NSTSSI Security Education Standards
ANNEX A

MINIMAL INFOSEC PERFORMANCE STANDARD FOR SYSTEM CERTIFIERS

Job Functions Using Competencies Identified In:

NSTISSI 1000, National Information Assurance Certification and Accreditation Process (NIACAP)
DoD Instruction 5200.40, DoD Information Technology (IT) Security Certification and Accreditation (C&A) Process (DITSCAP)
NCSC-TG-029, Version 1, Introduction to Certification and Accreditation
FIPS Publication 102, Guideline for Computer Security Certification and Accreditation
NCSC-TG-031, Certification and Accreditation Process Handbook for Certifiers
I942-TR-002, Version 1, Accreditor's Guideline
SC-2610-143-93, DoD Intelligence Information Systems (DoDIIS) Site Certifier's Guide
DoDIIS Security Certification and Accreditation Guide

Job Functions

The INFOSEC functions of System Certifiers are performed during the following phases of the certification process:

1. Documenting Mission Need

The System Certifiers need to develop a comprehensive understanding of the mission and the functional responsibilities in order to ensure the success of the C&A processes. Certifiers must possess a global understanding of the C&A process, the system, and the mission it supports.

2. Conducting Registration

Registration involves the collection of information needed to address the certification process in a repeatable, understandable, and effective manner. These tasks involve gathering information to determine the security requirements and the level of effort necessary to accomplish C&A. The level of effort is influenced by the degree of assurance needed in the areas of confidentiality, integrity, accountability, and availability. Certifiers must consider the mission, environments, system life-cycle, existing documentation, risk, architecture, users, data classifications, external interfaces, etc.

3. Performing Negotiation

Negotiation is involved in every facet of the C&A process. Given the potentially large numbers of people and functional organizations involved, Certifiers must draw upon many sub-disciplines and roles to accomplish this mission. To this end, Certifiers must possess broad, well-developed negotiation skills. Negotiation skills are especially important for determining methodologies, defining the scope of the certification process, and acquiring the resources necessary to support the mission. Effective written and oral communication skills, flexibility, creativity, political acumen, and objectivity all contribute to effective negotiation activities.

4. Preparing the System Security Authorization Agreement (SSAA)

Certifiers are part of a team composed of the Certification Authority, the program sponsor, a threat specialist, and others. This team prepares the SSAA, a document that describes the planned operating condition of the system being certified and the expected residual risk in operating the system. The Designated Approving Authority (DAA) approves the SSAA and the system is then implemented with the security requirements that have been determined for it. It is important to note that the SSAA is a living document, and as such will require periodic maintenance throughout the life-cycle management of the system.

5. Supporting Systems Development

During the systems development phase of a system certification, the Certifiers are responsible for evaluating the design of the system and ensuring that the security requirements are being properly addressed and satisfied. The specific activities are a function of the overall program strategy, the life-cycle management process, and the position of the information system in the life-cycle. As in the Certification Analysis phase, the system development activities ensure that the requirements of the SSAA are followed during each life-cycle phase of the development and modification of the information system.

6. Performing Certification Analysis

Certification Analysis is the process of interacting with the system developer or owner/operator, and reviewing the documentation to carefully assess the functionality of the developing system, ensuring that it meets the security requirements as defined for its users, environment, connectivity, and other technical and non-technical factors in the SSAA.

7. Certification Evaluation

Security certification evaluation is the process whereby the Certifiers verify and validate, through formal security testing and evaluation (ST&E), that the implementation of the information system (IS) complies with the technical and non-technical security requirements stated in the SSAA, and that any observed deficiencies are fully documented and presented to the DAA for consideration in the accreditation decision.

8. Developing Recommendation to the DAA

The Certifiers prepare appropriate documentation regarding all findings resulting from the ST&E, and recommend to the DAA the degree to which the evaluated system satisfies all the defined security requirements. In addition, this documentation offers the Certifier's opinion concerning any identified residual risk that may preclude accreditation of the system for operation.

9. Compliance Validation

The Certifier's focus during this phase is the audit of the accredited IS, which is operating under the approval of the DAA, who has accepted any identified residual risk. Therefore, the Certifiers audit operations to ensure they remain consistent with the DAA-accepted level of risk.

10. Maintenance of the SSAA

The Maintenance of the SSAA function involves determining whether or not any IS implementation changes that dictate a need to recertify the implementation of the IS will require an update of the SSAA. If changes occur that dictate a need for a recertification effort, then the Certifier functions as defined in the C&A process are again performed for these changes, or for the entire IS as necessary. Additionally, Certifiers must ensure that the recertification effort is reported to the DAA for continued approval to operate.

Terminal Objective:

Given an information system, the System Certifiers will explain and apply a recognized methodology leading to the security certification of that system in accordance with a prescribed set of criteria (i.e., the International Common Criteria), and provide an accreditation recommendation to the DAA for consideration in the accreditation decision. To be acceptable, the certification must be performed in accordance with applicable INFOSEC regulations, policies and guidelines.

List of Performance Items Under Competencies

In each of the competency areas listed below, the System Certifiers shall perform the following functions: