NSTSSI Security Education Standards
4. PREPARING SSAA a. Access Control Policies 1) categorize access control policies; 2) describe access control policies; and 4) relate access control policies to appropriate "umbrella" guidance and policies. b. Security Policies and Procedures 1) define and understand the topics that security policies and procedures must address as part of the certification process; 2) discuss the impact of policy and procedures on risk and operations; 3) explain how the system operating policies and procedures define the implementation of the security requirements; 4) integrate the identified security policies and procedures (i.e., audit policies, access control policies) as minimum requirements into the ST&E plan; 5) interpret the relationship between security policy and procedures and the security requirements; 6) assist the DAA, program manager (PM), and user in understanding the security policies and procedures; and 7) describe the security solutions and implementations that meet the specified system security requirements. c. Documentation Policies 1) identify documentation policies that apply to the preparation of the SSAA; and 2) ensure that the appropriate documentation policies are followed in preparing the SSAA. d. Requirements Derivation 1) categorize security certification requirements; 2) discuss how technical and non-technical security requirements are derived; 3) identify requirements that are applicable to the system under certification and accreditation; 4) identify the source of the security requirements; 5) identify the source of the security requirements for use during negotiations, development of the SSAA, and compliance validation; 6) interpret security requirements for the specific mission, environment, data classification level, and architecture; 7) summarize the security requirements and construct a requirements traceability matrix (RTM); 8) use security requirements to assist in the development of ST&E plans; 9) verify that security certification requirements are included in the ST&E plan; and 10) explain the security requirements in order to develop a common understanding among the DAA, PM, and Certification Authority. e. Understand Mission 1) describe the system mission focusing on the security relevant features of the system required for the SSAA; 2) discuss the purpose of the system and its capabilities in the SSAA; 3) explain the impact of the mission statement on security requirements; 4) summarize the mission and prepare a summary for the SSAA; and 5) use the mission statement to identify applicable security certification requirements in the SSAA. f. Security Domains 1) identify any specific security domains as they apply to the system mission and function; and 2) relate the interactions between different security domains in support of the system mission and functions. g. System Description 1) appraise the system concept of operations (CONOPS); 2) assess the system's criticality and its impact on the level of risk that is acceptable; 3) define the system user's characteristics and clearances; 4) define the security clearances of the user population and the access rights to restricted information; 5) define the type of data and data sensitivity; 6) describe the system CONOPS and security CONOPS in the SSAA; 7) describe the system criticality in the SSAA; 8) describe the system functions and capabilities; 9) examine the mission to determine the national security classification of the data processed; 10) identify the system acquisition strategy and system life-cycle phase; and 11) use the data sensitivity and labeling requirements to determine the system classification. h. Environment and Threat Description 1) derive the system operating environment and threat descriptions from the mission documentation; and 2) prepare a description of potential threats based upon an analysis of the operating environment, and the system development environment for inclusion in the certification reports for the DAA. I. System Operating Environment 1) describe the administrative security procedures appropriate for the system being certified; 2) analyze the physical environment in which the system will operate; address all relevant parts of the system's environment, including descriptions of the physical, administrative, developmental, and technical areas; describe any known or suspected threats specifically to be considered for the described environment; 3) describe the security features that will be necessary to support site operations (the physical security description should consider safety procedures for personnel operating the equipment); 4) identify maintenance procedures needed to ensure physical security protection against unauthorized access to protected information or system resources; 5) identify procedures needed to counter potential threats that may come from inside or outside of the organization; 6) identify the physical support features of the facility, including air conditioning, power, sprinkler system, fences, and extension of walls from true-floor to true- ceiling construction, sensitive space, work space, and the building; 7) determine if training procedures match the users' levels of responsibility, and provide information on potential threats and how to protect information; and 8) identify aspects of physical security, such as a defined secure work area; the means used to protect storage media (e.g., hard drives and removable disks); protecting access to workstation ports (e.g., communication ports); a controlled area for shared resources (e.g., databases and file servers); and the means of protection used for cable plant and communication hubs and switches which are used to connect workstations and shared resources. j. System Development, Integration, and Maintenance Environment 1) describe the system development approach and the environment within which the system will be developed and maintained; 2) describe the information access and configuration control issues for the system; and 3) determine the appropriate types of system development and maintenance environments. k. Threat Description and Risk Assessment 1) define, in conjunction with the system owner, the potential threats that can affect the confidentiality, integrity, and availability of the system; clearly stating the nature of the threat that is expected, and where possible, the expected frequency of occurrence; 2) identify threats, such as penetration attempts by hackers, damage or misuse by disgruntled or dishonest employees, and misuse by careless or inadequately trained employees; 3) identify unintentional human error, system design weaknesses, and intentional actions on the part of authorized, as well as unauthorized users that can cause these events; and 4) describe insider threat, including the good intentions of a trusted employee who circumvents security in order to accomplish the job. l. System Architectural Description 1) describe the accreditation boundary of the system; 2) describe the system architecture including the configuration of any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information that includes computers, ancillary equipment, software, firmware, and similar procedures and services, including support services and related resources; 3) describe the system's internal interfaces and data flows; 4) identify and describe the system's external interfaces and the relationship between the interfaces and the system; 5) describe the proposed and appropriate hardware and its function (NOTE: hardware is the physical equipment, as opposed to programs, procedures, rules, and associated documentation); 6) describe the proposed and appropriate software and its intended use (NOTE: software includes the entire set of application programs, software procedures, software routines, and operating system software associated with the system; this includes manufacturer-supplied software, other commercial off-the-shelf software, and all program- generated application software); 7) determine the types of data and the general methods for data transmission (NOTE: if specific transmission media or interfaces to other systems are necessary, these needs may influence the security requirements for the system); 8) develop an overview of the internal system structure including the anticipated hardware configuration, application software, software routines, operating systems, remote devices, communications processors, networks, and remote interfaces; 9) develop diagrams or text to explain the flow of critical information from one component to another; 10) identify and include diagrams or text that clearly delineate the components that are to be evaluated as part of the C&A task; 11) identify components which are not to be included in the evaluation; and 12) prepare a high level overview of the types of hardware, software, firmware, and associated interfaces envisioned for the completed system. m. Identify C&A Organizations and Resources 1) enlist the assistance of a contractor team or other government organizations (NOTE: the CA has the responsibility to form the team, coordinate the C&A activities, conduct the analysis, and prepare or validate the SSAA); 2) identify the appropriate statutory authorities, and the resource and training requirements necessary to conduct the certification; 3) identify the organizations, individuals, and titles of the key authorities involved in the C&A process; 4) determine the certification team's roles and responsibilities; 5) form the C&A team after the CA knows the certification level and tasks required; 6) identify the roles of the certification team members as needed and their responsibilities; and 7) include team members who have composite expertise in the whole span of activities required, and who are independent of the system developer or PM. n. Tailor the Agency-specific C&A Guidelines (e.g., NIACAP, DITSCAP) and Prepare the C&A Plan 1) adjust and document the C&A guideline (e.g., NIACAP, DITSCAP) activities to fit the program strategy; 2) conduct a review of the C&A guideline plan and SSAA by the DAA, CA, PM, and user representative; 3) determine the skills needed to perform the analysis and the supporting documentation; 4) prepare a process diagram of the system life-cycle activities and identify the current phase of life-cycle activity; 5) schedule the C&A guideline activities to meet the system schedule (for example, if the system has already completed preliminary design, all C&A guideline phase one activities should be completed as soon as possible); 6) tailor the C&A process as agreed upon in the SSAA; 7) tailor the C&A guideline process to the system life-cycle at the current system phase or activity; 8) tailor the process to the incremental development strategy (if one is used); 9) tailor the security activities to system development activities to ensure that the security activities are relevant to the process and provide the required degree of analysis; 10) determine the appropriate certification analysis level and adjust the C&A guideline activities to the program strategy and system life-cycle; 11) determine where to focus the analysis and testing; and 12) identify the appropriate level of effort. o. Prepare SSAA Added Material 1) consolidate documentation, drawing together all pertinent materials into a logical, sequential, and coherent document which will support the DAA's decision to approve or disapprove; 2) identify constraints, assumptions, and dependencies of the C&A process being implemented; and 3) identify the conditions under which certification activities were accomplished. p. Requirements Traceability 1) develop the security certification test plan documentation; 2) develop the ST&E evaluation report documentation; 3) identify the source of the security requirements for use during negotiations, development of the SSAA, and compliance validation; 4) specify the required security evaluation documentation; 5) use security requirements to develop the ST&E plans and procedures; 6) develop security certification test procedures; and 7) outline any unique certification analysis documentation requirements.