UPDATED IA STUFF + Procrastination

My greatest skill is procrastination. I really am the best, most skilled procrastinator I know. It takes all of my will power to stay consistent with anything, including this blog, which is why (among other things) I am not banking like Darren Rowse or Steve Pav, two of my favorite bloggers.

YOU SEE, I am such a good procrastinator that JUST procrastinated on getting to the REAL subject of this article, security, IA updates.

A fellow IA Analyst wrote me with questions that got right to the heart of IA, change.

She asked about AFI 33-202.
And I said:

Right as I felt I had mastered the contents of 33-202, the airforce moved to 33-210 (to replace all its C&A stuff). I believe 33-202 is now obsolete and replaced with 33-200 & 33-202 and others.. last time I was with the AF, anyway.

What about IT LEAN?
I said:

As for IT Lean, you can find that on AF Knowledge Now site and I think they have links to it on EITDR. If you are interested in IT Lean you’ll be REALLY interested in 33-210:
33-210

But if you are working with the Air Force and want more on the IT LEAN process you should be digging into AFCAP, Air Force Certification & Accreditation Program, an AF version of IT Lean.

CNSS 1253:
A lot of people also ask me to send them a copy of the CNSSI 12-53. But it is actually OUT. Its the CNSSI 1253. I, personally, have not had any clear direction (currently NO direction) on how to start moving some of the CNSSI to the systems I work on. I suspect that the Govt. will start this within the next couple of years and start phasing out DIACAP.. but who the hell knows what a bureaucracy of their size will do next!

Lastly, my fellow IA Analyst asked me about EITDR
and I said:

You’ll find the EITDR POCs on the Air Force Portal or Knowledge Now. Log on to the Air Force Portal (if you don’t have an account get one.. you may have to get sponsor by the Govt to get it). Once on the AF Portal search for EITDR and they’ll have tons of stuff on it. Waaaaay more stuff than you want to read. You’ll also find the person you need to start the EITDR process with.

Popularity: 1% [?]

SRR Findings to IA Controls

From Reader:

I stumbled upon your site and am new to security working for a contractor. I’m attempting to complete a DIACAP POA&M and need to map SRR findings to IA controls – any idea where I might find this information?

The SRR finding reference the DOD Unix STIG and NIPR STIG. It doesn’t seem to completely match up the the DIACAP IA Controls, but that is where a good system security engineer/ IA analyst comes in.

Once you’ve got your SRR results, IA Control compliance and mitigation depends on your situation. There are a few that map directly (like Screen Saver) but most of the SRR findings will fall under one or two of the IA Controls.

Hope this helps.

Popularity: 2% [?]

CNSSI 12-53: New Security Control Catalog for National Security Systems

New DIACAP Certification & Accreditation IA Controls

The DoD has had the same IA controls since DoD 8510.1-M, controls since DoD 8510.1-M, Department of Defense Information Technology System Certification & Accreditation Process (DITSCAP), July 31, 2000 – it was developed late last century.

The DoD has a total of 157 IA controls spread across 8 subject areas in 4 classes:

DC – Security Design & Configuration

IA – Identification and Authentication

EC – Enclave & Computing

EB – Enclave Boundary Defense

PE – Physical & Environmental

PR – Personnel

CO – Continuity

VI – Vulnerability

There is a huge change coming in certification & accreditation for the DoD coming. The IA controls are being expanded and changed. The last two DIACAP classes I’ve been to mentioned that there is a big change coming. Essentially, all the IA Controls (security controls, safeguards, countermeasures.. whatever your organization is calling them) are getting expanded. All federal organizations will have security controls that look more like what is in the National Institute of Standards and Technology Special Publication 800-53. This is all being placed in the Committee on National Security Systems Instruction (CNSSI) 1253. As of 25 June 2009, the CNSSI 1253 is still in draft.

The draft has 17 families & identifiers in three security control classes.

TABLE 1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS
IDENTIFIER FAMILY CLASS

AC Access Control Technical

AT Awareness and Training Operational

AU Audit and Accountability Technical

CA Certification, Accreditation, and Security Assessments Management

CM Configuration Management Operational

CP Contingency Planning Operational

IA Identification and Authentication Technical

IR Incident Response Operational

MA Maintenance Operational

MP Media Protection Operational

PE Physical and Environmental Protection Operational

PL Planning Management

PS Personnel Security Operational

RA Risk Assessment Management

SA System and Services Acquisition Management

SC System and Communications Protection Technical

The CNSSI has about 500 controls with pretty good granularity.

One of the really cool thing about 1253 was the security control mapping. It’s a table that matches up 800-53, DCID 6/3 and DODI 8500.2.

Popularity: 3% [?]

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5

Days 4 & 5 bring the DIACAP/AFCAP Essentials Class to a close. The
biggest things I learned were: CNSSI 4009 is the the official glossary of DOD IA, there is a big difference between theory, policy and practice, Agents of the Certifying Authority (ACA) are official validators and there is a difference between acquisition Mission criticality and IA MAC levels.

Stuff I learned from people in the class:

-AFCA is changing its name (to what?)

DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)

-a lot of what I need in there is in NIST 800-53

Marines use something called Exacta

Site called securitycritics.org

33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)

800-30

Feds call Certification &Accreditation (C&A) “Security authorization”

NIST SP 800-37

Day 4:

Validator Activities & Issue Accreditation Decision

Prepare POA&M

Validate Results/Scorecard

Scorecard

Make certification determination

CA/DAA Package review

Day 5:

Validation procedures were discussed. On day five, we looked at how the validators look at a system.

I thought is was interesting. It should help me get through the EITDR/DIACAP process easier.

Maintain Situational Awareness

Maintain IA Posture

Conduct Review

R-Accreditation

Retire system

Popularity: 3% [?]

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day3

Day 3 heats up a little. We start talking about what it take to actually get validated. The DIACAP Implementers Guide & the DIACAP Validators guide is opened up and reviewed. I think we all learned a little something during this discussion because there have been some challenges with this. Unfortunately, we don’t to far into the validator stuff.

Day 3:

DIACAP Structure

Terminology Review

Assemble DIACAP Team

Registered System/System Information Profile

Assign IA Controls

Initiate DIACAP Implementation Plan

Popularity: 2% [?]

DIACAP Essentials + IA Control Validation Training (part 3): DIACAP/AFCAP Day2

Day 1 & 2 have been all about the very basics of DIACAP. Were introduced to the terminologies, key players of the C&A process and basically given the big picture. Like I said, GREAT for beginners, but just lots of theory and refresher if you’ve been doing C&A since DITSCAP.

Day 1 &2:

Getting the Big Picture

DIACAP/AFCAP Policy & Terminology

Roles and Responsibilities for the C&A process

Accreditation & Approval to Connect

Homework: review terminology

In between longer breaks, during lunch and just before class we sneak in episode of the The IT Crowd. Its the first time I’ve watched it so its a real treat for me. Hilarious show.

Popularity: 2% [?]

DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

DIACAP/AFCAP Day 1.
This is the second installment of the DIACAP Essentials journal.

In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP .

There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. its dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off topic stuff like history of eMass.

I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics GREAT for beginners. SecureInfo gets mad props for have a great instructor John M.(don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they goto this class without knowing the EITDR they will know why but now how, and if they go to the EITDR class without knowing the DIACAP they will know how but not Why.

Popularity: 4% [?]

DIACAP Essentials + IA Control Validation Training (part 1)

I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).

IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

Popularity: 4% [?]

Validation: Track the Results

If you are doing Certification & Accreditation then you know it’s all about the documentation.

But its not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated sometimes you’ll have to produce the documentation.

An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.

DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.

If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).

Popularity: 4% [?]

New Certification & Accreditation Process (Rumor)

One C&A package to rule them all?

The federal government has a bunch of Certification & Accreditation processes. There is Department of Defense Information Assurance Certification & Accreditation (DIACAP) for the DOD, there’s Director of Central intelligence Directive (DCID) 6/3 for certain classified systems, there is National Information Assurance Certification & Accreditation (NIACAP) for National Security Systems. And under each of these their processes differ according the branch, leadership, organization and/or mission. Each process, organization, branch and mission has a different set of resources that they pull from. DIACAP pertains to military branches and pulls from the DoD 8500 series, many other federal agencies use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.

Each agency, organization and/or branch uses their own methods and everyone is happy. The only problem is when a system gets exploited. When it happens there is mass panic and they realize that there are massive holes in the process.

Rumors and Trends

There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37, C&A of Federal Information Systems and DOD 8510, DIACAP for example. Both have an initial phase where data is gathered on the system and all parties involved with a system are pulled together (see table. 1 for more similarities).

style='border-collapse:collapse;mso-padding-alt:0in 0in 0in 0in;border-width:
initial;border-color:initial'>

Federal C&A Process	Phases	Activities
SP 800-37	Initiation Phase	Gather data, get agreement of all stake holders
DIACAP	Initiate & Plan IA C&A
SP 800-37	Security Certification Phase	IA Control Assessment and agreement
DIACAP	Implement & Validate Assigned IA Controls
SP 800-37	Security Accreditation Phase	Security implementation and assessment
DIACAP	Make Cert. Determination & Accreditation Decision
DP 800-37	Continuous Monitoring Phase	Configuration management; FISMA reporting; sustainment
DIACAP	Maintain Authorization to Operate
DIACAP	Decommission	Retire System

12-37?

Popularity: 7% [?]

Next Page »