Of the four information systems areas defined by the IATF, where would security event correlation and display technology be found?
A. Defend the network and infrastructure
B. Defend the computing environment
C. Defend the supporting infrastructure
D. Supporting infrastructures
- Answer: D
- Rationale: Detect and Response is part of Supporting infrastructures which is used to identify and respond to attacks.
Which of the following is NOT an element of the Supporting infrastructure area defined by the IATF?
A. Establishing infrastructure to disseminate and control Type-1 key material for network encryptors
B. Integrating remote management services that allow an administrator to modify firewall rules in the event of a Denial-of-Service attack
C. Enable dynamic throttling of services in response to changing threats
D. Maintaining system components employed in public key infrastructure (e.g. directories, OCSP, etc.)
- Answer: C
- Rationale: PKI is part of key management. Type-1 is generally associated with KMI. Remote management services allow for response. C is verbatim out of the IATF discussion on enclave boundary defenses.
OK for Technical Management
OK for IA Regs (for only the currently applicable regs, not all that are listed)
DIACAP (DoD Information Assurance Certification and Accreditation Process)
- * DAA - Designated Approval Authority
- o Accredits the system
- o Accepts the risk and can reject a system for incurring too much risk to the overall network (think GIG)
- * PAA - Principal Accrediting Authority: Given oversight for the mission areas, works local issues
- * CA - Certification Authority (or CA rep)
- o Makes recommendations to the DAA
- o Certifies the IS
- o Makes the certification determination
- * IAO or SIAO - Senior Information Assurance Officer:
- o Ensures that baseline requirements are met within each area
- o Responsible for maintaining the approved security level of the IS
- o Ensures appropriate IA posture is maintained, people have clearances, need to know, etc.
- * IAM - Information Assurance Manager
- o Responsible for the IA program and supports DIACAP implementation
- o Provides oversight and direction to the IAO
- o Implements IAVM
- o Conducts COOP drills/audit reviews/data backups
- o Schedules the annual IA control review
- * System advocates include PM and User Rep
- * PM - Program Manager or Project Manager
- o Implements DIACAP for assigned IS
- o Reports to DAA,
- o Responsible for corrective action against POAMs (specifies the MAC and CL levels)
- * User rep: represents the interests of the user community
- * Validator/Analysis (optional): Conducts Validation procedures
- * MAC and CL drive CIA levels (H/M/L) which drive protection mechanisms
- * The risk assessment becomes the foundation of the C&A decisions
- * KS - Knowledge Service: The official repository of DIACAP C&A information
- * eMASS - Enterprise Mission Assurance Support Services (requirements, lessons learned, best practices, etc.) for community-wide input and discussion. Web-based
- * VAMS - Vulnerability Assessment Management Service. DB of system information that produces a standardized report of a platform's security posture.
- * Review of System Security at Least Every Year
- * Enterprise (central) IA Decision Making
- * Fosters Inter-agency Information Sharing
- * Configuration Management Requirements
- * Re-certification every 3 years
SSAA (DITSCAP) is no longer needed (SSP)
- * System Identification Profile
- * Implementation Plan & DIACAP Strategy Documents
- * Support Certification Documentation (Test Reports, Artifacts, etc.)
- * DIACAP Scorecard (and Certification decision)
- * Accreditation decision
- * Plan of Actions and Milestones (POA&M, if needed based on test reports/accreditation)
- The executive package is the minimum of the above (SIP, Scorecard, POA&M)
- 1 Initiate and Plan
- 2 Implement and Validate
- 3 C&A
- 4 Maintain
- 5 Decommission
- 1. Initiate and Plan
- * Register the system (in DoD Component)
- * SIP
- * Assign IA controls based on MAC/CL (identify baseline controls from DoDI 8500.2)
- * Assemble DIACAP team
- * Initiate DIACAP Implementation Plan
- * Identify IAM and User rep.
- * Identify tools to be used (eMASS)
- * Identify interconnected systems
- * Review KS for latest system registration requirements
- 2. Implement and Validate
- * Most critical of the C&A process
- * Implement as defined in DIACAP KS
- * Execute DIP
- * Conduct Validation activities
- * POAM created
- * Validation results published in Scorecard
- * Compile validation results in Scorecard
Impact codes are assigned by the DIACAP TAG and used by the CA to make the certification decision. They indicate the consequences of non-compliant IA controls (H/M/L).
Severity codes are assigned by the CA
- 3. Make C&A Decisions
- * Certification determination is made by the CA based on validation results, risks of non-compliant IA controls, and costs to mitigate
- * Looks at Impact codes (H/M/L) and severity categories (CAT) and determines corrective action for each IA control
- * Makes the certification determination and provides it to the DAA
- * The DAA makes the Accreditation Decision, which is communicated through the signed DIACAP scorecard and POA&M
- * One of 4 Accreditation decision types: ATO, IATO, IATT, DATO
- 4. Maintain ATO/Reviews
- * IAM Monitors systems for change in IA posture, and has primary responsibility
- * Monitors security related events
- * Schedule re-validation of IA controls
- * Schedules annual reviews
- * DAA reviews IAM reports and determines if change in accreditation is needed
- * Review IA controls annually
- * Full recertification and reaccreditation every 3 years
- 5. Decommission
- * Assess impact on other systems
- * Remove scorecards and POA&Ms
- * Dispose of artifacts
- Always check the KS for latest details
- Can take multiple forms, Excel/Systems
- System Identification Profile (SIP)
- DIACAP Implementation Plan (DIP)
- * MAC, CL
- * Assigned IA Control, implementation status, responsible entities, and details
- * IA controls,
- * IA control status C/NC/NA, Last date
- * DAA specifies IA Control status and sends to CA for a certification decision.
- * Then the scorecard goes to the DAA for an accreditation decision
- Supporting Certification Documentation
DIACAP includes or consists of:
* DoDD 8100.1 - GIG Overarching policy
* DoDD 8500.01E Information Assurance
* DoDI 8500.2 Information Assurance Implementation (lists the controls)
C&A supports network centric C&A
DIACAP is mandatory for all DoD Systems
- Certification is the comprehensive evaluation of technical and non-technical controls of an IS.
- If the residual risk is acceptable, the system is accredited.
- Determination of compliance with IA controls (included in DoDI 8500.2)
There are 8 areas of IA Controls
Must be testable, measurable, assignable, accountable
- 1. Security Design and Configuration
- 2. Identification and Authentication
- 3. Enclave and Computing environment
- 4. Enclave boundary defense
- 5. Physical and Environmental
- 6. Personnel
- 7. Continuity
- 8. Vulnerability and Incident Management
Assigned IA controls can be inherited (FW for example)
DIACAP enterprise Governance
- 1. Accreditation (who)
- 2. Configuration control and Management (assures strong posture)
- 3. C&A Process
DIACAP: Component responsibilities (from top down)
- DoD Component Head
- * Ensure DoD ISs comply with DIACAP
- * Appoints DAAs, assures lots of things
- DoD Component CIO
- * Appoints SIAO
- * Assures IA controls are implemented, PMs assigned, etc.
- DoD Component SIAO
- * Establishes and enforces C&A process
- * Tracks status, is generally the CA, ensures participation in the DIACAP TAG
- * Tactical aspects
- PAA, CA or CIO can be DAA
- Respect hierarchy listed above.
Know the 5 phases of SDLC
- 1. Initiation
- 2. Development or acquisition
- 3. Implementation
- 4. Operation or maintenance
- 5. Disposal
- There is risk mitigation done during each phase:
- 1 Risks are used to support development
- 2 Identify risks related to architecture and design tradeoffs
- 3 Assessment of system implementation against requirements
- 4 Periodic re-accreditation
- 5 Risks associated with disposal
800-30 Risk Management = Risk Assessment + Risk Mitigation + Evaluation and Assessment.
- This is the Risk Equation (all of these feed into Risk Management)
- Why do we do risk assessment: Identify, evaluate and recommend appropriate control (or accept)
When doing a risk assessment for an existing system, it must include all of the items in the POAM (which are open vulnerabilities)
Always check the risk vulnerability database when doing a risk assessment.
Where are we in SP 800-30:
Risk Management = Risk Assessment + Risk Mitigation + Evaluation and Assessment.
Know the inputs, outputs and goals
This is tightly tied to SDLC
- 1. Characterization
- 2. Threat
- 3. Vulnerabilities
- 4. Control Analysis
- 5. Likelihood
- 6. Impact Analysis (Magnitude of harm)
- 7. Risk Determination
- 8. Control Recommendations
- 9. Document, Print
Step 1: System Characterization
- * Gather as much information as you can. We are assessing both the data and the Information System
- o 800-60 is used by Information Owners to classify their Information
- o FIPS 199 is used by the Information SYSTEM owner
- * Inputs: hardware, software, environment, people
- * Output: System and data criticality and sensitivity.
- o Must get our arms around system data and categorization.
- o DoDI 8500.2 for existing system. (gives you baseline controls based on MAC, but then you profile it)
- o Just like you would use 800-60, 800-53, and 800-53A, FIPS 199 for non-DOD
Step 2: Threat Identification
- * Identify all threat sources as well as motivations that might lead to attacks.
- * Inputs: History and info from Intel agencies/media/etc.
- * Outputs: Detailed Threat statement. Can pick appropriate controls based on this.
Step 3: Identify Vulnerabilities
- * Inputs: reports from prior risk assessments, Audit, security requirements, security test results, POAMs
- * Output: List of potential vulnerabilities. Include items from the POAM and known vulnerabilities as on the xyz database. List all things that are still broken - more than just the results from a port scan.
- Remember the table with:
- Vulnerability, Threat Source, Threat action
Step 4: Control Analysis
- * Compare threats with the vulnerabilities: (We are not recommending controls - ?)
- * If there is already a control in place: Keeps threats away from vulnerabilities.
- o Controls minimize control factor.
- * Technical and non-technical controls
- * Question: Dept. of Commerce, Joe wants to identify controls in the rack. The SSP has some (bozo did not update it); where are they documented? 800-63
- o There are only 2 references to controls.
- * DoD: 8500.2,
- * Non DOD: 800-63
- * Some controls are mandated (may not have risks - just do it): Common Controls
- * There are current and planned controls (you have taken some action but it's not in place yet), so you do not re-recommend these controls in Step 8.
- * Where do you take credit for planned controls: Here in Step 4!
Step 5: Likelihood
* High, Medium, Low
Step 6: Impact rating
* High, Medium, Low
Step 7: Risk Determination
- * How much money do we want to spend on this?
- * Likelihood (.1, .5, 1) x Impact (10,50,100) = Risk-Level matrix (NIST Vudu)
- o Qualitative numbers, but looks Quantitative (because of the numbers)
- * Risk Scale: High, Medium, Low
- o High: Fix or mitigate
- o Medium: POAM, mitigate
- o Low: see if DAA will accept
- o Tradeoff Protect, Detect, React (Incident Response team vs. Protection)
Step 8: Control Recommendations
- * Recommend controls to address the high (and maybe medium) level risks.
- * Cost breakeven is in the medium range.
- * If mandated, you may need to resolve all
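An added worked example (not part of these notes) of the Step 7 matrix and the Step 8 recommendation rule above: the likelihood and impact weights and the H/M/L dispositions are the ones in the notes, the score boundaries (Low 1-10, Medium >10-50, High >50-100) are taken from SP 800-30 and are not on this page, and the findings are constructed.

```python
# Added example (not from the original notes): SP 800-30 Step 7 risk determination
# (likelihood x impact) and the Step 8 rule on planned and mandated controls.
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # weights as in the notes
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # weights as in the notes
# Disposition per risk level, from the notes' Risk Scale bullets.
ACTION = {"High": "fix or mitigate", "Medium": "POA&M, mitigate",
          "Low": "see if DAA will accept"}

def risk_level(score: float) -> str:
    # Scale boundaries from SP 800-30 Table 3-7 (assumed; not on the page):
    # Low 1-10, Medium >10-50, High >50-100.
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

@dataclass
class Finding:
    vulnerability: str
    likelihood: str           # H/M/L
    impact: str               # H/M/L
    control: str              # control that would address this item
    planned: bool = False     # already credited as a planned control in Step 4
    mandated: bool = False    # required control: no risk trade-off allowed

def determine(f: Finding) -> tuple[float, str, str]:
    """Step 7: numeric score, H/M/L level and the notes' disposition."""
    score = LIKELIHOOD[f.likelihood] * IMPACT[f.impact]
    level = risk_level(score)
    return score, level, ACTION[level]

def recommend(findings: list[Finding], include_medium: bool = False) -> list[str]:
    """Step 8: controls to recommend, highest risk first."""
    picked = []
    for f in sorted(findings, key=lambda x: -determine(x)[0]):
        level = determine(f)[1]
        if f.planned and not f.mandated:
            continue                      # credit was already taken in Step 4
        if f.mandated or level == "High" or (include_medium and level == "Medium"):
            picked.append(f.control)
    return picked

# Constructed sample findings (illustrative only, not from any real assessment).
SAMPLE = [
    Finding("open POA&M item: unpatched web server", "High", "High", "apply vendor patches"),
    Finding("no audit log review", "Medium", "High", "weekly log review", planned=True),
    Finding("banner discloses OS version", "Medium", "Medium", "suppress banner"),
    Finding("missing annual IA control review", "Low", "Medium", "schedule annual review", mandated=True),
]
```

Run `recommend(SAMPLE)` for the high-only list and `recommend(SAMPLE, include_medium=True)` to see the medium-range trade-off the notes mention.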
Step 9: Documentation
- * Risk Assessment Report (also known as Report on Risk) RAR
- * Just the first 8 steps documented.
Where are we in 800-30
Risk Assessment, then Risk Mitigation, then Evaluate and assess
- High level Risk Mitigation strategies to reduce the residual risk.
- * Risk Assumption - AO, DAA can assume the risk
- * Avoid - don't do the action
- * Limit - limit exposure to the risk
- * Planning - plan that there will be some level of loss
- * Research and Acknowledgement - accept for now, then come up with a mitigation via R&D in the future
- * Transfer - insurance. DoD is self-insured.
Goal of Risk Mitigation: Minimize Impact with most cost effective solution.
Where are we in 800-30
Risk Management is: Risk Assessment, then Risk Mitigation, then Evaluate and assess
- Risk Evaluation and Assessment:
- * Do a risk assessment every 3 years: OMB A-130
- * C&A and control assessment is part of each phase of SDLC
- * Periodically reassess controls
- * Evolves with new threats
SP 800-37 RMF
- (i) the categorization of information and information systems
- (ii) the selection of security controls
- (iii) the implementation of security controls
- (iv) the assessment of security control effectiveness
- (v) the authorization of the information system
- (vi) the ongoing
- * Categorize
- * Select
- * Implement
- * Assess
- * Authorize
- * Monitor
SP 800-37 RMF
- Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
- Inputs to task 1:
- * Architecture reference models
- * Segment and solution architectures
- * Mission and business processes
- * Information system boundaries
- * Laws, directives, policy guidance
- * Strategic goals and objectives
- * Priorities and resource availability
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
Steps 1-3 can be applied to legacy systems: gap analysis
RMF Step 1: Categorize
- 1-1 Categorize the IS (IS Owner)
- 1-2 Describe the IS (IS owner)
- 1-3 Register IS with appropriate organization (IS Owner)
RMF Step 2: Select
- 2-1 Identify Security Controls (CIO, IS architect, ISSE)
- * FIPS 199, FIPS 200, SP 800-30, SP 800-53, CNSSI 1253
- 2-2 Select security controls (IS Architect, IS owner)
- 2-3 Develop continuous monitoring strategy
- 2-4 Review and approve security plan (AO, Designated Representative)
RMF Step 3: Implement
- 3-1 Implement controls specified in the Plan
- 3-2 Document implementation (in the plan, with planned inputs, expected behavior and expected outputs)
RMF Step 4: Assess
- 4-1 Develop, review and approve a plan to assess the security controls
- 4-2 Assess controls in accordance with procedures
- 4-3 Prepare security assessment report (issues, findings, recommendations)
RMF Step 5: Authorize
- The security authorization package contains: (i) the security plan; (ii) the security assessment report; and (iii) the plan of action and milestones. The information in these key documents is used by authorizing officials to make risk-based authorization decisions.
- The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information:
- (i) authorization decision;
- (ii) terms and conditions for the authorization; and
- (iii) authorization termination date