NSTISSI Security Education Standards
2. CONDUCTING REGISTRATION

a. System Certification Memorandum of Understanding (MOU) or Other Instruments
   1) propose the development of an MOU or other appropriate instruments;
   2) describe the purpose, scope, and contents of a particular MOU or other instruments;
   3) identify the respective parties and their roles;
   4) discuss anticipated challenges to an MOU or other instruments;
   5) explain the various details of an MOU or other instruments;
   6) interpret the agreements specified in an MOU or other instruments;
   7) use an MOU or other instruments to define the responsibilities and requirements for team members with specialized knowledge;
   8) use an MOU or other instruments to assist in System Security Authorization Agreement (SSAA) and other policy development;
   9) comply with the requirements of a system certification MOU or other instruments;
   10) verify the integrity of an MOU or other instruments; and
   11) report the status of MOUs or other instruments to the Designated Approving Authority (DAA).

b. Collect Security Requirements
   1) describe the security requirement collection process;
   2) research security requirements; and
   3) describe to the DAA, program management office (PMO), etc., the appropriate requirements for system security.

c. Knowledge and/or Awareness of Security Laws Required for the System Being Evaluated
   1) explain the applicable laws, statutes, and regulations;
   2) discuss how the system will operate according to legal mandates; and
   3) identify the organizational point of contact for legal advice.

d. Audit Collection Requirements
   1) describe the audit collection requirements relative to system certification; and
   2) assist in the identification of audit requirements.

e. Coordination with Related Disciplines
   1) discuss the role of related security disciplines in the overall protection of the system;
   2) describe the related security disciplines and how they apply to the certification of the system; and
   3) identify the related disciplines needed for the certification team.

f. Configuration Control Policies
   1) advise in the development of configuration control policies;
   2) assess the system configuration control plan against policy; and
   3) report to the DAA the deficiencies/discrepancies in the configuration control policy.

g. Contingency Planning
   1) assess the need for contingency planning;
   2) propose contingency planning activities;
   3) discuss the contingency planning process;
   4) assess contingency planning; and
   5) report to the DAA any discrepancies or deficiencies in contingency plans.

h. Personnel Selection
   1) explain the criteria for personnel selection for the certification team; and
   2) perform personnel selection for the certification team based on the requisite skills for the information system (IS) involved.

i. Roles and Responsibilities
   1) identify and define the roles and responsibilities of the certification team; and
   2) propose the roles and responsibilities of individual certification team members.

j. Scope and Parameters of the Certification
   describe, define, and present the scope and parameters of the certification.

k. Set Certification Process Boundaries
   1) define and describe the certification process boundaries; and
   2) identify and propose the boundaries of the certification process.

l. Risk Management
   1) select the appropriate risk management methodology for the IS to be certified;
   2) discuss the risk management methodology and threat mitigation using examples and explanations; and
   3) describe the risk management methodology appropriate to the certification of the system.

m. System Description
   verify that the system description is consistent with the documented mission need.

n. System Security Policy
   1) ensure the development and inclusion of a comprehensive system security policy; and
   2) assess the policy to ensure it conforms with applicable laws and directives and with data owner requirements.

o. Budget/Resources Allocation
   1) define and describe budget elements related to the certification process; and
   2) identify the resource requirements necessary to accomplish the certification process.

p. Timeline/Scheduling
   1) establish certification milestones; and
   2) relate the milestones to roles and responsibilities.

q. Life-Cycle System Security Planning
   1) assess life-cycle security planning against requirements, directives, and laws;
   2) describe life-cycle security planning; and
   3) assist in life-cycle security planning with respect to the certification requirements.