Writing a Master SSP - PowerPoint PPT Presentation


1
Writing a Master SSP
  • National Industrial Security Program Operating
    Manual (NISPOM) Compliant - New Chapter 8

Presented by Barbara Martin, BAE SYSTEMS North
America, (603) 885-5177, barbara.d.martin@baesystems.com
2
The Goal
  • Get your Master SSP Approved
  • What is the Florida Industrial Security Awareness
    Council (ISAC)?
  • What is the Florida Plan?
  • Making it Your Own
  • The Devil is in the Details!
  • Do I have to use the Florida Plan?
  • Self-Accreditation Authority

3
Get Your Master SSP Approved
  • The Process
    • Write the Master SSP to a new IS
    • Inspect the IS
      • Make sure everything works as advertised
      • Verify everything on the Certification Test Guide
    • DSS inspects the IS to the new Master SSP
    • DSS accredits the IS and approves the Master SSP

4
What is the Florida Industrial Security Awareness
Council (ISAC)?
  • The Central Florida ISAC is a joint Government
    (Department of Defense, FBI) and Contractor group
    that meets once a month to plan and promote
    Security Education and Awareness to the Central
    Florida Contractor Community.
  • http://www.cfisac.org
  • So, why are we using their products?
  • They are great, and they said we could!

5
What is the Florida Plan?
  • It is a NISPOM compliant SSP
  • Generic enough to fit most contractor sites
  • Easily modified to reflect your company needs
  • Partnered with DSS when written, so the comfort
    level is high when inspected against the format

6
Making it Your Own
  • Section 1 - Introduction
    • 1.1 Purpose
      • Make sure you identify your company
      • List only those attachments that apply
  • Section 2 - Personnel Responsibilities
    • 2.1 Contractor Management
      • a. Identify location of Letter of Promulgation
        or how it is displayed
      • b. Identify the ISSM

7
Making it Your Own - cont'd
  • Section 3 - Certification and Accreditation
    • Details the process
  • Section 4 - System Identification and
    Requirements Specification (SIRS)
    • Discusses the System Profile
    • Note: Not everyone will use this format -
      make it work for your company!

8
Making it Your Own - cont'd
  • Section 5 - Protection Measures
    • Provides the minimum requirements
    • Change to meet your company policies and
      procedures (ex. BAE SYSTEMS changes passwords
      every 64 days; the requirement is 12 months)
    • 5.2.1 - Logon Banner
      • This is required - make sure it is on your
        systems
      • Note: If the system is not technically
        capable of displaying the logon banner, this
        banner will be prominently displayed in the
        area of the approved IS.
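As an added example (not part of the presentation, the Florida Plan, or any BAE SYSTEMS material), the following POSIX shell script audits the two Section 5 protection measures called out above on a Unix-style host: the password change interval (read as PASS_MAX_DAYS from a login.defs-style file) is compared against a policy maximum, and a logon banner file is checked for existence and non-blank content. The file names, the login.defs-style format, the 365-day figure used to represent the 12-month requirement, and the sample file contents are all assumptions constructed for the example; run it against your own configuration paths in place of the temporary files.

```shell
#!/bin/sh
# Added example: audit two Section 5 protection measures from configuration
# files. File paths and limits are parameters; sample files are constructed.

# check_pass_max_days FILE LIMIT
# Reads PASS_MAX_DAYS (last occurrence wins, as in login.defs) from FILE.
# Returns 0 if the value is set, numeric and <= LIMIT days; 1 otherwise.
check_pass_max_days() {
    file=$1
    limit=$2
    value=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$file")
    case "$value" in
        ''|*[!0-9]*)
            echo "PASS_MAX_DAYS not set (or not numeric) in $file"
            return 1 ;;
    esac
    if [ "$value" -le "$limit" ]; then
        echo "PASS_MAX_DAYS=$value (policy max $limit): OK"
        return 0
    fi
    echo "PASS_MAX_DAYS=$value exceeds policy max $limit"
    return 1
}

# check_banner FILE
# Returns 0 if the banner file exists, is non-empty and has at least one
# non-blank line (an empty /etc/issue still "exists" but displays nothing).
check_banner() {
    [ -s "$1" ] && grep -q '[^[:space:]]' "$1"
}

# report NAME CMD ARGS...   runs one check and prints PASS/FAIL without
# aborting the script, so a full audit can be listed in one run.
report() {
    name=$1; shift
    if "$@"; then echo "PASS: $name"; else echo "FAIL: $name"; fi
}

# ---- Constructed sample inputs (hypothetical, not real system files) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/login.defs.company" <<'EOF'
# excerpt of a login.defs-style file: 64-day change interval
PASS_MAX_DAYS   64
PASS_MIN_DAYS   1
EOF

cat > "$tmp/login.defs.lax" <<'EOF'
PASS_MAX_DAYS   400
EOF

printf 'Authorized use only. Usage is monitored.\n' > "$tmp/issue.ok"
: > "$tmp/issue.empty"

# ---- Audit run: 365 days stands in for the 12-month requirement ----
report "company 64-day interval within 12-month requirement" \
    check_pass_max_days "$tmp/login.defs.company" 365
report "company interval within its own 64-day policy" \
    check_pass_max_days "$tmp/login.defs.company" 64
report "400-day interval within 12-month requirement" \
    check_pass_max_days "$tmp/login.defs.lax" 365
report "logon banner present" check_banner "$tmp/issue.ok"
report "empty logon banner" check_banner "$tmp/issue.empty"
```

Both checks are written as functions returning an exit status so they can be dropped into a larger self-inspection script before the DSS visit; the PASS/FAIL lines are the human-readable record, and a non-zero return from either function is what a wrapper should act on.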

9
Making it Your Own - cont'd
  • Section 6 - Personnel Security
    • Covers Personnel Access to IS
    • Security Education and rebriefing requirements
  • Section 7 - Physical Security
    • Restricted Areas
    • Closed Areas

10
Making it Your Own - cont'd
  • Section 8 - Maintenance
    • Cleared Maintenance Personnel
    • Uncleared (or Lower-Cleared) Maintenance Personnel
  • Section 9 - Media Controls (defines)
    • Classified Media
    • Protected Media
    • Unclassified or Lower Classified Media
    • Media Destruction

11
Making it Your Own - cont'd
  • Section 10 - Output Procedures
    • Hardcopy Output Review
    • Media Review and Trusted Downloading
  • Section 11 - Upgrade and Downgrade Procedures
    • Periods Processing
    • Upgrading/Preprocessing Objectives
    • Downgrading/Postprocessing Objectives

12
Making it Your Own - cont'd
  • Section 12 - Markings
    • IS Hardware Components
    • Unclassified Media
  • Section 13 - Configuration Management and System
    Configuration
    • Hardware / Software Description
    • Hardware / Software Requirements
    • Change Control Procedures for Hardware /
      Software

13
Making it Your Own - cont'd
  • Section 14 - System Specific Risks and
    Vulnerabilities
    • DAA will provide threat information
    • These could be classified and must be handled
      accordingly
  • Section 15 - Network Security
    • Network Management
    • Interconnection requirements
    • Data Transmission Records
    • Receipt and Dispatch Logs

14
The Devil is in the Details!
  • The Protection Profile
    • Has all the attachments:
      • Revision Log
      • System ID and Requirements Specification,
        Parts 1 and 2
      • Hardware Baseline
      • Configuration Diagram
      • Software Baseline
      • IS Briefing Form

15
The Devil is in the Details! - cont'd
  • The Protection Profile - cont'd
      • Upgrade/Downgrade Procedure Record
      • Maintenance, Operating System Log
      • AIS Change Request Form
      • BAE SYSTEMS Configuration Management Tool
      • Weekly Audit Review Log
      • ISSO Delegation Record
      • IS Authorized Users List
      • DSS Form 147

16
The Devil is in the Details! - cont'd
  • The Protection Profile - cont'd
      • IS Security Seal Log
      • Information System Network Security Profile
      • Receipt and Dispatch Record
      • Certification Test Guide
      • Sample Sanitization Procedure

17
Do I have to use the Florida Plan?
  • No one is going to hold a gun to your head, but
    why not use it?
  • They have a great web site with terrific
    presentations, boilerplates and overall good
    information
  • We are all too busy - why reinvent the wheel?
  • A famous person once said,
    "If you're going to plagiarize, plagiarize from
    the best!"
18
Self-Accreditation Authority (on a lighter note)
  • DSS Criteria for Self-Accreditation Authority
    • Take DSS Certification Course
    • Submit DSS-Approved Master SSP
    • Get Self-Accreditation Authority
  • Doesn't work that way
  • Do all you can and hope for the best!

19
Thank You