Transcript Slide 1
Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010 Defense Security Service Overview • ODAA Documentation • ISFO Process Manual (August 2010) • Certification & Accreditation (C&A) • Common Errors/Findings Defense Security Service ODAA Documentation – NISPOM (Chapter 8) (February 2006) – Industrial Security Letters (ISLs) – ISFO Process Manual (August 2010) Defense Security Service ISFO Process Manual • System Security Plans (SSP) Types – Standalone – Local Area Network (LAN) – Wide Area Network (WAN) – Network Security Plan (NSP) Defense Security Service ISFO Process Manual • Stand Alone – Single User Stand Alone (SUSA) • Only one general user • Physical security – Closed area – Restricted area – Classification level – Multi User Stand Alone (MUSA) • Two or more general users • Physical security – Closed area – Restricted area – Classification level Defense Security Service ISFO Process Manual • Local Area Network (LAN) – Peer to peer • Local user authentication – Closed area – Restricted area – Classification level – Domain controlled • Central user authentication – Closed area – Restricted area – Classification level Defense Security Service ISFO Process Manual • Wide Area Network (WAN) – Unified WAN • RDAA of host node will accredit • IATO not allowed • Single unified network SSP – Must include all nodes on the unified network – Interconnected WAN • Separately accredited systems • Network Security Plan (NSP) • IATO may be issued Defense Security Service ISFO Process Manual • Network Security Plan (NSP) – Allows interconnection of separately accredited systems – ATO/IATO will list nodes approved for connection – Provides overall network view – RDAA of host node will accredit – Network ISSO is responsible Defense Security Service ISFO Process Manual • Self Certification – Authority granted in MSSP/Profile, Approval to Operate (ATO) – Allows ISSM to self certify like systems • Specific to system type and similar operations – Only systems that are NISPOM compliant may be self certified – Documentation for self certified systems – Notify IS Rep, ISSP and ODAA Defense Security Service Certification & Accreditation (C&A) • Plan Submission – Must use approved SSP/MSSP/NSP templates – Assign Unique Identifier (UID) • Once assigned, UIDs never change – Email to ODAA • CC ODAA, IS Rep and ISSP • Email subject line • Email body Defense Security Service Table E-1 Subject Line Requirements for Plan Submissions Region PLAN Unique Identifier IS # Identifier Variables XXXXX-YYYYMMDD-XXXXX Capital Northern Southern Western CageCode¹ YYYYMMDD² XXXXX³ XXXXX4 See Variables Unique Identifiers ¹ Use the facility's 5 character Cage Code ² Use the date on the SSP or MSSP ³ Use a number from 00001 - 99999. Each plan must use a unique number. 4 Use a number from 00001 - 99999. Each plan must use a unique number. Variables MSSP Use MSSP when the plan is a Master Security Plan REV Use Rev when the plan has been resubmitted after the Contractor has made revisions as required by the ODAA. SIPR Use when the IS seeking accreditation has a connection to the SIPRNet. TERM Use when the IS is no longer used for classified processing INT Use INT for SSPs with International connections NSP Use NSP for Network Security Plans DIB Use DIB for DIBCS System Security Plans Defense Security Service Certification & Accreditation (C&A) • Process – Email plan to ODAA – ODAA accepts or rejects plan – Once accepted, ISSP performs desktop review – RDAA can deny or issue IATO – If required ISSM resubmits corrections – ISSP will perform on site verification – RDAA issues ATO Defense Security Service C&A Common Errors • Missing or incomplete UID • Not using approved DSS templates • Missing signed IS Security Package Submission and Certification Statement • Missing signed DSS Form 147 • Missing ISSM System Certification Test Checklist • Missing GCA risk acceptance letter for variances • Missing MOU if required • Missing published and promulgated IS Security Policy addressing the classified processing environment • ISSM fails to submit required corrections Defense Security Service Common Errors – Passwords – SSPs not properly updated (Hardware list, software list, configuration diagram not accurate) – Changing the security posture of the system without authorization Defense Security Service Audit Issues – References: NISPOM 8-602, ISL 2007-01 items 44 & 45 – Security Relevant Objects (SRO), file, and folder permission & auditing – System auditing Defense Security Service Questions & Answers