UPDATED IA STUFF + Procrastination
January 27, 2010
My greatest skill is procrastination. I really am the best, most skilled procrastinator I know. It takes all of my will power to stay consistent with anything, including this blog, which is why (among other things) I am not banking like Darren Rowse or Steve Pav, two of my favorite bloggers.
YOU SEE, I am such a good procrastinator that JUST procrastinated on getting to the REAL subject of this article, security, IA updates.
A fellow IA Analyst wrote me with questions that got right to the heart of IA, change.
She asked about AFI 33-202.
And I said:
Right as I felt I had mastered the contents of 33-202, the airforce moved to 33-210 (to replace all its C&A stuff). I believe 33-202 is now obsolete and replaced with 33-200 & 33-202 and others.. last time I was with the AF, anyway.
What about IT LEAN?
I said:
As for IT Lean, you can find that on AF Knowledge Now site and I think they have links to it on EITDR. If you are interested in IT Lean you’ll be REALLY interested in 33-210:
33-210
But if you are working with the Air Force and want more on the IT LEAN process you should be digging into AFCAP, Air Force Certification & Accreditation Program, an AF version of IT Lean.
CNSS 1253:
A lot of people also ask me to send them a copy of the CNSSI 12-53. But it is actually OUT. Its the CNSSI 1253. I, personally, have not had any clear direction (currently NO direction) on how to start moving some of the CNSSI to the systems I work on. I suspect that the Govt. will start this within the next couple of years and start phasing out DIACAP.. but who the hell knows what a bureaucracy of their size will do next!
Lastly, my fellow IA Analyst asked me about EITDR
and I said:
You’ll find the EITDR POCs on the Air Force Portal or Knowledge Now. Log on to the Air Force Portal (if you don’t have an account get one.. you may have to get sponsor by the Govt to get it). Once on the AF Portal search for EITDR and they’ll have tons of stuff on it. Waaaaay more stuff than you want to read. You’ll also find the person you need to start the EITDR process with.
Popularity: 1% [?]
CNSSI 12-53: New Security Control Catalog for National Security Systems
July 2, 2009
New DIACAP Certification & Accreditation IA Controls
The DoD has had the same IA controls since DoD 8510.1-M, controls since DoD 8510.1-M, Department of Defense Information Technology System Certification & Accreditation Process (DITSCAP), July 31, 2000 – it was developed late last century.
The DoD has a total of 157 IA controls spread across 8 subject areas in 4 classes:
DC – Security Design & Configuration
IA – Identification and Authentication
EC – Enclave & Computing
EB – Enclave Boundary Defense
PE – Physical & Environmental
PR – Personnel
CO – Continuity
VI – Vulnerability
There is a huge change coming in certification & accreditation for the DoD coming. The IA controls are being expanded and changed. The last two DIACAP classes I’ve been to mentioned that there is a big change coming. Essentially, all the IA Controls (security controls, safeguards, countermeasures.. whatever your organization is calling them) are getting expanded. All federal organizations will have security controls that look more like what is in the National Institute of Standards and Technology Special Publication 800-53. This is all being placed in the Committee on National Security Systems Instruction (CNSSI) 1253. As of 25 June 2009, the CNSSI 1253 is still in draft.
The draft has 17 families & identifiers in three security control classes.
TABLE 1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS
IDENTIFIER FAMILY CLASS
AC Access Control Technical
AT Awareness and Training Operational
AU Audit and Accountability Technical
CA Certification, Accreditation, and Security Assessments Management
CM Configuration Management Operational
CP Contingency Planning Operational
IA Identification and Authentication Technical
IR Incident Response Operational
MA Maintenance Operational
MP Media Protection Operational
PE Physical and Environmental Protection Operational
PL Planning Management
PS Personnel Security Operational
RA Risk Assessment Management
SA System and Services Acquisition Management
SC System and Communications Protection Technical
The CNSSI has about 500 controls with pretty good granularity.
One of the really cool thing about 1253 was the security control mapping. It’s a table that matches up 800-53, DCID 6/3 and DODI 8500.2.
Popularity: 3% [?]
DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5
July 2, 2009
Days 4 & 5 bring the DIACAP/AFCAP Essentials Class to a close. The
biggest things I learned were: CNSSI 4009 is the the official glossary of DOD IA, there is a big difference between theory, policy and practice, Agents of the Certifying Authority (ACA) are official validators and there is a difference between acquisition Mission criticality and IA MAC levels.
Stuff I learned from people in the class:
-AFCA is changing its name (to what?)
DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)
-a lot of what I need in there is in NIST 800-53
Marines use something called Exacta
Site called securitycritics.org
33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)
800-30
Feds call Certification &Accreditation (C&A) “Security authorization”
NIST SP 800-37
Day 4:
Validator Activities & Issue Accreditation Decision
Prepare POA&M
Validate Results/Scorecard
Scorecard
Make certification determination
CA/DAA Package review
Day 5:
Validation procedures were discussed. On day five, we looked at how the validators look at a system.
I thought is was interesting. It should help me get through the EITDR/DIACAP process easier.
Maintain Situational Awareness
Maintain IA Posture
Conduct Review
R-Accreditation
Retire system
Popularity: 2% [?]
DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day3
July 2, 2009
Day 3 heats up a little. We start talking about what it take to actually get validated. The DIACAP Implementers Guide & the DIACAP Validators guide is opened up and reviewed. I think we all learned a little something during this discussion because there have been some challenges with this. Unfortunately, we don’t to far into the validator stuff.
Day 3:
DIACAP Structure
Terminology Review
Assemble DIACAP Team
Registered System/System Information Profile
Assign IA Controls
Initiate DIACAP Implementation Plan
Popularity: 2% [?]
DIACAP Essentials + IA Control Validation Training (part 3): DIACAP/AFCAP Day2
July 2, 2009
Day 1 & 2 have been all about the very basics of DIACAP. Were introduced to the terminologies, key players of the C&A process and basically given the big picture. Like I said, GREAT for beginners, but just lots of theory and refresher if you’ve been doing C&A since DITSCAP.
Day 1 &2:
Getting the Big Picture
DIACAP/AFCAP Policy & Terminology
Roles and Responsibilities for the C&A process
Accreditation & Approval to Connect
Homework: review terminology
In between longer breaks, during lunch and just before class we sneak in episode of the The IT Crowd. Its the first time I’ve watched it so its a real treat for me. Hilarious show.
Popularity: 2% [?]
DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1
June 22, 2009
DIACAP/AFCAP Day 1.
This is the second installment of the DIACAP Essentials journal.
In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.
Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP 
.
There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. its dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off topic stuff like history of eMass.
I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics GREAT for beginners. SecureInfo gets mad props for have a great instructor John M.(don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).
cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they goto this class without knowing the EITDR they will know why but now how, and if they go to the EITDR class without knowing the DIACAP they will know how but not Why.
Popularity: 4% [?]
DIACAP Essentials + IA Control Validation Training (part 1)
June 9, 2009
I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.
Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.
DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).
IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).
What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.
Popularity: 4% [?]
New Certification & Accreditation Process (Rumor)
March 25, 2009
One C&A package to rule them all?
The federal government has a bunch of Certification & Accreditation processes. There is Department of Defense Information Assurance Certification & Accreditation (DIACAP) for the DOD, there’s Director of Central intelligence Directive (DCID) 6/3 for certain classified systems, there is National Information Assurance Certification & Accreditation (NIACAP) for National Security Systems. And under each of these their processes differ according the branch, leadership, organization and/or mission. Each process, organization, branch and mission has a different set of resources that they pull from. DIACAP pertains to military branches and pulls from the DoD 8500 series, many other federal agencies use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.
Each agency, organization and/or branch uses their own methods and everyone is happy. The only problem is when a system gets exploited. When it happens there is mass panic and they realize that there are massive holes in the process.
Rumors and Trends
There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37, C&A of Federal Information Systems and DOD 8510, DIACAP for example. Both have an initial phase where data is gathered on the system and all parties involved with a system are pulled together (see table. 1 for more similarities).
initial;border-color:initial'>
Federal C&A Process
Phases
Activities
SP 800-37
Initiation Phase
Gather data, get agreement of all stake
holders
DIACAP
Initiate & Plan IA C&A
SP 800-37
Security Certification Phase
IA Control Assessment and agreement
DIACAP
Implement & Validate Assigned IA
Controls
SP 800-37
Security Accreditation Phase
Security implementation and assessment
DIACAP
Make Cert. Determination &
Accreditation Decision
DP 800-37
Continuous Monitoring Phase
Configuration management; FISMA reporting;
sustainment
DIACAP
Maintain Authorization to Operate
DIACAP
Decommission
Retire System
12-37?
Popularity: 7% [?]
DIACAP Activity #4 Maintain Authorization to Operate and Conduct Review
February 21, 2008
Maintain Situational AwarenessIncluded in the IA controls assigned to all DoD ISs are IA controls related to configuration and vulnerability management, performance monitoring, and periodic independent evaluations (e.g., penetration testing). The IAM continuously monitors the system or information environment for security-relevant events and configuration changes that negatively impact IA posture and periodically assesses the quality of IA controls implementation against performance indicators such as security incidents, feedback from external inspection agencies (e.g., IG DoD, Government Accountability Office (GAO)), exercises, and operational evaluations. In addition the IAM may, independently or at the direction of the CA or DAA, schedule a revalidation of any or all IA controls at any time. Reference (a) requires revalidation of a select number of IA controls at least annually. (DoD 8510.01, 6.3.4.1)
Knowing what is going on with the system is the job of the Information Assurance Manager (IAM). This can be delegated to the Information Assurance Officer (IAO) or the IAM and IAO may be the same person, but keep in mind that these permission require training, a technical and security certification (IAW DoD 8570).
Maintain IA Posture
Ensuring that there are no changes to the IA posture falls on the shoulders of the IAM. This includes making sure that the establish baseline of the system has no signifigant changes. Most patches (even involving security) will have a minimal impact on the system. Applicable patches should always be tested before being put on a system. Major patches are usually service packs that may actually change the IA posture. The DIACAP Team should be involved with any major changes to the IA posture. They will also decide which modifications, upgrades and additions should be considered changes to the IA posture of the system. As a minimum, the Program Manager, IAM, subject matter experts (software/system security engineers) and information system owner/user representative should be appart of that decision.
What will likely be considered a change to the IA Posture:
Adding IA products (firewalls, intrusion detection systems, ect)
Some internetworking devices such as Routers and Switches
New operating systems
Major upgrades to software or operating systems (not including support applications)
Newly discover major vulnerabilities
*Basically any major changes that will affect the security, supportability, usability, and interoperability of the system. It is important to have who, what when and where of sustainability, new risks, and usability requirements in writing. Information Assurance includes all these things, not just security.
What are usually not changes to the IA Posture:
Most NOTAM/IAVAS/TCNOs (such as Office patches, browser upgrades, ect)
Re-positioning equipment within the office (as long as the IAM has readable documentation on the data connections)
Adding passive periferal devices such as stand-alone printers, scanners and new monitors (devices with connectivity to external sources such as faxes, share external network printers should go before the DIACAP Team)
Devices such as DVD, CD and hard drives with more capacity may not affect the IA Posture but it is best to have some formalized method of tracking upgrades to hardware especially on mission systems as some changes could have some unpredictable affects
Annual FISMA Reviews
DIACAP includes the task of performing reviews annually on the system. This is one of the key features of the Federal Information System Management Act of 2002. What ever command or branch of the DoD you reside, your system has the potential of being audited annually to make sure it is in compliance with federal regulations. The eMASS IT Portfolio management systems (EITDR, DITPR-DON, APMS) also has this feature intergrated into its key functions. All data on each systems IA posture is collect annually. This is done by the IAMs and/or the DIACAP Team.
Additionally, each system must be re-accredited every three years:
6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS. DoD 8510.01, 6.3.4.4
From DoD 8510.01, DIACAP:
6.3.4.1.1. DoD ISs with a current ATO that are found to be operating in an unacceptable IA posture through GAO audits, IG DoD audits, or other reviews or events such as an annual security review or compliance validation shall have the newly identified weakness added to an existing or newly created IT Security POA&M.
6.3.4.1.2. If a newly discovered CAT I weakness on a DoD IS operating with an ATO cannot be corrected within 30 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.1.2.
6.3.4.1.3. If a newly discovered CAT II weakness on a DoD IS operating with a current ATO cannot be corrected or satisfactorily mitigated within 90 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.2.5.
6.3.4.2. Maintain IA Posture. The IAM may recommend changes or improvement to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.
6.3.4.3. Perform Reviews. The IAM shall annually provide a written or DoD PKI-certified digitally signed statement to the DAA and the CA that indicates the results of the security review of all IA controls and the testing of selected IA controls as required by Reference (a). The review will either confirm the effectiveness of assigned IA controls and their implementation, or it will recommend: changes such as those described in subparagraph 6.3.4.2.; a change in accreditation status (e.g., accreditation status is downgraded to IATO or DATO); or development of an IT Security POA&M. The CA and DAA shall review the IAM statement in light of mission and information environment indicators and determine a course of action that will be provided to the concerned CIO or SIAO for reporting requirements described in Reference (a). The date of the annual security review will be recorded in the SIP. A DAA may downgrade or revoke an accreditation decision at any time if risk conditions or concerns so warrant.
6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.
Popularity: 13% [?]
DIACAP Activity #1 Initiate and Plan Certification & Accreditation
February 2, 2008
Initiating the
Register the System with DoD IA Component
Each branch of the military has an IA component. Each of the US Armed Services have a division under their respective chief information officer’s responsible for all computers, communications and networks in a given military branch. These communications divisions will house the Information Assurance component responsible for the DIACAP tasks.
Table 1. DoD IA Components
| DoD Branch |
Branch Communication & Information Service |
|
| US Air Force |
Air Force Communication Agency (AFCA) |
AFCA/EV |
| US Army |
*Army NETCOM 9th Signal Corps |
Army NETCOM Information Assurance Office |
| Department of the Navy |
DON CIO |
DON SIAO |
*more on Army NETCOM
More on Registering with your IA Component
DIACAP Team
Once you’ve made contact with your system’s IA Component you may be asked to identify the players in your DIACAP Team. The DIACAP Team roles will consist of a Designated Approval Authority (DAA), Program Manager (PM), Certifying Authority (CA), User Rep, Information Assurance Manager and others. You will also need to identify other important players such as the Lead Engineer.
More on DIACAP Team Roles.
Get an Enterprise Mission Assurance Support Service (eMASS) account
The Enterprise Mission Assurance Support Service (eMASS) is a generic name for specific automated databases that are used to manage the DIACAP. Each branch has a different automated database (Fig 1). The USAF has the EITDR, The Navy has the DITPR-DON, and the Army has the APMS. Each of these databases satisfies DoD IT portfolio management, certification and IT reporting directives addressed in DoD Directive 8115.01, signed October 10, 2005.
Fig 1, DoD IT Portfolio Management System
Information Assurance Controls are also known as Information Assurance requirements and security controls. IA Controls are assigned according to a system’s Mission Assurance Category (MAC) and Confidentiality Levels (Fig 2.) defined in DoDI 8500.2. The DIACAP Knowledge Service has Excel spread sheets breaking down each of the IA Controls.
Fig. 2, Mission Assurance Category & Confidentiality Levels
Some of the IA Controls require system security engineering interpretation because no system is alike. Some IA Controls will not apply while other will apply only under certain circumstances and that is where knowledgeable system & system security engineer comes in.
Ref:
https://akss.dau.mil/dag/GuideBook/IG_c7.5.7.2.asp
DoDI 8500.2, Enclosure 4
Initiate DIACAP Implementation Plan
With the proper MAC/CL level applied, the system security specialist/engineer and/or technician should have a good idea what IA Controls apply to a given system. The next step is to begin the DIACAP Implementation Plan.
The DIACAP Knowledge Service has a thorough break down of each of the IA Controls and how to accomplish and validate them. Once complete, your system’s DIACAP Implementation Plan should identify each of the applicable IA Controls, whether the system is compliant or not and when it will be compliant with those particular IA Controls.
Initiation of the DIACAP Plan means you are consulting developers and or Program Managers on the IA Controls that will affect the system. Both new systems, and existing legacy systems will require some sort of documentation whether a simple spreadsheet, or Word document detailing who, what, when and where of each IA Control feature applied to the system. The DIACAP Knowledge Service has a sample DIACAP Implementation Plan spread sheet that thoroughly details all the above requirements. It can be downloaded and tailored easily to your specific systems needs.
Once registered, the eMASS (EITDR, DITPR-DON, and APFM) system will require that you upload your completed DIACAP Implementation Plan (which is a bit of a paradox because the EITDR can actually create a DIACAP package once certain data is uploaded, validated and approved. EITDR will also require that the IA Controls be addressed and validated individually and subsequently Reviewed, Validated and Approved by system stakeholders.
Deliverables for Activity #1:DIACAP System Identification Profile (SIP)
DIACAP Implementation Plan
USAF SISSU Stakeholder’s List (Air Force)
References:
DoD Regulation 5200.1-R , “DoD Information Security Program,” January 1997
DoDD 8115.01, “Information Technology Portfolio Management”, dated October 10, 2005
DoDD 8500.01E, “Information Assurance (IA),” dated April 23, 2007
DoDI 8551.1, “Ports, Protocols, and Services Management (PPSM) Release 6.9,” dated September, 2007
DoDI 8570.1-M “Information Assurance Workforce Improvement Program,” dated December 19, 2005
Federal Information Security Management Act (FISMA) (2002)
Information Assurance Support Environment (IASE)
Popularity: 17% [?]
