Certification and Accreditation of systems - PowerPoint PPT Presentation

Provided by: rose175

1
Certification and Accreditation of systems
  • DITSCAP (DIACAP), NIACAP, and NIST

2
C&A Background
  • Title III of the E-Government Act (Public Law
    107-347), entitled Federal Information Security
    Management Act (FISMA), requires that all federal
    agencies develop and implement an agency-wide
    information security program designed to
    safeguard IT assets and data of the respective
    agency.
  • FISMA is specific in its requirements and it
    stipulates that the information security program
    must include documentation and reports that
    clearly describe the following:
  • Periodic risk assessments
  • Information security policies and procedures
  • An assessment of threats, including their
    likelihood and impact
  • Policies and procedures for detecting security
    vulnerabilities
  • Evaluation and periodic testing of how well
    security policies are working
  • An inventory of software and hardware assets
  • Continued on next slide

3
C&A Background (cont.)
  • Security awareness training and expected rules of
    behavior for end-users
  • An evaluation of the technical, management, and
    operational security controls
  • Procedures for reporting and responding to
    security incidents
  • A process for addressing any deficiencies
    reported
  • Contingency plans to ensure continuity of
    operations in the face of a disaster
  • FISMA forces federal agencies to understand the
    security of their systems and holds them
    accountable for resolving deficiencies. The
    methodologies that have evolved to address FISMA
    stipulations are sound ones and, though only
    federal agencies are required to abide by them,
    it would behoove financial institutions to adopt
    these methodologies to assess the security of
    their own systems.

4
C&A
  • There are generally three methodologies used for
    C&A initiatives:
  • DITSCAP
  • NIACAP
  • NIST

5
DITSCAP (DIACAP)
  • DITSCAP (Defense Information Technology Systems
    Certification and Accreditation Process) is based
    on the publication known as the Defense Information
    Systems Certification and Accreditation regulation,
    Department of Defense (DoD) Instruction 5200.40.
    This publication is mainly used by defense
    agencies.
  • DoDI 5200.40 implements policy, assigns
    responsibilities, and prescribes procedures for
    Certification and Accreditation (C&A) of
    information technology in the Department of
    Defense; creates the DoD IT Security
    Certification and Accreditation Process (DITSCAP)
    for security C&A of unclassified and classified
    IT; and stresses the importance of a life-cycle
    management approach to the C&A and
    reaccreditation of DoD IT.

6
DITSCAP (cont.)
  • DoDI 5200.40 was published on December 30th, 1997
    and is being replaced by the DoDD 8500 series.
  • The purpose of DITSCAP was to establish a
    standard to protect and secure the entities
    comprising the Defense Information Infrastructure
    (DII).

7
DITSCAP (cont.)
  • DITSCAP consists of four phases:
  • Phase 1: Definition
  • Phase 2: Verification
  • Phase 3: Validation
  • Phase 4: Post Accreditation
  • Phase 1 activities include documenting the
    system mission, architecture, and environment;
    identifying the threat; defining the level of
    effort; identifying the Certification Authority
    (CA) and the Designated Approving Authority
    (DAA); and documenting the necessary security
    requirements for C&A. Phase 1 is completed by a
    documented agreement between the DAA, CA, program
    manager, and the user representative.
  • Phase 2 includes activities to verify compliance
    of the system with previously agreed security
    requirements.

8
DITSCAP (cont.)
  • Phase 3 includes activities to evaluate the fully
    integrated information system to validate
    operation of the system in a specified computing
    environment with acceptable residual risk.
    Validation will be complete with approval to
    operate.
  • Phase 4 consists of activities to monitor system
    management and operation to ensure that an
    acceptable level of residual risk is maintained.
    Security management, change management, and
    periodic compliance validation reviews are
    conducted.

10
DITSCAP (cont.)
  • As of July 6th, 2006 DITSCAP has been replaced
    with DIACAP. All new systems and systems
    undergoing certification are to transition to/use
    DIACAP immediately.
  • Systems with a phase one through phase three
    signed Systems Security Authorization Agreement
    (SSAA), not yet accredited, are to continue under
    DITSCAP, but must develop a plan to transition to
    DIACAP within 180 days.
  • Systems whose DITSCAP accreditation is current
    (within three years) are to establish a strategy
    and schedule for transitioning to DIACAP within
    180 days of the DIACAP transition instruction
    (published July 6th, 2006).
  • Systems with a DITSCAP accreditation older than
    three years are to initiate DIACAP.
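The four transition rules on this slide, written out as a small decision function. This is an added illustration, not part of the original slides or of any DoD guidance: the only dates and thresholds it uses are the ones on the slide (July 6th, 2006; 180 days; three years). Two points the slide leaves open are taken as assumptions here: the 180-day window for the "signed SSAA, not yet accredited" case is counted from the same instruction date as the other window, and "current within three years" is measured as 3 x 365 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Publication date of the DIACAP transition instruction, as given on the slide.
TRANSITION_DATE = date(2006, 7, 6)
# The 180-day window for a transition plan or strategy, as given on the slide.
TRANSITION_WINDOW = timedelta(days=180)
# "Current within three years": assumption made here, measured as 3 x 365 days.
CURRENCY_WINDOW = timedelta(days=3 * 365)


@dataclass(frozen=True)
class SystemStatus:
    """Constructed record of where a system stands in the DITSCAP pipeline."""
    name: str
    ssaa_signed: bool               # phase 1 through phase 3 SSAA signed
    accredited_on: Optional[date]   # DITSCAP accreditation date, None if never accredited


@dataclass(frozen=True)
class Decision:
    path: str                       # which of the slide's four rules applies
    deadline: Optional[date]        # when a plan or strategy is due, if one is required


def transition_decision(system: SystemStatus, as_of: date = TRANSITION_DATE) -> Decision:
    """Apply the slide's DITSCAP-to-DIACAP rules, most specific first.

    `as_of` is the date from which the 180-day windows are counted; the slide
    ties the accredited-system window to the instruction's publication date,
    and (assumption) the same date is used for the signed-SSAA case.
    """
    if system.accredited_on is not None:
        age = as_of - system.accredited_on
        if age <= CURRENCY_WINDOW:
            # Accreditation current within three years: a strategy and schedule
            # for moving to DIACAP is due within 180 days of the instruction.
            return Decision("strategy-and-schedule-to-diacap", as_of + TRANSITION_WINDOW)
        # Accreditation older than three years: initiate DIACAP.
        return Decision("initiate-diacap", None)
    if system.ssaa_signed:
        # In the DITSCAP pipeline but not yet accredited: continue under DITSCAP,
        # with a DIACAP transition plan due within 180 days.
        return Decision("continue-ditscap-with-transition-plan", as_of + TRANSITION_WINDOW)
    # New system, or not yet in the pipeline: use DIACAP immediately.
    return Decision("use-diacap-immediately", None)


def decide(name: str, ssaa_signed: bool, accredited_iso: Optional[str],
           as_of_iso: str = "2006-07-06") -> dict:
    """Convenience wrapper taking ISO-8601 date strings and returning plain values."""
    accredited = date.fromisoformat(accredited_iso) if accredited_iso else None
    d = transition_decision(SystemStatus(name, ssaa_signed, accredited),
                            date.fromisoformat(as_of_iso))
    return {"system": name, "path": d.path,
            "deadline": d.deadline.isoformat() if d.deadline else None}


def report(systems: list) -> list:
    """Decisions for a portfolio, earliest deadline first; systems with no deadline last."""
    rows = [decide(*s) for s in systems]
    return sorted(rows, key=lambda r: (r["deadline"] is None, r["deadline"] or ""))


if __name__ == "__main__":
    # Constructed sample portfolio: (name, ssaa_signed, accreditation date or None).
    portfolio = [
        ("payroll-app", False, "2005-01-01"),    # accredited, still current
        ("legacy-lan", False, "2002-03-15"),     # accreditation older than three years
        ("new-portal", True, None),              # SSAA signed, not yet accredited
        ("pilot-service", False, None),          # brand new system
    ]
    for row in report(portfolio):
        print(f"{row['system']:<14} {row['path']:<40} due {row['deadline']}")
```

Both 180-day deadlines fall on 2007-01-02; the program is a triage aid for reading the slide's rules against an inventory, not a substitute for the instruction itself.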

11
DIACAP
  • The DoD Information Assurance Certification and
    Accreditation Process (DIACAP) is the replacement
    for DITSCAP.
  • DIACAP currently has interim guides published,
    which became effective July 6th, 2006.
  • The purpose of DIACAP is to establish the DoD
    information assurance (IA) certification and
    accreditation (C&A) process for authorizing the
    operation of DoD information systems consistent
    with the Federal Information Security Management
    Act (FISMA), DoD Directive (DoDD) 8500.1, and DoD
    Directive 8100.1. It supersedes DoD Instruction
    (DoDI) 5200.40 and DoD 8510.1-M; supports
    net-centricity (the ability of users to easily
    discover, access, integrate, correlate and fuse
    information and data that support their mission
    objectives) through an effective and dynamic IA
    C&A process; and provides visibility and control
    of the implementation of IA capabilities and
    services, the C&A process, and accreditation
    decisions authorizing the operation of DoD
    information systems, to include core enterprise
    services (CES) and web services-enabled software
    systems and applications.

12
DIACAP (cont.)
  • The DIACAP package is developed through DIACAP
    activity and maintained throughout a system's
    life cycle. Each DAA will determine what
    information is necessary to make an accreditation
    decision. Acquisition contracts must specify
    information assurance C&A deliverables.
  • The DIACAP package should consist of a System
    Identification Profile (SIP), Implementation
    Plan, Supporting Documentation for Certification,
    DIACAP Scorecard, and POA&Ms (if required).

13
DIACAP (cont.)
  • The SIP is compiled during the DIACAP
    registration and maintained throughout the system
    life cycle.
  • The SIP consists of various information about the
    system, such as the system ID, system component,
    government DoD component IA program, system name,
    system life cycle or acquisition phase,
    confidentiality level, mission criticality, etc.
    For a full list of the requirements and
    recommendations of information to be included in
    an SIP, refer to
    http://iase.disa.mil/ditscap/interim-ca-guidance.pdf

14
DIACAP (cont.)
  • The DIACAP scorecard is intended to convey
    information about the IA posture of a DoD
    information system in a format that can be easily
    understood by managers and be easily exchanged
    electronically.
  • The scorecard contains information such as the
    date of the accreditation, the accreditation
    decision for the system, the impact code for the
    controls (e.g. high, medium, etc.), the
    confidentiality level of the system, etc. An
    outline of the DIACAP scorecard is also contained
    in the DIACAP interim guidelines located at
    http://iase.disa.mil/ditscap/interim-ca-guidance.pdf

15
DIACAP (cont.)
  • A plan of action and milestones (POA&M) is a tool
    for identifying tasks that need to be
    accomplished. It specifies the resources required
    to accomplish the elements of the plan, any
    milestones in meeting the task, and scheduled
    completion dates for the milestones.
  • The documented POA&M should consist of:
  • why the system needs to operate
  • any operational restrictions imposed to lessen
    the risk during the interim authorization
  • specific corrective actions necessary to
    demonstrate that all assigned IA Controls have
    been implemented correctly and are effective
  • the agreed-upon timeline for completing and
    validating corrective actions
  • the resources necessary and available to
    properly complete the corrective actions

16
NIACAP
  • NIACAP stands for National Information Assurance
    Certification and Accreditation Process. It is
    based on a process published by the National
    Security Telecommunications and Information
    System Security Instruction known as NSTISSI No.
    1000.
  • NIACAP establishes a standard national process,
    set of activities, general tasks, and a
    management structure to certify and accredit
    systems that will maintain the information
    assurance (IA) and security posture of a system
    or site. NSTISSI 1000 provides an overview of the
    NIACAP process, roles of the people involved, and
    the documentation produced during the process.

17
NIACAP (cont.)
  • NSTISSI 1000 is designed to certify that the
    information system (IS) meets documented security
    requirements and will continue to maintain the
    accredited security posture throughout the system
    life cycle. The process should be adapted to
    include existing system certifications and
    evaluations of products.
  • The key to the NIACAP is the agreement between
    the IS program manager, Designated Approving
    Authority (DAA), certification agent (certifier),
    and user representative. These individuals are
    responsible for resolving critical schedule,
    budget, security, functionality, and performance
    issues. The NIACAP agreements are documented in
    the System Security Authorization Agreement
    (SSAA). The SSAA is used to guide and document
    the results of the Certification and
    Accreditation (C&A).

18
NIACAP (cont.)
  • There are different types of accreditation
    depending on what is being certified. A system
    accreditation evaluates a major application or
    general support system. A site accreditation
    evaluates the applications and systems at a
    specific, self-contained location. A type
    accreditation evaluates an application or system
    that is distributed to a number of different
    locations. The NIACAP applies to each of these
    accreditation types and may be tailored to meet
    the specific needs of the organization and IS.
  • NIACAP is composed of four phases (these phases
    are very similar to the phases in DITSCAP, and
    are named the same). These phases are
    Definition, Verification, Validation, and Post
    Accreditation.
  • Phase 1, Definition, is focused on understanding
    the IS business case, environment, and
    architecture to determine the security
    requirements and level of effort necessary to
    achieve certification and accreditation.

19
NIACAP (cont.)
  • The objective of Phase 1 is to agree on the
    security requirements, C&A boundary, schedule,
    level of effort, and resources required.
  • Phase 2, Verification, verifies the evolving or
    modified system's compliance with the information
    in the SSAA. The objective of Phase 2 is to
    ensure the fully integrated system will be ready
    for certification testing.
  • Phase 3, Validation, validates compliance of the
    fully integrated system with the security policy
    and requirements stated in the SSAA. The
    objective of Phase 3 is to produce the required
    evidence to support the DAA in making an informed
    decision to grant approval to operate the system
    (accreditation or Interim Approval to Operate
    (IATO)).

20
NIACAP (cont.)
  • Phase 4, Post Accreditation, starts after the
    system has been certified and accredited for
    operations. Phase 4 includes those activities
    necessary for the continuing operation of the
    accredited IS in its computing environment and to
    address the changing threats and small scale
    changes a system faces through its life cycle.
    The objective of Phase 4 is to ensure secure
    system management, operation, and maintenance to
    preserve an acceptable level of residual risk.

21
NIACAP (cont.)
  • Many organizations within a federal agency have
    significant roles in contributing to the secure
    development and operation of their IS. The NIACAP
    approach allows federal agencies to adapt the
    NIACAP roles into their respective organizational
    management structure to best manage the risks to
    the federal agency's mission throughout the IS
    life cycle: system development, operation,
    maintenance, and disposal.
  • Many civilian agencies have used either the
    NIACAP or NIST methodologies in the past to
    evaluate their ISs. The current trend, however, is
    that most agencies are moving away from NIACAP
    and are instead following the new NIST
    methodology.

22
NIST
  • The National Institute of Standards and
    Technology (NIST) Special Publications are the
    most widely used of the different CA
    methodologies.
  • NIST develops and issues standards, guidelines,
    and other publications to assist federal agencies
    in implementing the Federal Information Security
    Management Act (FISMA) of 2002 and in managing
    cost-effective programs to protect their
    information and information systems.
  • The current NIST SP used for the certification
    and accreditation of federal systems is NIST SP
    800-53A.
  • NIST SP 800-53A divides the system development
    life cycle into five phases: system initiation,
    system development and acquisition, system
    implementation, system operations and
    maintenance, and system disposal.

23
NIST (cont.)
  • The purpose of NIST SP 800-53A is to provide
    guidelines for building effective security
    assessment plans and procedures to enable the
    assessment of security controls employed in
    information systems supporting the executive
    agencies of the federal government.
  • NIST 800-53A divides security requirements into
    three categories based on the overall risk and
    sensitivity of the system. The system will be
    evaluated as either Low, Moderate, or High and
    the appropriate controls for the risk level are
    followed.

24
NIST (cont.)
  • Examples of government agencies that follow
    NIST 800-53A are the DOT and the FAA.
  • In order to fulfill the requirements/guidelines,
    DOT employs an Independent Security Certification
    Staff (ISCS) to audit its systems and recommend
    whether they be approved for implementation,
    authorized, re-certified, or denied authorization.
  • The ISCS accomplishes this by analyzing the
    Information System Security Plan of the
    organization being audited and comparing it to a
    Security Test and Evaluation (ST&E) based on NIST
    800-53A. The auditors then perform tests on
    the systems being audited and interview
    personnel responsible for the system in order to
    conclude whether the system should be certified.

25
NIST (cont.)
  • Once the ISCS has completed its audit of the
    system, the team will draw up various documents
    detailing their findings. These include a Risk
    Assessment document, POA&Ms, Risk Acceptances,
    ST&E, Executive Summary, etc. DOT requires that
    its systems undergo annual assessments, with full
    Certification and Authorizations (C&As) being
    performed every three years.
  • Once the package is complete it is sent to the
    Authorizing Official (AO, the designation of DAA
    is no longer used) for approval.

26
Conclusion
  • DITSCAP, DIACAP, NIACAP, and NIST are all used by
    government organizations in order to satisfy the
    requirements set forth by FISMA.
  • The requirements of each of these certification
    processes are constantly being updated as the
    need for security changes with technology.
  • NIST 800-53A recently replaced NIST 800-53, which
    in turn replaced NIST 800-26. DIACAP is currently
    in the process of replacing DITSCAP.

27
References
  • More information on these processes can be found
    at the following sites:
  • http://iase.disa.mil/ditscap/interim-ca-guidance.pdf
    (transition from DITSCAP to DIACAP)
  • http://csrc.nist.gov/groups/SMA/fasp/documents/ca/DLABSP/i520040p.pdf
    (DITSCAP)
  • http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf
    (NIACAP)
  • http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf
    (NIST 800-53A)

28
References (cont.)
  • Information used in this presentation was
    gathered from the following web sites:
  • http://iase.disa.mil/ditscap/interim-ca-guidance.pdf
    (transition from DITSCAP to DIACAP)
  • http://csrc.nist.gov/groups/SMA/fasp/documents/ca/DLABSP/i520040p.pdf
    (DITSCAP)
  • http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf
    (NIACAP)
  • http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf
    (NIST 800-53A)
  • http://www.intranetjournal.com/articles/200406/pij_06_23_04a.html
    (information on the uses of DITSCAP, NIACAP, and NIST)