Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Popularity: 1% [?]

FISMA Tool

xbasics Ulinzi is the only professional tool available in its class focusing directly on FISMA compliance, addressing both the Security Categorization of information and systems, and the development of Security Controls. Ulinzi’s only focus is FISMA. It does not try to be everything to everyone. If you are looking for an easy to use tool to help you develop a FISMA compliant set of Security Controls, look no further, this is the one. There is simply nothing like it anywhere!

Right from the start, xbasics Ulinzi provides all the information needed to put together a FISMA compliant set of Security Controls. No need to look anywhere else. All NIST-developed Standards and Guidelines are already integrated within a great, modern Windows-based interface.

More here

Popularity: 1% [?]

Organizational Relationships Chart (OV-4)

Product Definition. The Organizational Relationships Chart illustrates the command structure or relationships (as opposed to relationships with respect to a business process flow) among human roles, organizations, or organization types that are the key pla yers in an architecture.

Product Purpose. This product clarifies the various relationships that can exist between organizations and sub-organizations within the architecture and between internal and external organizations.

Product Detailed Description. OV-4 illustrates the relationships among organizations or resources in an architecture. These relationships can include supervisory reporting, command and control relationships, and command-subordinate relationships. Another type of relationship is a coordination relationship between equals, where two organizations coordinate or collaborate without one having a supervisory or command relationship over the other. Others may be defined depending on the purpose of the architecture. Architects should feel free to define any kinds of relationships necessary and important within their architecture to support the goals of the architecture. For example, dynamic teams or task forces (i.e., new operational nodes) may be created in real time with only limited lifespans and assigned missions, and could have needlines assigned to them. The creating node and the created node have a unique relationship that should be documented. This relationship may not be one of lines of command or organizational hierarchies, as these do not necessarily map to the needlines of OV-2. In this product, the dynamic organizations represented by operational nodes in OV-2 have a limited lifespan and a temporary collaboration relationship.

The product illustrates the relationships among organizations or organization types that are the key players in an architecture. These key players correspond to the operational nodes of an OV-2, which contains added detail on how the key players interact together in order to conduct their corresponding operational activities of OV-5.

Human roles whose skills are needed to perform the operational activities or business processes described in the architecture may also be defined in OV-4. The corresponding operational activities should be decomposed to a degree that allows them to be correlated to specific human roles within organizations. In addition, and specifically in the case of target architectures, human roles that do not reflect a specific supervisory reporting, command and control, or coordination organizational structure may be used in OV-4. In this case, OV-4 may be developed using strictly human roles that are the key players in an architecture.

Organizational relationships are important to depict in an OV (for a current architecture), because they can illustrate fundamental human roles (e.g., who or what type of skill is needed to conduct operational activities) as well as management relationships (e.g., command structure or relationship to other key players). Also, organizational relationships may influence how the operational nodes in an OV-2 are connected.

Popularity: 2% [?]

Operational Node Connectivity Description (OV-2)

OV-2 Example

Product Definition. The Operational Node Connectivity Description graphically depicts the operational nodes (or organizations) with needlines between those nodes that indicate a need to exchange information. The graphic includes internal operational nodes (internal to the architecture) as well as external nodes.

Product Purpose. OV-2 is intended to track the need to exchange information from specific operational nodes (that play a key role in the architecture) to others. OV-2 does not depict the connectivity between the nodes.

Product Detailed Description. The main features of this product are the operational nodes and the needlines between them that indicate a need to exchange information. The product indicates the key players and the interactions necessary to conduct the corresponding operational activities of OV-5.

Operational Nodes. An operational node is an element of the operational architecture that produces, consumes, or processes information. What constitutes an operational node can vary among architectures, including, but not limited to, representing an operational/human role (e.g., Air Operations Commander), an organization (e.g., Office of the Secretary of Defense) or organization type, i.e., a logical or functional grouping (e.g., Logistics Node, Intelligence Node), and so on. The notion of operational node will also vary depending on the level of detail addressed by the architecture effort.

Needlines and Information Exchanges. A needline documents the requirement to exchange information between nodes. The needline does not indicate how the information transfer is implemented. For example, if information is produced at node A, is simply routed through node B, and is used at node C, then node B would not be shown on the OV-2 diagram - the needline would go from node A to node C. OV-2 is not a communications link or communications network diagram. The system implementation (or what systems nodes or systems are used to execute the transfer) is shown in the Systems Interface Description (SV-1). Furthermore, the needline systems equivalent is the interface line depicted in SV-1. The actual implementation of an interface may take more than one form and is documented in a Systems Communications Description (SV-2). Therefore, a single needline shown in the OV may translate into multiple interfaces in SV-1 and multiple physical links in SV-2.

Needlines are represented by arrows (indicating the direction of information flow) and are annotated with a diagram- unique identifier and a phrase that is descriptive of the principal types of information exchanged. It is important to note that the arrows on the diagram represent needlines only. This means that each arrow indicates only that there is a need for some kind of information transfer between the two connected nodes.

There is a one-to- many relationship from needlines to information exchanges (e.g., a single needline on OV-2 represents multiple individual information exchanges). The mapping of the information exchanges to the needlines of OV-2 occurs in the Operational Information Exchange Matrix (OV-3). For example, OV-2 may list Situational Awareness as a descriptive name for a needline between two operational nodes. In this example, the needline represents a number of information exchanges, consisting of various types of reports (information elements), and their attributes (such as periodicity and timeliness) that are associated with the Situational Awareness needline. The identity of the individual information elements and their attributes are documented in OV-3.

OV-2 should also illustrate needs to exchange information between operational nodes and external nodes (i.e., operational nodes that are not strictly within the scope of the subject architecture but that act as important sources of information required by nodes within the architecture or important destinations for information provided by nodes within the architecture). Operational Activities. The operational activities (from the OV-5 Operational Activity Model) performed by a given node may be listed on the graphic, if space permits. OV-2, in effect, turns OV-5 inside out, focusing first-order on the operational nodes and second-order on the activities. OV-5, on the other hand, places first-order attention on operational activities and only second-order attention on nodes, which can be shown as annotations on the activities.

Representation of the product. For complex architectures, OV-2 may consist of multiple graphics. There are at least two different ways to decompose OV-2. One method involves using multiple levels of abstraction and decomposing the nodes. Another method involves restricting the nodes and needlines on any given graphic to those associated with a subset of operational activities. Both of these methods are valid and can be used together.

OVs usually avoid representing real physical facilities as operational nodes and focus on virtual or logical nodes that can be based on operational (human) roles or missions. Operational nodes are independent of materiel considerations; indeed, they exist to fulfill the missions of the enterprise and to perform its tasks and activities (business processes, procedures, and operational functions). Use of operational nodes supports analysis and design by separating business process modeling and information requirements from the materiel solutions that support them. Similarly, tasks and activities are organized, and communities of interest are defined to suit the mission and process requirements; the materiel is flexibly and automatically configurable to support the operational processes. However, an OV often has materiel constraints and requirements that must be addressed. Where appropriate, system or physical nodes that constitute the location of an operational node may augment the description of an operational node. These are often taken as recommendations or boundaries for further SV details.

Popularity: 2% [?]

EITDR - enterprise information technology data repository

To all System Security Engineers and Information Assurance Officers,

Here is something you might want to know. The Air Force is conducting all certification & accreditation through the EITDR database. This database feeds into the DoD IT Portfolio Registry (DITPR) database. Each branch has its own methods IT registry: the Army’s has the Portfolio Management System (APMS), Navy/Marines have the DITPR-DON. All of these system are used to “record investment review and certification submission information, FISMA assessments, E-Authentication status, and Privacy Impact Assessment status” (office of the assistance sec of the navy).

Each branch has an agency that controls these databases for example, the Air Force has the Air Force Communincations Agency (AFCA), the Army has the Installation Management Agency. These agencies moderate the certification & accreditation process. The IT Lean (aquisitions process) and the SISSU (security, interoperability, supportability, sustainability and usability) processes are integrated into the EITDR/DITPR-DON/APMS. Once you complete all the questions for you registered system, you will have accomplised complete SSAA, DIACAP, and even ISP packages.

For more information search the public.afca.af.mil (USAF). Everything you need to know is there. Also call or email AFCA/EV to learn more.
Army can go –>https://www.us.army.mil/suite/folder/4920492

Popularity: 10% [?]

What is Information Assurance - The Video

Information Assurance is not just information security. Information Assurance is managing the risk associated with the confidentiality, integrity and availability of information.

Popularity: 2% [?]