Net Ready Key Performance Parameters (NR-KPP)

The Net Ready Key Performance Parameters (NR-KPP) is
comprised of the following elements: compliance with the Net-Centric
Operations and Warfare (NCOW) Reference Model (RM), applicable Global
Information Grid (GIG) Key Interface Profiles (KIP),
DOD information assurance requirements, and supporting integrated
architecture products required to assess information exchange and use
for a given capability.

Net Centric Operations Warfare Reference Model (NCOW RM) (a) The NCOW
RM serves as a common, enterprise-level, reference model for the DOD’s
Enterprise Architecture The NCOW RM will ultimately provide a common
architectural construct for NCOW with a common language and taxonomy.
The final version of the RM will include:

1. All Views (AV): AV-1 and AV-2
2. Operational Views (OV): OV-1, OV-2, OV-3, and OV-5
3. System Views (SV): SV-1, SV-2, SV-3, SV-4, and SV-5
4. Target Technical View

AV-1 Overview and Summary
Information Scope, purpose, intended users, environment depicted, analytical findings

OV-2 Operational Node
Connectivity Description Operational Nodes, operational activities performed at each node,
connectivity and information exchange need lines between nodes

OV-4 Organizational Relationships Chart
Organizational, role, or other relationships among organizations

OV-5 Operational Activity Model
Operational activities, relationships among activities, inputs and outputs.

OV-6c Operational Event-Trace Description
One of three products used to describe operational activity sequence and
timing – traces actions in a scenario or sequence of events and specifiestiming of events.

SV-4 Systems Functionality Description
Functions performed by systems and the information flow among system
functions, including information assurance functions

SV-5 Operational Activity to Systems Function Traceability Matrix
Mapping of systems back to operational capabilities or of system functions
back to operational activities.

SV-6 Systems Data Exchange Matrix
Provides details of systems data being exchanged between systems.

TV-1 Technical Standards Profile Extraction of standards that apply to the given architecture,
Including information assurance functions.

Bookmarks
that are constantly updated by people around the world use delicious
feed for netcentric (will need an aggregator to view feed):

http://del.icio.us/rss/tag/netcentric
More on Netcentrics, Ditscap, DIACAP and Information Assurance at infoassure.blogspot.com

SSAA vs. ISP

I've done a few System Security Authorization Agreements (SSAA's) but I
admit I'm doing Information Support Plans, ISPs (formerly C4ISPs) for
the first time.

I used to think that the SSAA was a little bit
too much information. Overtime I've learned that it make total sense.
It forces the Information System designers to answer important questions. Many times the
questions it answers aren't important until much later (such as life
cycle issues).

The ISP's puts the SSAA to shame in its sheer
volume of information that needs to be gathered. This is because it
includes the netcentric aspects of the system, the actual schedule and
money involved, acquisitions issues and a bunch of other things that I,
as a security guy, don't care about.

The ISP is a birds eye view
of the target system where the SSAA is a microscope into all levels of
security over the life of the system from cradle to the grave.

More on Information Assurace, DITSCAP, and DIACAP on infoassure.blogharbor.com

DIACAP Policy

This is an overview of the DIACAP’s final draft. 

The DIACAP includes the same things that the DITSCAP has with two major differerences: netcentric environments and GIG standards. With these two (and MANY other changes) it seems that this evolution of the DITSCAP has to take place. So many major levels of Information Assurance in the DoD and abroad have changed that DITSCAP will have to embrace them to stay relevant.

The DIACAP policies will come from DoD Directive/Instruction 8500.01E/.2. [fixed 22 Aug 07]

The DIACAP supports Information Systems transitioning to netcentric environments and GIG Standards by:

  1. Ensuring uniformity of approach
  2. Managing and disseminating Information Assurance Design, implementation, validation, sustainement and approach
  3. Being able to handle differing system
  4. facilitating a dynamic environment

Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD wide configuration management process that considers the GiG architecture and risk assessments conducted at the DoD component level in accordance with FISMA.

The DIACAP will support the ongoing validation to maintain the Information Assurance posture of an Information System. DoD component IA Programs are the primary method of supporting the DoD Information Assurance Program.

Status of all systems in the DIACAP program will be available to all who have authorized access.

SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)

The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is replacing with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). More on DITCAP can be found at the DOD's IASE website.

What is DIACAP?
The DIACAP is the DoD process for identifying, implementing, and validating information assurance controls, for authorizing the operation of DoD information systems, and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA).

What is so special about the DIACAP?
It will replace DoDI 5200.40 and DoD 8510.1-M
Guide for compliance with the Global Information Grid
Supports Netcentricity.

Follow this link to my interpretation of the DIACAP Policy.

What will we have to do differently with the DIACAP. (soon)

DITSCAP, DIACAP, NICAP, ISP

If you are looking for the acronyms above go to –> http://infoassure.blogspot.com  

Most human beings have the luxury of not having to know what the acronyms DITSCAP, DIACAP, NIACAP and ISP mean.  I am not one of those human beings. 

You know all those times you were at work and the Big Wigs decide to come up with some new ridiculous security rule that is just more hassle; have you ever cursed the stupid, stupid bastards that came up with a web blocker that won't let you visit fark.com, ebaum's world or stileproject… I'm the that stupid, stupid bastard

But hey, man, don't blame me.  Any policy I (or any other System Security Engineer) comes up with usually is and interpretation of a company policy.  And usually (at least in my experience) we aren't the ones making the final decisions.

(Sigh) Anyway, bitches…  

I try to include some actual Security Engineering in this blog but it just seems a little over the top because most of my readers (who are either techies or N00bies) can not relate and/or don't have a use for. 

System Security Engineering has to do with Certification and Accreditation, developing security and business plans, and creating organizational information security policies far Information Systems (boring, boring, booooring stuff… that pays pretty good).  It includes all levels of computer security but also deals with things like… operational security.

http://infoassure.blogspot.com  will focus on system security engineering.

I'll continue to put the SSE post in this blog but I'll hide most of them in the DITCAP category so my regular elamb.org visitors don't get nauseated.

Common Criteria, the Rainbow Series and Windows 2K

Windows 2000 was awarded the Common Criteria Certificate.  This
is the first Microsoft Operating System to receive such a prestigious
certification putting it on the same level as SecureOS Solaris Unix,
both built on an operating system that has been around for over thirty
years.  This document will explain what the Common Criteria Certificate is, how a vendor achieves it and why a vendor would want it.

Common Criteria is based on the idea of a sound way of evaluating the security of an operating system.  Common Criteria has evolved over the years.  Security evaluation criteria goes back to the ‘70’s.  The
first standard for this criteria was published in the United States
Trusted Computer Systems Evaluation Criteria (TCSEC), the “Orange Book.”  It was published in 1985 by the National Security Agency.  Europe
came up with similar standards in an effort to create an international
standard called Information Technology Security Evaluation and
Certification (ITSEC) in 1991.  This led to the CC Editorial Board (CCEB) which was formed establishing globally recognized standards for security evaluation (dinopolis).  Each country has its own organization that enforces and advertises these international standards.  In the United States,
both the NSA and the National Institute of Standards and Technology
meet the security and testing needs of Information Technology producers
and consumers.  They do this through a joint program called the National Information Assurance Partnership (NIAP).  The responsibilities of these organization are outlined in the Computer Security Act of 1987 (epic).

In order for a vendor to be awarded the Common Criteria Certification it must pass all required tests for a security certification accepted in 15 countries.  There
are three parts to the CC: 1) Introduction and general model, is the
introduction to the CC. It defines general concepts and principles of
IT security evaluation and presents a general model of evaluation.  2)
Security functional requirements, establishes a set of security
functional components as a standard way of requirements for Targets of
Evaluation (TOEs).  3) Security assurance
requirements, establishes a set of assurance components as a standard
way of expressing the assurance requirements for TOEs (CRYPTIC).

Common Criteria is essential particularly in these times of heightened Information security awareness.  The CC Certification is verification that the operating system has met a specific level of security.  Consumers
are more likely to purchase an operating system that is internationally
accredited than one with just a good reputation.

This certification took Microsoft three years and millions of dollars to attain.  Very few companies have the time, money and resources to reach this level security.  According to Microsoft they obtained the Common Criteria “because its evaluation and certification process helps consumers make informed security decisions (Microsoft).”

 

Works Cited

 

Dinopolis. Common Criteria History. 11 May 2001. http://www.dinopolis.org/documentation/misc/theses/hhaub/node78.html

 NIAP. Common Criteria Evaluation Verification Scheme.

http://niap.nist.gov/

 Electronic Privacy Center. Computer Security Act of 1987. http://www.epic.org/crypto/csa/

 Microsoft. Windows 2000 achieves the Common Criteria Certificate. 29 Oct 2002.

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/cccert.asp#top

Radium. The Rainbow Series Library. 28 June 2000.

http://www.radium.ncsc.mil/tpep/library/rainbow/

Digg This

ISP versus the SSAA

As
a System Security Engineer most of my work has been on DITSCAP (SOON DIACAP)
Certification and Accreditation and producing System Security
Authorization Agreements. But now the government is have us SSEs do
Information Support Plan (formerly C4ISP). Anyway, the Program Managers
want us to do it.

While it is a little frustrating that I'm
stepping out of my security world and into Acquisitions, I can see the
potential for growth as I'm force to learn the Military equivalent of a
Business Continuity Plan.

Once I get a handle on the ISP I have a feeling that it will lead me to great things.

1 2 3 4