Strategic Security Intelligence


NSTISSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


        4. PREPARING SSAA
                   
               
             a. Access Control Policies
                  

                   1)    categorize access control policies;
                   2)    describe access control policies; and
                   3)    relate access control policies to appropriate "umbrella" guidance and
policies.
   
             b. Security Policies and Procedures
                   

                   1)    define and understand the topics that security policies and procedures
must address as part of the certification process;
                   2)    discuss the impact of policy and procedures on risk and operations;
                   3)    explain how the system operating policies and procedures define the
implementation of the security requirements;
                   4)    integrate the identified security policies and procedures (e.g., audit policies,
access control policies) as minimum requirements into the ST&E plan;
                   5)    interpret the relationship between security policy and procedures and the
security requirements;                      
                   6)    assist the DAA, program manager (PM), and user in understanding the
security policies and procedures; and
                   7)    describe the security solutions and implementations that meet the specified
system security requirements.

   
             c. Documentation Policies
                   

                   1)    identify documentation policies that apply to the preparation of the SSAA;
and
                   2)    ensure that the appropriate documentation policies are followed in 
preparing the SSAA.

                   
             d. Requirements Derivation
                   

                   1)    categorize security certification requirements;
                   2)    discuss how technical and non-technical security requirements are derived;   
                   3)    identify requirements that are applicable to the system under certification
and accreditation;
                   4)    identify the source of the security requirements;
                   5)    identify the source of the security requirements for use during negotiations,
development of the SSAA, and compliance validation;
                   6)    interpret security requirements for the specific mission, environment, data
classification level, and architecture;
                   7)    summarize the security requirements and construct a requirements
traceability matrix (RTM);
                   8)    use security requirements to assist in the development of ST&E plans;
                   9)    verify that security certification requirements are included in the ST&E
plan; and
                   10) explain the security requirements in order to develop a common
understanding among the DAA, PM, and Certification Authority.

             e. Understand Mission
   
            
                   1)    describe the system mission focusing on the security relevant features of the
system required for the SSAA;
                   2)    discuss the purpose of the system and its capabilities in the SSAA;
                   3)    explain the impact of the mission statement on security requirements;
                   4)    summarize the mission and prepare a summary for the SSAA; and
                   5)    use the mission statement to identify applicable security certification
requirements in the SSAA.
                   
             f. Security Domains

                   1)    identify any specific security domains as they apply to the system mission
and function; and
                   2)    relate the interactions between different security domains in support of the
system mission and functions.


            
               g. System Description


                     1)    appraise the system concept of operations (CONOPS);
                     2)    assess the system's criticality and its impact on the level of risk that is
acceptable;
                     3)    define the system user's characteristics and clearances;
                     4)    define the security clearances of the user population and the access rights
to restricted information;
                     5)    define the type of data and data sensitivity;
                     6)    describe the system CONOPS and security CONOPS in the SSAA;
                     7)    describe the system criticality in the SSAA;
                     8)    describe the system functions and capabilities;
                     9)    examine the mission to determine the national security classification of the
data processed;
                     10) identify the system acquisition strategy and system life-cycle phase; and
                     11) use the data sensitivity and labeling requirements to determine the system
classification.
               h. Environment and Threat Description


                     1)    derive the system operating environment and threat descriptions from the
mission documentation; and
                     2)    prepare a description of potential threats based upon an analysis of the
operating environment, and the system development environment for inclusion in the
certification reports for the DAA.
               i. System Operating Environment
               

                     1)    describe the administrative security procedures appropriate for the system
being certified;
                     2)    analyze the physical environment in which the system will operate; address 
all relevant parts of the system's environment, including descriptions of the physical,
administrative, developmental, and technical areas; describe any known or suspected threats
specifically to be considered for the described environment;
                     3)    describe the security features that will be necessary to support site
operations (the physical security description should consider safety procedures for personnel
operating the equipment);
                     4)    identify maintenance procedures needed to ensure physical security
protection against unauthorized access to protected information or system resources;
                     5)    identify procedures needed to counter potential threats that may come from  
inside or outside of the organization;
                     6)    identify the physical support features of the facility, including air  
conditioning, power, sprinkler system, fences, and extension of walls from true-floor to true-
ceiling construction, sensitive space, work space, and the building;
                     7)    determine if training procedures match the users' levels of responsibility,
and provide information on potential threats and how to protect information; and    
                     8)    identify aspects of physical security, such as a defined secure work area; the
means used to protect storage media (e.g., hard drives and removable disks); protecting access
to workstation ports (e.g., communication ports); a controlled area for shared resources (e.g.,
databases and file servers); and the means of protection used for cable plant and
communication hubs and switches which are used to connect workstations and shared
resources.

               j.    System Development, Integration, and Maintenance Environment

                     
                     1)    describe the system development approach and the environment within
which the system will be developed and maintained;
                     2)    describe the information access and configuration control issues for the
system; and
                     3)    determine the appropriate types of system development and maintenance
environments.
                     
               k. Threat Description and Risk Assessment

                  
                     1)    define, in conjunction with the system owner, the potential threats that can
affect the confidentiality, integrity, and availability of the system, clearly stating the nature of
the expected threat and, where possible, its expected frequency of occurrence;
                     2)    identify threats, such as penetration attempts by hackers, damage or
misuse by disgruntled or dishonest employees, and misuse by careless or inadequately trained
employees;
                     3)    identify unintentional human error, system design weaknesses, and
intentional actions on the part of authorized, as well as unauthorized users that can cause these
events; and
                     4)    describe insider threat, including the good intentions of a trusted employee
who circumvents security in order to accomplish the job. 
                     

               l. System Architectural Description

                     1)    describe the accreditation boundary of the system;
                     2)    describe the system architecture including the configuration of any
equipment or interconnected system or subsystem of equipment used in the automatic
acquisition, storage, manipulation, management, movement, control, display, switching,
interchange, transmission, or reception of data or information that includes computers, ancillary
equipment, software, firmware, and similar procedures and services, including support services
and related resources;
                     3)    describe the system's internal interfaces and data flows;
                     4)    identify and describe the system's external interfaces and the relationship
between the interfaces and the system;
                     5)    describe the proposed and appropriate hardware and its function (NOTE:
hardware is the physical equipment, as opposed to programs, procedures, rules, and associated
documentation);
                     6)    describe the proposed and appropriate software and its intended use
(NOTE: software includes the entire set of application programs, software procedures, software
routines, and operating system software associated with the system; this includes
manufacturer-supplied software, other commercial off-the-shelf software, and all program-
generated application software);
                     7)    determine the types of data and the general methods for data transmission
(NOTE: if specific transmission media or interfaces to other systems are necessary, these needs
may influence the security requirements for the system);
                     8)    develop an overview of the internal system structure including the
anticipated hardware configuration, application software, software routines, operating systems,
remote devices, communications processors, networks, and remote interfaces;
                     9)    develop diagrams or text to explain the flow of critical information from one
component to another;
                     10) identify and include diagrams or text that clearly delineate the components
that are to be evaluated as part of the C&A task;
                     11) identify components which are not to be included in the evaluation; and
                     12) prepare a high level overview of the types of hardware, software, firmware,
and associated interfaces envisioned for the completed system.


             m. Identify C&A Organizations and Resources

                1)       enlist the assistance of a contractor team or other government organizations
(NOTE: the CA has the responsibility to form the team, coordinate the C&A activities, conduct
the analysis, and prepare or validate the SSAA);
                2)       identify the appropriate statutory authorities, and the resource and training
requirements necessary to conduct the certification;
                3)       identify the organizations, individuals, and titles of the key authorities
involved in the C&A process;
                4)       determine the certification team's roles and responsibilities;
                5)       form the C&A team after the CA knows the certification level and tasks
required;
                6)       identify the roles of the certification team members as needed and their
responsibilities; and
                7)       include team members who have composite expertise in the whole span of
activities required, and who are independent of the system developer or PM.
                
             n. Tailor the Agency-specific C&A Guidelines (e.g., NIACAP, DITSCAP) and
Prepare the C&A Plan
                

                1)       adjust and document the C&A guideline (e.g., NIACAP, DITSCAP) activities
to fit the program strategy;
                2)       conduct a review of the C&A guideline plan and SSAA by the DAA, CA, PM,
and user representative;
                3)       determine the skills needed to perform the analysis and the supporting
documentation;
                4)       prepare a process diagram of the system life-cycle activities and identify the
current phase of life-cycle activity;
                5)       schedule the C&A guideline activities to meet the system schedule (for
example, if the system has already completed preliminary design, all C&A guideline phase one
activities should be completed as soon as possible);
                6)       tailor the C&A process as agreed upon in the SSAA;
                7)       tailor the C&A guideline process to the system life-cycle at the current
system phase or activity;
                     8)    tailor the process to the incremental development strategy (if one is used);
                     9)    tailor the security activities to system development activities to ensure that
the security activities are relevant to the process and provide the required degree of analysis;
                     10) determine the appropriate certification analysis level and adjust the C&A
guideline activities to the program strategy and system life-cycle;
                     11) determine where to focus the analysis and testing; and
                     12) identify the appropriate level of effort.
                

               o. Prepare SSAA Added Material


                     1)    consolidate documentation, drawing together all pertinent materials into a
logical, sequential, and coherent document which will support the DAA's decision to approve or
disapprove;
                     2)    identify constraints, assumptions, and dependencies of the C&A process
being implemented; and   
                     3)    identify the conditions under which certification activities were
accomplished.
               p.    Requirements Traceability

                
                     1)    develop the security certification test plan documentation;
                     2)    develop the ST&E evaluation report documentation;
                     3)    identify the source of the security requirements for use during negotiations,
development of the SSAA, and compliance validation;
                     4)    specify the required security evaluation documentation;
                     5)    use security requirements to develop the ST&E plans and procedures;
                     6)    develop security certification test procedures; and
                     7)    outline any unique certification analysis documentation requirements.
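The requirements traceability matrix called for in d.7) and the coverage checks in d.9) and p. above can be kept as a small data structure and verified mechanically rather than by reading two documents side by side. The following is an added example, not part of the standard: it builds an RTM from a constructed list of requirements (each tagged with the umbrella policy it derives from, as in a.3)) and a constructed list of ST&E procedures, then reports every requirement the ST&E plan does not exercise and every procedure that cites a requirement the SSAA does not contain. All identifiers (AC-01, STE-01, the policy names) are hypothetical.

```python
"""Requirements traceability matrix (RTM) with ST&E coverage check.

Added example; constructed data, hypothetical identifiers. Not from NSTISSI 4015.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    source: str      # umbrella policy or guidance the requirement derives from (hypothetical)
    technical: bool  # True for technical, False for procedural / non-technical requirements


@dataclass(frozen=True)
class TestProcedure:
    proc_id: str
    title: str
    verifies: tuple  # requirement IDs this ST&E procedure exercises


# Constructed sample requirements, as they would appear in an SSAA.
REQUIREMENTS = [
    Requirement("AC-01", "Only users cleared for the highest classification processed may log on",
                "Site access control policy (hypothetical)", True),
    Requirement("AC-02", "Accounts inactive for 30 days are disabled automatically",
                "Site access control policy (hypothetical)", True),
    Requirement("AU-01", "Audit records are retained for the period set in the audit policy",
                "Agency audit policy (hypothetical)", True),
    Requirement("PE-01", "Workstation communication ports are only accessible inside the controlled area",
                "Facility physical security plan (hypothetical)", False),
    Requirement("TR-01", "Users complete security training before an account is issued",
                "Agency training directive (hypothetical)", False),
]

# Constructed sample ST&E procedures. Note that nothing cites TR-01.
PROCEDURES = [
    TestProcedure("STE-01", "Logon attempts by uncleared and inactive test accounts", ("AC-01", "AC-02")),
    TestProcedure("STE-02", "Inspect audit retention configuration and oldest stored record", ("AU-01",)),
    TestProcedure("STE-03", "Walk-down of workstation port accessibility", ("PE-01",)),
]


def build_rtm(reqs, procs):
    """Map each requirement ID to the ST&E procedures that verify it.

    Returns (rtm, unknown_refs): rtm preserves requirement order; unknown_refs lists
    (proc_id, req_id) pairs where a procedure cites a requirement not in the SSAA.
    """
    rtm = {r.req_id: [] for r in reqs}
    unknown_refs = []
    for proc in procs:
        for rid in proc.verifies:
            if rid in rtm:
                rtm[rid].append(proc.proc_id)
            else:
                unknown_refs.append((proc.proc_id, rid))
    return rtm, unknown_refs


def coverage_gaps(rtm):
    """Requirement IDs with no ST&E procedure; these fail the d.9) check."""
    return [rid for rid, procs in rtm.items() if not procs]


def requirements_by_source(reqs):
    """Group requirement IDs under the umbrella policy they derive from (a.3), d.4))."""
    grouped = {}
    for r in reqs:
        grouped.setdefault(r.source, []).append(r.req_id)
    return grouped


def render_rtm(reqs, rtm):
    """Plain-text RTM rows: ID, type, source, verifying procedures (or a GAP marker)."""
    rows = [f"{'Req':<6} {'Type':<9} {'Source':<42} {'ST&E procedures'}"]
    for r in reqs:
        kind = "technical" if r.technical else "proced."
        procs = ", ".join(rtm[r.req_id]) or "** GAP: not in ST&E plan **"
        rows.append(f"{r.req_id:<6} {kind:<9} {r.source:<42} {procs}")
    return rows


if __name__ == "__main__":
    matrix, bad_refs = build_rtm(REQUIREMENTS, PROCEDURES)
    print("\n".join(render_rtm(REQUIREMENTS, matrix)))
    print("Untested requirements:", coverage_gaps(matrix))
    print("Procedures citing unknown requirements:", bad_refs)
```

Run as written, the report flags TR-01 as the single requirement the ST&E plan never exercises; adding a procedure that cites an ID absent from the SSAA appears in the second list, which is the usual sign that the plan and the SSAA have drifted apart during negotiation. Both lists should be empty before the SSAA is signed.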