How to Prepare an SSP - jsac
Preparing System Security Plans
2013 Joint Security Awareness
Council Seminar
Sherry Williams, Speaker
UNCLASSIFIED
Preparing System Security Plans
JSAC 17-18 April, 2013
Requirements…
To start a new Classified Program
Contract Instrument
DD254
IFB
IRAD
RFP
RFQ
Contract Instrument
The Federal Acquisition Regulation (FAR) requires that
a DD-254 be incorporated in each classified contract.
The DD-254 provides the contractor (or subcontractor)
the security requirements and classification guidance
necessary to perform on a classified contract.
Other contract instruments: Invitation for Bid (IFB),
Independent Research and Development (IRAD),
Request for Proposal (RFP), Request for Quotation (RFQ)
DD 254…
Data Protection…
The Security Classification Guide or other
relevant security docs (required prior to
beginning an IS profile)
Identify classification level(s) and handling
caveats
IS USER required training based on classification level
and handling caveats
Closed area/Safe training requirements
White Board Meeting…
“White board” meeting to discuss computing
system requirements (Form 1116)
Engineering and program requirements
Unclassified and Classified systems
Allocate, Build and pre-Certify systems based
upon ODAA technical baseline settings
Why the Defense Security Service (DSS)
denies an Approval to Operate (ATO)
• Missing or incomplete Unique Identifier (UID)
• ISSM did not sign the IS Security Package Submission and Certification Statement
• Missing Hardware List / Software List / Configuration Diagram
• Physical Security not adequately explained
• No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
• No Certification Test Guide or NISP Tool Results were provided
• Missing letter from Government Contracting Activity (GCA) if any variances are needed
• Identification and Authentication not adequately addressed
• Any unique issues that would require denial of the IATO
• Missing MOU when required
Missing MOU when required…
MOU Requirements:
Interconnected systems accredited by different DAAs
Created to establish agreed upon roles, security
responsibilities and other information
Signed by each DAA and submitted with SSP
Contractor-to-Contractor system interconnections do not
require an MOU when DSS is the DAA for all systems
involved
Valid for three years or until system changes occur
affecting security posture
Missing GCA Letter for variances…
• A signed copy of the customer's Risk Acceptance Letter (RAL) on
Government letterhead stating they are willing to assume the
residual risk for, e.g., alternate trusted download procedures
• Special purpose/Non-Compliant systems requiring a RAL should be
under a separate profile; if connection to the larger compliant
system is required, a single-page Network Security Plan (NSP) may
be used
• Risk Acceptance Letters must be updated when the plan is
reaccredited every three years
Variances and Self-Certification
Profiles with RALs and Variances render an IS non-NISPOM
compliant and therefore ineligible for Self-Certification authority
Variance requests must be submitted after MSSP ATO granted
and include a description of the approved variance and signed
RAL
Approved variance must be maintained with the profile
Forget-me-Nots
Identify Group Accounts
List Hardware Memory Size and Types
Ensure Caveats are listed on ATO letters and in profiles
Ensure UIDs on MSSP, Profile, and ATO all match
Ensure Sanitization procedures are included in profiles
Communicate often with your ISSP
Let's Take A Look…