28 December 1998
Source:
http://web7.whs.osd.mil/corres.htm
Department of DefenseINSTRUCTION NUMBER 5200.40 December 30, 1997 ASD(C3I) SUBJECT: DoD Information Technology Security Certification and Accreditation Process (DITSCAP) References: (a) DoD Directive 5200.28, Security Requirements for Automated Information Systems (AISs), March 21, 1988 (b) Public Law 100-235, Computer Security Act of 1987, January 8, 1988 (c) Office of Management and Budget Circular No. A-130, Management of Federal Information Resources, February 8, 1996 (d) Director of Central Intelligence 1/16, Security Policy on Intelligence Information in Automated Systems and Networks, March 14, 1988 (e) through (m), see enclosure E1. 1. PURPOSE This Instruction: 1.1. Implements policy, assigns responsibilities, and prescribes procedures under reference (a) for Certification and Accreditation (C&A) of information technology (IT), including automated information systems, networks, and sites in the Department of Defense. 1.2. Creates the DoD IT Security Certification and Accreditation Process (DITSCAP) for security C&A of unclassified and classified IT to implement references (a) through (d). 1.3. Stresses the importance of a life-cycle management approach to the C&A and reaccreditation of DoD IT. 2. APPLICABILITY AND SCOPE This Instruction: 2.1. Applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (IG, DoD), the Defense Agencies, and the DoD Field Activities (hereafter referred to collectively as the DoD Components), their contractors, and agents. 2.2. Shall be used by milestone decision authorities when acquiring IT. 2.3. Shall apply to the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information. It applies to any IT or information system life cycle, including the development of new IT systems, the incorporation of IT systems into an infrastructure, the incorporation of IT systems outside the infrastructure, the development of prototype IT systems, the reconfiguration or upgrade of existing systems, and legacy systems. 3. DEFINITIONS Terms used in this Instruction are defined in enclosure E2. 4. POLICY This Instruction implements the policies defined in DoD Directive 5200.28, Pub. L. 100-235 (1987), OMB Circular A-130, DCID 1/16, and DoD Directive 5220.22 (references (a) through (e)). 5. RESPONSIBILITIES 5.1. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence shall: 5.1.1. Oversee and review implementation of this Instruction. 5.1.2. Review, oversee, and formulate overall policies that govern DoD security practices and programs to implement the DITSCAP as the standard DoD process for conducting IT C&A. 5.1.3. Promulgate standards, establish support and training, and manage the transition to the DITSCAP. 5.1.4. Conduct an annual assessment and/or review of the DITSCAP and consider proposed changes. 5.1.5. Ensure that each designated approving authority (DAA) implements and maintains the DITSCAP for security C&A of DoD Component and DoD contractor IT and networks under their jurisdiction. 5.2. The OSD Principal Staff Assistants and the Chairman of the Joint Chiefs of Staff, in respective areas of responsibility, shall ensure DoD Component compliance with the DITSCAP. 5.3. The Director, Defense Information Systems Agency shall: 5.3.1. Maintain DITSCAP procedural information in support of security C&A of DoD Component and DoD contractor IT systems and networks. 5.3.2. In coordination with the National Security Agency (NSA), implement, operate, and maintain an on-line information assurance support environment (IASE). 5.3.3. In coordination with NSA, provide assistance such as information system security engineering, security solutions, and security guidance to the DoD Components in the use of DITSCAP. 5.3.4. Provide DITSCAP training for the DoD Components. 5.3.5. Support the annual review of the DITSCAP. 5.4. The Heads of the DoD Components shall: 5.4.1. Implement the DITSCAP for security C&A of DoD Component and DoD contractor IT systems and networks in accordance with DoD Directive 5200.28, Pub. L. 100-235 (1987), OMB Circular A-130, DCID 1/16, DoD Directive 5220.22, DoD 5220.22-M, DoD 5220.22-M-Sup. and Chairman of the Joint Chiefs of Staff S3231.01 (references (a) through (h)) as applicable. 5.4.2. Provide assistance, and support to their respective Service or Agency constituents, in the implementation of the DITSCAP. 5.4.3. Assign responsibility to implement the standard C&A process to DAA responsible for accrediting each IT and network under their jurisdiction. 5.4.4. Support the annual review of the DITSCAP. 6. PROCEDURES 6.1. Approach. This Instruction defines the activities leading to security C&A. The activities are grouped together in a logical sequence. This Instruction presents the objectives, activities, and management of the DITSCAP process. 6.2. Objective. The objective of the DITSCAP is to establish a DoD standard infrastructure-centric approach that protects and secures the entities comprising the Defense Information Infrastructure (DII). The set of activities presented in the DITSCAP standardize the C&A process for single IT entities that leads to more secure system operations and a more secure DII. The process considers the system mission, environment, and architecture while assessing the impact of operation of that system on the DII. 6.3. C&A Process. The DITSCAP, enclosures E2. through E8., defines a process that standardizes all activities leading to a successful accreditation. The principal purpose of that process is to protect and secure the entities comprising the DII. Standardizing the process will minimize risks associated with nonstandard security implementations across shared infrastructure and end systems. The IASE has been developed as the mechanism to support the implementation of the DITSCAP activities. The DITSCAP process shall consist of the following four phases: 6.3.1. Phase 1, Definition. The Definition phase shall include activities to document the system mission, environment, and architecture; identify the threat; define the levels of effort; identify the certification authority (CA) and the DAA; and document the necessary security requirements for C&A. Phase 1 shall culminate with a documented agreement, between the program manager, the DAA, the CA, and the user representative of the approach and the results of the phase 1 activities. 6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure E3., that shall verify compliance with the security requirements and evaluate vulnerabilities. 6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall culminate in an approval to operate. 6.3.4. Phase 4, Post Accreditation. The Post Accreditation phase shall include activities to monitor system management and operation to ensure an acceptable level of residual risk is preserved. Security management, change management, and periodic compliance validation reviews are conducted. 6.4. Life-Cycle and Tailoring. The DITSCAP process applies to all systems requiring C&A throughout their life-cycle. It is designed to be adaptable to any type of IT system and any computing environment and mission. It may be adapted to include existing system certifications, evaluated products, use new security technology or programs, and adjust to the applicable standards. The DITSCAP may be mapped to any system life-cycle process but is independent of the life-cycle strategy. The DITSCAP is designed to adjust to the development, modification, and operational life-cycle phases. Each new C&A effort begins with phase 1, Definition, and ends with phase 4, Post Accreditation, in which follow-up actions ensure that the approved information system or system component continues to operate in its computing environment in accordance with its accreditation. The activities defined in these four phases are mandatory. However, implementation details of these activities may be tailored, and where applicable, integrated with other acquisition activities and documentation. Systems are categorizing into a set of system classes to support definition of standard security requirements and procedures, and to facilitate reuse of previous certification evidence. 7. INFORMATION REQUIREMENTS 7.1. The Systems Security Authorization Agreement (SSAA) Outline identified at enclosure E6., of this Instruction, is exempt from licensing in accordance with paragraph E.4.b, of DoD 8910.1-M (reference (j)). The annual assessment to review and consider proposed changes to the standard C&A process, procedures and tools is exempt from licensing in accordance with paragraph E.4.c. of DoD 8910.1-M (reference (j)). 8. EFFECTIVE DATE 8.1. This Instruction is effective immediately. 8.2. This instruction shall be reviewed annually. Enclosures - 8 1. References 2. Definitions 3. DITSCAP Description 4. Management Approach 5. Acronyms and Abbreviations 6. SSAA Outline 7. ITSEC System Class Description 8. DITSCAP Components Overview E1. ENCLOSURE 1 REFERENCES, continued (e) DoD Directive 5220.22, Industrial Security Program, November 1, 1986 (f) DoD 5220.22-M, National Industrial Security Program Operating Manual, January 1995, authorized by DoD Directive 5220.22 (g) DoD 5220.22-M-Sup, National Industrial Security Program Operating Manual (NISPOMSUP), December 29, 1994, authorized by DoD Directive 5220.22, December 8, 1980 (h) Chairman, Joint Chiefs of Staff S3231.01, Safeguarding the Single Integrated Operational Plan (U), November 30, 1993 (i) DoD Directive 5000.1, Defense Acquisition, March 15, 1996 (j) DoD 8910.1-M, DoD Procedures for Management of Information Requirements, November 28, 1986, authorized by DoD Directive 8910.1, June 11, 1993 (k) National Information Systems Security (INFOSEC) Glossary, National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 4009, August 1997 1 (l) Subsection 552a of title 5, United States Code (m) Department of Defense Technical Architecture Framework for Information Management (TAFIM), Volume 6, DoD Goal Security Architecture (DGSA), 30 April 1996 2 1 Available from the National Security Telecommunications And Information Systems Security Committee Secretariat (V503), 9800 Savage Road STE 6716, Fort Meade MD 20755-6716. 2 Available from the DISA Information Systems Security Program Management Office, 701 Courthouse Road, Arlington, VA 22204-2199. E2. ENCLOSURE 2 DEFINITIONS E2.1. Terms Terms used in this Instruction are selected from the NSTISSI 4009 (reference(k)) definitions when possible. Where new terms are used, the revised or new definitions will be submitted as changes to reference (k). E2.1.1. Accountability. Property that allows auditing of IT system activities to be traced to persons or processes that may then be held responsible for their actions. Accountability includes authenticity and non-repudiation. E2.1.2. Accreditation. Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. E2.1.3. Architecture. The configuration of any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; includes computers, ancillary equipment, and services, including support services and related resources. E2.1.4. Acquisition Organization. The Government organization that is responsible for developing a system. E2.1.5. Assurance. Measure of confidence that the security features, practices, procedures and architecture of an IT system accurately mediates and enforces the security policy. E2.1.6. Authenticity. The property that allows the ability to validate the claimed identity of a system entity. E2.1.7. Availability. Timely, reliable access to data and information services for authorized users. E2.1.8. Certification. Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements. E2.1.9. Certification Authority (CA). The official responsible for performing the comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meet a set of specified security requirements. E2.1.10. Computing Environment. The total environment in that an automated information system, network, or a component operates. The environment includes physical, administrative, and personnel procedures as well as communication and networking relationships with other information systems. E2.1.11. Communications Security (COMSEC). Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material. E2.1.12. Confidentiality. Assurance that information is not disclosed to unauthorized persons, processes, or devices. E2.1.13. Configuration Control. Process of controlling modifications to a IT systems hardware, firmware, software, and documentation to ensure the system is protected against improper modifications prior to, during, and after system implementation. E2.1.14. Configuration Management. Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life-cycle of the IT. E2.1.15. Configuration Manager. The individual or organization responsible for Configuration Control or Configuration Management. E2.1.16. Data Integrity. The attribute of data that is related to the preservation of its meaning and completeness, the consistency of its representation(s), and its correspondence to what it represents. E2.1.17. Defense Information Infrastructure (DII). The DII is the seamless web of communications networks, computers, software, databases, applications, data, security services, and other capabilities that meets the information processing and transport needs of DoD users in peace and in all crises, conflict, humanitarian support, and wartime roles. E2.1.18. Designated Approving Authority (DAA or Accreditor). Official with the authority to formally assume the responsibility for operating a system or network at an acceptable level of risk. E2.1.19. Developer. The organization that develops the information system. E2.1.20. DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities. E2.1.21. Emissions security (EMSEC). Measures taken to deny unauthorized persons information derived from intercept and analysis of compromising emanations from crypto-equipment or an IT system. E2.1.22. Environment. Aggregate of external procedures, conditions, and objects effecting the development, operation, and maintenance of an IT system. E2.1.23. Evolutionary Program Strategies. Generally characterized by design, development, and deployment of a preliminary capability that includes provisions for the evolutionary addition of future functionality and changes, as requirements are further defined, DoD Directive 5000.1 (reference (i)). E2.1.24. Governing Security Requisites. Those security requirements that must be addressed in all systems. These requirements are set by policy, directive, or common practice set; e.g., by E.O, OMB, the OSD, a Military Service or a DoD Agency. Those requirements are typically high-level. While implementation will vary from case to case, those requisites are fundamental and shall be addressed. E2.1.25. Grand Design Program Strategies. Characterized by acquisition, development, and deployment of the total functional capability in a single increment, reference (i). E2.1.26. Incremental Program Strategies. Characterized by acquisition, development, and deployment of functionality through a number of clearly defined system increments that stand on their own, reference (i). E2.1.27. Information Category. The term used to bound information and tie it to an information security policy. E2.1.28. Infrastructure-Centric. A security management approach that considers information systems and their computing environment as a single entity. E2.1.29. Information Security Policy. The aggregate of public law, directives, regulations, rules, and regulate how an organization manages, protects, and distributes information. For example, the information security policy for financial data processed on DoD systems may be in U.S.C., E.O., DoD Directives, and local regulations. The information security policy lists all the security requirements applicable to specific information. E2.1.30. Information System. Any telecommunication or computer-related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware. E2.1.31. Information System Security Officer (ISSO). The person responsible to the DAA for ensuring the security of an IT system is approved, operated, and maintained throughout its life-cycle in accordance with the SSAA. E2.1.32. Information Technology (IT). The hardware, firmware, and software used as part of the information system to perform DoD information functions. This definition includes computers, telecommunications, automated information systems, and automatic data processing equipment. IT includes any assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. E2.1.33. Information Technology Security (ITSEC). Protection of information technology against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. Protection and maintenance of confidentiality, integrity, availability, and accountability. E2.1.34. Integrator. An organization or individual that unites, combines, or otherwise incorporates information system components with another system(s). E2.1.35. Integrity. Quality of an IT system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. It is composed of data integrity and system integrity. E2.1.36. Legacy Information System. An operational information system that existed before to the implementation of the DITSCAP. E2.1.37. Maintainer. The organization or individual that maintains the information system. E2.1.38. Maintenance Organization. The organization that keeps an IT system operating in accordance with prescribed laws, policy, procedures and regulations. In the case of a contractor maintained system, the maintenance organization is the government organization responsible for, or sponsoring the operation of the IT system. E2.1.39. Mission. The assigned duties to be performed by a resource. E2.1.40. Non-Developmental Item (NDI). Any item that is available in the commercial marketplace; any previously developed item that is in use by a Department or Agency of the United States, a State or local government, or a foreign government with which the United States has a mutual defense cooperation agreement; any item described above, that requires only minor modifications in order to meet the requirements of the procuring Agency; or any item that is currently being produced that does not meet the requirements of definitions above, solely because the item is not yet in use or is not yet available in the commercial market place. E2.1.41. Other Program Strategies. Strategies intended to encompass variations and/or combinations of the grand design, incremental, evolutionary, or other program strategies, DoD Directive 5000.1 (reference (i)). E2.1.42. Program Manager. The person ultimately responsible for the overall procurement, development, integration, modification, or operation and maintenance of the IT system. E2.1.43. Risk. A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting impact. E2.1.44. Risk Assessment. Process of analyzing threats to, and vulnerabilities of, an IT system, and the potential impact that the loss of information or capabilities of a system would have on national security. The resulting analysis is used as a basis for identifying appropriate and effective measures. E2.1.45. Risk Management. Process concerned with the identification, measurement, control, and minimization of security risks in IT systems to a level commensurate with the value of the assets protected. E2.1.46. Security. Measures and controls that ensure confidentiality, integrity, availability, and accountability of the information processed and stored by a computer. E2.1.47. Security Inspection. Examination of an IT system to determine compliance with security policy, procedures, and practices. E2.1.48. Security Process. The series of activities that monitor, evaluate, test, certify, accredit, and maintain the system accreditation throughout the system life-cycle. E2.1.49. Security Requirements. Types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy. E2.1.50. Security Specification. Detailed description of the safeguards required to protect an IT system. E2.1.51. Security Test and Evaluation (ST&E). Examination and analysis of the safeguards required to protect an IT system, as they have been applied in an operational environment, to determine the security posture of that system. E2.1.52. Sensitive Information. Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (reference (l)), but that has not been specifically authorized under criteria established by an E.O. or an Act of Congress to be kept secret in the interest of national defense or foreign policy. E2.1.53. System. A set of interrelated components consisting of mission, environment, and architecture as a whole. E2.1.54. System Entity. A system subject (user or process) or object. E2.1.55. System Integrity. Quality of an IT system to perform its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. E2.1.56. System Security Authorization Agreement (SSAA). A formal agreement among the DAA(s), the CA, the IT system user representative, and the program manager. It is used throughout the entire DITSCAP to guide actions, document decisions, specify ITSEC requirements, document certification tailoring and level-of-effort, identify potential solutions, and maintain operational systems security. E2.1.57. TEMPEST. Short name referring to investigation, study, and control of compromising emanations from IT equipment. E2.1.58. Threat. Any circumstance or event with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service. E2.1.59. Threat Assessment. Formal description and evaluation of threat to an IT system. E2.1.60. Trusted Computing Base (TCB). Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy. E2.1.61. User. Person or process authorized to access an IT system. E2.1.62. User Representative. The individual or organization that represents the user or user community in the definition of information system requirements. E2.1.63. Utility. An element of the DII providing information services to DoD users. Those services include Defense Information Systems Agency Mega-Centers, information processing, and wide-area network communications services. E2.1.64. Validation. Determination of the correct implementation in the completed IT system with the security requirements and approach agreed on by the users, acquisition authority, and the DAA. E2.1.65. Verification. The process of determining compliance of the evolving IT system specification, design, or code with the security requirements and approach agreed on by the users, acquisition authority, and the DAA. E2.1.66. Vulnerability. Weakness in an information system, or cryptographic system, or components (e.g., system security procedures, hardware design, internal controls) that could be exploited. E2.1.67. Vulnerability Assessment. Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. E3. ENCLOSURE 3 DITSCAP DESCRIPTION E3.1. DITSCAP OVERVIEW E3.1.1. The DITSCAP establishes a standard process, set of activities, general task descriptions, and a management structure to certify and accredit IT systems that will maintain the security posture of the DII. The DITSCAP focuses on protecting the DII by presenting an infrastructure-centric approach for C&A. The DITSCAP is designed to be adaptable to any type of IT and any computing environment and mission. The process should be adapted to include existing system certifications and evaluated products. E3.1.2. The process is designed to certify that the IT system meets the accreditation requirements and that the system will continue to maintain the accredited security posture throughout the system life-cycle. The users of the process shall align the process with the program strategy and integrate the process activities into the system life-cycle. While DITSCAP maps to any system life-cycle process, its four phases are independent of the life-cycle strategy. E3.1.3. The key to the DITSCAP is the agreement between the IT system program manager,3 the DAA, the CA, and the user representative. These managers resolve critical schedule, budget, security, functionality, and performance issues. This agreement is documented in the SSAA that is used to guide and document the results of the C&A. The objective is to use the SSAA to establish a binding agreement on the level of security required before the system development begins or changes to a system are made. 3 The term program manager will be used throughout this document to refer to the acquisition organization's program manager during the system acquisition, the system manager during the operation of the system, or the maintenance organization's program manager when a system is undergoing a major change. The DAA is also referred to as the accreditor throughout this document. Figure E3-1. The DITSCAP. E3.2. DITSCAP PHASES E3.2.1. The DITSCAP is composed of four phases: Definition, Verification, Validation, and Post Accreditation. (See figure E3-1.) Phase 1, Definition, is focused on understanding the mission, environment, and architecture to determine the security requirements and level of effort necessary to achieve accreditation. The objective of phase 1 is to agree on the intended system mission, environment, architecture, security requirements, certification schedule, level of effort, and resources required. Phase 2, Verification, verifies the evolving or modified system's compliance with the information agreed on in the SSAA. The objective of phase 2 is to produce a fully integrated system ready for certification testing. Phase 3, Validation, validates compliance of the fully integrated system with the information stated in the SSAA. The objective of phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system; e.g., accreditation. Phases 1, 2, and 3 are the DITSCAP process engine. Those phases are repeated as often as necessary to produce an accredited system. Phase 4, Post Accreditation, includes those activities necessary for the continuing operation of the accredited IT system in its computing environment and to address the changing threats a system faces through its life-cycle. Phase 4 starts after the system has been certified and accredited for operations. The objectives of phase 4 are to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk. E3.2.2. The phases are comprised of activities. The activities include various procedures and tasks. Each phase and activity shall be performed for every system. The procedures and tasks in each process activity may be tailored and scaled to the system and its associated acceptable level of residual risk. The procedures and tasks should be tailored and integrated with on-going systems acquisition activities to best fit the mission, environment, system architecture, and programatic considerations. In that manner, the process maintains flexibility to deal with different acquisition strategies, and operational scenarios; e.g., rapid deployment. E3.2.3. An ITSEC system class structure has been established, enclosure E7., that groups systems into classes to allow new developments to draw on previous experience. The system class approach makes it possible to establish class repositories to store information on other similar C&A efforts. As systems are certified and accredited, the approved solutions and documentation may be filed in a class repository. When a new system development begins, or an existing system is to be revised, the class repository may be accessed. That will facilitate rapid determination of system security policy and security requirements based on the group or class into that the system falls. The repository can also provide insight into the previous certification efforts and documentation of the approved solutions. E3.2.4. The subparagraph E3.3. through E3.6., describe the process phases, activities, and tasks required. Enclosure E8. summarizes these process components. Additional details on the process may be found in the IASE. The IASE has been established to assist DITSCAP users in the use of the DITSCAP and to support the implementation of standard C&A practices throughout the Department of Defense. E3.3. PHASE 1, DEFINITION E3.3.1. Phase 1 tasks define the ITSEC C&A level of effort, identify the DAA and the CA, and culminate with an agreement, by the program manager, the DAA, the CA, and the user representative, on the method for implementing the security requirements. That agreement is documented in the SSAA, which shall describe the system mission, target environment, target architecture, security requirements, and applicable data access policies. The SSAA shall describe the applicable set of planning and certification actions, resources, and documentation required for the C&A. The SSAA is the vehicle that guides the implementation of ITSEC requirements and the resulting C&A actions. The SSAA outline, enclosure E6., lists information that should be included. E3.3.1.1. Phase 1, figure E3-2, contains three process activities, document mission need, registration, and negotiation. Phase 1 starts with the input of the mission need statement (or other justification for the system) and ends by producing the SSAA. The process activities provide the pathway to understanding the IT system requiring C&A; documenting the ITSEC requirements; developing a security architecture approach; and determining the scope, level of effort, documentation required, and schedule for the planning and certification actions. Any level of change to existing systems shall initiate the process. During the registration and negotiation activities, the program manager, the DAA, the CA, and the user representative will determine what actions shall follow that system change. Figure E3-2. DITSCAP Phase 1 Definition Activities. E3.3.2. Document Mission Need. Documenting mission need is the process activity that initializes the DITSCAP. Initialization occurs when an information system is developed or modified in response to an identified operational requirement or mission need. The mission need, figure E3-3, is either a document or compilation of information stating the requirements of the system and describing its intended capabilities. Those capabilities include functions the system should perform, desired interfaces and capabilities associated with those interfaces, the information to be processed, the operational organizations supported, the intended operational environment, and the operational threat. Typically, the mission need is described in a high-level requirements document before the DITSCAP is initiated. Figure E3-3. Mission Need Security Relevant Information. Mission Need Statement 1. System mission, functions, and system interfaces. 2. Operational Organization. 3. Information category and classification. 4. Expected system life-cycle. 5. System users characteristics. 6. Operational environment. E3.3.3. Registration. Registration is the process activity in phase 1 that initiates the dialogue among the program manager, the DAA, the CA, and the user representative. As part of the Registration tasks, information is collected and evaluated, applicable ITSEC requirements are determined, risk management and vulnerability assessment actions begin, and the level of effort required for C&A is determined and planned. Registration shall begin with a review of the mission need and concludes with preparation of an initial draft of the SSAA. Figure E3-4. Tasks Performed During Registration. Registration Tasks 1. Inform the DAA, the CA, and the user representative that the system will require C&A support; e.g., register the system. 2. Prepare mission description and system identification. 3. Prepare the environment and threat description. 4. Prepare system architecture description and C&A boundary. 5. Determine ITSEC system class. 6. Determine the system security requirements. 7. Identify organizations that will be involved in the C&A and identify resources required. 8. Tailor the DITSCAP tasks, determine the C&A level-of-effort, and prepare a DITSCAP plan. 9. Develop the draft SSAA. E3.3.3.1. Registration tasks, figure E3-4, guide the collection of necessary information to address the process in a repeatable, understandable, and effective manner. Those tasks identify information necessary for determining security requirements and the level of effort to accomplish the C&A that is influenced by the degree of assurance needed in the areas of confidentiality, integrity, availability, and accountability. Registration shall consider the system development approach, system life-cycle stage, existing documentation, mission, environment (including the threat assessment), architecture, users, data classification and categories, external interfaces, and mission criticality. Mission-system relationships may vary from a single system supporting a single mission, to a single system supporting multiple missions, to a multiple systems supporting multiple missions, to a multiple systems supporting a single mission. A crucial piece of information for the accreditation is the identification of the roles that the system shall support in the encompassing enterprise mission. E3.3.3.2. Most of that information can be obtained from examining the mission need and functional requirement documents. That information is used to determine the system class (see enclosure E7.). The various system classes are associated with minimum-security requirements and specific actions that shall be performed. The system class approach establishes minimum-security requirements as a function of mission(s), environment, and system architecture. The DITSCAP provides the capability to normalize high-level requirements through the use of the system class structure. The system class approach supports the identification of other similar systems that have undergone C&A, to analyze previously approved security requirements and solutions. That supports the reuse of their security requirement definitions, draws from their architecture approaches, and promotes reuse of applicable C&A information. Determining the applicable system class is essential to the development of the minimal security requirements necessary for the certification and eventual accreditation of the system. E3.3.3.3. A key task in registration is to prepare an accurate description of the system and its development, operating and maintenance environment under consideration. While the details of the system or the environment may not be clear at the onset of a system development, the system shall be defined in enough detail to accurately portray the systems general concept and boundaries. That description shall define what is included in the accreditation boundary (e.g. system boundary, facilities, and equipment), and the external interfaces with other equipment or systems. Currently known threats shall be assessed against the specific system mission and a description to determine the necessary protection required. The threat, and subsequent vulnerability assessments, shall be used in establishing and selecting the ITSEC policy objectives that will counter the threat. E3.3.3.4. The key roles in the DITSCAP are the program manager of the organization responsible for the system, the DAA, the CA, and the user representative. As a system progresses through the life-cycle phases, system responsibility (engineering and funding) may change. During acquisition, that responsibility may be the acquisition organization that will be represented by the systems program manager. During the operations and maintenance phase of the system, that responsibility may be the system manager or in the case of a major upgrade, the maintenance organization who will be represented by the upgrade program manager. The DAA is usually a senior operational commander with the authority and ability to evaluate the system operations in view of the security risks. The CA, security teams, etc. are the technical experts that support the C&A process. The system users may be part of a single organization or a large diverse community. In either case, for DITSCAP purposes, the user representative will represent their interests. E3.3.3.5. To maintain the goal of a standard DoD process, the DITSCAP was developed in a manner that it can readily be applied to any system program strategy, (grand design, incremental, evolutionary, etc.) or life-cycle management process, DoD Directive 5000.1 (reference (i)). During phase 1, the application of the DITSCAP shall be tailored to the system program strategy, the life-cycle management process, and to adjust to systems that have progressed in their life-cycle. Tailoring adapts the security tasks to the systems life-cycle phase and program strategy. The process generally has been described as if it were to be applied to a new system with a grand design program strategy. In that case the DITSCAP phase 1 would be initiated during the phase 0, concept exploration and definition phase, and tailored to support the ensuing system milestone decisions. Legacy systems shall enter the DITSCAP process when they are in need of compliance validation or undergo a modification that may impact the security posture. For example, if the system is in the operations and support phase, and the IT system is not accredited, the DITSCAP would be initiated with phase 1. The process would be tailored, the SAA would developed, and on agreement between the system program manager, the DAA, the CA, and the user representative, the process would move to applicable phase 2 and phase 3 activities. That capability permits the certification effort to be scaled to fit the size and complexity of the system while remaining responsive to the operational requirements driving the information system development or modification. The certification analysis tasks can be tailored to work with all DoD program strategies. E3.3.3.6. Certification tasks, based on analysis of the characteristics of the IT and the security requirements, are defined for each system class. Certification tasks are grouped into four certification levels to provide guidance on the recommended minimum tasks. Use of enclosure E7. is strongly recommended as the method to determine the certification level. The DAA, the CA, the program manager, and the user representative may tailor the certification tasks and level of effort to the IT system mission, environment, architecture, programmatic considerations, and level of acceptable risk. For example, the three managers may choose to condense the time scale to meet operational needs, or to use previously approved security solutions and reduce the corresponding certification tasks. As the system development or maintenance progresses, new issues may emerge, and phase 1 may be revisited for new agreements or additional tailoring. The DAA, the CA, the program manager, and the user representative each represent different views and as such provide the checks and balances to ensure the minimum-security requirements are met. Therefore, it is important the SSAA be kept current to reflect each of these tailoring decisions. E3.3.3.7. The SSAA is prepared during registration. The preparation of the SSAA shall have all parties involved or represented, including the CA, program sponsor, threat specialist, etc. When registration planning activities are concluded, the draft is submitted to the DAA, the program manager, and the user representative. The draft SSAA is used as a guide to establish the basis for discussions during the negotiation activities among the DAA, the CA, the program manager, and the user representative. E3.3.4. Negotiation. Negotiation is the process activity of the DITSCAP, where all the participants involved in the information system's development, acquisition, operation, security certification, and accreditation agree on the implementation strategy to be used to satisfy the security requirements identified during system registration. The key parties who must reach agreement during the negotiations are the program manager, the DAA, the CA, and the user representative. 4 The negotiation tasks are shown in figure E3-5. Figure E3-5. Negotiation Tasks. Negotiation Tasks 1. Review initial SSAA. 2. Conduct the certification requirements review. 3. Approve final SSAA. E3.3.4.1. A review of the initial SSAA is performed by the DAA. The DAA shall conduct a complete review of the draft SSAA and all aspects that may impact C&A. The CA is responsible for the comprehensive evaluation of the technical and nontechnical security features of the IT. The CA is regarded as the technical expert in the discussions that consider tradeoffs between security requirements, cost, availability, and schedule to manage security risk. 4 It is recognized these managers may chose to designate someone to represent them in the negotiations. (In some cases the DAA may designate the CA to act in his or her behalf.) Unless noted otherwise, the terms will be used interchangeably to mean the principle or their designated representative. E3.3.4.2. A certification requirements review (CRR) shall be held for the principals involved in the C&A process. As a minimum, the program manager, the user representative, the DAA, and the CA shall attend the CRR. The review shall include the information documented in the SSAA; i.e., mission and system information, operational and security functionality, operational environment, system class, security policy, system security requirements, known security problems or deficiencies, and other security relevant information. While that review may be held with other system reviews, the intent of the CRR is to assist the organization responsible for IT system in preparing for the certification actions. The CRR review shall result in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements. E3.3.4.3. Negotiation is NOT a consideration of which security requirements to implement and which to delete. For example, any system connected to the DII, or any network, shall comply with the connection rules for those systems that it is to be connected. The purpose of negotiation is to ensure that all participants understand their roles and responsibilities and that the SSAA properly and clearly defines the approach and level of effort. Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached. E3.3.5. SSAA. The objectives of the SSAA, shown in figure E3-6, are to document the conditions of C&A for an IT system. The SSAA is a formal agreement among the DAA(s), the CA, the IT system user representative, and the program manager. It is used throughout the entire DITSCAP to guide actions, document decisions, specify ITSEC requirements, document certification tailoring and level of effort,5 identify possible solutions, and maintain operational systems security. The SSAA shall identify all costs relevant to the C&A process and the program manager shall add a C&A funding line item to the program budget to ensure the funds are available. Funding shall cover any travel or program contractor costs associated with certification, test development, testing and accreditation. Where multiple accreditors may be involved, an agreement between the accreditors may be necessary. That agreement must be included with the SSAA. Since the SSAA is an agreement among Government entities, to be binding on the government's contractors, the provisions must be included in contractual documents between the Government and any contractors. 5 Supporting C&A teams may be useful to support the accreditor. Figure E3-6. SSAA Objectives. SSAA 1. Document the formal agreement among the DAA(s), the CA, the user representative, and the program manager. 2. Document all requirements necessary for accreditation. 3. Document all security criteria for use throughout the IT system life-cycle. 4. Minimize documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations (CONOPS), plans, architecture description, etc.). 5. Document the DITSCAP plan. E3.3.5.1. The SSAA is intended to reduce the need for extensive documentation by consolidation of security related documentation into one document. That eliminates the redundancy and potential confusion as multiple documents describe the system, security policy, system and security architecture, etc. When feasible, the SSAA can be tailored to incorporate other documents as appendices or by reference to the pertinent document. An outline of the SSAA is found in enclosure E6. E3.3.5.2. Each IT system shall have a SSAA. The physical characteristics of the SSAA will depend on the system class and level of effort needed for C&A. The SSAA can be as simple as a single coordinated message or as complex as a detailed system security plan. For generic accreditations, a single SSAA may be prepared for the system, but the description of the operating environment will need to reflect each proposed operation location. The goal is to produce a SSAA that will be the basis of agreement throughout the system's life-cycle. E3.3.5.3. The four parties to the negotiation have the authority to tailor the SSAA to meet the characteristics of the IT, operational requirements, security policy, and prudent risk management. The SSAA must be flexible enough to permit adjustment throughout the system's life-cycle as conditions warrant. New requirements may emerge from design necessities, existing requirements may need to be modified, or the DAA's overall view of acceptable risk may change. When that occurs, the program manager, the DAA, the CA, and the user representative shall ensure the SSAA is updated to accommodate the new components. Common sense must be applied to the rules. The SSAA is developed in phase 1 and updated in each phase as the system development progresses and new information becomes available. In this sense, the SSAA is regarded as a living document. The completed SSAA contains those items that must be agreed on by the DAA, the CA, the user representative, and the program manager. The support organizations must understand each of these essential items. E3.4. Phase 2, Verification. The process activities of phase 2 verify the evolving system's compliance with the requirements agreed on in the SSAA. (See figure E3-7.) That phase consists of those process activities that occur between the signing of the initial version of the SSAA and the formal C&A of the system. Phase 2 process activities include continuing refinement of the SSAA, system development or modification, certification analysis, and analysis of the certification results. E3.4.1. Refine the SSAA. Phase 2 starts with a review of the SSAA. All participants shall at minimum, read the SSAA. A detailed review shall be completed if there has been considerable time delay since the completion of phase 1, or if new people are now involved in the C&A. That review continues throughout phase 2 as the development or modification of the system progresses. At each stage of the development or modification, the SSAA shall be refined by adding details to reflect the current state of the system. Any changes in the system that affect its security posture must be submitted to the DAA, the CA, the program manager, and the user representative for approval and execution in the revised SSAA. As the development or modification progresses and specific information on to the certification effort becomes available, the SSAA shall be updated to include more specific details. At each subsequent stage of the IT systems development or modification, increasing details about the hardware and software architecture become available. That design information shall be added to the SSAA as justification to support the agreed on level of certification actions. Figure E3-7. DITSCAP Phase 2, Verification Activities. E3.4.2. System Development Activity. System development activities are those activities required to develop and integrate the IT system components. The specific activities are a function of the overall program strategy, the life-cycle management process, and the position of the information system in the life-cycle. The certification analysis activity in phase 2 is intended to ensure that the requirements of the SSAA are followed during each life-cycle phase of the development and modification of the information system. Each system development activity task has a corresponding phase 2 certification analysis task. The system development activity and certification analysis tasks ensure that the requirements in the SSAA are met. E3.4.3. Certification Analysis. Certification analysis is the process activity that determines if the IT system is ready to be evaluated and tested under phase 3, validation. Because the DITSCAP is a success-oriented process, this process activity ensures that the development, modification, and integration efforts will result in a certifiable and accreditable information system before phase 3 begins. E3.4.3.1. The certification analysis tasks that occur during the process activity, certification analysis, are shown in figure E3-8. Those certification tasks verify by analysis, investigation, and comparison methodologies that the IT design implements the SSAA requirements and that the IT components that are critical to security function properly. Those tasks compliment the functional testing certification tasks that occur during phase 3. While every system may be considered certifiable, the goal is to produce systems with an acceptable level of risk. Figure E3-8. Certification Tasks During Verification. Certification Tasks 1. System architecture analysis. 2. Software design analysis. 3. Network connection rule compliance analysis. 4. Integrity analysis of integrated products. 5. Life-cycle management analysis. 6. Vulnerability assessment. E3.4.3.2. As a result of completion of the phase 2 certification analysis, the system should have a documented security specification, a comprehensive test plan, and written assurance that all network and other interconnections requirements have been implemented. Commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products used in the system design shall have been validated to assure that they have been integrated properly and that their functionality meets the security needs of the system. A vulnerability assessment will have been conducted and will have concluded that the infrastructure needs of the system; e.g., configuration management, will be accommodated throughout the IT life-cycle. On acceptance of the vulnerability assessment, the C&A task proceeds to phase 3, that contains the formal system certification test and security accreditation actions. E3.4.3.3. All analysis tasks, applicable for that system class, are to be completed. The intensity of the certification analysis tasks are scaled to the complexity of the IT design, the sensitivity of the information processed, and the criticality of the information system's intended mission. The specific certification tasks may be tailored to the IT program strategy, its life-cycle management process, and the position of the information system in its life-cycle. Certification tasks are tailored to the system development activities to ensure that the former are relevant to the process and provide the required degree of analysis to ensure conformance with the SSAA. Tailoring also gives DITSCAP the flexibility to adjust the level of effort to fit the operational need. In that manner, tailoring permits the DITSCAP to remain responsive to national agency and military department priorities. Phase 2 certification tasks may vary from completion of a minimal checklist to in-depth analysis as determined by the system class.emsp; The certification tasks are discussed in paragraphs E3.4.3.3.1 through E3.4.3.3.6. below. E3.4.3.3.1. System Architecture Analysis. The objective of this certification task is to ensure that the system architecture complies with the architecture description agreed on in the SSAA. Analysis of system level information reveals how effectively the security architecture implements the security policy and requirements. The interfaces between this and other systems shall be identified. Those interfaces must be evaluated to assess their effectiveness in maintaining the security posture of the infrastructure. E3.4.3.3.2. Software Design Analysis. The software design certification task shall evaluate how well the software reflects the security requirements of the SSAA and the security architecture of the system. That certification task may include a detailed analysis of software specifications and software design documentation. The TCB shall be identified and analyzed for proper and full implementation of the security requirements. The task shall assess whether the critical security features e.g., identification and authentication, access controls, and auditing, are implemented correctly and completely. E3.4.3.3.3. Network Connection Rule Compliance Analysis. The connection of an information system to a network requires that the particular system will not adversely affect the security posture of the network. Connection also requires that the network will not adversely affect the IT systems own security posture. That certification task evaluates the intended connections to other systems and networks to ensure the system design will enforce specific network security policies and protect the IT system from adverse confidentiality, integrity, availability, and accountability impacts. E3.4.3.3.3.1. Network analysis may include the evaluation of intended interfaces for compliance with the security connection rules not only for the network, but also for the information system. The system concept of operations (SSAA section 1) shall be examined to identify all the connections and interfaces intended for the system. It is important to determine if connections exist that were not in the initial concept, but are to be added after the initial fielding or modification of the system. The interfaces to the networks or to other systems shall be evaluated to determine if the system and network security can be maintained at both ends of the interface. They also shall be evaluated to ensure that end-to-end connection constructs are maintained and security connection rules are applied. Test plans and procedures shall be developed to validate compliance with the network connection rules. E3.4.3.3.4. Integrity Analysis of Integrated Products (COTS, GOTS, or Non-Developmental Item (NDI. This certification task evaluates the integration of COTS, GOTS, or NDI software, hardware, and firmware to ensure that their integration into the system design complies with the system security architecture, and the integrity of each product is maintained. E3.4.3.3.4.1. Integrated product analysis shall include the identification, and may include the verification of the security functionality, of each product. That certification task shall determine whether or not evaluated products are being used for their intended purpose. Integrity product analyses shall include an examination of the system and subsystem interfaces, information flows, and applicable use of selectable product features. All interfaces and information flows are examined to identify how they access the products. E3.4.3.3.5. Life-Cycle Management Analysis. This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security relevant software and hardware. During the system development, or maintenance, the development approach, procedures, and engineering environment are assessed and the life-cycle plans are evaluated. Proposed contingency, continuity of operations, and back-up plans shall be evaluated for feasibility. That may require examining the following types of documents or procedures shown in figure E3-9. Figure E3-9. Life-Cycle Management Documentation. Life-Cycle Management Documentation 1. Computer Resource Management Plan (CRMP). 2. Computer Resources Life-Cycle Management Plan (CRLCMP). 3. Configuration identification procedures. 4. Configuration control procedures. 5. Configuration status accounting procedures. 6. Configuration audit procedures and reports. 7. Software engineering (development approach and engineering environment) procedures. 8. Trusted distribution plans. 9. Contingency, continuity of operations, and back-up plans. E3.4.3.3.6. Vulnerability Assessment. This certification task shall evaluate security vulnerabilities with regard to confidentiality, integrity, availability, and accountability and recommends applicable countermeasures. The DAA should determine the acceptable level of risk to protect the system commensurate with its value to the Department of Defense. 6 In phase 2, the vulnerability assessment concentrates on the progress in implementing the security requirements of the SSAA. It reviews the SSAA at the beginning of phase 2 and concludes with notifying the CA and the DAA that the information system is ready for C&A evaluation and testing. E3.4.3.3.6.1. During vulnerability assessment, each of the vulnerabilities and discrepancies isolated during the evaluation of the system architecture, system design, network interfaces, product integration, and configuration management practices is analyzed to determine its susceptibility to exploitation, the potential rewards to the exploiter, the probability of occurrence, and any related threat. The analysis should use techniques such as static penetration, or active penetration testing to determine the ability to exploit the vulnerabilities. The residual risk, that portion of risk that remains after security measures have been applied, shall be determined by ranking the evaluated vulnerabilities against threat, ease of exploitation, potential rewards to the exploiter, and a composite of the three areas. All residual risks shall be identified and evaluated. The evaluation shall indicate the rationale as to why the risk should be accepted or rejected, and the operational impacts associated with these risks. E3.4.3.3.6.2. Coordination among the program manager, the DAA, the CA, and the user representative ensures that the residual risk does not exceed the level of risk established by the DAA. That level of risk that shall now be documented in the SSAA is called the "acceptable level of residual risk." If the risk exceeds the maximum acceptable risk, the system shall fail the C&A. 6 An acceptable level of residual risk is based on the relationship of the threat to the system and the information processed, to the information system's mission, environment, and architecture; and its security confidentiality, integrity, availability, authenticity, and nonrepudiation objectives. E3.4.4. Assess Analysis Results. At the conclusion of each life-cycle development milestone, the certification analysis results are reviewed for SSAA compliance. If the results indicate significant deviation from the SSAA, the DITSCAP shall revert to phase 1 to resolve the problems. If the results are acceptable, the DITSCAP proceeds to the next development task or to government acceptance and security testing; i.e., DITSCAP phase 3. Figure E3-10. DITSCAP Phase 3, Validation Activities. E3.5. Phase 3, Validation. Phase 3 process activities, shown in figure E3-10, validate that the preceding work has produced an information system that operates in a specified computing environment with an acceptable level of residual risk. This phase consists of process activities that occur after the system is integrated and culminates in the accreditation of the IT system. Phase 3 includes a review of the SSAA, an evaluation of the integrated IT system, certification, and accreditation. E3.5.1. Refine the SSAA. Phase 3 begins with a review of the SSAA to ensure that its requirements and agreements still apply. That review shall continue throughout phase 3 as the integrated system is subjected to successive levels of evaluation. At each stage of the integrated IT systems acceptance, the SSAA shall be refined by adding details to reflect the current state of the system. Required changes shall be submitted to the DAA, the CA, the program manager, and the user representative so that the revised agreement may be approved and executed. E3.5.2. Certification Evaluation of the Integrated System. This process activity is to certify that the fully integrated and operational system complies with the requirements stated in the SSAA and may be operated with an acceptable level of residual risk. During this process activity, certification tasks, shown in figure E3-11 are performed on the integrated operational system to ensure that the IT system is functionally ready for operational deployment. The certification tasks and the extent of the tasks will depend on the level of certification analysis agreed on in the SSAA. E3.5.2.1. Phase 3 certification tasks shall include certification of the software, firmware, and hardware and inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements. Phase 3 includes tasks to certify the compatibility of the computing environment with the description provided in the SSAA. DITSCAP flexibility permits the certification actions to be scaled to the type of IT system being evaluated and tailored to the program strategy used in the development or modification of the system. Subparagraphs E3.5.2.1.1. through E3.5.2.8. describe the certification tasks that may be included in the evaluation of the integrated system. Figure E3-11. Certification Tasks During Validation. Certification Tasks 1. Security Test and Evaluation. 2. Penetration testing. 3. TEMPEST and Red-Black verification. 4. Validation of COMSEC compliance. 5. System management analysis. 6. Site accreditation survey. 7. Contingency plan evaluation. 8. Risk-based management review. E3.5.2.1.1. System Security Test and Evaluation. The objective of the ST&E is to assess the technical and non-technical implementation of the security design and to ascertain that security features affecting confidentiality, integrity, availability, and accountability have been implemented in accordance with the SSAA, and perform properly. System ST&E shall validate the correct implementation of identification and authentication, audit capabilities, access controls, object reuse, trusted recovery, and network connection rule compliance. Individual tests shall evaluate system conformance with the requirements, mission, environment, and architecture defined in the SSAA. Test plans and procedures shall address all the security requirements and the results of the testing will provide sufficient evidence of the amount of residual risk. These results shall validate the proper integration and operation of all security features. E3.5.2.1.1.1. When a system is deployed to multiple locations, the ST&E may occur at a central integration and test facility. When use of such a facility is not possible, the integrated system may be tested at one of the intended-operating sites. Software and hardware security tests of common system components at multiple sites are not recommended. The system installation and security configuration should be tested at operational sites. E3.5.2.1.2. Penetration Testing. For applicable system classes, penetration testing is strongly recommended to assess the system's ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities. Penetration testing may include insider and outsider penetration attempts based on common vulnerabilities for the technology being used. E3.5.2.1.3. TEMPEST and Red-Black Verification. TEMPEST and Red-Black verification may be required to validate that the equipment and site meet the security requirements. In these situations the site may be inspected to determine if adequate practices are being followed, and the equipment may be subjected to TEMPEST testing. E3.5.2.1.4. Validation of COMSEC Compliance. This certification task validates that COMSEC approval has been granted and approved COMSEC key management procedures are used. COMSEC analysis evaluates how well the SSAA defined COMSEC requirements are integrated into the system architecture and the site management procedures. E3.5.2.1.5. System Management Analysis. The system management infrastructure shall be examined to determine whether it adequately supports the maintenance of the environment, mission, and architecture described in the SSAA. Infrastructure components, that may provide insight into security of operations at the site, include the system and security management organizations, security training and awareness, and the configuration management organization and processes. The roles and responsibilities assigned to ISSO shall be examined to ensure that the responsibilities are consistent with the procedures identified in the SSAA. The system and security management organization shall be examined to determine the ability of the ISSO to report security incidents and implement security changes. E3.5.2.1.5.1. Knowledge of the security management structure may provide insight into the emphasis the organization places on secure operation of the computing environment. It also shall provide an indication of effectiveness of the security personnel. Security training and awareness shall be examined to provide insight into potential security problem areas. E3.5.2.1.5.2. An effective configuration management program is mandatory if an established secure posture is to be maintained. This certification task evaluates the change control and configuration management practices to determine their ability to preserve the integrity of the security relevant software and hardware. A system baseline that identifies all information hardware, software, and firmware components and external interfaces, provides for future security evaluations and establishes a known reference point from which to make future accreditation decisions. Configuration management practices shall include periodic reverification of the system configuration to ensure unauthorized changes have not occurred. E3.5.2.1.6. Site Accreditation Survey. The site accreditation survey task shall ensure that the site operation of the information system is accomplished in accordance with the SSAA. The site accreditation survey shall validate that the operational procedures for the IT, environmental concerns, and physical security pose no unacceptable risks to the information being processed. Where the IT system may not be confined to a fixed site; i.e., tactical or mobile systems and embedded system in ships or aircraft, the IT system shall be examined in representative sites or environments. E3.5.2.1.7. Contingency Plan Evaluation. The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA. Periodic testing of the contingency plan is required by DoD Directive 5200.28 (reference (a)) for critical systems and is encouraged for all systems. E3.5.2.1.8. Risk Management Review. The risk-based management review task assesses the operation of the system to determine if the risk to confidentiality, integrity, availability, and accountability is being maintained at an acceptable level. The risk management review shall assess the system vulnerabilities with respect to the documented threat, ease of exploitation, potential rewards, and probability of occurrence. The operational procedures and safeguards shall be evaluated to determine their effectiveness and ability to offset risk. This is the final review before developing the recommendation to the DAA. E3.5.3. Develop Recommendation to the DAA. This process activity begins after completion of all certification tasks and ends with the accreditation decision by the DAA. The purpose is to consolidate the findings developed during certification of the integrated system, submit the CA's report to the DAA, and produce the DAA accreditation decision. E3.5.3.1. CA's Recommendation. If the CA concludes that the integrated IT satisfies the SSAA technical requirements, the CA issues a system certification. That is a certification that the IT system has complied with the agreed on security requirements. Supplemental recommendations also might be made to improve the system's security posture. Such recommendations should provide input to future system enhancements and change management decisions. E3.5.3.1.1. In some cases, the CA may uncover security deficiencies, but continue to believe that the short-term system operation will present no unacceptable risks. The CA may recommend accreditation with the understanding that deficiencies will be corrected in a specified period. These deficiencies shall be reflected in the SSAA and an agreement obtained on the conditions under which the system may be operated and the date by when the deficiencies will be remedied. E3.5.3.1.2. If the CA determines that the system does not satisfy the SSAA and that short-term risks are unacceptable, the CA shall recommend that the IT system not be accredited. E3.5.4. DAA Accreditation Decision. The CA's recommendation, the DAA authorization to operate, supporting documentation, and the SSAA form the accreditation package. The supporting documentation may vary between system classes. That documentation, at minimum, shall include security findings and deficiencies and risks of operation. The accreditation package must contain all information necessary to support the recommended decision. If the decision is to accredit, the decision shall include the security parameters under which the information system in its computing environment is authorized to operate. If the system does not meet the requirements stated in the SSAA, but mission criticality mandates that the system become operational, a temporary approval may be issued. Use of the temporary approval requires a return to phase 1 to negotiate accepted solutions, schedule, necessary security actions, and milestones. E3.5.4.1. When the system accreditation has been issued, the acquisition organization normally will move the responsibility for the SSAA to the system operator or the maintenance organization for the information system. When a decision is made to accredit the system, the DITSCAP begins phase 4. If the DAA withholds accreditation, the decision shall state the specific reasons for denial and, if possible, provide suggested solutions. The DITSCAP then reverts to phase 1 to resolve the issues. E3.5.4.2. Since it is difficult to accredit mobile systems at all possible locations, the DAA may issue a generic accreditation for a typical operating environment. The generic accreditation is the official authorization to employ identical copies of a system in a specified environment. The SSAA shall be modified to include a statement of residual risk and clearly define the intended operating environment. The SSAA shall identify specific uses of the system, operational constraints and procedures under which this system may be operated. In that case the DAA would include a statement with the accreditation, such as, This system is supplied with a generic accreditation. With the generic accreditation, the operators assume the responsibility to monitor the environment for compliance with the environment as described in the accreditation documentation. E3.6. Phase 4, Post Accreditation. E3.6.1. Phase 4 contains process activities necessary to continue to operate and manage the system so that it will maintain an acceptable level of residual risk, figure E3-12. Post-accreditation process activities shall include ongoing maintenance of the SSAA, system operations, change management, and compliance validation. E3.6.1.1. Phase 4 begins after the system has been integrated into the operational computing environment and accredited. Phase 4 shall continue until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required. In the first case, the DITSCAP responsibilities of the acquisition organization shift to the system manager or designated maintenance organization. In the other two cases, the DITSCAP reverts to phase 1. Figure E3-12. DITSCAP Phase 4, Post Accreditation. E3.6.2. Maintenance of the SSAA. As in the preceding phases, the SSAA shall be kept current. Phase 4 shall begin with a review of the SSAA to ensure that all requirements and agreements are still applicable. The user representative, the DAA, the CA, and the program manager must approve revisions to the SSAA. On approval the necessary changes to the mission, environment, and architecture are documented in the SSAA. Figure E3-13 summarizes the SSAA maintenance tasks. Figure E3-13. SSAA Maintenance Tasks. SSAA Maintenance Tasks 1. Review SSAA. 2. Obtain approval of changes. 3. Document changes. E3.6.3. System Operation. The second process activity of phase 4, system operation, concerns the secure operation of the IT system and the associated computing environment, figure E3-14. System maintenance tasks ensure that the IT system continues to operate within the stated parameters of the accreditation. Secure system management depends on the organization and its procedures. Site operations staff and the ISSO are responsible for maintaining an acceptable level of residual risk. That is done by addressing security considerations when changes are made to either the information system baseline or to the baseline of the computing environment operational site. The ISSO is responsible for determining the extent that a change affects the security posture of either the information system or the computing environment, for obtaining approval of security-relevant changes, and for documenting the implementation of that change in the SSAA and site operating procedures. Users are responsible for operating the system under the security guidelines established in the SSAA. Figure E3-14. System Operation Tasks. System Operation Tasks 1. System maintenance. 2. System security management. 3. Contingency planning. E3.6.3.1. Secure system management is an ongoing process that manages risk against the IT, the computing environment, and its resources. Effective management of the risk continuously evaluates the threats that the system is exposed, evaluates the capabilities of the system and environment to minimize the risk, and balances the security measures against cost and system performance. Secure system management preserves the acceptable level of residual risk based on the relationship of mission, environment, and architecture of the information system and its computing environment. Secure system management is a continuous review and approval process that involves the users, ISSOs, acquisition or maintenance organizations, and the DAA. E3.6.3.2. Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery. That task shall ensure the availability of critical resources that will support the continuity of operations in an emergency situation. The operations and maintenance organizations, with the knowledge and approval of the ISSO, should develop contingency plans. E3.6.4. Change Management. After an IT system is approved for operation in a specific computing environment, changes to the IT system and the computing environment must be controlled, figure E3-15. While changes may adversely affect the overall security posture of the infrastructure and the IT system, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change is required to maintain an acceptable level of residual risk. Figure E3-15. Change Management Tasks. Change Management Tasks 1. Support system configuration management. 2. Risk-based management review E3.6.4.1. Accreditation is based on security assumptions that tie certified hardware and software of each system to the configuration of the computing environment. Changes in the information system configuration, operational mission, computing environment, or to the computing environment's configuration may invalidate the security assumptions. E3.6.4.2. The ISSO and system users shall support the system configuration management process. They shall be involved in the change management process to ensure that changes do not have an adverse affect on the security posture of the system and its associated IT. The strategy for managing change shall be defined in the SSAA. The ISSO shall review and approve changes relating to security and document the implementation of a change in the SSAA. Changes that significantly affect the system security posture must be forwarded to the DAA, the CA, the user representative, and the program manager (phase 1 of the DITSCAP). E3.6.5. Compliance Validation. Periodic review of the operational system and its computing environment shall occur at the predefined intervals, defined in the SSAA. 7 The purpose of this process activity, figure E3-16, is to ensure the continued compliance with the security requirements, current threat assessment, and concept of operations as stated and agreed on in the SSAA. The compliance review should ensure that the contents of the SSAA adequately address the functional environment into which the IT has been placed. Figure E3-16. Compliance Validation Tasks. Compliance Validation Tasks 1. Physical security analysis. 2. Review the SSAA. 3. Risk-based management review. 4. Procedural analysis. 5. Compliance reverification. 7 OMB, DoD, Service, and Agency directives have mandatory recertification and reaccreditation requirements. These requirements shall be included in the SSAA, governing security requisites. E4. ENCLOSURE 4 MANAGEMENT APPROACH E4.1. MANAGEMENT OVERVIEW E4.1.1. The management approach for DITSCAP focuses on management at the applicable systems level to execute DITSCAP for a given system. 8 The management concept integrates existing roles in the C&A process. The concept includes system program or operations management, senior operational staff, users, and working level security managers. The DITSCAP provides visibility into the process to all mangers responsible for system development, operation, maintenance, security, and to system users. E4.1.1.1. The key roles in the DITSCAP are the system program manager, the DAA, the CA, and the user representative. The program manager represents the interests of the system acquisition or maintenance organization with engineering, schedule, and funding responsibility; or the system operations organization with responsibility for daily operations, performance, and maintenance. The organization the program manager represents is usually determined by the phase in the life-cycle of the system. The DAA is usually a senior operational commander with the authority and ability to evaluate the operational needs for the system in view of the security risks. The DAA must have the authority to oversee the operations and use of systems under his/her purview. The DAA represents the interests of mission need, controls the operating environment, and defines the system level security requirements. The CA provided the technical expertise to conduct the certification. The interests of the systems users are vested in the user representative. In the DITSCAP process, the user representative, at minimum, is concerned with system availability, access, integrity, functionality, and performance. 8 This description does not attempt to define the management structure within the Department of Defense, Services, or Agencies that may be necessary to oversee the C&A of DoD systems. E4.1.1.2. These managers cooperate to provide the most capable IT system with an acceptable (tolerable) level of risk. They, and their staff, develop and approve the security requirements, manage the C&A process, and review the results. The DITSCAP allows these four managers to tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, schedule, and criticality of the system. That standard approach establishes the ability to reuse both the technical and non-technical analysis, documentation, and architecture from certification or recertification efforts for similar systems. E4.2. DITSCAP MANAGEMENT ROLES AND FUNCTIONS E4.2.1. The organizations involved in the development, fielding, operation, and maintenance of secure IT systems include the acquisition and maintenance organizations, system operator(s), DAA(s), and the users. The key roles in these organizations involved in the C&A process, are the program manager of the organization responsible for the system i.e., the system owner, the DAA, the CA, and the user representative. The organization with engineering and funding responsibility for the system, may change, as a system progresses through the life-cycle phases. During acquisition, this responsibility may be the acquisition organization that will be represented by the systems acquisition program manager. During the systems operations and maintenance phase that responsibility may be the system manager. In the case of a major upgrade, the system may be turned over to a maintenance organization. The upgrade program manager would then represent the maintenance organization. The DAA should be a senior member of the operational chain-of-command where the system is operating. The system users may be part of a single organization or a large diverse community. In either situation, for DITSCAP purposes, the user representative will represent the users interests. E4.2.1.1. The key parties throughout the DITSCAP are the program manager, the DAA, the CA, and the user representative. They shall reach agreement during phase 1 negotiation and approve the SSAA. During phases 2, 3, and 4, if the system is changed, or any of the agreements delineated in the SSAA are modified, the four key parties return to phase 1 negotiation and subsequent revision of the SSAA. E4.2.1.2. The CA, the ISSO, the threat developer, and the security working groups shall support the C&A process. They provide the security technical expertise to support the DAA, the program manager, and the user representative. E4.2.1.3. The DITSCAP roles, shown in table E4-1, are described in paragraphs E4.2.2. through E4.2.4. below. The discussion describes the functional relationships and integration of these roles, but is not intended to describe organization or command functions. During the life-cycle of a system, some of these roles may be assumed by a variety of organizations. In some cases, the three roles may be performed by three separate organizations. In other cases, some roles may be combined; i.e., the user representative and the program manager roles may be performed in the same organization. Table E4-1. Management Responsibilities by DITSCAP Phase. Phase Program Manager DAA and CA User Representative Phase 1 Initiate security dialogue with DAA, the CA, and the user representative. Define system schedule and budget. Define and/or validate system performance, availability, and functionality requirements. Support DITSCAP tailoring and level of effort determination. Draft or support drafting of the SSAA. Reach agreement on the SSAA. Approve the SSAA. Define ITSEC accreditation requirements. Obtain threat assessment. Begin vulnerability and risk assessments. Assign the CA. Support DITSCAP tailoring and determine the level of effort. Draft or support drafting of the SSAA. Reach agreement on the SSAA. Approve the SSAA. Validate and/or define system performance, availability and functionality requirements. Support DITSCAP tailoring and level of effort determination. Reach agreement on the SSAA. Approve the SSAA. Phase 2 Review the SSAA. Develop system or system modifications. Support certification actions. Review certification results. Revise system as applicable. Review the SSAA. Evaluate developing system. CA performs certification actions. CA assesses vulnerabilities. CA reports results to the program manager, the DAA, and the user representative. Maintain the SSAA. Review the SSAA. Support certification actions. Support certification actions. Table E4-1. Management Responsibilities by DITSCAP Phase. Phase Program Manager DAA and CA User Representative Phase 3 Review the SSAA. Test integrated system. Support certification actions. Review certification results. Revise system as applicable. Support SSAA revisions. Review the SSAA. Evaluate developing system. CA performs certification actions. Assess vulnerabilities and residual risk. CA reports results to the program manager, the DAA, and the user representative. CA develops recommendation to the DAA. CA prepares accreditation package. Review the SSAA. Issue decision. Review the SSAA. Support certification actions. Review certification results. Support SSAA revisions. Phase 4 Review SSAA periodically. Operate system as described in the SSAA. Maintain an acceptable level of residual risk. Submit proposed changes to the user representative, the ISSO, the DAA, and the CA, as applicable. Support compliance validation. Review the SSAA. Review proposed changes Oversee compliance validation. Review the SSAA. Oversee system operation as described in the SSAA. Maintain an acceptable level of residual risk. Continuously review threat, system vulnerabilities and residual risk. Review and approve proposed changes. Submit significant changes to the DAA and the CA. Perform compliance validation actions. E4.2.2. Program Management Roles. The acquisition and/or maintenance organizations are responsible for IT system requirements development, architecture, design, procurement, fielding, maintenance and configuration management. The acquisition organization, figure E4-1, is the lead government organization responsible for the development and fielding of IT. After fielding, the system operator will normally designate a system manager (program manager) to oversee the operations and management of the system. If the system is formally turned over to a maintenance organization, the maintenance organization assumes the roles and functions previously assigned to the acquisition organization. The program manager is the lead for all these activities with responsibilities for cost, schedule, and performance responsibilities. The program managers function in the DITSCAP is to ensure security requirements are integrated into the IT architecture in a way that will result in an acceptable level of risk to the operational infrastructure. The program manager, the DAA, and the CA shall coordinate their efforts to determine which organization will prepare the initial SSAA. Figure E4-1. Acquisition and Maintenance Organization Program Manager Security Management Relationships. E4.2.2.1. The PM works directly with the development integration, maintenance, configuration management, quality assurance, test independent verification and validation, and SETA organizations. The PM drafts or supports the drafting of the SSAA and coordinates security requirements with the DAA, the CA, and the user representative. The PM continuously keeps all DITSCAP participants informed of acquisition and development action, security requirements, and user needs. E4.2.3. Security Roles and Responsibilities. Execution of the DITSCAP encompasses multiple security roles, figure E4-2, that at minimum include the DAA, the CA, and the ISSO. Additionally various security support teams may be formed to support the C&A of large systems. Together these roles establish an IT system security posture that will operate at an acceptable level of residual risk to the Department of Defense. E4.2.3.1. The DAA is the official responsible for ensuring that IT systems provide an acceptable level of risk in the operational computing environment. In reaching that decision, the DAA is supported by the CA, threat developer, ISSO, and security teams. Those roles shall evaluate the technical and non-technical aspects of the design, installation, and operation of the IT system. They also shall support the evaluation of the impact of the operation of the system on the security posture of the DII. From the perspective of a single system, all security related organizations support the DAA. Figure E4-2. Security Management Relationships. E4.2.3.2. The DAA shall coordinate the development of the initial SSAA with the program manager. The initial SSAA may be prepared by either organization. In phase 2 and 3 the responsibility for the SSAA updates, maintenance and addition of the certification results shall become the responsibility of the CA. Where the IT system may involve multiple DAAs, agreements shall be established between the cognizant DAAs. Those agreements form an integral portion of the SSAA. In most cases, it will be advantageous to designate a lead DAA to represent the DAAs in developing and maintaining the IT system. E4.2.3.3. The CA shall support the DAA for the comprehensive evaluation of the technical and non-technical security features of the IT system. When tasked by the DAA, the CA is responsible for preparation of the SSAA, and the software, hardware, TEMPEST, COMSEC, physical, and procedural evaluations. The CA shall be independent from the organization responsible for the system. Organizational independence of the CA eases the potential of conflicts of interest and permits an impartial evaluation. E4.2.3.4. The CA shall have staff who are technically knowledgeable in IT system design, security design, and the security policies and procedures that satisfy the ITSEC requirements. Although all the technical capabilities may not be available in the CA's organization, the CA is responsible for obtaining the necessary support and providing the necessary oversight of the certification effort. Security teams may be formed to support the C&A or any portion of the process; e.g., security testing. The composition, roles, responsibilities, schedule, and funding of those teams should be defined in the SSAA. E4.2.3.5. The ISSO is responsible for the secure operation of the system. The ISSO responsibilities will be discussed in the next section. E4.2.4. User Roles and Responsibilities. The IT system user resides in a computing environment with either direct or indirect accesses to the information and IT system resources that comprise the computing environment's infrastructure. Users are at all levels and echelons within DoD. The users are responsible for the identification of the operational requirements and the secure operation of certified and accredited IT systems, in accordance with the SSAA. Figure E4-3. User Community Management Relationships. E4.2.4.1. The user representative is the liaison for the user or the user community, particularly during the initial development of a system. The user representative, figure E4-3, is the individual or organization that represents the user community in the specification, acquisition and maintenance of IT system. The user representative defines the system mission and functionality and is responsible for ensuring that the user's interests are maintained throughout system development, modification, integration, acquisition, and deployment. E4.2.4.2. The security focal point in the user community is usually the ISSO who is responsible for the secure operation of the IT system within the environment agreed on in the SSAA. The ISSO ensures the IT system is employed and operated according to the SSAA through integration of all the security disciplines (COMPUSEC, COMSEC, EMSEC, personnel, physical, and administrative procedures) to maintain an acceptable level of residual risk. E4.2.4.3. Since the operational scenarios in the DoD Components may vary to a wide degree, the exact location and number of ISSO(s) in a single command or Agency may vary. ITSEC management may require a single ISSO to coordinate the actions of IT systems at multiple sites or environments, or may require the appointment of an ISSO for each site or environment. User organizations shall assign the ISSO(s) to an organizational position where the ISSO has direct access to applicable decision makers. The ISSO shall not be directly assigned to the organization responsible for the daily IT system operations. The ISSO should be separate from the system administration organization but at an equal level within the information resource management unit. E5. ENCLOSURE 5 ACRONYMS AND ABBREVIATIONS E5.1. Acronyms and abbreviations The acronyms and abbreviations in this enclosure are used throughout this instruction. E5.1.1. ASAP As soon as possible E5.1.2. CA Certification Authority E5.1.3. C&A Certification and Accreditation E5.1.4. CINC Commander-in-Chief E5.1.5. COMPUSEC Computer Security E5.1.6. COMSEC Communications Security E5.1.7. CONOPS Concept of Operations E5.1.8. COTS Commercial Off-The-Shelf E5.1.9. CRLCMP Computer Resources Life-Cycle Management Plan E5.1.10. CRMP Computer Resource Management Plan E5.1.11. CRR Certification Requirements Review E5.1.12. DAA Designated Approving Authority E5.1.13. DCID Director of Central Intelligence Directive E5.1.14. DGSA DoD Goal Security Architecture E5.1.15. DII Defense Information Infrastructure E5.1.16. DITSCAP DoD Information Technology Security Certification and Accreditation Process E5.1.17. EMSEC Emissions Security E5.1.18. GOTS Government Off-The-Shelf E5.1.19. IASE Information Assurance Support Environment E5.1.20. INFOSEC Information System Security E5.1.21. ISSO Information Systems Security Officer E5.1.22. IT Information Technology E5.1.23. ITSEC Information Technology Security E5.1.24. NDI Non-Developmental Item E5.1.25. NSTISSI 4009 National Telecommunications and Information Systems Security (INFOSEC) Glossary E5.1.26. OMB Office of Management and Budget E5.1.27. OSD Office of the Secretary of Defense E5.1.28. SCI Sensitive Compartmented Information E5.1.29. SETA Systems Engineering, Testing, and Analysis E5.1.30. SSAA System Security Authorization Agreement E5.1.31. ST&E Security Test and Evaluation E5.1.32. TAFIM Technical Architecture Framework for Information Management E6. ENCLOSURE 6 SSAA OUTLINE E6.1. SSA outline The SSAA is a living document that represents the formal agreement among the DAA, the CA, the user representative, and the program manager. The SSAA is developed in phase 1 and updated in each phase as the system development progresses and new information becomes available. At minimum, the SSAA should contain the information in the following sample format: 1. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION 1.1. System name and identification. 1.2. System description. 1.3. Functional description. 1.3.1. System capabilities. 1.3.2. System criticality. 1.3.3. Classification and sensitivity of data processed. 1.3.4. System user description and clearance levels. 1.3.5. Life-cycle of the system. 1.4. System CONOPS summary. 2. ENVIRONMENT DESCRIPTION 2.1. Operating environment. 2.2. Software development and maintenance environment. 2.3. Threat description. 3. SYSTEM ARCHITECTURAL DESCRIPTION 3.1. Hardware. 3.2. Software . 3.3. Firmware . 3.4. System interfaces and external connections. 3.5. Data flow (including data flow diagrams). 3.6. TAFIM DGSA, (reference (m)), security view. 3.7. Accreditation boundary. 4. ITSEC SYSTEM CLASS 4.1. Interfacing mode. 4.2. Processing mode. 4.3. Attribution mode. 4.4. Mission-reliance factor. 4.5. Accessibility factor. 4.6. Accuracy factor. 4.7. Information categories. 4.8. System class level. 4.9. Certification analysis level. 5. SYSTEM SECURITY REQUIREMENTS 5.1. National and DoD security requirements. 5.2. Governing security requisites. 5.3. Data security requirements. 5.4. Security CONOPS. 5.5. Network connection rules. 5.5.1. To connect to this system. 5.5.2. To connect to the other systems defined in the CONOPS. 5.6. Configuration and change management requirements. 5.7. Reaccreditation requirements. 6. ORGANIZATIONS AND RESOURCES 6.1. Identification of organizations. 6.1.1. DAA. 6.1.2. CA. 6.1.3. Identification of the user representative. 6.1.4. Identification of the organization responsible for the system. 6.1.5. Identification of the program manager or system manager. 6.2. Resources. 6.2.1. Staffing requirements. 6.2.2. Funding requirements. 6.3. Training for certification team. 6.4. Roles and responsibilities. 6.5. Other supporting organizations or working groups. 7. DITSCAP PLAN 7.1. Tailoring factors. 7.1.1. Programmatic considerations. 7.1.2. Security environment. 7.1.3. IT system characteristics. 7.1.4. Reuse of previously approved solutions. 7.1.5. Tailoring summary. 7.2. Tasks and milestones. 7.3. Schedule summary. 7.4. Level of effort. 7.5. Roles and responsibilities. Appendices shall be added to include system C&A artifacts. Optional appendices may be added to meet specific needs. Include all documentation that will be relevant to the systems' C&A. APPENDIX A. Acronym list APPENDIX B. Definitions APPENDIX C. References APPENDIX D. Security requirements and/or requirements traceability matrix APPENDIX E. Security test and evaluation plan and procedures APPENDIX F. Certification results APPENDIX G. Risk assessment results APPENDIX H. CAs recommendation APPENDIX I. System rules of behavior APPENDIX J. Contingency plan(s) APPENDIX K. Security awareness and training plan APPENDIX L. Personnel controls and technical security controls APPENDIX M. Incident response plan APPENDIX N. Memorandums of agreement - system interconnect agreements APPENDIX O. Applicable system development artifacts or system documentation APPENDIX P. Accreditation documentation and accreditation statement E7. ENCLOSURE 7 ITSEC SYSTEM CLASS DESCRIPTION E7.1. INTRODUCTION E7.1.1. Within the Department of Defense, IT systems perform a wide variety of functions to ensure a mission is accomplished and harm is prevented. The information and processes used to perform those functions, regardless of their classification, helps the Department of Defense to operate more efficiently and accomplish its missions. The information and processes shall be afforded an applicable level of protection for confidentiality, integrity, availability, and accountability. Determination of the proper level of protection shall be based on the perceived value of the information and processes. That value is related to the adverse impact, either fiscal, or operational, or both that the loss, alteration, denial of access, or unauthorized access have on DoD missions. E7.1.2. Security requirements have been established to ensure that information systems provide the required degree of protection. The security requirements are primarily a function of the system mission (operational functions and data processed; etc.), environment (operating and maintenance environment; i.e., the physical and procedural controls for using the system), and architectural concept (stand-alone system, networked and distributed processing; etc.). The degree that systems comply with security requirements produces a level of assurance that the specific information will be protected commensurate with its value to the Department of Defense. The evaluation of information systems to determine the level of assurance requires knowing the ITSEC policy, the way systems permit access to information, and the operational environment for the systems. E7.1.3. Even though specifics for any given system may, or will differ, these groupings allow one to consider and reuse issues, risks, requirements, solutions, implementations, and analyses from other systems within its class or in related tasks. They provide the ability to compare and contrast systems both within a class or in related tasks. That class structure bounds the security problem and permits security requirements to be grouped to satisfy individual class conditions. E7.1.4. Technology now provides the Department of Defense with the ability to distribute IT processing locations and access the information processing points from anywhere in the world. It is now possible for one information system to affect other widely distributed systems and the security qualities of confidentiality, integrity, availability, and accountability anywhere in the world. Connection to the communications infrastructure is a prime consideration in evaluating risk. The ITSEC class structure considers a systems security posture as both a single entity and in relationship to other systems. E7.2. ITSEC CLASSES E7.2.1. An ITSEC system class is a profile of system characteristics derived from considering how the same characteristics applied to the systems operation data affects community mission outcome. System classes group information systems with others of similar missions, operating environments, architectures, and data. Systems are grouped by their interaction with other systems, the way that users and processes must access different types of data, and the security policies that control access of specific information categories. The intent is to group systems by the amount of risk exposure within the system; i.e., capability to contain risk. Members of a class may share common security policies, requirements, and levels of assurance. E7.2.1.1. Grouping systems into classes provides many benefits over examining each system on its own merits and determining the individual security requirements to satisfy the specific problem. Examining each system as a single entity is time consuming and resource intensive. Experience has shown that similar systems, information processed, and environment, exhibit similar security requirements to provide an acceptable level of residual risk. Establishing a common set of criteria permits a class repository to be established so that new developments may draw from applicable past experience. That will allow security policy to be determined rapidly and security requirements to be assigned quickly, based on the group or class into which the system falls. This more economical approach supports standardization by grouping systems into categories of similar risk. It also promotes the development of common or reusable security solutions because all systems of a class will share common mission, policy, data, and security requirements. When a new system development begins, or an existing system is to be revised, the class repository may be accessed to obtain the policy and security requirements. This should eliminate the need for lengthy meetings to define the security policy and requirements. The class repository also may provide lessons learned relative to successful security architectures, certification approaches, and tools used. However, it will not delete any of the activities required to determine if the system may be certified. Nor shall system class membership eliminate the system engineering tradeoff decisions between implementation of physical controls and technical countermeasures. E7.2.1.2. The ITSEC class decision process shall begin by considering the impact of the IT system on other systems. It shall then consider system user interaction, mission, and data types. To consider the impact on other systems, the risk of the specific system to other systems must be accessed. That approach to ITSEC evaluation and C&A focused on infrastructure, shall determine the universal risk to other systems, not just the specific system under consideration. E7.2.1.3. Table E7-1 provides a form for determining the ITSEC class for a system. It resolves several security discriminating characteristics for a system by first considering the same characteristics for the operation and data associated with the system. This shall be done with direct consideration of the infrastructure where the system is connected. The characteristics for the system shall be chosen to be adequate to accommodate the operation, the data, and associated infrastructure considerations. The characteristics include; interfacing mode, processing mode, attribution mode, accessibility factor, accuracy factor, and information categories. Specific alternatives are selectable for each characteristic shown in table E7-1. Table E7-1. ITSEC Class Characteristics. Characteristic Operation Data Infra- structure System Alternatives Interfacing Mode Benign, Passive, or Active Processing Mode Dedicated Level, Compartmented Level, System High, or Multi-level Attribution Mode None, Rudimentary, Basic, or Comprehensive Mission-Reliance Factor None, Cursory, Partial, or Total Accessibility Factor Reasonable, Soon, ASAP, or Immediate Accuracy Factor Not-applicable, Approximate, or Exact Information Categories Unclassified, Sensitive (Privacy Act, Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented/Special Access Classified E7.2.1.4. The selections for each characteristic will associate systems with similar security requirements for C&A. The concept of class implies that systems and associated C&A activities may be grouped. Classes permit the comparison of systems and use of previous experience from systems in the same or similar classes. E7.2.2. Interfacing Mode. The interfacing mode categorizes interaction. The question concerns containment of risk; e.g., if a problem were to occur with the operation, data, or system, what would be the risk to other operations, data, or systems with that it interacts, respectively. The interactions of systems may be through either physical or logical relationships. Those relationships are referred to as benign, passive, or active. E7.2.2.1. Benign. Connotes free of interaction; i.e., no physical or logical relationships. All relationships are restricted to a closed community. E7.2.2.2. Passive. Connotes limited to indirect interaction, and may or may not have physical relationships, but with tightly controlled logical relationships. An example is a terminal with receive only sessions. (The passive case permits lower-level protocols to support passive interactions.) E7.2.2.3. Active. Connotes direct interaction, with both physical and logical relationships. The active case may allow multiple interactive sessions with multiple operations, systems, infrastructures, or data. E7.2.3. Processing Mode. The processing mode distinguishes the way processing, transmission, storage, or data is handled. It reflects the use of the system by one or more different sets of users or processes. The alternatives are: dedicated level, compartmented level, system high level, and multi-level. Each of the modes exhibit unique security qualities. E7.2.3.1. Dedicated Level. Connotes processing, transmission, or storage is within a single information category. (All users and processes have a valid security clearance for all processes and data, and all users or processes have the same need to know. Access controls are equal for all users and processes.) E7.2.3.2. Compartmented Level. Connotes that processing, transmission, storage, or data is handled across different information categories with single-level access by individual users or processes at any given time. (All users and processes have a valid clearance for the most restricted information processed in the system, and a valid need-to-know for the information that the user or process will have access. Access controls are different for each user and process.) E7.2.3.3. System High. Connotes that processing, transmission, storage, or data while actually across different information categories, is handled as if it were in a single information category or processing domain. (All users and processes have valid security clearance to all processes and data. All users and processes may not have the same need to know. Access controls are equal for all users and processes.) E7.2.3.4. Multilevel. Connotes that processing, transmission, storage, or data is handled across different information categories with simultaneous access by individual users or processes. (All users and processes may not have the same clearances or need to know. Access controls are different for each user and process.) E7.2.4. Attribution Mode. The attribution mode distinguishes the degree or complexity of accountability required to establish authenticity and nonrepudiation. Four alternatives are: rudimentary, selected, and comprehensive. E7.2.4.1. None. Means no processing, transmission, storage, or data carries the ability to attribute them to users or processes. E7.2.4.2. Rudimentary. Means the most basic processing, transmission, storage, or data carries the ability to attribute them to users or processes. E7.2.4.3. Selected. Means some processing, transmission, storage, or data carries the ability to attribute them to users or processes. E7.2.4.4. Comprehensive. Means all or almost all processing, transmission, storage, or data carries the ability to attribute them to users or processes. E7.2.5. Mission-Reliance Factor. The mission-reliance factor relates the degree that the success of the mission relies on the operation, data, infrastructure, or system. The criticality of the mission in a broader context is independent of that factor and is used separately. Four alternatives selectable are: none, cursory, partial, or total. E7.2.5.1. None. Means that the mission is not dependent on the specific aspect; i.e., the operation, data, infrastructure, or system. E7.2.5.2. Cursory. Means that the mission is dependent on the specific aspect; i.e., the operation, data, infrastructure, or system, is cursory. E7.2.5.3. Partial. Means that the mission is partially dependent on the specific aspect; i.e., the operation, data, infrastructure, or system. E7.2.5.4. Total. Means that the mission is totally dependent on the specific aspect; i.e., the operation, data, infrastructure, or system. E7.2.6. Accessibility Factor. The accessibility factor relates the degree that the operation, data, infrastructure, or system needs to be available from a security perspective. Here, availability concerns are those that relate to security risks; i.e., non-tolerable operational impacts, and does not include those that are only performance concerns. Four alternatives are selectable: reasonable, soon, ASAP, or immediate. E7.2.6.1. Reasonable. Means that the specific aspect; i.e., the operation, data, infrastructure, or system, must be available in reasonable time to avoid operational impacts. E7.2.6.2. Soon. Means that the specific aspect; i.e., the operation, data, infrastructure, or system, must be available soon (timely response) to avoid operational impacts. E7.2.6.3. ASAP. Means that the specific aspect; i.e., the operation, data, infrastructure, or system, must be available as soon as possible (quick response) to avoid operational impacts. E7.2.6.4. Immediate. Means that the specific aspect; i.e., the operation, data, infrastructure, or system, must be available immediately (on demand) to avoid operational impacts. E7.2.7. Accuracy Factor. The accuracy factor relates the degree that the integrity of operation, data, infrastructure, or system is needed from a security perspective. Here, integrity concerns are those that relate to security risks; i.e., non-tolerable operational impacts, and does not include those that are only performance concerns. Three alternatives are selectable: not-applicable, approximate, or exact. E7.2.7.1. Not-Applicable. Means that the degree of integrity for a specific aspect; i.e., the operation, data, infrastructure, or system, is irrelevant as to operational impacts. E7.2.7.2. Approximate. Means that the degree of integrity for a specific aspect; i.e., the operation, data, infrastructure, or system, must be approximate in order to avoid operational impacts. E7.2.7.3. Exact. Means that the degree of integrity for a specific aspect; i.e., the operation, data, infrastructure, or system, must be exact in order to avoid operational impacts. E7.2.8. Information Category. The mission of each system will determine the information that is processed. The mission and information will influence the environment and security requirements applicable to each information category. Information categories are defined by their relationships with common management principles and security requirements promulgated by the security policy for each information category. Processing, transmission, storage, and data of more than one category of information shall not create a new category but shall instead inherit and shall satisfy all the security requirements of the assigned categories. Each of the identified categories may carry additional restrictions or special handling conditions; e.g., NATO-releasable or NOFORN. The information categories are defined as follows: E7.2.8.1. Unclassified. This category of information includes all information that is not classified and is not sensitive as defined in paragraph E7.2.8.2. below. E7.2.8.2. Sensitive Information. This category includes information, the loss misuse, or unauthorized access to or modification that could adversely affect the national interests or the conduct of federal programs, or the privacy that individuals are entitled under 5 U.S.C. 552a (reference(l)), but that has not been specifically authorized under criteria established by an E. O. or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Systems that are not national security systems, but contain sensitive information are to be protected in accordance with the requirements of the Pub. L. 100-235 (reference(b)). In many cases, it may be useful to further characterize the sensitive information by determining the subcategory. This may indicate additional national, DoD, Service, or Agency requirements that are imposed by processing that type of information. The subcategories are: E7.2.8.2.1. Privacy Act. This category includes all information covered by reference (l) and also includes medical, pay, personnel information, etc. Information may be either classified or unclassified. Privacy Act information requires handling according to a common sensitivity. Privacy Act information usually requires system and information access control. E7.2.8.2.2. Financially Sensitive. This category includes financially and contractually sensitive information. Information may be either classified or unclassified. Financially sensitive category information requires handling according to a common sensitivity, and may require special assurance mechanisms such as two-person verification of transactions. Financially sensitive category information requires system and information access control. E7.2.8.2.3. Proprietary. This category includes information provided by a source or sources under the condition that it not be released to other sources. This information may require system or information access control. E7.2.8.2.4. Administrative and/or Other. This category includes DoD information associated with housekeeping activities, information marked For Official Use Only, and unclassified information that does not fall into any of the other information categories. E7.2.8.3. Collateral Classified. This category includes all classified information not included in the Compartmented and/or Special Access Category. E7.2.8.4. Compartmented and/or Special Access Classified. This category includes all information that requires special access and a security clearance. Examples include sensitive compartmented information, Single Integrated Operations Plan-Extremely Sensitive Information, and special access programs. E7.2.9. Each of the identified categories may carry additional restrictions or special handling conditions; e.g., NATO-releasable or NOFORN. E7.3. SECURITY REQUIREMENTS E7.3.1. Successful implementation of secure systems depends on defining security requirements early. All ITSEC disciplines (COMPUSEC, COMSEC, EMSEC, physical, and personnel) must be considered in the requirements definition process to arrive at a complete set of requirements. This permits the program manager, the user representative, and the DAA to evaluate cost versus risk tradeoffs successfully and assign security requirement implementation to hardware or software components, or procedures. E7.3.2. While all systems share a common set of minimum security requirements, some systems will inherit additional requirements based on their mission and function. Additionally, some systems, based on mission and function, may need a higher level of assurance that security requirements have been implemented successfully. That is a basic distinction among the classes. E7.3.3. When a system is identified with a class of similar systems, the class repository may be accessed for a common set of ITSEC requirements. This eliminates the need for the program manager of each system to develop the security requirements independently from myriad security instructions and directives and forward them to the DAA for approval. The question then remains, how will these requirement sets be developed? E7.3.4. The approach is twofold. E7.3.4.1. Existing systems will be analyzed to determine their classes. Those systems that have been accredited may be used as "models" for others of the class. Their ITSEC requirements, high-level architectures and approved solutions may be documented in a common repository. When a new system is required in that class, or a legacy system needs to be upgraded, the class repository will provide valuable support. E7.3.4.2. An independent requirements definition process needs to collect all ITSEC requirements into a common database. Then the requirements need to be reviewed to remove conflicts and duplications to produce a clean, and complete set of requirements. Those requirements may be allocated to each security class. The result will be an agreed on consistent set of security requirements for each class. Again, users of that class will have the economy of a readily obtainable requirements set. E7.4. DETERMINATION OF SYSTEM CLASS E7.4.1. A key step in the use of system classes is first to prepare an accurate description of the system being considered. While the details of the system may not be clear at the outset of development, its outlines and boundaries should be understood. It is important to know what is not part of the system as well as what is part of the system. The system description shall include those items in figure E7-1. Figure E7-1. System Description Elements. 1. Mission of the system. 2. Functions this system will perform. 3. Interfaces with other systems. 4. Interactions across system interfaces. 5. Expected users of this system. 6. Information categories to be processed. 7. Time frame for developing and implementing the system. 8. Components of the system that will be automated versus manual. 9. Budget limitations that may affect the system. 10. Other system constraints or assumptions that will impact the system. E7.4.2. These questions define the boundaries of the system compared to those that this system may interact. That description shall be sufficiently clear and comprehensive to provide an unambiguous definition of when the system may be certified and accredited. If information or understanding about the system is insufficient for that system description to be written, the DITSCAP is not ready to begin. E7.4.3. Determining the applicable system class is essential to development of the minimal security requirements necessary for the certification and eventual accreditation of the system. By determining the applicable class, the security engineer automatically develops the minimum set of security requirements for the system being analyzed. The various system classes also are associated with specific DITSCAP activities that must be performed. As a result, early in system development the minimum set of security requirements as well as the DITSCAP activities are known to the program manager, the DAA, the user representative, and the CA. E7.4.4. A system class is determined by first selecting the applicable entries for the first three columns of table E7-1. Next the first three entries are resolved to reflect the most applicable value for the fourth column so that the system will adequately support the needs defined in the first three columns. That will result in a system with the minimum security requirements required in the context of its associated operation, data, and infrastructure. Future DITSCAP application guidance will give further instruction with specific examples and rules in selecting the applicable alternatives for each characteristic as it applies to each system aspect. For example, a completed system class chart could look like the following. Table E7-2. ITSEC Class Characteristics. Characteristic System Alternatives Interfacing Mode Active Benign, Passive, or Active Processing Mode System High Dedicated, Compartmented, System High, or Multi-level Attribution Mode Basic None, Rudimentary, Selected, Basic, or Comprehensive Mission-Reliance Factor Partial None, Cursory, Partial, or Total Accessibility Factor ASAP Reasonable, Soon, ASAP, or Immediate Accuracy Factor Approximate Not-applicable, Approximate, or Exact Information Categories Sensitive Sensitive (U.S.C. Code 552 (reference(l)), Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented and/or Special Access Classified E8. ENCLOSURE 8 DITSCAP COMPONENTS OVERVIEW E8.1. DITSCAP Components The DITSCAP components are composed of phases, activities, tasks, and steps. There are four phases: Definition, Verification, Validation, and Post Accreditation. Each phase is composed of activities that are in turn composed of tasks. Each certification analysis task is composed of one or more steps as determined by the level of certification analysis required. E8.2. Table 8-1 Table 8-1 shows the relationship of the phases, activities and tasks. Table 8-1. Relationship of Phases, Activities, and Tasks. Phase Associated Activities Associated Task Phase 1, Definition. Document mission need. Determine and document mission functions. Conduct registration. Register the system - inform the DAA and the user representative that a system will require C&A support. Prepare mission description and system identification. Prepare environment and threat description. Prepare system architecture description. Determine the ITSEC class. Determine the system security requirements. Identify organizations that will support the C&A. Tailor the DITSCAP tasks, determine the C&A scope, level-of-effort, and prepare the DITSCAP plan. Develop the draft SSAA. Perform negotiation. Review the draft SSAA. Conduct the CRR. Approve the SSAA. Prepare the SSAA. Table 8-1. Relationship of Phases, Activities, and Tasks. Phase Associated Activities Associated Task Phase 2, Verification. Refine the SSAA. Support system development activities. Perform certification analysis. System architecture analysis. Software design analysis. Network connection rule compliance analysis. Integrity of integrated products analysis. Life-cycle management analysis. Vulnerability assessment analysis. Assess analysis results against SSAA requirements. Phase 3, Validation. Refine the SSAA. Certification evaluation of the integrated system. ST&E. Penetration testing. TEMPEST and red-black verification. Validation of COMSEC compliance. System management analysis. Contingency plan evaluation. Risk-based management review. Develop recommendation to the DAA. CAs recommendation. DAA accreditation. Phase 4, Post Accreditation. Maintenance of the SSAA. Review the SSAA. Obtain approval of changes. Document changes. System operation. System maintenance. System security management. Contingency planning. Change management. Support system configuration management. Risk-based management review. Compliance validation. Review the SSAA. Physical security analysis. Procedural analysis. Risk-based management review.