Strategic Security Intelligence


NSTSSI Security Education Standards


Standards


Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved



                      MINIMAL INFOSEC PERFORMANCE STANDARD FOR THE DAA





Job functions using competencies identified in:


DoD 5200.28-M, Automated Data Processing Security Manual
NCSC-TG-027, Version 1, A Guide To Understanding Information System Security Officer
  Responsibilities For Automated Information Systems
NCSC-TG-029, Version 1, Introduction to Certification and Accreditation
NCSC-TG-005, Trusted Network Interpretation
FIPS Publication 102, Guideline for Computer Security Certification and Accreditation
  

The INFOSEC functions of a DAA are:


             (1)     granting final approval to operate an IS or network in a specified security mode;
             (2)     reviewing the accreditation documentation to confirm that the residual risk is within
                     acceptable limits;
             (3)     verifying that each Information System complies with the IS security requirements, as
                     reported by the Information Systems Security Officer (ISSO);
             (4)     ensuring the establishment, administration, and coordination of security for systems
                     that agency, service, or command personnel or contractors operate;
             (5)     ensuring that the Program Manager (PM) defines the system security requirements for
                     acquisitions;
             (6)     assigning INFOSEC responsibilities to the individuals reporting directly to the DAA;
             (7)     approving the classification level required for applications implemented in a network
                     environment;
             (8)     approving additional security services necessary to interconnect to external systems
                     (e.g., encryption and non-repudiation);
             (9)     reviewing the accreditation plan and signing the accreditation statement for the
                     network and each IS;
             (10)    defining the criticality and sensitivity levels of each IS;
             (11)    reviewing the documentation to ensure each IS supports the security requirements as
                     defined in the IS and network security programs;
             (12)    allocating resources to achieve an acceptable level of security and to remedy security
                     deficiencies;
             (13)    establishing working groups, when necessary, to resolve issues regarding those systems
                     requiring multiple or joint accreditation.  This may require documentation of
                     conditions or agreements in Memoranda of Agreement (MOA); and
             (14)    ensuring that when classified or sensitive but unclassified information is exchanged
                     between logically connected components, the content of this communication is
                     protected from unauthorized observation by acceptable means, such as cryptography
                     and Protected Distribution Systems (PDS).

Terminal Objective:

                     
Given a final report requesting approval to operate a hypothetical 
information system at a specified level of trust, the DAA will analyze
and judge the information for validity and reliability to ensure the
hypothetical system will operate at the proposed level of trust.  This
judgement will be made based on system architecture, system security
measures, system operations policy, system security management plan, and
provisions for system operator and end user training.


List of performance items under competencies

In each of the competency areas listed below, the DAA shall perform the following functions: