1
Tailoring the C&A Process to Small Programs
Dr Christopher V. Feudo, NA-1, Senior Cyber Security Consultant
3 March 2009
2
Agenda
  • Introduction
  • The What, Why, When, and How of C&A
  • What is ePegasus
  • Tailoring C&A for ePegasus
  • RA, ISSP, ST&E
  • Lessons Learned
  • Conclusion
3

The Threat and the Players
4
Attack Sophistication vs. Intruder Technical Knowledge
[Chart: attack sophistication (Low to High) plotted against the technical knowledge an intruder needs, on a 1980-2009 timeline. The two curves are labelled "Tools" and "Attackers": tool sophistication rises while the intruder knowledge required falls. Attack types plotted, from most to least sophisticated: stealth / advanced scanning techniques; packet spoofing; identity theft; wireless attacks; sniffers; phishing, pharming attacks; sweepers; DDoS attacks; automated probes/scans; GUI; back doors; disabling audits; network mgmt. diagnostics; hijacking sessions; burglaries; exploiting known vulnerabilities; password cracking; self-replicating code; password guessing.]
There are over 57,000 hacker sites.
5
What is Certification & Accreditation?
  • Certification: The comprehensive assessment of the technical and non-technical security features and other safeguards associated with the use and environment of a system, to establish whether the system meets a set of specified security requirements.
  • Accreditation: The formal declaration by the DAA that the system is approved to operate using a prescribed set of safeguards. It should be strongly based on the residual risks identified during certification.
  • Certification & Accreditation (C&A) is the process of formal assessment, testing (certification), and acceptance (accreditation) of the security controls that protect information systems and the data stored in and processed by those systems.
  • It is a process that encompasses the system life cycle and ensures that the risk of operating a system is recognized, evaluated, and accepted.
  • The C&A process implements the concept of adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
6
Why Spend the Time on a C&A?
  • Certification and Accreditation is a federally mandated standard process to ensure that national security information systems meet documented security requirements and maintain the accredited security posture throughout their system life cycle.
  • There are requirements that C&As be done. References include:
      • OMB Circular A-130, Appendix III
      • Derived from guidance published in the NIST SP 800 series, including SP 800-37, SP 800-18, SP 800-53, SP 800-60, FIPS 199, and FIPS 200
      • DOE 205 series, DOE 205.9
      • NAP 14.1-C / 14.2-C (for NNSA)
  • The processes followed by the C&A effort provide additional benefits to the system owner as well:
      • Demonstrating compliance with all federal directives and laws
      • Establishment of a complete set of security requirements
      • Independent verification of the correct implementation of the security requirements
      • A formal analysis of the residual risk once all the security requirements have been met
      • All of the documentation associated with the development, deployment, and maintenance of the system as it relates to security is contained in one set of documents
      • Improvement in systems in use through more informed selection of new systems, strengthening of software settings, and higher reliability
      • Improved and consistent processes for handling restoration from system corruption or failure
      • Identifies the systems and functions performed by an organization to senior management
7
Management Structure and Responsibilities
  • The NNSA PCSP is managed through a multi-tiered structure:
      • NNSA Chief Information Officer (CIO)
      • Cyber Security Program Manager (CSPM)
      • Site Office Manager
      • DAA's Representative
      • Designated Approving Authority (DAA)
      • Information System Security Officer Manager (ISOM)
      • Information Systems Security Site Manager (ISSM)
      • Information System Owner
      • Information System Security Officer (ISSO)
      • Application Owners and Data Stewards
      • Users
      • Certification Agent (CA) / Certifier
8
What is the C&A Process?
9
Reality Check - The C&A Process
[Diagram: NAP 14.2-C activities, annotated "Negotiate"]
10
Phase 1 Pre-Certification Checklist
  • Has the scope of the C&A effort been defined?
  • Has the security/system categorization been determined and documented?
  • Has the minimum set of security controls been identified?
  • Have any additional controls been identified?
  • Has a review of the approved ISA been done?
  • Has a PIA been conducted, if required?
  • Has the Information System Security Plan (ISSP) been reviewed?
  • Has the Risk Assessment been reviewed?
  • Has the DAA approved the ISSP?
  • Have any deviations (if applicable) been approved?
11
Phase 2 Verification Package Checklist
  • Completed ST&E report
  • ISSP approval, including ISAs
  • Updated Risk Assessment
  • Completed PIA, if applicable or required
12
Phase 3 Validation of C&A Decision Checklist
  • Has the ST&E Plan been created and approved?
  • Has security testing been performed?
  • Have privacy implications been reviewed (if required)?
  • Has the approved ISA been reviewed?
  • Has the ST&E Report been written?
  • Has the Risk Evaluation been updated, if required?
  • If the ISSP has been updated, has the updated plan been approved by the DAA?
  • Have the certification findings been documented?
  • Has the certification package been forwarded to the ISSM?
  • Has the ISSM reviewed the ST&E Report and forwarded it to the DAA?
  • Has the DAA issued an accreditation decision?
  • If so, has the DAA returned the C&A package to the ISSM?
13
Phase 4 Post-Accreditation Checklist
  • Has the system owner maintained configuration control?
  • Have all security-relevant changes to the system been approved by the DAA?
  • Have the hardware and software inventories been updated every time the system configuration changed?
  • If major system changes have been implemented, has the system been re-accredited in its new configuration?
  • If applicable, has a Plan of Action and Milestones (POA&M) been developed, and is it being monitored/updated as required?
  • Is the three-year anniversary of the system accreditation approaching? If so, have plans for resources been made to begin the re-accreditation process?
14
How to Tailor the C&A Process to ePegasus
  • ePegasus is an online, web-based application developed and maintained by the NNSA Albuquerque, NM Service Center.
  • It is an unclassified, web-based, on-line tracking system for Issues, Correspondence, Actions, Lessons Learned, Assessments, Training, and Reports.
  • Selected by NNSA management for expansion to an enterprise-wide system. The application is built on Microsoft's Internet Information Server (IIS) and uses Active Server Pages (ASP).
  • The application has interfaces with the eight field offices and NNSA HQ. The application components are physically housed in the Service Center data center in Albuquerque, NM.
  • ePegasus will provide a tool to enable NNSA organizations to share information and regularly assess the effectiveness of lessons-learned processes, to improve all work processes (e.g., safety, security) and associated management systems.
15
Tailoring
  • Never had it / never will need it (criteria to be met)
  • Template
  • Policy changes/clarifications
  • Downgrade/upgrade (e.g., UCNI)
16
e-Pegasus C&A Related Facts
  • Type of Accreditation: System Accreditation
  • Documents Completed: Information System Security Plan (ISSP), Risk Assessment (RA) Report, ST&E Test Plan, and ST&E Report
  • Key Elements: Unclassified system (OUO and UCNI); no Personally Identifiable Information (PII) data; not accessible from the Internet
  • Confidentiality: Moderate
  • Integrity: Low
  • Availability: Moderate
  • System Categorization (based on the high water mark of the security objectives): Moderate
17
e-Pegasus Accreditation Type
  • System Accreditation: an accreditation method used for a single information system operating under a single ISSP.
  • Site Accreditation: an accreditation method used to accredit multiple instances of an information system.
  • Type Accreditation: an accreditation method used to accredit multiple connections to one network, where the connections are located at different sites.
18
e-Pegasus Participants
Key Participants:
  • Designated Approving Authority (DAA) - Wayne Jones
  • Information System Security Site Manager (ISSM) - B. Chavez
  • Certification Agent (CA) - D. Acree
  • Information System Owner / Data Owner/Steward - Dr. L. Wilbanks
  • Information System Security Officer (ISSO) - D. Breedlove
  • System Administrator/User - Maggie Wood
C&A Team: Dr. Chris Feudo (Lead), Mark Schaffer, Doner Honrado (replaced Mark Wallace), Steve Botzum, Maggie Wood, Denise Breedlove, and Melissa Ujczo-Kovachich.
19
e-Pegasus C&A Development
Plan the Plan: used the 4-phase approach with 7 key steps.
20
Phase 1 e-Pegasus C&A
21
e-Pegasus Architecture/Boundary
22
C&A Package
  • RA Report
  • Updated Risk Assessment
  • Approved ISSP
  • ST&E Report
23
Why RA?
  • The purpose of this Risk Assessment (RA) Process document is to identify threats and vulnerabilities related to ePegasus, providing the Certification and Accreditation (C&A) team with a repeatable procedure for conducting information technology risk assessments.
  • The process described in this document is a key element of the overall risk management process, helping to identify and analyze risk.
24
Risk Assessment Process
25
17 Security Control Families
26
Threat Profile Matrix
27
e-Pegasus Risk Value
The likelihood that a potential vulnerability could be exercised by a given threat source is described as High, Moderate, or Low, along with its weighted value.
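The weighted value on this slide is the likelihood-times-impact scheme of NIST SP 800-30 (the 2002 edition in force when this deck was written), which the presentation cites but does not spell out. The block below is an added example written for this transcript, not code from the presentation or from the ePegasus C&A package. It assumes SP 800-30's weights (likelihood High 1.0, Moderate 0.5, Low 0.1; impact High 100, Moderate 50, Low 10) and its risk bands (Low 1 to 10, Moderate above 10 to 50, High above 50), and it also computes the FIPS 199 high-water-mark categorization used on the e-Pegasus facts slide, where Confidentiality Moderate, Integrity Low, Availability Moderate yields Moderate overall. The threat entries are constructed samples, not findings from the ePegasus RA.

```python
"""Weighted risk values (NIST SP 800-30, 2002 edition) and FIPS 199 high-water-mark
system categorization.

Added example for this transcript, not part of the presentation or of the ePegasus
C&A documents. Weights and bands are SP 800-30's; the slide gives only the levels.
"""
from dataclasses import dataclass
from typing import Iterable, List

# SP 800-30 likelihood and impact weights (assumption: the slide names the three
# levels but not the numeric weights; these are the 2002 NIST table values).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Moderate": 50, "Low": 10}

# Ordering of FIPS 199 impact levels for the high-water-mark rule.
LEVEL_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def risk_value(likelihood: str, impact: str) -> float:
    """Risk value = likelihood weight x impact weight.

    Rounded so a binary-float product such as 0.1 * 100 cannot drift past the
    band edge at exactly 10 (which SP 800-30 still classes as Low).
    """
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 3)


def risk_level(value: float) -> str:
    """SP 800-30 risk scale: Low 1 to 10, Moderate above 10 to 50, High above 50."""
    if value > 50:
        return "High"
    if value > 10:
        return "Moderate"
    return "Low"


def high_water_mark(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 system categorization: the highest impact level of the three objectives."""
    return max((confidentiality, integrity, availability), key=LEVEL_ORDER.__getitem__)


@dataclass(frozen=True)
class ThreatEntry:
    """One row of a threat profile matrix: who, exploiting what, how likely, how bad."""
    threat_source: str
    vulnerability: str
    likelihood: str  # High / Moderate / Low
    impact: str      # High / Moderate / Low

    @property
    def value(self) -> float:
        return risk_value(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.value)


def rank_risks(entries: Iterable[ThreatEntry]) -> List[ThreatEntry]:
    """Highest weighted value first: the order in which an RA report should list
    what must be mitigated or formally accepted before the DAA signs."""
    return sorted(entries, key=lambda e: e.value, reverse=True)


# Constructed sample entries for illustration only; not findings from the ePegasus RA.
SAMPLE_ENTRIES = [
    ThreatEntry("System administrator", "No automatic reboot after weekly maintenance", "Moderate", "Low"),
    ThreatEntry("Authorized user", "Inadvertent entry of PII or classified information", "Low", "High"),
    ThreatEntry("Insider", "Audit logging can be disabled from the application account", "Moderate", "Moderate"),
    ThreatEntry("External attacker", "Known vulnerability in web server software left unpatched", "High", "Moderate"),
]

if __name__ == "__main__":
    print("FIPS 199 categorization (C=Moderate, I=Low, A=Moderate):",
          high_water_mark("Moderate", "Low", "Moderate"))
    for e in rank_risks(SAMPLE_ENTRIES):
        print(f"{e.value:6.1f}  {e.level:8s} {e.threat_source}: {e.vulnerability}")
```

Two points worth noticing when filling in a matrix like this: a Low-likelihood, High-impact pair lands exactly on 10 and is still Low on the NIST scale, so the band test is strictly greater-than, and the weighted value is rounded before banding so floating-point noise cannot push a boundary case into the wrong band. The high-water-mark rule is deliberately separate from the per-threat scoring; it fixes the control baseline for the whole system, while the ranked list drives which residual risks the DAA is asked to accept.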
28
RA Techniques Used
29
Why ISSP?
  • This NNSA ePegasus Information System Security Plan (ISSP) has a three-fold purpose:
  • It is an overview of the security requirements of the system and the controls in place or planned for meeting those requirements. The ISSP also delineates the responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It reflects input from the various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer.
  • Issuance of an accreditation / Approval to Operate (ATO): the ISSP forms the basis for the issuance of an accreditation or Interim Approval to Operate (IATO) by NNSA's Designated Approving Authority (DAA).
  • Certification and accreditation (C&A) requirements: this ISSP supports specific DOE certification and accreditation requirements. DOE-specific requirements are set forth primarily in the NNSA Policy Letters (NAPs), specifically NAP 14.2-C.
30
Why ST&E?
  • An ST&E involves planning and executing security tests and documenting the test results. The plan must be approved by the DAA prior to starting the ST&E.
  • The goals of the ST&E are to identify the security profile of the ePegasus system through hands-on testing in a controlled environment, and to assess whether the system security configuration and controls meet the requirements for accreditation.
  • The ST&E also verifies compliance with the NNSA baseline security requirements (BLSR).
  • The ST&E results will be documented in an ST&E Report, which will serve as input to the ePegasus accreditation decision.
  • This ST&E constitutes the baseline configuration testing guide for ePegasus in its System Development Life Cycle (SDLC). It will also validate the security posture of ePegasus.
  • This validation will be the basis on which the Designated Approving Authority (DAA) makes an accreditation decision for the system.
31
ePegasus ST&E Control Summaries
32
ST&E Evaluation Schema
Source column legend: the actions in the Source column of the following Detailed Procedures and Results tables are represented as follows:
  • I - Interview
  • T - Test
  • O - Observation
  • D - Documentation supporting implementation
33
SECURITY TEST AND EVALUATION (ST&E) TEST CASE
34
Detailed Procedures and Results
35
Phase 2 e-Pegasus C&A
36
ST&E Test Example: e-Pegasus
37
Phase 3 and 4 e-Pegasus C&A
[Status table]
  • DAA to sign: 1530 hours, 20 Feb 2009
  • In Process
  • In Process
  • TBD
38
Lessons Learned
  • Version control
  • Watch out for copy and paste
  • Turnover of personnel
  • Management support
  • Common understanding of controls
  • Understand what specific controls mean
  • System owner to develop the SSP
  • Earlier C&A team involvement: the C&A team and Security should incorporate security activities throughout the life cycle
  • Determining the boundary for C&A is critical
  • Communication was essential; milestones were crucial, with approval at every milestone
  • Security control testing: a repeatable process
  • Testers need to look at artifacts, not ask people whether they perform a required function
  • Can become a paperwork exercise with little value
  • Copies of artifacts should be maintained for reference
  • Certification of a DOE system is the responsibility of the System Owner.
39
Risk Management Framework
40
System Security in the SDLC
41
Conclusion
  • C&A, if taken in its intended spirit, can be an invaluable tool for managing the security of a system throughout its life cycle.
  • Going through the formal process of certification and accreditation ensures that a clearly established set of security requirements is developed and implemented, that any residual risk is minimized and clearly understood, and that all aspects of the development and deployment of security controls and policies are recorded in one document.
42
Food for Thought
Thinking Outside of the Box
"You cannot use the same level of thought to solve a problem that you used in creating it."
Albert Einstein
43
Tailoring the C&A Process to Small Programs
Dr Christopher V. Feudo, NA-1, Senior Cyber Security Consultant
5 March 2009