Sandra Patton

1
Central Florida ISAC July 25, 2001
NISPOM Chapter 8
(Yet Another Presentation on the Not so New
Chapter 8)

• Sandra Patton

2
Topics

• What you wont Hear Today
• FAISSR SSP, Latest and Greatest
• Tailoring the FAISSR SSP
• Chapter 8 Challenges
• Questions?

3
NOT TODAY . . .
4
Already Done

• Chapter 8 in Viewgraph Form
• San Diego ISAC http//www.sdisac.com
• Chapter 8 Old to New
• DSS http//ww.dss.mil
• Overview of FAISSR Plan
• CFISAC website http//www.cfisac.org
• Chapter 8 Technical Implementations
• CFISAC website http//www.cfisac.org
• Chapter 8 Briefing (ISSO User)
• CFISAC website http//www.cfisac.org

5
Disclaimer

• Just because I said it doesnt mean its the
  right way or the best way
• I am not a DSS representative
• There are many right ways to do things
• Suggestions and Helpful Hints

6
FAISSR PLAN
LATEST GREATEST
7
FAISSR Plans 101

• FAISSR Plan consists of two parts
• Master SSP One Per Facility/System Type
• Protection Profile One Per IS
• Two FAISSR Plans
• Master SSP for Non-Standalones
• SSP for Standalones Special Purpose ISs
• Changes made in the Master will flow into the
  Standalone Special Purpose (if applicable)

8
FAISSR Plans History

• Version 1.0 2/12/2001
• Unpublished
• Version 1.B 2/13/2001
• Updates prior to Release Published
• Version 2.0.1 5/23/2001
• Incorporated comments from DSS
• Version 3.0 7/5/2001
• The latest and greatest

9
Version 3.0

• Incorporates comments from
• California IS Security Organization (CISSO)
• North East Region ISSM Association (NERISSMA)
• Adds a separate Network Security Plan
• Contractor to Contractor NSP
• Government to Contractor MOU NSP
• Separate files in one Zipped file

10
Version 3.0

• Zipped File Contents
• Readme File
• Master SSP
• Protection Profile
• Contractor to Contractor NSP
• Government to Contractor MOU NSP
• Trusted Downloading Procedures
• Concordance file for updating index

- Use ONLY until DSS provides on website
11
Version 3.0

• OOPS, Not Yet Published .
• Watch the CFISAC website
• Most likely by August 3rd
• No requirement to update your master plan to
  latest FAISSR plan
• Review changes to FAISSR plan for applicability
  to your facility

12
TAILORING THE
FAISSR PLAN
13
Helpful Hints

• The PRIMARY purpose of the Master SSP is for
  certification accreditation of the IS
• Dont use the plan as your sole source of ISSO
  User training material
• Dont make too many changes
• DSS is familiar with the FAISSR plan
• Dont make too few changes
• DO NOT submit it with no changes
• Take ownership make some decisions
• Change optional and instructive statements to
  active have done or shall statements

14
Helpful Hints

• How much do I tailor?
• Large facility with many varied systems,
  programs, and physical area types
• General Master Plan Specifics in the individual
  IS Profiles and in Training materials
• Smaller facility with fewer programs, IS types
  and physical security options .
• More Specific Master Plan

15
The Mechanics

• Accept all changes, then verify track changes
  while editing is enabled
• After tailoring, document all of your changes in
  the Revision Log
• Provide to DSS
• Softcopy
• Hardcopy with tracked changes printed
• Hardcopy without tracked changes printed

16
Section by Section

• Cover Page
• Company Name Logo
• Table of Contents
• Update after tailoring
• Forward
• Remove completely or replace with
• Promulgated Security Policy
• Other general IS security information

17
Section by Section

• Revision Log
• Remove FAISSR changes and start by stating the
  FAISSR version that you are tailoring your plan
  from.
• Add your changes
• 1.0 Introduction
• Purpose Tailor to include company name and
  reference to company security manual. If
  applicable, modify listed attachments.

18
Section by Section

• For example
• This document serves as a Master SSP for all
  Protection Level 1 ISs accredited by the DSS
  within a contractor facility. It supplements the
  Contractors Facility Manual and provides
  instructions for the safeguarding of classified
  information while resident within or being
  processed by an Information System (IS).
• This document, which supplements the Acme
  Corporation Facility Security Manual, provides
  instructions for the safeguarding of classified
  information while resident within a Protection
  Level 1 accredited Information System (IS).

19
Section by Section

• 2.0 Personnel Responsibilities
• Contractor Management Tailor to include actual
  names and titles.
• ISSM ISSO Provide names contact
  information. Consider adding a separate ISSO
  section with specific written duties.
• Users Privileged Users OK as is. If you have
  specific rules or requirements place them here.
  Consider re-wording or removing optional
  statements.
• Although not required by the NISPOM, following
  are some guidelines .

20
Section by Section

• 3.0 Certification and Accreditation
• Certification If your users are more familiar
  with DSS, change DAA to DSS.
• CA of Similar Systems Remove if you do not
  have self-certification. Otherwise,
• DSS must accredit the first IS under the Acme
  Master SSP. Once the Master Acme SSP has been
  accredited, Joe ISSM may certify additional ISs
  that have similar Profiles.
• Self Inspections Replace recommendations with
  specifics.

21
Section by Section

• 4.0 SIRS - OK
• 5.0 Protection Measures
• Applicability of Logon Authentication Consider
  removing this section you will be making this
  decision.
• IA Management If you have a small environment,
  tailor this section to your specific procedures.
• Virus Detection Tailor to your companys virus
  detection policy.

22
Section by Section

• 5.0 Protection Measures (continued)
• Data Transmission Protection Remove if you do
  not anticipate the need.
• Audit Requirements Specify who will perform
  weekly reviews (ISSM or ISSO) will they be
  documented? If so, add to list of documented
  actions.
• Clearance Sanitization You may want to remove
  reference to DSS website.

23
Section by Section

• 6.0 Personnel Security
• Personnel access to IS OK as is or you can add
  more specifics. For example, the ISSO shall email
  Security to verify users clearance levels.
• Security Education OK as is or you can modify
  to discuss your specific IS training program.

24
Section by Section

• 7.0 Physical Security
• Physical Security OK as is. If you dont have
  or anticipate either Restricted Areas or Closed
  Areas remove the paragraph.
• 8.0 Maintenance
• Maintenance Do you want to be notified prior to
  maintenance actions? If so, state it here.

25
Section by Section

• 9.0 Media Controls
• Accountability Secret or Top Secret?
• Media Destruction Modify to your facilities
  procedures (note also tailor media destruction
  portion of Profile)
• 10.0 Output Procedures
• Remove reference to Trusted Downloading
  procedures on DSS website.
• 11.0 Upgrade Downgrade Procedures
• OK as is

26
Section by Section

• 12.0 Markings
• Replace Contractors security manual
• 13.0 CM Plan and System Configuration
• OK as is If your approved ISs are part of your
  facility wide CM procedures describe them here.

27
Section by Section

• 14.0 System Specific Risks Vulnerabilities
• OK as is
• 15.0 Network Security
• OK as is
• Data Transmission Records - Remove if you do not
  anticipate the need for any remote connections.

28
Tailoring the Profile

• System Identification and Requirements
  Specification (SIRS)
• Facility name, address, CAGE Code
• ISSM name and phone number
• Highest Classification Level of data
• Type of Area
• Media Destruction Methods
• Fill in static information and remove options
  not applicable to your facility.

29
Tailoring the Profile

• Forms Audit Records/Logs
• IS Access Authorization and Briefing Form
• Hardware and Software Maintenance Log
• Weekly audit review?

30
Time for a New IS

• Protection Profile
• Place an Initial entry in the Profile revision
  Log
• Complete all information in the SIRS
• Fill in the Hardware Baseline
• Insert a Configuration Diagram
• Fill in the Software Baseline
• Modify the Upgrade/Downgrade Procedure to the
  specific IS
• If applicable, Add
• IS Authorized Users List
• DSS Form 147
• Security Seal Log

• Sanitization Procedures
• Trusted Downloading Procedures
• Completed Network Security Plan

31
Chapter 8 Challenges
32
Technical Security Features

• Required for Non-Standalones . . .
• . . .When Technically Feasible
• Logon Authentication (e.g. passwords)
• Unique logon IDs
• Password Requirements
• Session Controls
• Logon Banner
• Account lockouts
• Extensive Auditing

33
Technically Feasible
1 SGI/IRIX ships with no passwords on system
accounts
34
Technically Feasible
SR Security Relevant Files All All Files
Problem, big impact on disk space possibly on
system performance
35
Technical Details

• Details of how to implement these features can be
  found in system documentation
• Hints for getting started on CFISAC website
  Engaging Technical Security on AIS page
• Some Operating Systems do not have these features
  by default
• NT Must convert from a FAT to NTFS file system
• HP-UX Must convert to trusted mode
• Solaris Must enable the Basic Security Module
• SGI/IRIX Must install the audit sub-system

36
Is it Really Feasible?

• Conflicts with System Design or Normal System
  Operations
• Production Systems
• Very common to find applications based on a
  single group or generic account with NO unique
  IDs
• Audit may impact performance requirements and
  disk space requirements
• Engineering Systems
• During formal Integration Test your testing
  environment needs to mirror what will be used in
  production

37
Is it Really Feasible?

• System Generated Passwords
• Very difficult to manage in a network environment
• NIS (Network Information Service) may be
  incompatible with enhanced security
  configurations (e.g. HP-UX trusted mode)
• Audit Access to Objects
• Security Relevant files vs All files
• Disk space and performance impacts
• Is it really useful information?

38
Challenges for ISSMs

• Certification of technical security features
• New requirement for ISSMs that requires some
  level of familiarity with operating systems
• Must re-certify for each change or added systems
• FAISSR Certification Test Guide provides a
  checklist
• Work with a knowledgeable system administrator
• Must Certify prior to submitting plan
• Hurry up wait (for up to 30 days)
• Classified media Cart before the horse

39
Questions?