IMPLEMENTING THE NEW NISPOM CHAPTER EIGHT (PowerPoint presentation transcript)

1
IMPLEMENTING THE NEW NISPOM CHAPTER EIGHT
  • Albuquerque Seminar
  • November 6, 2001
  • John Waller
  • Director of Security
  • Syracuse Research Corporation
  • waller_at_syrres.com

2
OBJECTIVES OF THIS PRESENTATION
  • Familiarize you with the May 1, 2001 Chapter
    eight requirements
  • Discuss the six steps involved in generating the
    documentation needed to apply for accreditation
    of an information system
  • Refer you to resources that will help you
    implement the new chapter eight requirements
  • Help you to understand that you must learn more
    about networking fundamentals and technical
    countermeasures to be an effective ISSM or ISSO

3
QUALIFYING CAVEAT
  • This briefing is NOT an official government
    briefing
  • We are talking about implementing Chapter 8 in a
    collateral environment - not a DCID 6/3
    environment
  • This briefing represents the views and experience
    of one industrial security professional
  • Please consult with your local IS rep for
    official guidance

4
FIRST - SOME CONCEPTS YOU SHOULD UNDERSTAND
  • Confidentiality
    • assurance that information is not disclosed to
      unauthorized entities or processes - SAFEGUARDING
  • Integrity
    • protection against unauthorized modification or
      destruction of information
  • Availability
    • timely, reliable access to data and information
      services for authorized users

5
POSITIONS OF RESPONSIBILITIES
  • DSS ISSP - IS Security Professional
    • formerly known as the DSS Computer Specialist
  • ISSM - IS Security Manager
    • designated by Management
    • formerly known as the ISSR
    • establishes, implements, and monitors the IS
      Program and ensures compliance
    • responsible for all IS security education
    • identifies threats to the systems
    • ensures periodic self-inspections
  • ISSO - IS Security Officer
    • may be appointed by the ISSM
    • performs functions delegated to him/her by the
      ISSM

6
USERS
  • GENERAL USERS
    • individuals who can input information to or
      modify information on an IS, or who can receive
      information from an IS without a reliable human
      review
    • your engineers, scientists, and analysts
  • PRIVILEGED USERS
    • have access to IS control, monitoring or admin
      functions
    • your Sys Admin, maintenance folks, the ISSM and
      ISSO
    • a more dangerous group!!

7
LEVEL OF CONCERN
  • A rating assigned to an Information System (IS)
  • Reflects the sensitivity of the information and
    the consequences of the loss of CIA
  • Basic, Medium or High
  • Not that important in the overall scheme of
    things unless your contract dictates you must
    address integrity and availability issues

8
PROTECTION LEVELS
  • Determined by the relationship between clearance
    levels, formal access approvals, NTK of users and
    the Level of Concern
  • Unlike L-O-Cs, Protection Levels are very
    important!
  • Protection levels translate into a set of
    requirements that must be implemented
  • Higher protection levels are more expensive
  • There are now four Protection Levels (PL-4 -
    High Risk - was added by the ISL)

9
SIX STEPS IN THE PREPARATION OF AN ACCREDITATION
PACKAGE
  • (1) Determine the Levels of Concern
    • basic, medium, or high
  • (2) Determine the Protection Level
    • one, two, three, or four (see new ISL)
  • (3) Identify the technical security and
    information assurance requirements
    • from a list of 15
  • (4) Determine the interconnected systems and
    administrative requirements
  • (5) Determine the needed documentation and
    testing activities
  • (6) Put the documentation together and submit for
    accreditation

10
STEP ONE
  • Determine the Levels of Concern

11
LEVELS OF CONCERN
  • Levels of Concern reflect the consequences of the
    loss of Confidentiality, Integrity, or
    Availability
  • Will need the help of the Sys Admin and users in
    determining the L-O-C
  • It is not mandatory that all L-O-C be the same

12
L-O-C FOR CONFIDENTIALITY
  • Based on the sensitivity of the information the
    IS maintains, processes, and transmits
  • This is a concept we understand - safeguarding

13
DETERMINING THE LEVEL OF CONCERN FOR
CONFIDENTIALITY
FYI: DCID 6/3 dictates that the Confidentiality
L-O-C will be High if you are processing
intelligence information, regardless of the
classification level
14
L-O-C FOR INTEGRITY
  • You must get input from users to make this
    decision
  • If the accuracy of the information is desired but
    only a reasonable degree of accuracy is
    necessary for mission accomplishment - the L-O-C
    may only be Basic
  • However, if the information is used to program an
    RWR (radar warning receiver) or jammer, the L-O-C
    most likely should be High

15
DETERMINING THE LEVEL OF CONCERN FOR INTEGRITY
16
L-O-C FOR AVAILABILITY
  • Again, you must consult with users who understand
    the impact on the mission when the information or
    the IS is not available
  • If there is absolutely no tolerance for delay, the
    L-O-C is High
  • If a delay of seconds to hours is tolerable, the
    L-O-C is Medium
  • If a delay of days to weeks is OK, the L-O-C is
    Basic

17
DETERMINING LEVEL OF CONCERN FOR AVAILABILITY
18
STEP TWO
  • Determine the Protection Level

19
PROTECTION LEVEL FOR CONFIDENTIALITY
  • Note that PL only applies to Confidentiality
  • You need to know four things
    • the L-O-C
    • the security clearance level of the users
    • do all users have all required special briefings
      (CNWDI, NATO, etc.)?
    • do ANY users not have a need-to-know for ALL
      information on the IS?

20
DETERMINING THE PROTECTION LEVEL FOR
CONFIDENTIALITY
If you look closely, you will see that the L-O-C
(for Confidentiality only) is actually
meaningless: if you have just one user who does
not have the NTK or all of the required special
briefings for ALL the information on the system,
you must move from PL-1 to a higher PL
21
STEP THREE
  • Identify the technical security and information
    assurance requirements

22
PROTECTION REQUIREMENTS
  • Alternate power source
  • Audit capability
  • Backup and restoration of data
  • Changes to data integrity
  • Data transmission
  • Access controls
  • Identification and Authentication (I&A)
  • Resource Control
  • Session controls
  • Security documentation
  • Separation of function requirements
  • System Recovery
  • System Assurance
  • Security testing
  • Disaster recovery

23
RESOURCE FOR LEARNING ABOUT PROTECTION
REQUIREMENTS
  • Section 8-6 of Chapter 8
  • very important that you understand the 15
    protective measures
  • ask your IT folks to explain
  • See Sandra Patton's technical briefing,
    "Technical Requirements - What is Feasible? How
    Do I Configure Security Features?"
  • http://www.cfisac.org/

24
WHICH (CONFIDENTIALITY) REQUIREMENTS MUST I
IMPLEMENT FOR MY PROTECTION LEVEL?
25
WHICH (INTEGRITY) REQUIREMENTS MUST I IMPLEMENT
FOR MY PROTECTION LEVEL?
There will be no requirements for protecting the
Integrity of the information unless not doing so
has a direct impact on protection measures for
Confidentiality (e.g., integrity of the password
file) or it is contractually mandated by the GCA
in the contract (NISPOM paragraph 8-400)
26
WHICH (AVAILABILITY) REQUIREMENTS MUST I
IMPLEMENT FOR MY PROTECTION LEVEL?
There will be no requirements for protecting the
Availability of the information unless not doing
so has a direct impact on protection measures
for Confidentiality (e.g., audit logs are not
available) or it is contractually mandated by
the GCA in the contract (NISPOM paragraph 8-400)
27
STEP FOUR
  • Determine the interconnected systems and
    administrative requirements

28
TWO TYPES OF NETWORKS
  • UNIFIED NETWORK
    • accredited as a single entity, by a single CSA,
      and under a single SSP
    • may be two machines but may be 400
  • INTERCONNECTED NETWORK
    • two or more separately-accredited systems and/or
      networks
    • each IS or network has its own ISSM
    • may be two machines but may be 400

29
ADMINISTRATIVE CONCERNS OF INTERCONNECTED NETWORKS
  • Both ISSMs must be involved as both networks must
    be accredited as a unit
  • Both CSAs must be involved
  • The network SSP and accreditation must explicitly
    address the interconnection of these two networks
  • Some type of Interconnection Security Agreement
    and/or MOA must be put in place

30
OPERATIONAL CONCERNS OF INTERCONNECTED NETWORKS
  • Protection Level of one of the networks may need
    to be raised if all users on the second network
    do not have a NTK/special briefings for all
    information on the first network
  • A Controlled Interface must be in place to
    adjudicate the differences between different
    security policies of the interconnected networks

31
ADMINISTRATIVE REQUIREMENTS
  • Training (for maintenance folks also)
  • Examining hardware and software
  • Configuration management
  • Protection against malicious code
  • Marking hardware, output and media
  • Manual review of human-readable output
  • Media review and accountability
  • Media purging and sanitizing
  • Media declassification and release
  • Physical security for the IS
  • Overwriting media
  • Degaussing media
  • Release of memory components and boards
  • Disposition of volatile memory components
  • Disposition of non-volatile memory components
  • Release of the IS from classified operations
  • Co-Location with an unclassified IS
  • Use of uncleared or under-cleared maintenance
    personnel (U.S. citizens)
  • Remote maintenance
  • TEMPEST concerns
  • Unique vulnerabilities

32
STEP FIVE
  • Determine the needed documentation

33
DOCUMENTATION
  • IS Security Policy
  • System Security Plan
    • master SSP for similar systems
      • generic in nature
      • must be accredited by the CSA
      • ISSM can then accredit subsequent similar
        systems under the Master Plan
    • system protection profile (tailored to the
      specific IS environment - your real world)
      • system ID and requirements
      • hardware/software baselines
      • configuration drawings
      • upgrade/downgrade procedures and log
      • maintenance log
      • weekly audit log
  • ISSM certification
    • the SSP has been implemented
    • the specified security controls in place have
      been properly tested
    • the IS is functioning as described in the SSP

34
IS SECURITY POLICY
  • Policy statement is required by paragraph 8-101b
  • Responsibility of contractor management and an
    item that could be reviewed during inspections
  • Should include
    • company commitment to protecting classified
      information
    • intent to adhere to the requirements of chapter 8
    • provisions for disciplinary actions for employees
      that do not comply

35
THE SSP
  • Take a look at the SSP boilerplate available from
    the Florida Association of IS Security Reps
    (http://www.cfisac.org)
  • Thoroughly review ISL-01L-1 dated 13 Feb, 2001
    before starting your SSP
  • It will be beneficial to develop a Master SSP for
    similar systems (PL-1 and PL-2 only)
  • Generic stuff applicable to all systems is
    included in the Master SSP
  • Develop a Protection Profile for each IS - these
    will be slightly different for each system
  • Conduct a realistic analysis of the
    vulnerabilities of each IS and implement
    countermeasures that mitigate these particular
    vulnerabilities - document unique vulnerabilities
    in the SSP
  • Use the DSS SSP checklist (enclosure of their
    ISOM) to ensure you have addressed all areas of
    concern (copy available from your IS rep)

36
CONTENTS OF THE SYSTEM PROTECTION PROFILE
  • System identification
    • system owner, CSA, ISSM, ISSO
    • description of system purpose and architecture
  • System requirements specification
    • classification levels, formal access approvals
      needed, levels of concern, protection levels,
      protection measures
  • System-specific risks and vulnerabilities
    • results of the risk assessment and
      countermeasures implemented to mitigate unique
      threats
  • System configuration
    • system architecture
    • must reflect TODAY'S configuration!!
  • Connections to separately accredited networks and
    systems
    • copy of MOU
  • Security support structure (for interconnected
    networks)
    • controlling interfaces, interconnection criteria,
      security requirements
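The hardware/software baselines in the Protection Profile and the "must reflect TODAY'S configuration" warning above (and the certification test item that the software resident on the IS matches the Software Baseline) come down to one mechanical check: compare the accredited baseline with what is actually on the machine. The Python script below is an added example, not code from the briefing or from DSS: it records a SHA-256 baseline of a directory tree and reports files added, removed or modified relative to the accredited profile. The baseline format (relative path to hex digest) and the sample tree it builds in a temporary directory are constructed for illustration.

```python
"""Software baseline drift check for a System Protection Profile.

Added example, not from the original briefing. The baseline format
(relative path -> SHA-256 hex digest) and the sample tree are
constructed for illustration; a real baseline would be taken from the
accredited IS at certification time and kept with the SSP.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record the SHA-256 of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the accredited tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baselines(accredited, resident):
    """Return sorted lists (added, removed, modified) of resident vs. accredited."""
    added = sorted(set(resident) - set(accredited))
    removed = sorted(set(accredited) - set(resident))
    modified = sorted(p for p in accredited
                      if p in resident and accredited[p] != resident[p])
    return added, removed, modified


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline taken at certification, then drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/analyzer", b"accredited analysis tool v1\n")
        _write(root, "etc/audit.conf", b"audit_logins=yes\n")
        _write(root, "lib/legacy.so", b"old library\n")
        accredited = build_baseline(root)

        # drift after accreditation: one file patched, one added, one removed
        _write(root, "bin/analyzer", b"accredited analysis tool v2\n")
        _write(root, "bin/netcat", b"unapproved utility\n")
        os.remove(os.path.join(root, "lib/legacy.so"))
        resident = build_baseline(root)

        return compare_baselines(accredited, resident)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

Any non-empty list is a discrepancy between the profile and the real system that has to be resolved (update the profile through configuration management, or remove the unapproved change) before the ISSM signs the certification.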

37
CERTIFICATION
  • What is it?
    • Comprehensive analysis of technical and
      non-technical security features
      • especially access controls and configuration
        management
    • demonstrates compliance with the security
      requirements associated with the PL assigned to
      the IS
  • A statement in the SSP for PL-1 systems
  • Formal written assurance by the ISSM for PL-2
    systems
  • Use the available certification test plan
    checklist

38
ISSM CERTIFICATION TEST
  • Closed or Restricted Area is approved and
    security procedures are in place
  • Clearance level, NTK, and special briefings for
    all users are verified
  • Hardware components match the IS Profile hardware
    baseline
  • Software resident on the IS matches the Software
    Baseline in the Profile
  • All media has the appropriate security markings
  • Media from all co-located systems in the area
    dedicated to unclassified processing is marked as
    unclassified
  • I&A/logon procedures are in place
    • If automated I&A is not possible, then a list of
      authorized users is posted in the area
  • Password routines (not required on standalones
    and small LANs)
    • password length/composition/lifetime/masking
    • general users cannot access password files
  • Justifications for generic or group accounts
  • Logon banner is technically implemented or
    prominently displayed in the area
  • Lockouts for multiple failed logins occur
  • Automated audit trails
    • Activities that should be audited are being
      logged
  • Virus detection software is installed and
    functional
  • Access controls are in place for
    security-relevant objects
  • If relevant, procedures are in place for
    clearance and sanitization of non-volatile memory
    or media
  • A list of initial bad blocks/sectors has been
    generated and kept on removable media
  • Procedures for remote connections are in place
  • If used, procedures for a Protected Distribution
    System (PDS) are in place
  • If requested, procedures for trusted downloading
    are in place and accredited by the CSA - not the
    ISSM
  • Other areas of concern are addressed and
    procedures are certified to be in place and
    effective
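Two items on the certification test above (lockouts for multiple failed logins occur; activities that should be audited are being logged) and the weekly audit log review listed under the Protection Profile can be checked mechanically rather than by reading a printout. The Python script below is an added example, not code from the briefing or from DSS: it parses a constructed, simplified audit log (the line format, event names and user names are assumptions for illustration), verifies that every run of N consecutive failed logins is immediately followed by a lockout event for that user, and reports any event type the SSP says must be audited but which never appears in the log.

```python
"""Weekly audit log review: failed-login lockouts and required event coverage.

Added example, not part of the original briefing. The log format
'<timestamp> <EVENT> user=<name>' and the sample lines are constructed;
adapt LINE_RE to the audit record format of the IS being certified.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT|UNLOCK)\s+user=(?P<user>\S+)"
)

# Event types the SSP says must be audited (assumed set for this example).
REQUIRED_EVENTS = {"LOGIN_OK", "LOGIN_FAIL", "LOCKOUT"}

# Constructed sample log: bjones is locked out correctly after three
# failures; cdoe fails four times and then logs in, i.e. no lockout fired;
# the last line is unparseable and is counted rather than silently dropped.
SAMPLE_LOG = """\
2001-11-06T08:01:10 LOGIN_OK user=asmith
2001-11-06T08:02:00 LOGIN_FAIL user=bjones
2001-11-06T08:02:05 LOGIN_FAIL user=bjones
2001-11-06T08:02:09 LOGIN_FAIL user=bjones
2001-11-06T08:02:09 LOCKOUT user=bjones
2001-11-06T08:05:00 LOGIN_FAIL user=cdoe
2001-11-06T08:05:04 LOGIN_FAIL user=cdoe
2001-11-06T08:05:08 LOGIN_FAIL user=cdoe
2001-11-06T08:05:12 LOGIN_FAIL user=cdoe
2001-11-06T08:05:20 LOGIN_OK user=cdoe
2001-11-06T08:09:00 LOGIN_FAIL user=asmith
2001-11-06T08:09:30 LOGIN_OK user=asmith
2001-11-06T08:10:00 kernel: audit daemon restarted
"""


def parse_log(text):
    """Return (records, unparsed_count); records are (ts, event, user) tuples."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            records.append((m["ts"], m["event"], m["user"]))
        else:
            unparsed += 1
    return records, unparsed


def check_lockouts(records, threshold=3):
    """Every run of `threshold` consecutive LOGIN_FAIL for a user must be
    immediately followed by a LOCKOUT for that user.  Returns
    (locked, missing_lockout) as sorted lists of user names."""
    streak = defaultdict(int)
    pending = set()          # users whose streak just reached the threshold
    locked, missing = set(), set()
    for _ts, event, user in records:
        if user in pending:
            pending.discard(user)
            (locked if event == "LOCKOUT" else missing).add(user)
        if event == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] == threshold:
                pending.add(user)
        else:                # LOGIN_OK, LOCKOUT or UNLOCK ends the run
            streak[user] = 0
    missing.update(pending)  # threshold reached, lockout never recorded
    return sorted(locked), sorted(missing)


def missing_event_types(records, required=REQUIRED_EVENTS):
    """Event types the SSP requires to be audited but which never appear."""
    seen = {event for _ts, event, _user in records}
    return sorted(required - seen)


def review(text, threshold=3):
    """Run the whole weekly review over one log and return the findings."""
    records, unparsed = parse_log(text)
    locked, missing = check_lockouts(records, threshold)
    return {
        "records": len(records),
        "unparsed": unparsed,
        "locked": locked,
        "missing_lockout": missing,
        "unaudited_event_types": missing_event_types(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `missing_lockout` list means the lockout control the SSP claims is not actually firing (or its events are not being audited), and a non-zero `unparsed` count or a non-empty `unaudited_event_types` list means the audit trail itself needs attention before the review can be trusted.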

39
USER ACKNOWLEDGEMENT OF RESPONSIBILITIES
  • Paragraph 8-105 dictates that users will
    acknowledge, in writing, their responsibilities
    for the protection of the IS and classified
    information.
  • Ensure this is accomplished AFTER provision of IS
    training to the user and BEFORE allowing him/her
    on the system
  • Don't forget to train the IT Support personnel on
    the need for documentation when they replace
    defective components, and to get them to sign an
    acknowledgement form
    • also train them on the need to protect new
      hardware destined for classified operations

40
STEP SIX
  • Put it all together and submit your package for
    accreditation

41
WHO CAN ACCREDIT WHAT?
  • Local IS reps (if trained) can accredit
    • Standalone systems (DSS Level two)
    • Standalone systems connected to a STU/STE (DSS
      Level three)
  • Regional ISSPs must accredit
    • Multi-user/LAN (DSS Level 4)
    • I am told reps may be able to accredit these
      within a year (requires a 1 week course)

42
RECOMMENDED TRAINING OPPORTUNITIES
  • DSS IS Security Procedures for Industry
  • DSS regional and local workshops
  • NCMS national and local seminars
  • SANS Institute training
    • Kickstart
    • Security Essentials

43
OTHER NUGGETS THAT MAY BE USEFUL
  • Trusted downloads
    • Removing a lower classified or unclassified file
      from classified media
  • If your SSP was accredited before May 1, 2001, it
    is good until May 1, 2004
  • Accreditations are good for three years
  • The ISSM is responsible for notifying the IS Rep
    that the three year accreditation is expiring
  • If your IS Rep trusts your facility to
    self-accredit, the authority will be in writing
  • If you have self-accreditation authority and your
    Master SSP includes trusted download procedures,
    you can self-accredit similar systems with
    trusted download procedures
  • I am told accreditation process takes about 45
    days
  • DSS can grant an interim authority to operate
  • MFO requires a separate Master Plan for each
    facility
  • Receipt/dispatch records for documents
    electronically transmitted are under discussion

44
SUMMARY/SALIENT POINTS
  • An ISSO can no longer write an SSP by him/herself
    - you need to consult with the Sys Admin and the
    users
  • Protection measures for Integrity and
    Availability are not required unless they are in
    the contract or impact Confidentiality
  • Use available resources - SSP boilerplate/ISL
    01L-1/SSP checklists/certification test plan
  • Train your IT folks on IS procedures - especially
    activities you must log in audit records
  • You must understand network fundamentals to be an
    effective ISSM or ISSO
  • EDUCATION, EDUCATION, EDUCATION!!!