Strategic Security Intelligence

NSTSSI Security Education Standards


Top - Help

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


    a. System Certification Memorandum of Understanding (MOU) or Other

        1)  propose the development of an MOU or other appropriate instruments;
        2)  describe the purpose, scope, and contents of a particular MOU or other
        3)  identify the respective parties and their roles;
        4)  discuss anticipated challenges to an MOU or other instruments;
        5)  explain the various details of an MOU or other instruments;
        6)  interpret the agreements specified in an MOU or other instruments;
        7)  use an MOU or other instruments to define the responsibilities and requirements for team members with specialized knowledge;
        8)  use an MOU or other instruments to assist in SSAA and other policy
        9)  comply with the requirements of a system certification MOU or other
        10) verify the integrity of an MOU or other instruments; and
        11) report the status of MOUs or other instruments to the DAA.

    b. Collect Security Requirements

        1)  describe the security requirement collection process;
        2)  research security requirements; and
        3)  describe to the DAA, program management office (PMO), etc., the appropriate requirements for system security.

    c. Knowledge and/or Awareness of Security Laws Required for System Being

        1)  explain the applicable laws, statutes, and regulations;
        2)  discuss how the system will operate according to legal mandates; and
        3)  identify the organizational point of contact for legal advice.

    d. Audit Collection Requirements

        1)  describe the audit collection requirements relative to system certification;
        2)  assist in the identification of audit requirements.

    e. Coordination with Related Disciplines

        1)  discuss the role of related security disciplines in the overall protection of the
        2)  describe the related security disciplines and how they apply to the certification of the system; and
        3)  identify the related disciplines needed for the certification team.

    f. Configuration Control Policies

        1)  advise in the development of configuration control policies;
        2)  assess the system configuration control plan against policy; and
        3)  report to the DAA the deficiencies/discrepancies in the configuration control

    g. Contingency Planning

        1)  assess the need for contingency planning;
        2)  propose contingency planning activities;
        3)  discuss the contingency planning process;
        4)  assess contingency planning; and
        5)  report to the DAA any discrepancies or deficiencies in contingency plans.

    h. Personnel Selection

        1)  explain the criteria for personnel selection for the certification team; and
        2)  perform personnel selection for the certification team based on the requisite skills for the IS involved.

    i. Roles and Responsibilities

        1)  identify and define the roles and responsibilities of the certification team;
        2)  propose the roles and responsibilities of individual certification team

    j. Scope and Parameters of the Certification

        describe, define, and present the scope and parameters of the certification.

    k. Set Certification Process Boundaries

        1)  define and describe the certification process boundaries; and
        2)  identify and propose the boundaries of the certification process.

    l. Risk Management

        1)  select the appropriate risk management methodology for the IS to be
        2)  discuss the risk management methodology and threat mitigation using examples and explanations; and
        3)  describe the risk management methodology appropriate to the certification of the system.

    m. System Description

        verify that the system description is consistent with the documented mission

    n. System Security Policy

        1)  ensure the development and inclusion of a comprehensive system security policy; and
        2)  assess policy to ensure it conforms with applicable laws and directives and data owner requirements.

    o. Budget/Resources Allocation

        1)  define and describe budget elements related to the certification process; and
        2)  identify the resource requirements necessary to accomplish the certification

    p. Timeline/Scheduling

        1)  establish certification milestones; and
        2)  relate the milestones to roles and responsibilities.

    q. Life-Cycle System Security Planning

        1)  assess life-cycle security planning against requirements, directives and
        2)  describe life-cycle security planning; and
        3)  assist in life-cycle security planning with respect to the certification