NSTSSI Security Education Standards
MINIMAL INFOSEC PERFORMANCE STANDARD FOR THE DAA

Job functions using competencies identified in:

DoD 5200.28-M, Automated Data Processing Security Manual
NCSC-TG-027, Version 1, A Guide To Understanding Information System Security Officer Responsibilities For Automated Information Systems
NCSC-TG-029, Version 1, Introduction to Certification and Accreditation
NCSC-TG-005, Trusted Network Interpretation
FIPS Publication 102, Guideline for Computer Security Certification and Accreditation

The INFOSEC functions of a DAA are:

(1) granting final approval to operate an IS or network in a specified security mode;
(2) reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits;
(3) verifying that each Information System complies with the IS security requirements, as reported by the Information Systems Security Officer (ISSO);
(4) ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate;
(5) ensuring that the Program Manager (PM) defines the system security requirements for acquisitions;
(6) assigning INFOSEC responsibilities to the individuals reporting directly to the DAA;
(7) approving the classification level required for applications implemented in a network environment;
(8) approving additional security services necessary to interconnect to external systems (e.g., encryption and non-repudiation);
(9) reviewing the accreditation plan and signing the accreditation statement for the network and each IS;
(10) defining the criticality and sensitivity levels of each IS;
(11) reviewing the documentation to ensure each IS supports the security requirements as defined in the IS and network security programs;
(12) allocating resources to achieve an acceptable level of security and to remedy security deficiencies;
(13) establishing working groups, when necessary, to resolve issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA); and
(14) ensuring that when classified or sensitive but unclassified information is exchanged between logically connected components, the content of this communication is protected from unauthorized observation by acceptable means, such as cryptography and Protected Distribution Systems (PDS).

Terminal Objective: Given a final report requesting approval to operate a hypothetical information system at a specified level of trust, the DAA will analyze and judge the information for validity and reliability to ensure the hypothetical system will operate at the proposed level of trust. This judgement will be made based on system architecture, system security measures, system operations policy, system security management plan, and provisions for system operator and end user training.

List of performance items under competencies

In each of the competency areas listed below, the DAA shall perform the following functions: