examples of typical documents existing for the
    system/application:
  • System Security Plan (SSP)
  • Information Technology Contingency Plan (ITCP)
  • Technical Contingency Planning Document (TCPD)
  • Risk Assessment
  • Installation Guides
  • User Manuals
  • Design Documents
  • Approved Deviation Requests
  • Discuss the Document Tracker
  • The document tracker will be used to record all
    documentation that has been received by the C&A
    Team
  • Discuss the e-mail subject naming convention
    ("C&A Initiative Business Unit-Application Name")
    and the use of WinZip for encrypting documents
    before sending them via email

26
Agency CA Process - Stakeholder Training
Working Sessions
Working Sessions Table of Contents
  • Overview
  • Pre-Working Session Preparation
  • Security Categorization
  • Conduct SSP Working Sessions
  • Day 1, Kickoff Meeting, Demo
  • Remaining Days
  • After Each Day
  • ITCP Working Sessions
  • PIA Working Sessions
  • Post-Working Sessions

27
Agency C&A Process - Stakeholder Training
Working Session Overview
  • Purpose
  • Gather information to develop/update the System
    Security Plan (SSP), IT Contingency Plan (ITCP),
    and Privacy Impact Assessment (PIA)
  • Pay additional attention to AC-17 and MA-4 to
    ensure that any access by vendors, contractors,
    etc. (such as call-back or call-home connections)
    is documented
  • Key Participants
  • C&A Team
  • Documentation Team Lead (including leads for SSP,
    ITCP, PIA, Engineering)
  • ST&E Team
  • Stakeholders
  • System POC(s)
  • Developers
  • System Administrators
  • Business Unit POC
  • Scheduling
  • Dates determined at the Boundary/Scope Meeting
  • Typical duration of a Working Session is 3 to 5
    days for applications, depending on complexity,
    and 10 days for a GSS

28
Agency CA Process - Stakeholder Training
Pre-Working Sessions Preparations
The following activities need to take place
before the Working Sessions
  • Work with System POC(s) to finalize Working
    Session agenda, distribute to CA Team and
    Stakeholders, and send calendar invitations
  • Kickoff meeting
  • Demo
  • SSP data gathering
  • ITCP information gathering
  • Coordinate with CA Team members and system POCs
  • If traveling to a site
  • Coordinate visitor request, laptop information,
    clearances, etc.
  • Work with System POC(s) to reserve a conference
    room
  • Review existing documentation and pre-populate
    the document templates
  • Distribute documents to CA Team and Stakeholders
  • Pre-populated documents v0.1
  • PDF of CA Schedule

29
Agency C&A Process - Stakeholder Training
Stakeholders' C&A Working/Validation Agenda
8:00 am Documentation Team arrives; 9:00 am Meeting
kick-off
  • Introductions
  • GSS/APPs Boundary Scopes
  • Finalize agenda/schedules
  • Conduct C&A Process Sessions

30

Agency C&A Process - Stakeholder Training
Stakeholders' C&A Working/Validation Agenda
(continued)
  • Conduct the C&A process as scheduled below
  • Business Unit - BU
  • System Developer - SD
  • System Administrator - SA
  • Database Administrator - DBA

34
Agency C&A Process - Stakeholder Training
Working Session: Security Categorization
  • Security Categorization is the foundational step
    in determining the level of effort required for a
    C&A
  • Security Categorization is performed early in the
    process (usually before the C&A kicks off)
  • Security Categorization is based on the
    information types processed, stored, or
    transmitted by the system/application, according
    to FIPS 199 and NIST SP 800-60
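The high-water-mark rule behind that categorization, as an added example that is not part of the presentation: each security objective is rated at the highest provisional impact of any information type the system handles, after any adjustments the business owner documents under NIST SP 800-60, and the overall categorization is the highest of the three objectives. The information types and impact levels in the sample are constructed for illustration, not taken from SP 800-60 Volume II.

```python
"""FIPS 199 categorization by the high-water mark.

Added example, not from the presentation. Each security objective is rated
at the highest provisional impact of any information type the system
handles, after any adjustment the owner documents under NIST SP 800-60, and
the overall categorization is the highest of the three objectives. The
information types and impact levels below are constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Tuple

LEVELS = ("low", "moderate", "high")            # FIPS 199 ordering
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> provisional (C, I, A) levels.
SAMPLE_INFO_TYPES = {
    "personal identity and authentication": ("moderate", "moderate", "moderate"),
    "public guidance material":            ("low",      "moderate", "low"),
    "payment processing":                  ("moderate", "high",     "moderate"),
}


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the sequence; 'low' if the sequence is empty."""
    ranks = [LEVELS.index(level.lower()) for level in levels]   # ValueError on bad input
    return LEVELS[max(ranks)] if ranks else "low"


def categorize(info_types: Dict[str, Tuple[str, str, str]],
               adjustments: Optional[Dict[Tuple[str, str], str]] = None
               ) -> Tuple[Dict[str, str], str]:
    """Return ({objective: level}, overall). `adjustments` maps
    (information type, objective) to a documented replacement level."""
    adjustments = adjustments or {}
    per_objective = {}
    for index, objective in enumerate(OBJECTIVES):
        per_objective[objective] = high_water_mark(
            adjustments.get((name, objective), cia[index])
            for name, cia in info_types.items())
    return per_objective, high_water_mark(per_objective.values())


def fips199_notation(per_objective: Dict[str, str]) -> str:
    """The SC = {(confidentiality, X), (integrity, Y), (availability, Z)} form."""
    return "SC = {" + ", ".join(
        f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES) + "}"


if __name__ == "__main__":
    levels, overall = categorize(SAMPLE_INFO_TYPES)
    print(fips199_notation(levels), "->", overall.upper())
```

With the sample as given, integrity drives the system to High; documenting an adjustment of the payment-processing integrity rating to Moderate drops the overall categorization to Moderate, which is the kind of decision the business owner has to record and defend.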

35
Agency C&A Process - Stakeholder Training
NIST SP 800-53 Controls
The following tables address the specific minimum
security controls and control baselines as
defined by NIST SP 800-53
PE security controls are assessed annually and
considered inherited unless the system is located
at a contractor site.
46
Working Session: Conduct SSP Working Sessions
First Day (Kickoff Meeting, Demo)
The following activities will take place during
the Working Sessions:
  • Introductions
  • Explain the C&A Process from start to finish, walk
    through the agenda, and identify the stakeholder
    roles that will need to participate
  • Discuss NIST guidance, controls, etc.
  • Explain common controls (GSS, Organizational, and
    PE Controls)
  • Explain GSS-level controls
  • Explain the layout of the SSP
  • Section 2, System Identification
  • Section 3, Management Controls
  • Section 4, Operational Controls
  • Section 5, Technical Controls
  • System/Network Diagram
  • Input/Output Diagram
  • MOUs/ISAs (inquire about connectivity to the
    Agency system from outside the Agency
    environment, such as call-back for maintenance or
    remote management)
  • e-Authentication Questionnaire

47
Working Session Conduct SSP Working Sessions
First Day (Kickoff Meeting, Demo)
The following activities will take place during
the Working Sessions
  • Gather information for Section 2 of SSP
  • System Name, Unique Identifier
  • System POCs
  • Operational Status
  • General Description/Purpose
  • System Environment
  • System Interconnections
  • Demo/walk through of System
  • Schedule during the Boundary Scoping Session

48
Agency CA Process - Stakeholder Training
Working Session Conduct SSP Working Sessions
The following activities will take place during
the Working Sessions (continued)
  • Discuss remainder of SSP controls
  • Management
  • Operational
  • Technical
  • Discuss the impact of the following controls on
    the enterprise infrastructure/applications
  • AC-17 (Remote Access) The organization
    authorizes, monitors, and controls all methods of
    remote access to the information system.
  • MA-4 (Remote Maintenance) The organization
    authorizes, monitors, and controls any remotely
    executed maintenance and diagnostic activities,
    if employed.

49
Agency C&A Process - Stakeholder Training
Working Session: ITCP
ITCP Working Sessions
  • Introductions
  • Explain the different documentation (BIA, ITCP,
    TT&E)
  • Explain the process for developing the ITCP
  • BIA, including Recovery Time Objectives (RTO)
  • ITCP
  • TT&E
  • Begin data gathering for the BIA
  • Use the ITCP/BIA Interview Guide
  • Begin data gathering for the ITCP
  • Continue with the ITCP/BIA Interview Guide
  • Post-ITCP Working Session
  • Let the System POCs know that you will follow up
    with an email listing any action items and
    requesting any information that has not yet been
    provided.

50
Agency C&A Process - Stakeholder Training
Working Session: ITCP
The BIA is a fact-finding process that provides
the foundation for the ITCP
  • A BIA is used to identify and prioritize the
    components of an application by linking them to
    the Agency business processes that they support
  • A BIA is conducted during the initial phase of
    building an ITCP, and it is included as an
    appendix to the ITCP
  • Interviews are conducted with key stakeholders to
    gather information about the application,
    including:
  • The Agency-wide critical business processes (CBP)
    and administrative/infrastructure (A/I) processes
    the application supports
  • The Recovery Time Objective (RTO), the maximum
    amount of time that may elapse before
    unavailability of the application causes an
    unacceptable impact on the Business Unit
    sub-processes, and the Recovery Point Objective
    (RPO), the point in time to which sub-process data
    must be recovered
  • Recovery priority and timeframe of recovery for
    application components (e.g., servers, files,
    etc.)
  • This information is used to develop procedures
    and strategies for recovering the application, if
    disrupted

51
Agency CA Process - Stakeholder Training
Working Session ITCP
An ITCP establishes procedures to recover and
resume normal operations of an application
following a disruption.
  • A full activation of the ITCP includes three
    phases
  • Notification/Activation
  • Notify proper personnel
  • Detect and assess damage
  • Activate the plan
  • Recovery
  • Identify and prioritize recovery activities
  • Restore temporary IT operations
  • Recover damage done to the original application
  • Reconstitution
  • Resume application processing capabilities to
    normal operations
  • Deactivate the plan

52
Agency CA Process - Stakeholder Training
Working Session ITCP
The ITCP data gathering process
  • Interviews are conducted with key stakeholders to
    gather information about the application,
    including
  • Key personnel and their roles/responsibilities
  • Threats to the application
  • Damage assessment procedures
  • Recovery procedures
  • Concurrent processing procedures
  • Off-site data storage details
  • Backup procedures
  • This information is used to develop procedures
    and strategies for recovering and resuming normal
    operations of the application, if disrupted
  • Data gathering for General Support Systems (GSS)
    may require separate sections for components and
    major systems

53
Agency C&A Process - Stakeholder Training
Working Session: PIA
Privacy Impact Assessment (PIA) Purpose
  • PIAs are completed on information systems
    collecting personally identifiable information
  • Examples: name, SSN, address, phone number,
    e-mail address, financial data and account
    numbers, biometric identifier, etc.
  • PIAs ensure that
  • The public is made aware of the information
    federal agencies collect about them
  • Any impact these systems have on personal privacy
    is adequately addressed
  • Only the necessary personal information is
    collected, nothing else
  • Conducting PIAs will allow the Agency to identify
    which of its systems contain Information in
    Identifiable Form (IIF). For those systems
    containing IIF, the PIA will serve as a platform
    to
  • Ensure that information handling conforms to
    applicable legal, regulatory, and policy
    requirements regarding privacy
  • Determine the risks and effects of collecting,
    maintaining, and disseminating IIF in an
    electronic information system
  • Examine and evaluate protections and alternative
    processes for handling information to mitigate
    potential privacy risks [1]
  • [1] Taken from the definition of PIA in OMB
    Memorandum M-03-22, "OMB Guidance for
    Implementing the Privacy Provisions of the
    E-Government Act of 2002," September 26, 2003.

54
Agency C&A Process - Stakeholder Training
Working Session: PIA
Privacy Impact Assessment (PIA) Purpose
(continued)
  • Additionally, conducting a PIA provides an
    opportunity to identify privacy risks associated
    with information systems. Formal PIAs provide a
    number of advantages over ad hoc evaluations.
    These advantages include:
  • Providing inputs (e.g., privacy risks) for
    required C&A reporting documents, including the
    POA&M, SAR, and SSP (Appendix)
  • Improving the understanding of a system's overall
    potential privacy risks, exposures, and
    liabilities
  • Providing a reliable basis for policy and system
    design decision making
  • Generating and improving public confidence, at
    the organizational level, by anticipating and
    addressing privacy concerns
  • Privacy Deliverables include:
  • Final Privacy Impact Assessment Questionnaire
  • Privacy Memo (officially signed by the Director
    of the Agency Office of Privacy), stating that
    all privacy risks were found acceptable

55
Agency C&A Process - Stakeholder Training
Working Session: Conduct Working Sessions,
After Each Day
The following activities will take place after
each day of the Working Sessions:
  • Prepare and distribute a recap
  • Attendees
  • Action Items
  • Information gathered by section and/or control
  • Documents received
  • Items for follow-up at the next working session
  • Distribute soft copies of documents to the entire
    team
  • Update the document tracker
  • Include CDs, hard copies, soft copies,
    screen captures, etc.

56
Agency C&A Process - Stakeholder Training
Working Session: Post-Working Sessions
The following activities will take place after
the Working Sessions have concluded:
  • Inform the team of next steps
  • One week for drafting the SSP and ITCP
  • Validation Session following drafting of the
    documents (including the PIA Working Session)
  • Confirm or change the Validation Session
  • PIA Working Session
  • Send calendar invitation

57
Agency CA Process - Stakeholder Training
Validation Sessions
Validation Sessions Table of Contents
  • Overview
  • Conduct Validation Session(s)
  • Post-Validation Session(s)
  • ITCP Validation Session(s)

58
Agency CA Process - Stakeholder Training
Validation Session Overview
  • Purpose
  • To validate the information documented in the
    System Security Plan (SSP), IT Contingency Plan
    (ITCP), and Privacy Impact Assessment (PIA) for
    accuracy, completeness, and validity
  • Participants
  • Stakeholders who were involved during the Working
    Sessions
  • CA Team
  • Duration
  • Typically 2 to 4 hours to validate the SSP
  • Typically 2 hours to validate the ITCP
  • Typically 1 hour for PIA Working Session
  • Note Refer to the GSS schedule template for
    Validation Session duration specifics.

59
Agency CA Process - Stakeholder Training
Conduct Validation Session(s)
The following activities will take place during
the Validation Session(s)
  • Review outstanding action items to ensure all
    issues have been addressed
  • Walk-through SSP to verify information is correct

60
Agency C&A Process - Stakeholder Training
ITCP Validation Session(s)
  • Address any questions, comments, and input the
    attendees have regarding the draft ITCP
  • Discuss any of your previous questions that
    followed the ITCP working session and are still
    outstanding
  • Walk through the BIA and ITCP to validate the
    existing information within the plan
  • Recap any information that is still needed, and
    follow up with an e-mail covering the same
    information

61
Agency CA Process - Stakeholder Training
ITCP Validation Session(s)
The following activities will take place after
the Validation Session(s):
  • Prepare and distribute recap
    • Attendees
    • Action Items
    • Information gathered by section and/or control
    • Documents received
    • For follow-up at the next validation sessions
  • Make updates as identified
  • Obtain an email from the DAA POC confirming that
    all information is complete and accurate before
    finalizing the documents and sending them to the
    CA Team and Stakeholders
  • Distribute updated documents to CA Team and
    Stakeholders

62
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
Purpose of conducting an STE:
  • The purpose of performing a Security Test and
    Evaluation (STE) is to evaluate the management,
    operational, and technical controls of the
    application/system, determine the effectiveness
    of these controls in operation, and identify
    vulnerabilities.
  • An STE will provide important insight into the
    effectiveness of the security controls that are a
    part of each Agency application, system, or GSS.

63
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
Security Categorization Impacts the Type of STE
Conducted
  • The Application/System business owner identifies
    the information types processed, stored, or
    transmitted by the application/GSS to determine
    the impact levels for confidentiality, integrity,
    and availability of the application/GSS and then
    categorizes the application as Low, Moderate, or
    High.
  • The type of STE that is conducted varies
    depending on the application's or GSS's security
    categorization.
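The categorization step above follows the FIPS 199 "high-water mark": each security objective's impact level is the maximum over all information types, and the overall category is the maximum across confidentiality, integrity, and availability. The script below is an added worked example, not part of the training deck; the information types and their impact levels are constructed sample values.

```python
"""
Added example (not from the training deck): FIPS 199 security
categorization of an application/GSS from the information types it
processes, stores, or transmits. Sample information types below are
constructed for illustration only.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> int:
        value = getattr(self, objective).lower()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        return LEVELS[value]


def categorize(info_types):
    """Return (per-objective impact levels, overall category).

    Per FIPS 199, each objective's impact is the maximum across the
    information types, and the system category is the maximum across
    the three objectives (the high-water mark).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    per_objective = {
        obj: NAMES[max(it.level(obj) for it in info_types)]
        for obj in OBJECTIVES
    }
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall


# Constructed sample: a hypothetical benefits application. Applicant
# PII drives confidentiality; the payment ledger drives integrity.
SAMPLE_APP = [
    InfoType("Applicant PII", "moderate", "moderate", "low"),
    InfoType("Payment ledger", "moderate", "high", "moderate"),
    InfoType("Public FAQ content", "low", "low", "low"),
]

if __name__ == "__main__":
    levels, category = categorize(SAMPLE_APP)
    for obj in OBJECTIVES:
        print(f"{obj:16s} {levels[obj]}")
    print(f"overall category: {category}")
```

Because a single High information type raises the whole system to High, the STE scope (and cost) is decided by the highest-impact data the system touches, which is why the business owner's inventory of information types needs to be complete before the test plan is written.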

64
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
Developing an STE Test Plan
  • The STE Test Plan is based on the information
    collected from several key documents that are
    created as a part of the Certification and
    Accreditation (CA) process, such as:
    • System Security Plan (SSP): an SSP is a document
      that provides an overview of the security
      requirements of the system and describes the
      current implementation status (in place,
      planned, etc.) of the minimum security controls
      and roles and responsibilities.
    • Information Technology Contingency Plan (ITCP):
      the ITCP is a document that contains a strategy,
      procedures, and technical measures that enable
      the recovery of IT systems, operations, and data
      after a disruption.
    • Privacy Impact Assessment (PIA): the PIA is a
      process used to evaluate the impact that
      information systems have on an individual. The
      PIA process is designed to guide agency system
      developers and operators in assessing privacy
      through the early stages of development.

65
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
Types of personnel that need to be involved in
developing an accurate SSP and ITCP and in
conducting a thorough and complete STE:
  • Business primary Points of Contact (POCs)
  • Application developers
  • Application administrators
  • Operating system administrators
  • Database administrators
  • System operators
  • Security administrators
  • STE Team members

66
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
ITCP
  • An ITCP test is conducted in conjunction with an
    STE; however, it is not part of the STE and is
    facilitated by the CA Documentation Team.
  • Testing, Training, and Exercise (TTE), also
    known as a Table Top Exercise, usually includes
    the following testing areas:
    - Preparations
    - Notification/Activation
    - Recovery
    - Reconstitution
    - Plan Deactivation
  • Note: The STE should always be conducted in the
    production environment. When this is not
    possible, the issue has to be raised by the BU
    stakeholders and resolved during the initial CA
    Working Sessions. When an STE is conducted in a
    development or test environment rather than the
    production environment, those environments must
    replicate the production environment, and all
    technical tests will need to be retested once the
    production environment is available. This
    scenario requires additional funding to support
    the additional STE activity and must be
    identified early in the process.

67
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
General STE Process Comments
  • Throughout the STE process, BU personnel have
    numerous opportunities to review and provide
    input to the final SSP and ITCP that are used to
    develop the STE test plan for a particular
    application or GSS.
  • BU personnel are given an opportunity to review
    and discuss the STE plan that is developed for a
    particular application or GSS.
  • It is critical to the success of an STE that a
    stable and accurate SSP, ITCP, and Application or
    GSS Inventory are completed prior to beginning
    the STE testing of an application or GSS.
  • The Agency conducts many STEs during each FISMA
    reporting cycle. This often means that several
    STEs will be occurring during the same time
    frame, which makes for a complex STE schedule.
    To minimize impact on the STE master testing
    schedule and on all STE participants, it is
    important that all parties associated with each
    STE complete their STE-related work so that the
    STE occurs within the projected master STE
    schedule timeframe.

68
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
General STE Process Comments (continued)
  • Stakeholders: assigning the right people to
    participate in the STE is critical to the
    success of the STE and will minimize
    unnecessary findings. When the individual
    participating in an STE test does not know the
    answer to an STE question, or does not provide
    the correct information to answer the question,
    the result is an STE finding. Stakeholders can
    avoid these types of unnecessary findings by
    assigning the right resources to participate in
    the STE and ensuring those key resources are
    present during the STE testing.
  • After an STE is completed for an application or
    GSS, the results are provided to the CA
    Documentation Team for analysis and inclusion in
    the final CA package. BU stakeholders will
    receive the results prior to the Stakeholder
    Outbrief meeting, which is conducted after that
    analysis and before the CA package is submitted
    to the Certification Agent and the Designated
    Approving Authority for review and signature.
  • Issue Resolution: Stakeholders will be given the
    opportunity to correct findings and provide
    additional evidence in a very short turnaround,
    prior to the Stakeholder Outbrief. Instructions
    will be provided when the results are
    distributed.
  • The STE Test Team members are not the personnel
    who make the determination as to whether an
    application or GSS is to receive an Authority to
    Operate (ATO) or an Interim Authority to Operate
    (IATO).

69
Agency CA Process - Stakeholder Training
Security Test Evaluation (STE) Process
  • Types of Security Control Tests that are
    performed during an STE of an application or
    GSS:
    • Management
    • Operational
    • Technical
  • These three types of controls are defined in
    NIST SP 800-53 and determined during the SSP
    development
  • Some test cases will be Organizational or GSS
    Common Controls
  • Technical and Operational Controls can include
    test cases related to many application/system
    areas such as:
    - Auditing
    - Databases
    - COTS Products
    - Media Protection
    - Operating System
    - Telecommunications
    - Contingency Planning

70
Test, Training Exercise (TTE) Training
Pre-TTE
The following activities will take place before
the TTE:
Invite TTE Attendees
  • Application
    • ITCP Director
    • ITCP Coordinator
    • Recovery Personnel, including Database
      Administrators, System Administrators,
      Developers, and Production Support Staff
    • Business Unit Personnel
    • Test Team and Agency's Security Organization
      will be Observers
  • GSS
    • ITCP Plan Director
    • ITCP Incident Commander
    • ITCP Recovery Coordinator
    • ITCP Component Coordinator
    • ITCP BU Coordinator
    • ITCP Application Recovery Teams
    • ITCP Component Recovery Teams
    • Business Unit Personnel
    • Test Team and Agency's Security Organization
      will be Observers

71
Agency CA Process - Stakeholder Training
Test, Training Exercise (TTE) Training
TTE Table of Contents
  • Overview

72
Agency CA Process - Stakeholder Training
TTE Training Overview
TTE Overview
  • Designed to train essential personnel on the
    Information Technology Contingency Plan (ITCP)
    and to provide a forum to talk through a
    realistic emergency scenario whereby the ITCP
    needs to be activated and exercised
  • Developed to prepare personnel for an emergency
    situation and to ensure key personnel have a
    forum to talk through their roles and
    responsibilities, discuss what they would do
    during the emergency situation, and communicate
    how they would respond to the events
  • Created so lessons can be drawn and recorded from
    the exercise, changes can be made to the plan to
    represent the flow of information and
    communication among essential personnel, and
    staff will be prepared in the event of an actual
    emergency situation
  • Implemented to enhance understanding of the key
    communication, coordination, and information
    necessary during the three key ITCP phases
    Notification/Activation, Recovery, and
    Reconstitution
  • Upholds the following:
    • Public Law 107-347, E-Government Act of 2002,
      the Federal Information Security Management Act
      of 2002 (FISMA 2002), which requires security
      awareness training, review of responsibilities
      regarding policies and procedures, periodic
      testing and training associated with upholding
      information security policies and principles,
      and a process for addressing policy and
      procedure deficiencies
    • Federal Preparedness Circular FPC 65, Federal
      Executive Branch Continuity of Operations, June
      15, 2004, which requires regular testing,
      training, and exercises of the agency's
      equipment, personnel, systems, processes, and
      procedures during a COOP event
    • National Institute of Standards and Technology
      Special Publication 800-34, Contingency Planning
      Guide for Information Technology Systems, June
      2002

73
Agency CA Process - Stakeholder Training
Security Assessment Report (SAR)
SAR Table of Contents
  • Overview

74
Agency CA Process - Stakeholder Training
SAR Overview
  • Definition
    • As defined within NIST SP 800-37, the SAR
      provides the results of assessing the security
      controls in the information system to determine
      the extent to which the controls are implemented
      correctly, operating as intended, and producing
      the desired outcome with respect to meeting the
      system security requirements. In addition, the
      SAR can also contain a list of recommended
      corrective actions.
  • Purpose
    • The purpose of the Security Assessment Report
      (SAR) is to provide the Certifier and the
      Designated Approving Authority with a more
      holistic view of risk regarding the
      GSS/application. It documents the security
      assessment activities that were performed on the
      application and the results of those activities,
      including STE, PIA, e-Authentication Assessment,
      audits, and any other risk assessment activities
      (e.g., Risk Based Review).
  • Duration
    • Typically 5 days

75
Agency CA Process - Stakeholder Training
Risk Overview Activities
Risk Overview Table of Contents
  • Risk Overview CA Package Preparation
  • Risk Overview/Stakeholder Outbrief Activities
  • Preparation of Final CA Package
  • Stakeholder Outbrief Meeting

76
Agency CA Process - Stakeholder Training
Risk Overview CA Package Preparation
  • CA Package Preparation
    • Update all CA documentation to reflect the
      current information
    • Put all files in the correct naming convention
    • Ensure draft watermarks are removed
    • Quality assurance
    • Send documents to Agency's Security Organization
      and the CA mailbox

77
Agency CA Process - Stakeholder Training
Stakeholder Outbrief Meeting
The following activities will take place prior to
the Stakeholder Outbrief Meeting:
  • CA Documentation Team will update the documents
    based on the Risk Overview session
  • CA Documentation Team will send the finalized
    CA package to the participants of the scheduled
    Stakeholder meeting
    • For Applications, send documents out 3 days
      prior to the stakeholders' meeting
    • For GSSs, send documents out 5 days prior to
      the stakeholders' meeting

78
Agency CA Process - Stakeholder Training
Stakeholder Conclusion
The CA Process comes to its conclusion
  • After the Stakeholder Outbrief Meeting, the
    entire CA package goes to the Certifier for
    review, signature, and approval
  • After the Certifier signs the Certification Memo,
    CPO will send the signed Certification Memo and
    CA package to the business unit security PMO
    with a request to schedule the DAA Outbrief
  • A DAA Outbrief will be held to walk the DAA
    through the CA package, and by the end of the
    session the DAA's approval and signature on the
    Accreditation Memo will be requested
  • By signing, the DAA accepts all risks of the
    application or GSS identified during the CA
    process and will work to develop strategies for
    addressing issues. A POAM will be created,
    updated, and monitored by the business unit, with
    progress reported quarterly.

79
Agency CA Process - Stakeholder Training
Critical Success Factors
A Successful CA Process Depends on You
  • Partnership between all stakeholders (Business
    Units) is crucial in successfully completing
    Certification and Accreditation activities
  • Engagement by business units to efficiently and
    effectively complete tasks
  • Security documentation is only as good as the
    information provided
  • Ultimately, the contents of the security
    documents are the responsibility of the business
    owner, who will be responsible for maintaining
    the documents
  • Establishing a baseline of NIST-compliant CA
    documents will have a positive impact on future
    costs
  • Staying on schedule: 1/3 of applications/GSSs
    must be certified each FISMA cycle (annually)

80
Agency CA Process - Stakeholder Training
Your role as a Key Stakeholder in CA
  • Actively engage in the Boundary/Scope, Working,
    and Validation sessions
    • Ensure you understand the questions and the
      evidence required
  • Actively engage in the Security Test Evaluation
    (STE)
    • Ensure you understand the test case questions
    • Work closely with the STE Team to ensure your
      responses completely answer the test case
      question
  • Elevate concerns early through the CA Team Lead
    or your business unit security PMO
  • Help CPO ensure all of the right stakeholders are
    engaged throughout the process
  • If you cannot answer the test case question, help
    the CA Test Team identify the right person to
    respond to that question
  • The goal is to document the current
    implementation status of the security controls
    and then validate the current implementation
    status of the required security controls through
    independent testing
  • It is not CPO's intent to trick people into
    providing the wrong response; it is to ensure the
    correct people are asked the right questions
  • Understand the expectation for engagement and the
    time commitment at the kick-off of the CA

81
Agency CA Process - Stakeholder Training
Who are the right people and what will they do?
  • Who are the right people to participate in CA
    activities?
    • Someone with a working knowledge of how the
      controls have been implemented for the
      application being assessed
    • Someone with knowledge of how the application
      is managed and operated
  • What will they do?
    • Participants will need to attend conference
      calls/meetings as scheduled
    • Participants will need to engage and provide
      input throughout the process
    • Participants will need to provide evidence and
      documentation in a timely manner
    • Participants will need to carefully review and
      provide feedback on the CA documentation as
      scheduled for the Stakeholder Outbrief

82
Agency CA Process - Stakeholder Training
Success Indicators and Expected Outcomes
  • An added layer in the Agency defense-in-depth
    approach to security
  • Consistent identification of risks, presenting
    an opportunity to proactively resolve or mitigate
    weaknesses before they are exploited, resulting
    in better security for the application and
    across the enterprise
  • Reusable NIST-compliant test cases for:
    • Verification of resolution
    • Continuous monitoring
  • Informed stakeholders and DAA
  • Solid, defensible NIST-compliant CA package
  • Improved FISMA reporting, improved audit reviews,
    improved GAO reviews
  • Demonstrates security commitment and
    accountability
  • Facilitates E300 Funding

83
Questions?
Agency CA Process - Stakeholder Training