Strategic Security Intelligence


NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


2. CONDUCTING REGISTRATION

    a. System Certification Memorandum of Understanding (MOU) or Other Instruments


        1)  propose the development of an MOU or other appropriate instruments;
        2)  describe the purpose, scope, and contents of a particular MOU or other instruments;
        3)  identify the respective parties and their roles;
        4)  discuss anticipated challenges to an MOU or other instruments;
        5)  explain the various details of an MOU or other instruments;
        6)  interpret the agreements specified in an MOU or other instruments;
        7)  use an MOU or other instruments to define the responsibilities and requirements for team members with specialized knowledge;
        8)  use an MOU or other instruments to assist in System Security Authorization Agreement (SSAA) and other policy development;
        9)  comply with the requirements of a system certification MOU or other instruments;
        10) verify the integrity of an MOU or other instruments; and
        11) report the status of MOUs or other instruments to the Designated Approving Authority (DAA).

                     
               b. Collect Security Requirements
                     

                     1)    describe the security requirement collection process;
                     2)    research security requirements; and
                     3)    describe to the DAA, program management office (PMO), etc., the
appropriate requirements for system security.                                          


    c. Knowledge and/or Awareness of Security Laws Required for System Being Evaluated

        1)  explain the applicable laws, statutes, and regulations;
        2)  discuss how the system will operate according to legal mandates; and
        3)  identify the organizational point of contact for legal advice.
                     
               
    d. Audit Collection Requirements

        1)  describe the audit collection requirements relative to system certification; and
        2)  assist in the identification of audit requirements.


    e. Coordination with Related Disciplines

        1)  discuss the role of related security disciplines in the overall protection of the system;
        2)  describe the related security disciplines and how they apply to the certification of the system; and
        3)  identify the related disciplines needed for the certification team.

    f. Configuration Control Policies

        1)  advise in the development of configuration control policies;
        2)  assess the system configuration control plan against policy; and
        3)  report to the DAA the deficiencies/discrepancies in the configuration control policy.
        

    g. Contingency Planning

        1)  assess the need for contingency planning;
        2)  propose contingency planning activities;
        3)  discuss the contingency planning process;
        4)  assess contingency planning; and
        5)  report to the DAA any discrepancies or deficiencies in contingency plans.
                  
   
    h. Personnel Selection

        1)  explain the criteria for personnel selection for the certification team; and
        2)  perform personnel selection for the certification team based on the requisite skills for the information system (IS) involved.
                  

    i. Roles and Responsibilities

        1)  identify and define the roles and responsibilities of the certification team; and
        2)  propose the roles and responsibilities of individual certification team members.


    j. Scope and Parameters of the Certification

        describe, define, and present the scope and parameters of the certification.
                  

    k. Set Certification Process Boundaries

        1)  define and describe the certification process boundaries; and
        2)  identify and propose the boundaries of the certification process.

    l. Risk Management

        1)  select the appropriate risk management methodology for the IS to be certified;
        2)  discuss the risk management methodology and threat mitigation using examples and explanations; and
        3)  describe the risk management methodology appropriate to the certification of the system.

                                                                                     
    m. System Description

        verify that the system description is consistent with the documented mission need.
                                           
    n. System Security Policy

        1)  ensure the development and inclusion of a comprehensive system security policy; and
        2)  assess policy to ensure it conforms with applicable laws and directives and data owner requirements.

               
    o. Budget/Resources Allocation

        1)  define and describe budget elements related to the certification process; and
        2)  identify the resource requirements necessary to accomplish the certification process.
               
                  
    p. Timeline/Scheduling

        1)  establish certification milestones; and
        2)  relate the milestones to roles and responsibilities.


    q. Life-Cycle System Security Planning

        1)  assess life-cycle security planning against requirements, directives, and laws;
        2)  describe life-cycle security planning; and
        3)  assist in life-cycle security planning with respect to the certification requirements.