The Definitive Guide to the C&A Transformation Process

Book Description

Learn more about establishing and maintaining a secure information environment...

War is always a product of its age, and in the age of information, information systems are one of the primary drivers of war. The tools and tactics used to fight the information war have evolved with advances in technology, so it is no wonder that the tools and tactics needed to defend critical information systems must evolve as well.

Certification and Accreditation Process

One of the tools in the defense toolkit is the process known as Certification and Accreditation (C&A). C&A stretches across the Department of Defense (DoD), the Office of the Director of National Intelligence (ODNI), the Committee on National Security Systems (CNSS), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

It can be an extremely effective risk-based process for ensuring that the measures necessary to protect devices, systems and networks are actually implemented. It is therefore essential for information security professionals to understand this huge and complex body of work in order to establish and maintain a secure information environment.

New C&A practices reduce redundant activity

The new C&A practices will reduce redundant activity and unnecessary documentation, and will shorten the overall process that has historically affected DoD procurement. The new procedures will also ensure system certifications and accreditations accomplished by one agency are valid for all agencies.

A comprehensive and authoritative guide to C&A

This book is the first comprehensive manual to explain the current standards and best practices. The book provides all the information needed to recognize, implement and manage the relevant authorization requirements, and therefore to achieve compliance with federal, local and agency laws and policies. Each chapter not only provides a list of related references but also offers recommendations for additional reading. Ideal for security practitioners, system administrators, managers, standards developers, evaluators and testers, no other book provides such authoritative guidance on these emerging requirements.

What others are saying about this book...

'Book is easy to read and easy to follow. The author clearly identifies the major points of C&A. Excellent material for our MBA669A (Principles of Information Security Management) class.' Jeralyn Pasinabo, University of Dayton

'This book is excellent for real world techniques for employing best practices for security… very well laid out and has lots of important points.'

'This textbook was very detailed, yet easy to follow… I would highly recommend The Definitive Guide to the C&A Transformation.' Letitia Sharp (amazon.com review)

Table of Contents

  1. PREFACE
  2. ABOUT THE AUTHORS
  3. ACKNOWLEDGEMENTS
  4. CONTENTS
  5. INTRODUCTION
    1. Purpose and scope
    2. Motivation – what do we hope to accomplish with this book?
    3. Who is the target audience?
    4. Terminology
    5. Overview of the contents
  6. CHAPTER 1: AN ABRIDGED HISTORY OF INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS SECURITY
    1. From physical to virtual – a highly abridged history of information technology
    2. Information systems and information systems security – merging concerns
      1. 40 years ago: The Dinosaur Age – the mainframe
      2. 30 years ago: The caveman and the wheel – ftp, email, and telnet
      3. 20 years ago: The automobile meets the road – rise of the personal computer
      4. 10 years ago: The Autobahn – the information super-highway
      5. Today: The sky is the limit – networking without boundaries!
    3. References
  7. CHAPTER 2: THE ESSENTIAL INFORMATION SYSTEMS SECURITY REGULATIONS
    1. Information systems security regulations you need to know
      1. Executive orders, laws, regulations, and standards
        1. Laws
        2. Executive orders
        3. Regulations
        4. Policy, guidance and standards
      2. Miscellaneous legislation affecting the authorization process
        1. Health Insurance Portability and Accountability Act (HIPAA)
        2. Sarbanes-Oxley
        3. Federal Information System Controls Audit Manual (FISCAM)
      3. The C&A transformation – The future is here (near)
    2. References
  8. CHAPTER 3: THE AUTHORIZATION PROCESS FRAMEWORK
    1. Commonly found authorization process deficiencies
      1. Risk assessments were not conducted or did not provide an adequate basis for a risk-based decision
      2. Information system sensitivity levels were inconsistent or incorrect
      3. Inappropriate or insufficient security controls
      4. Authorization decisions were based on inadequate and inconsistent testing
      5. Processes for security controls reviews were inadequate or nonexistent
    2. Authorization process commonalities
    3. The basic authorization framework
    4. Factors that influence authorization activities
    5. Joint or reciprocal authorization
      1. Joint accreditation
      2. Reciprocal accreditations
    6. References
  9. CHAPTER 4: THE AUTHORIZATION PROCESS – ESTABLISHING A FOUNDATION
    1. Authorization is only one part of an effective security program
      1. Making the business case – what is the ROSI?
      2. Don’t sell FUD – tell them what they have to gain
    2. Designing an effective information security program
      1. Defining the program
      2. The 5000 meter view
      3. Getting and keeping resources
      4. Security governance – establishing the right roles and responsibilities
        1. Senior leadership
        2. Chief information officer (CIO)
        3. Senior agency information security officer (SAISO)/chief information security officer (CISO)
        4. Risk executive (individual or function)
        5. Authorizing official (AO)/designated accrediting authority (DAA)
        6. Information systems security manager (ISSM)/information assurance manager (IAM)
        7. Information system security officer (ISSO)/information assurance officer (IAO)
        8. Certifying authority (CA)
        9. Security controls assessor
        10. Common control provider
        11. Information owner/information steward
        12. Information system owner or program manager (PM)/information system steward
        13. Information system security engineer (ISSE)
        14. User representative
        15. Users
        16. Subject matter experts (SME)
        17. Contractors
        18. But I’m just a small organization…
        19. Can roles and responsibilities be delegated?
      5. Systems security training and certification
      6. Developing and publishing plans and policies
      7. Measuring progress
    3. Milestones from the “establishing a foundation” activities
    4. References
  10. CHAPTER 5: PRE-AUTHORIZATION ACTIVITIES – THE FUNDAMENTALS
    1. Establish the authorization team
      1. Authorization roles by team member
    2. Training the authorization team should not be an afterthought
    3. Categorizing the information system
      1. Identifying the type of information system
        1. Enclave
        2. Automation information system (AIS) application
        3. Outsourced IT
        4. Platform IT
      2. Identifying the information
    4. Defining the boundary ensures manageable and measurable authorization
      1. Network topology
      2. Organization
      3. Mission
      4. Location
      5. Data sensitivity or classification
      6. Boundary considerations: too narrow or too broad
      7. Helpful hints
    5. Establishing a risk management process
    6. Risk management process example
      1. The risk assessment process
      2. The risk assessment process
        1. Step 1: Prepare and plan the risk assessment
        2. Step 2: Identifying assets
        3. Step 3: Perform asset sensitivity analysis
        4. Step 4: Conduct a threat analysis
        5. Step 5: Conduct a vulnerability analysis
        6. Step 6: Execute cost/impact analysis
        7. Step 7: Finalize risk assessment and analysis
        8. Step 8: Assess residual risk against risk tolerance
      3. The full risk assessment: Yes or No?
    7. Align with the system life cycle (SLC)
    8. Milestones from the pre-certification and accreditation activities
    9. References
  11. CHAPTER 6: PLAN, INITIATE AND IMPLEMENT AUTHORIZATION – PREPARING FOR AUTHORIZATION
    1. UNDERSTAND the information and the information system
      1. Who is involved?
      2. Scope and level of effort
      3. Information obtained from documentation
      4. Developmental systems
      5. Operational systems
      6. Plan and schedule
      7. Cost
      8. System security categorization for information
        1. Subtask 1: Identify the information type(s)
        2. Subtask 2: Select the provisional or initial impact level
        3. Subtask 3: Review the provisional/initial impact levels and adjust
        4. Subtask 4: Assign system security category
    2. System 1: A public web server
    3. System 2: A financial organization
    4. System 3: A medical management system
      1. Additional notes on security category
      2. The final output: Identification of the security controls baseline
        1. Selecting the initial baseline
        2. Supplementing the initial baseline
        3. Identifying common or inherited controls
      3. Benefits of common/inherited controls
    5. REGISTER the information system
      1. Who is involved?
      2. The registration process
        1. It’s all about the money!
    6. NEGOTIATE the authorization approach
      1. Negotiations associated with system type
        1. Major applications (MAs)/AIS applications
        2. General support system (GSS) or enclave
        3. The authorization plan
    7. IMPLEMENT the security controls
      1. Implementation factors
        1. Technology-related implementation factors
        2. Infrastructure-related implementation factors
        3. Public access-related implementation factors
        4. Scalability-related implementation factors
        5. Common/inherited control-related implementation factors
        6. Risk-related implementation factors
      2. Implementation guidance
        1. Operational or management control
        2. Technical control
      3. Results of implementation: Evidence or artifacts
    8. Milestones from the plan, initiate, and implement authorization activities
    9. References
  12. CHAPTER 7: VERIFY, VALIDATE & AUTHORIZE – CONDUCTING THE AUTHORIZATION
    1. ASSESS the security controls
      1. What is security control testing?
      2. What should be tested?
      3. Who executes security control testing?
        1. Validation testing in federal agencies
        2. Validation testing within DOD
      4. Security control test procedures
      5. Security control assessment methods
        1. Examine – “E”
        2. Interview – “I”
        3. Test – “T”
        4. Observation – “O”
      6. Executing the security controls assessment
        1. Plan the security controls assessment
        2. Execute the security controls test
        3. Analyze, document, and report the results in the security assessment report (SAR)
    2. DEVELOP the plan of action and milestones (POA&M)
      1. Importance of the POA&M – $$$$
      2. How the POA&M fits into the information system security evaluation
      3. Benefits of the POA&M process
      4. The POA&M process of weakness remediation
        1. Summary
    3. AUTHORIZE the operation of the information system
      1. The security authorization package
        1. The system security plan (SSP)
        2. Assessment summary report
        3. A plan of action and milestones (POA&M)
        4. The certification statement
      2. Importance of the certifying authority and the certification statement
      3. The security authorization decision
        1. Authorization to operate (ATO)
        2. Interim authorization to operate (IATO)
        3. Denial of authorization to operate (DATO)
        4. Interim authority to test (IATT)
        5. Accreditation decision letter
    4. Milestones from the verify, validate and authorize activities
    5. References
  13. CHAPTER 8: OPERATE & MAINTAIN – MAINTAINING AUTHORIZATION
    1. MONITOR the security control status: situational awareness
      1. Change and configuration management
        1. What is a security relevant event?
      2. Configuration management processes
        1. What is a configuration management plan?
        2. Why have a configuration management plan?
        3. When should you develop a CMP?
      3. Ongoing security control verification
    2. CONDUCT the annual review and security reporting
    3. MAINTAIN the authorization
    4. Milestones from the operate and maintain activities
    5. References
  14. CHAPTER 9: REMOVE THE INFORMATION SYSTEM FROM OPERATION
    1. Required actions when removing an information system from operation
      1. The removal from operation or decommissioning plan
    2. Avoiding self-inflicted security issues through effective system removal
    3. Methods of removing an information system and/or its data from operation
      1. Data you may not know you have
      2. Some examples of tools
    4. References
  15. CHAPTER 10: AUTHORIZATION PACKAGE AND SUPPORTING EVIDENCE
    1. The authorization package in detail
      1. System security plan (SSP)
        1. Developing the SSP
        2. A sample table of contents (TOC) for your SSP
        3. System security plan approval
      2. The POA&M elements and format
        1. Column 1: Weakness identifier
        2. Column 2: Weakness description
        3. Column 3: Point of contact (POC)
        4. Column 4: Resources required
        5. Column 5: Scheduled completion date
        6. Column 6: Milestones with completion dates
        7. Column 7: Changes to milestones
        8. Column 8: Identified in audit or review
        9. Column 9: Status
        10. Column 10: Comments
        11. Column 11: Risk level
        12. Risk level determination
        13. Establishing a POA&M process
      3. Security assessment report (SAR)
        1. Report structure
        2. Submitting the SAR
      4. Certification statement
        1. Contents of the certification statement
    2. Supporting evidence for the authorization decision – security control documentation
      1. Information system inventory – understand your information systems
        1. How to proceed
        2. The overall inventory of information systems
        3. Hardware and software inventories
        4. Use of inventory tools
      2. Security control assessment (SCA) plan
        1. Types of security control assessments
        2. Security control assessment plan contents
        3. Security control assessment plan approval
      3. Security control assessment report (SAR)
        1. SAR template
      4. Configuration management (CM) process and plan
        1. Typical CM roles and responsibilities
        2. Configuration management board (CMB) and configuration control board (CCB)
        3. The configuration management process (CMP)
        4. The configuration management plan (CMP)
        5. What are the basic contents of the CMP?
      5. Continuity of operations/IT contingency planning
        1. Testing the plan
      6. User guides – general and privileged users
        1. User’s guide
        2. Privileged user’s guide
      7. Incident handling and response
        1. Incident handling versus just incident response
        2. Incident response plan (IRP)
      8. Privacy impact assessment (PIA)
        1. When is a PIA required?
        2. When is a PIA submitted?
        3. Steps to completing a PIA
        4. Contents of the PIA
      9. Interconnection agreements
        1. Why is an interconnection agreement necessary?
      10. MOU, MOA or ISA?
        1. Role of the authorizing official
        2. Memorandum of understanding/agreement (MOU/A)
        3. Interconnection security agreement (ISA)
    3. References
  16. CHAPTER 11: C&A IN THE US DEPARTMENT OF DEFENSE
    1. Introduction to the DIACAP
      1. The IA controls and how to use them
        1. Determining mission assurance category
        2. Determining confidentiality level
        3. Selecting the IA control set: Putting MAC and CL together
        4. IA control subject areas
        5. IA control naming convention
    2. DIACAP governance structure
      1. The accreditation sub-structure
      2. Configuration control and management sub-structure
      3. C&A process sub-structure
    3. A DIACAP roadmap (guide to the stages or activities)
      1. Initiate & plan IA C&A
        1. Register the information system with the DOD component IA program
        2. Assign the information assurance controls
        3. Assigning the DIACAP team
        4. Develop the DIACAP implementation plan
        5. Implement and validate assigned IA controls
        6. Finding implementation and validation test guidance
        7. Execute the DIACAP implementation plan
        8. Conduct validation activities
        9. Prepare the plan of action & milestones (POA&M)
        10. Compile validation results in the DIACAP scorecard
      2. Make certification determination & accreditation decision
        1. Make certification determination
        2. Issue accreditation decision
      3. Maintain authorization to operate & conduct reviews
        1. Maintain situational awareness
        2. Maintain IA posture
        3. Conduct reviews
        4. Initiate re-accreditation
      4. Decommission the information system
        1. Retiring the information system
    4. DIACAP support tools
      1. DIACAP Knowledge Service
      2. Enterprise Mission Assurance Support Service (eMASS)
    5. C&A and the DOD components
    6. References
  17. CHAPTER 12: AUTHORIZATION IN THE FEDERAL GOVERNMENT
    1. Establishing information system authorization boundaries (also known as accreditation boundaries)
      1. The system description
      2. Network and dataflow diagrams
      3. The system inventory
    2. Choose the proper accreditation vehicle
    3. Security authorization process
      1. Step 1: Categorizing the information system
      2. Step 2: Registering the information system
      3. Step 3: Selecting the security controls
      4. Step 4: Implementing the security controls
      5. Step 5: Identify and select the independent security control assessor (assessment team)
      6. Step 6: Develop the security control assessment plan
      7. Step 7: Prepare for the test
      8. Step 8: Conduct the security controls assessment test
        1. Some tips for preparing the final assessment report
      9. Step 9: Update the system security plan
      10. Step 10: Develop the POA&M
      11. Step 11: Security authorization decision
      12. Step 12: Continuous monitoring and ongoing risk acceptance
      13. Step 13: Decommissioning the information system
    4. References
  18. CHAPTER 13: THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
    1. The e-Government Act of 2002 and FISMA
    2. The FISMA report card
      1. The FISMA report requirements
        1. FISMA systems inventory
        2. Certification and accreditation, security controls testing, and contingency plan testing
        3. Implementation of NIST SP 800-53 security controls
        4. Incident detection, monitoring, and response
        5. Security awareness training
        6. Peer-to-peer file sharing
        7. Configuration management
        8. Incident reporting
        9. New technologies and emerging threats
        10. Security performance metrics
    3. FISMA misunderstood – What FISMA is NOT
    4. FISMA and its achievements
    5. 10 critical questions for FISMA compliance
    6. The 30,000 foot view of FISMA compliance
      1. Automated C&A tools can help!
    7. References
  19. CHAPTER 14: AUTHORIZATION AND THE SYSTEM LIFE CYCLE (SLC)
    1. Phases of the system life cycle (SLC)
      1. Initiation phase
      2. System concept development phase
      3. Planning phase
      4. Requirements analysis phase
      5. Design phase
      6. Development/acquisition phase
      7. Integration and test phase
      8. Production and deployment phase
      9. Operations and maintenance phase
      10. Disposal phase
    2. Life cycle phases and documentation
      1. Why link authorization to the SLC?
    3. References
  20. CHAPTER 15: INFORMATION SYSTEMS SECURITY TRAINING AND CERTIFICATION
    1. Leverage your most important asset
    2. The drivers
      1. Policy foundation
    3. Security education, training, and awareness (SETA) – and certification
      1. Why certification?
      2. Managers and technical staff
    4. References
  21. CHAPTER 16: THE FUTURE – REVITALIZING AND TRANSFORMING C&A
    1. Why transform?
    2. Goals of the transformation
    3. The transformation process
      1. Approach to developing the revised C&A policy
    4. Proposed approach to C&A
      1. The elements of the enterprise risk perspective
      2. Combining the processes with the system life cycle views
      3. The basis for reciprocity
    5. Status of the C&A transformation and transition
    6. Transition
    7. What is the value added by the transformation and transition?
    8. References
  22. THE RESOURCE CD
  23. GLOSSARY
  24. ACRONYMS
  25. ITG RESOURCES