Chapter 11, Part 1

CERTIFICATION AND ACCREDITATION METHODOLOGY

 

 

1          BACKGROUND

 

OMB Circular A-130, Appendix III and the Federal Information Security Management Act (FISMA) require that all federal agencies institute an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency.  This includes those systems provided or managed by another agency, contractor, or other source.  All USDA agencies shall institute a comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting a specified set of security requirements for the system.  These actions are referred to as system certification.  Certification supports the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.  This decision is referred to as system accreditation.

 

All USDA IT systems require certification and accreditation prior to the system becoming operational.  The Designated Accrediting Authority (DAA) makes formal accreditation determinations.  This action supports the regulatory requirement that every USDA system must have official approval to operate.

 

2          POLICY

 

All USDA agencies and staff offices will formally certify and accredit all federal information systems in accordance with this policy and the USDA Certification and Accreditation Guide.  This guide applies to all information and information systems owned, leased, operated by, or connected to the Department of Agriculture.  Agency/system owners are responsible for ensuring that all contractors comply with the C&A requirements defined by this policy for systems they operate in support of USDA’s mission.  Agency CIOs act as both the entity responsible for the overall C&A process and as the Certifying Official (CO).  Accordingly, agency CIOs will ensure that the Designated Accrediting Authorities (DAA) understand the C&A process, including system risk factors, and accept accreditation responsibilities.  Further, the agency CIO will ensure that the DAA does not delegate the security accreditation decision or signature authority to subordinate levels.  The agency DAA will ensure that the final review and signatory authority of the CO is not delegated to subordinate levels.  Other certification tasks may be delegated at the CO’s discretion.

 

Certified systems will undergo an independent concurrence review by the ACIO-CS prior to submission to the DAA.  Concurrence reviews will be completed by the ACIO-CS within 30 days of receipt and the results will be reported to the CO in writing.  All system reviews that result in significant deficiencies will be returned to the CO for corrective action and/or adjustment, necessitating that the system be placed under an Interim Authority to Operate (IATO) until the deficiencies are resolved.  In addition, agencies and staff offices will electronically track significant deficiencies resulting from the concurrence review.  All USDA IT systems will be certified and accredited every 3 years, unless the system undergoes significant change.  Significant Change is defined in the USDA C&A Guide.  System accreditations that occurred prior to the release of this C&A Policy will be grandfathered under the previous accreditation guidance until their 3-year anniversary or until the system undergoes significant change.  Agencies will begin the C&A process for re-accreditation in a timely fashion to ensure that the process is completed before the anniversary date of the system’s last accreditation.  Agencies are reminded that the Department CIO has the right to terminate operation of systems that do not undergo proper certification and accreditation or that do not meet department security requirements.

 

Interim Authority To Operate (IATO) Requirements – There are no exceptions to the requirement to certify and accredit all USDA systems.  However, if after assessing the results of the security certification of the IT system, the CO recommends (with ACIO-CS concurrence) to the DAA and/or the DAA deems that the risk to the agency operations, assets, or resources is unacceptable, but there is an overarching mission necessity to place the IT system into operation or continue its operation, an IATO may be issued.  An interim authorization provides a limited authorization to operate the IT system under specific terms and conditions and acknowledges great risk to the agency for a 6-month period.  An IATO is rendered when the identified security vulnerabilities in the IT system, resulting from deficiencies in the planned or implemented security controls, are significant but can be addressed within a 6-month time frame.  IATOs can be granted by the DAA for a maximum period of 6 months.  Agencies will track and report deficiencies through the Plan of Action and Milestones (POA&M) process.  An extension of this period requires the approval of the Department Chief Information Officer (CIO) and will only be considered for compelling reasons.  Agencies will forward approved copies of system IATOs to the CS Certification and Accreditation Program Manager (PM), and those will be monitored and tracked to ensure that systems are progressing through the certification and accreditation process.

 

All deficiencies, whether significant or reportable, must be entered and tracked using the approved database system.  Significant Deficiencies tracked in the POA&M database must be resolved within 60 days.  Reportable Conditions must be resolved within 180 days.  Agencies must present Cyber Security with verification documentation, and receive concurrence, before a deficiency can be considered resolved. 

 

3          PROCEDURES

 

Each USDA agency should complete the C&A phases for certifying and accrediting their systems. These phases consist of:

 

a         Phase I : Pre-certification

Define Scope of C&A
Identify Security Controls
Conduct Privacy Impact Assessment (PIA)
Review System Security Plan
Review Initial Risk Assessment
Review approved Interconnection Security Agreements
Negotiate with participants

b         Phase II : Certification and Accreditation

Conduct ST&E
Update the Risk Assessment
Update the System Security Plan
Identify and Report any Residual Risk
Document Certification Findings/Recommendation
Obtain ACIO-CS concurrence on the certification package
Accreditation Decision

c          Phase III : Post-accreditation

(Repeat the steps above every 3 years or when significant system change occurs)

 

NIST SP 800-37 permits the use of a modified version of the C&A process for systems categorized by the agency as low risk/low impact.  In order to qualify as Low Risk/Low Impact, a system must be rated as low risk/low impact in all three of the assessment categories of confidentiality, integrity and availability.  These low risk/impact systems are only required to complete Phase 1, Pre-certification, which includes the security plan, risk assessment and NIST SP 800-26, NIST Security Self-Assessment Guide for Information Technology Systems.

 

Please note:

The NIST SP 800-26 Self-Assessment Checklist or equivalent is not an acceptable substitute for a Risk Assessment.  These checklists may be used as reference material for a Risk Assessment, but they do not contain sufficient discussion and analysis of a system’s characterization, mitigation or residual risk.

 

4          RESPONSIBILITIES

 

a         The Associate CIO for Cyber Security will:

 

(1)              Develop and publish policy guidance to assist agencies and staff offices in the certification and accreditation (C&A) of IT systems;

 

(2)              Make available, if feasible, a departmental contract to provide certification and accreditation services to agencies and staff offices;

 

(3)              Provide training on C&A to agencies and staff offices, as required;

 

(4)              The departmental CIO has formally delegated Certifying Official (CO) authority to the agency CIOs.  However, certification packages will be submitted to the ACIO-CS for an in-depth concurrence review prior to submission to the DAA; and

 

(5)              Track the status of IT systems and the associated C&A actions and any approved IATOs to ensure that systems are certified and accredited within 6 months.

 

b         Agency Chief Information Officer will:

 

            General Process Duties

 

(1)              Implement and manage the certification and accreditation of all agency IT systems in accordance with this policy; ensure that systems with significant deficiencies are placed under an IATO in accordance with the requirements outlined above and that they are certified and accredited in a timely manner within the six-month IATO period;

 

(2)              Ensure that a Designated Accrediting Authority(s) is appointed in writing for each agency IT system and that they fully accept the responsibility for system risk and operation;

 

(3)              Ensure that the DAA designates an independent individual to act as the Agency CO for IT systems; ensure that the CO does not delegate final review and signature authority to subordinate individuals;

 

(4)              Disseminate this policy to all IT professionals, security officers and business owners who will be involved in the C&A process to ensure they understand and can fulfill the roles and responsibilities in this procedure;

 

(5)              Support and facilitate the work of the Certification Teams to ensure that agency IT systems are certified and accredited; approve ST&E teams, and ensure that final C&A packages are accurate and complete;

 

(6)              Take necessary actions to ensure that system risks are mitigated by appropriate security controls and security issues are resolved;

 

(7)              Monitor the C&A progress of systems and provide status to Cyber Security, including those under an IATO;

 

(8)              Ensure that all system changes are examined to determine if re-certification and re-accreditation of the system must be performed; institute appropriate C&A action as a result of this examination;

 

(9)              Ensure that all agency IT systems are routinely certified and accredited every 3 years or when significant changes occur in the system; and

 

(10)         Ensure that systems that have significant deficiencies uncovered as a result of audits, concurrence reviews, IV&Vs or other authorized processes are placed under an IATO until these findings are resolved and that all corrective actions are tracked and reported to CS through the Plan of Action & Milestones (POA&M) process.

 

            Certifying Official Duties

 

(1)              Act as the certification agent responsible for the comprehensive evaluation of the management, operational and technical security controls within an IT system;

 

(2)              Manage and coordinate the functions of the Certification Team;

 

(3)              Perform the final review of the certification package, prior to mandatory ACIO-CS concurrence, and ensure the signed package is timely and accurate (final review and signature authority will not be delegated to subordinate levels);

 

(4)              Provide recommended corrective actions to reduce or eliminate vulnerabilities in IT systems and assess system security plans for completeness and consistency; and

 

(5)              Make recommendations to the DAA (Authorizing Official) for accreditation of an IT system, after obtaining concurrence of the ACIO-CS.

 

c          The agency Designated Accrediting Authority (DAA) will:

 

(1)              Act as the Authorizing Official with the authority to approve the operation of an IT system at an acceptable level of risk;

 

(2)              Authorize a system to operate as accredited or under an IATO only with the concurrence of the ACIO-CS;

 

(3)              Issue an Interim Authority to Operate (IATO), where appropriate, for an IT system based on the level of risk involved in system operation or for systems that have major deficiencies resulting from an IV&V;

 

(4)              Deny authorization for an IT system’s operation or halt a system’s operation if unacceptable security risk exists; and

 

(5)              Formally designate, in writing, independent individuals with responsibility for C&A activities; the DAA shall not delegate the security accreditation decision or the signing of the associated Accreditation Decision Letter.

 

d         The agency Information Systems Security Program Managers (ISSPM) will:

 

(1)              Assist in the certification and accreditation of all agency IT systems;

 

(2)              Participate in Certification Teams providing guidance, testing security controls and assisting in the preparation of the final C&A package, as required;

 

(3)              Monitor and electronically track, using Plans of Action and Milestones (POA&M), the C&A progress on IT systems and report progress to the agency CIO, including all systems under IATO, to ensure that deficiencies are corrected in a timely manner;

 

(4)              In conjunction with the agency Configuration Control Board (CCB), identify system changes that require re-accreditation; and

 

(5)              Participate in the preparation of IATO packages, as required.

 

- END -

Appendix A

 

United States Department of Agriculture (USDA) Certification and Accreditation Guide


Document Configuration Control

Version        Release Date      Summary of Changes
Version 1.0    April 2003        Initial Strawman
Version 1.1    June 2003         Revised Draft
Version 1.2    June 2003         Second Revised Draft
Version 2.0    November 2003     Third Revised Draft
Version 3.0    December 2003     Fourth Revised Draft
Version 4      March 2005        Fifth Revision


Table of Contents

1.          INTRODUCTION
1.1.        Purpose
1.2.        Interim Authority to Operate Requirements
1.3.        General Support Systems and Applications
1.4.        Background
1.5.        Scope
1.6.        Outcome
1.7.        Structure

2.          ROLES AND RESPONSIBILITIES
2.1.        Designated Accrediting Authority
2.2.        Certifying Official (CO)
2.3.        Certification Team
2.4.        Security Test and Evaluation Team
2.5.        Program Manager and System Owner
2.6.        Information Systems Security Officer
2.7.        Other Supporting Roles and Role Delegation

3.          The C&A Process
3.1.        Phase 1:  Pre-Certification
3.1.1.      Step 1:  Define the System and Scope of the C&A Effort
3.1.1.1.    Determine the Security Categorization
3.1.2.      Step 2:  Identify Security Controls and Construct a Compliance Matrix
3.1.3.      Step 3:  Conduct Privacy Impact Assessment
3.1.4.      Step 4:  Review the System Security Plan
3.1.5.      Step 5:  Review the Initial Risk Assessment
3.1.6.      Step 6:  Review approved Interconnection Security Agreements
3.1.7.      Step 7:  Negotiate with Participants
3.2.        Phase 2:  Certification and Accreditation
3.2.1.      Step 8:  Conduct a Security Test and Evaluation
3.2.2.      Create the ST&E Plan
3.2.3.      Execute the Test Plan
3.2.3.1.    Create the ST&E Report and Recommend Countermeasures
3.2.4.      Step 9:  Update the Risk Assessment
3.2.5.      Step 10:  Update the System Security Plan
3.2.6.      Step 11:  Document Certification Findings
3.2.6.1.    Interim Authority to Operate
3.2.7.      Step 12:  Accreditation Decision
3.3.        Phase 3:  Post-Accreditation Phase
3.3.1.      Configuration Management
3.3.2.      Re-Accreditation

4.          Summary

TABLE A-1 GLOSSARY OF TERMS
TABLE A-2 ACRONYMS
TABLE A-3 REFERENCES
TABLE A-4 DOCUMENTATION
TABLE A-5 USDA CHECKLISTS
TABLE A-6 SECURITY EVALUATION REPORT
TABLE A-7 BASE LEVEL EVALUATION CRITERIA - RESERVED
TABLE A-8 SECURITY ACCREDITATION DECISION LETTER SAMPLES

 

1        INTRODUCTION

1.1      Purpose

This Certification and Accreditation Guide is intended to provide a comprehensive and uniform approach to the certification and accreditation (C&A) process.  Individuals responsible for, or involved in the C&A process, will use this guide as a resource to assist them in certifying and accrediting the United States Department of Agriculture (USDA) general support systems and major applications.

 

A primary purpose of this guide is to support the Office of Management and Budget (OMB) Circular A-130, Appendix III requirement for agencies to “ensure that a management official authorizes in writing the use of each system/application…before beginning or significantly changing processing in the system.  Use of the system shall be re-authorized at least every three years.”  Agencies are also reminded that the Department CIO has the right to terminate operation of a system that does not undergo proper certification and accreditation.

 

Ideally, the C&A process should be integrated into the system development life cycle (SDLC) during the capital planning and investment control (CPIC) process.  During development, the system security plan (SSP) should be written and the initial risk assessment completed in order to provide an assessment of the possible risks to the system.  Additionally, the security-related documents listed in Appendix D of this Guide should be completed during this phase.

 

However, many USDA legacy systems already in place have not gone through the C&A process as part of the SDLC.  The requirement for system approval applies to these systems as well.  If systems have not obtained official approval to operate prior to deployment, they must complete the C&A process and obtain approval to operate.  New regulations state that every USDA system and application must have official approval to operate. This approval can consist of an unconditional approval (which is good for three years or until a significant change occurs).  The approval can also be an Interim Authority to Operate (IATO), which is only valid for up to 6 months.  An extension of this period requires the approval of the Department Chief Information Officer (CIO) and will only be considered for compelling reasons.  An IATO can be granted if risks have been identified and a mitigation plan with a specific timetable for addressing those risks has been approved.

 

1.2      Interim Authority to Operate (IATO) Requirements 

 

The CO may make a recommendation, with the ACIO-CS’ concurrence, to the DAA to obtain an IATO if a mission critical system has an unacceptable level of risk to agency assets based on the security certification.  An IATO may also be deemed necessary by the DAA if there is an overarching mission need to place a new system into operation or continue processing in an existing system.  An IATO is rendered when the identified security vulnerabilities in the IT system, resulting from deficiencies in the planned or implemented security controls, are significant but can be addressed within a 6-month timeframe.  An extension of this period requires the approval of the Department Chief Information Officer (CIO) and will only be considered for compelling reasons.  Agencies will forward IATO Request Submissions to the ACIO-CS, and those will be monitored and tracked to ensure that systems are progressing through the certification and accreditation process.  Phase 1 of the C&A activities must be completed in order for an IATO to be approved.  The IATO Request Submission is a structured approach to monitor the effectiveness of the security controls in the IT system during the 6-month period.  Consequently, the IATO Request Submission submitted by the IT system owner is used by the authorizing official and CS to monitor the progress in correcting deficiencies noted during the security certification.  Agencies must forward to the C&A PM a copy of the DAA letter indicating that the specified IT system has been granted an IATO.  A template of the DAA IATO letter is in Appendix F along with a template for the IATO Submission.

 

All deficiencies, whether significant or reportable, must be entered and tracked using the approved database system.  Significant Deficiencies tracked in the POA&M database must be resolved within 60 days.  Reportable Conditions must be resolved within 180 days.  Agencies must present Cyber Security with verification documentation, and receive concurrence, before a deficiency can be considered resolved. 

 

Finally, agencies should be reminded that, in accordance with OMB policy, an IT system is not accredited during the period of limited authorization to operate.  When the security-related deficiencies have been adequately addressed, the interim authorization should be lifted and the IT system accredited to operate. 

 

1.3      General Support Systems and Applications

As stated above, all systems and applications are required to be certified and accredited.  The differences between General Support Systems (GSS) and Applications that are germane to the certification and accreditation of such systems concern the extent of activities performed for each.  An application “performs a clearly defined function for which there are readily identifiable security considerations and needs”[1], whereas a GSS “provides standard information security capabilities, such as boundary defense, incident detection and response, and key management, and also delivers common applications, such as office automation and electronic mail”[1].  The scope of the certification will vary depending on the type and extent of the system.  For example, a GSS, such as the USDA Wide Area Network (WAN), will require extensive testing to ensure that all system components are evaluated against the baseline security requirements.  Applications that reside on a GSS that has already been certified and accredited may refer to portions of the GSS risk assessment and Security Testing & Evaluation (ST&E) activities (such as testing and document evaluation) on certain components used by those applications rather than repeating ST&E and risk assessment activities on those components.

 

1.4      Background

The Federal Information Security Management Act[2] (FISMA) is the most recent legal requirement mandating that Federal agencies develop a comprehensive IT security program.  Laws such as FISMA, as well as requirements in OMB Circular A-130, mandate that security must be developed at both the programmatic and system levels. 

 

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 provides guidelines for security certification and accreditation of information technology (IT) systems, as does the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP).  IT systems can only be allowed to operate if they do not compromise legal or regulatory security requirements.

 

1.5      Scope

The scope of this guide includes identifying roles and responsibilities of key players, defining the C&A process, and describing the three phases that comprise the C&A process.  The guide is based on OMB Circular A-130, dated November 2000, NSTISSI No. 1000, NIACAP, dated April 2000, Federal Information Processing Standards (FIPS) Publication (PUB) 102, dated September 1983, NIST SP 800-37, May 2004, and other applicable Department and Federal IT security laws and regulations.

 

1.6      Outcome

The C&A methodology outlined in this guide will provide USDA system owners and program managers with uniform guidance on how to certify and accredit their IT systems.  Proper use of the C&A methodology will assure the Department that the level of security implemented and controls in place adequately protect assets given an acceptable level of residual risk.  The Department will benefit from the C&A activities performed on IT systems in the following ways:

 

·         Formal approval to operate

·         Standard operating environment through utilization of baseline security requirements

·         Clearly defined system boundaries

·         Privacy implications reviewed (Privacy Impact Assessment/System of Records Notice)

·         Documented security plans

·         Defined and tested contingency plans

·         Established configuration management processes

·         Heightened information security awareness

·         Validated security controls

·         Measured levels of risk based on identified threats and vulnerabilities

·         Defined security roles and responsibilities

 

1.7      Structure

This guide is organized into four major sections.  Section 1 introduces the Department’s C&A Guide.  Section 2 provides an overview of the roles and responsibilities of the key parties involved in the C&A process. 

 

Section 3 describes the C&A process, which consists of three phases comprising 12 major steps.    A checklist has been included at the end of each phase.  These checklists are reminders of all the actions that occur during that specific phase of the C&A process.  They are designed to provide a quick reference for all participants in the process.

 

Section 4 contains a summary of the C&A methodology described in this Guide.  Table A-1 provides a glossary of terms used in the document.  Table A-2 contains a list of acronyms.  Table A-3 provides a list of document references used to develop this C&A methodology.  Table A-4 provides a list of required system documentation that must be maintained for each system as part of the system’s certification and accreditation.  Table A-5 provides a list of the USDA software application and operating system checklists that have been developed for use in the C&A process.  Table A-6 provides templates for conditional and unconditional Security Evaluation Reports (SER), respectively.  Table A-7 contains the evaluation criteria for various C&A documents.  This table exists as a separate guide to facilitate the usefulness of the checklists, since they must be completed for all systems undergoing certification and accreditation.  Table A-8 contains Security Accreditation Decision Letter samples.  Table A-9 is the form to use when submitting a request for an Interim Authority to Operate (IATO).


2        ROLES AND RESPONSIBILITIES

 

The following sections describe the various personnel involved in the USDA C&A process and their particular responsibilities.

 

2.1      Designated Accrediting Authority

The Designated Accrediting Authority (DAA) is a USDA program area executive with the authority to evaluate the mission, business case, and budgetary needs for the system in view of the security risks present in the system’s operating environment.  The DAA is a senior level official or executive who has the authority to formally approve the operation of an IT system at an acceptable level of risk within its environment.  The DAA is the business owner of the general support system or major application being certified.  By accrediting a system, the DAA assumes responsibility for the residual risks of operation of the system in a stated environment.  The DAA approves security requirements documents, memoranda of agreement (MOA), memoranda of understanding (MOU), and any deviations from security policies.

 

If the DAA is presented with a system with unacceptable risks, but a plan for remediation, he or she may issue an Interim Authority to Operate (IATO), which will allow the system to remain in operation for 6 months.  During that time, the mitigation strategies for reducing the unacceptable risks should be implemented.  A regression ST&E should also be completed to ensure that the unacceptable risks are mitigated.  IATOs are only good for six months; an extension of this period requires the approval of the Department Chief Information Officer (CIO). 

 

In addition to having the authority to accredit systems for operation, the DAA has the authority to deny approval for systems to operate and, if the systems are already operational, the authority to halt operations if unacceptable security risks are found to exist.  The right to reject residual risk present for any general support system or major application remains the right of the DAA if they are not comfortable with the level of risk presented.

 

In some situations where IT systems interconnect, certification and accreditation activities may involve multiple DAAs.  If so, agreements detailing which security controls are expected to be on which systems must be established among the responsible DAAs and documented in the accreditation package.  In these cases, it may be advantageous to agree on a lead DAA to represent the other DAAs during the C&A process.  NIST SP 800-47 provides guidance on how to coordinate security for interconnecting systems.  Additionally, the DAAs shall sign system Interconnection Security Agreement(s).

 

In the event of inter-agency or inter-department connections, the DAAs should draft and sign MOAs or MOUs that provide details on which agency or department is responsible for what areas of security.


2.2      Certifying Official (CO)

The USDA Chief Information Officer (CIO) is the Department’s Certifying Official (CO).  The CIO has delegated the authority to certify agency systems to each agency CIO.  Thus, the CO for each agency will be the agency CIO unless a conflict of interest exists.  If the agency CIO is also the DAA, the agency Administrator or Head will serve as the DAA or will appoint another senior executive level manager who is not in the CIO’s chain of command to act in this capacity.  The CO will be the point of contact for the agency with regard to certification activities.  The mission of the CO is to evaluate the certification package from a technical perspective, obtain the mandatory concurrence from the ACIO-CS and present a recommendation to the DAA in regard to the accreditation of the system.  At the conclusion of the C&A process, the certification team will present the certification package to the CO, who will evaluate the risk to the system.  At that point, the CO will make the final decision about whether or not to request concurrence from the ACIO-CS and, if concurrence is reached, will recommend that the DAA accredit the system and will prepare the accreditation package to present to the DAA.


2.3      Certification Team

The certification team consists of the technical personnel from the business unit responsible for conducting the certification activities.  The certification team is responsible for identifying, assessing, and documenting the risks associated with operating the system, coordinating C&A activities, and consolidating the final C&A package.  The team will assess the vulnerabilities in the system, determine if the security controls are correctly implemented and effective, and identify the level of residual risk of the system.


2.4      Security Test and Evaluation Team

The security test and evaluation (ST&E) team consists of personnel independent of the IT infrastructure and business function and is responsible for performing the ST&E on the system to validate the results of the risk assessment and that the controls in the System Security Plan (SSP) are present and operating correctly on the system.  The ST&E team should be independent in the sense that they should not have a) been involved in the development of the system and b) been involved in the other certification activities, such as writing the SSP and conducting the risk assessment. 


In order to ensure independence, the ST&E team must be approved by the CO prior to the commencement of the C&A process.


The purpose of the ST&E is to ensure that the risk determinations made during the risk assessment are accurate and provide a thorough portrayal of the risks to the system and its data.  The results of the ST&E, together with the rest of the certification package, will be presented to the CO so that the CO may make an accurate determination of the risk to the system, obtain concurrence from the ACIO-CS and thus provide an informed accreditation recommendation to the DAA.


2.5      Program Manager and System Owner

The Program Manager and System Owner represent the interests of the user community and the IT system throughout the system’s life cycle.  The program manager is responsible for the system during initial development and acquisition, and is concerned with cost, schedule, and performance issues.  The system owner assumes responsibility for the system after delivery and installation, and is responsible for system operation, system maintenance, and disposal.  Together they are responsible for ensuring the system is deployed and operated according to the security controls documented in the security plan and are also responsible for seeing that system users and security support personnel receive the requisite security training. 


The program manager and system owner will coordinate the C&A effort and provide the necessary staff and information to the certification team.  They will review the certification package before it is presented to the CO.


2.6      Information Systems Security Officer

For operational systems, the Information Systems Security Officer (ISSO) is responsible for the day-to-day security of a specific IT system, including physical security, personnel security, incident handling, and security awareness, training, and education.  The ISSO, in conjunction with the configuration control board (CCB), also identifies pending system or environment changes that may necessitate re-certification and re-accreditation of the system.  For developmental systems, the ISSO serves as the principal technical advisor to the program manager for all security-related issues.


2.7      Other Supporting Roles and Role Delegation

There are other individuals within USDA, such as user representatives, security program managers, operations managers, and facilities managers, who may also have concerns or interests in the C&A process.  User representatives typically represent the operational interests of the user community and serve as the liaison for that community throughout the life cycle of the system.  User representatives may assist in the C&A process to ensure mission requirements are satisfied while meeting the security controls defined in the security plan.  Security program managers ensure a standard C&A process is used throughout the agency, provide internal C&A guidance or policy, and, if appropriate, review certification packages prior to DAA review.  Operations managers oversee the security operations and administration of IT systems.  Facilities managers oversee changes and additions to facilities housing IT systems and ensure that changes in facility design or construction do not adversely affect the security of existing systems.


2.8      Associate Chief Information Officer for Cyber Security (ACIO-CS)

Prior to formal submission of the certification package to the DAA, the CO will submit the package and all supporting documentation to the ACIO-CS for a mandatory Independent Verification and Validation (IV&V).  The ACIO-CS will perform an in-depth IV&V of the certification package and will either concur with the recommendation to accredit, recommend or concur with the need (and the requisite mitigation plan) to issue an IATO, or make the determination that the certification package is insufficient for accreditation or an IATO.  The concurrence of the ACIO-CS is mandatory prior to submission to the DAA.


3        The C&A Process

The C&A process is comprised of three phases: the pre-certification phase, the certification and accreditation phase, and the post-accreditation phase.  Phase 1, the pre-certification phase, has various steps that include: defining the scope of the C&A effort, identifying existing security controls, reviewing any approved Interconnection Security Agreements (ISA), conducting a Privacy Impact Assessment (PIA), reviewing the SSP, reviewing the initial risk assessment, and negotiating with the participants.  Phase 2, the certification and accreditation phase, consists of additional steps: conducting the ST&E, updating the risk assessment with findings from the ST&E, updating the SSP, documenting certification findings, and forwarding the certification findings to the DAA for an accreditation decision.  Phase 3, the post-accreditation phase, consists of managing the configuration of the system and re-accreditation.  The various phases and steps are depicted in Figure 3-1 and are described more fully in the following sections.

Figure 3-1: The C&A Process (High & Medium Systems)
(figure not reproduced in this text)

Note: Low impact systems perform only Phase 1 and complete the NIST 800-26 Self Assessment.


3.1 Phase 1:  Pre-Certification

Phase 1 involves gathering information about the system to be certified, determining the scope of the certification effort, validating the initial System Security Plan (SSP) for the system, performing the initial validation of the risk assessment and system security controls, and determining the C&A schedule.  During phase 1, the system owner or program manager will coordinate with all stakeholders in the C&A process to ensure that the certification schedule is set.


3.1.1      Step 1:  Define the System and Scope of the C&A Effort (High, Medium, Low Systems)

During this phase, the certification team should gather all available system information (e.g., design documents, system descriptions, graphics, system plans, approved Interconnection Security Agreement, Privacy Impact Assessment, etc.) in order to get a comprehensive system description and to define the scope of the certification and accreditation effort.  Defining the system involves cataloging the different types of software, hardware, and communications equipment comprising the system in order to understand what needs to be examined for the C&A effort.


During Phase 1, the C&A key participants - the DAA, the CO, the program manager, the system owner, the certification team, the ISSO, and other officials in the agency or department that have an interest in the system - should agree on the scope and schedule for C&A activities.  It is recommended that the ACIO-CS be involved at this point to assure that the scope and schedule are adequate.  The participants should also evaluate the system and determine the appropriate security categorization for the system in writing.  The security categorization is determined by the levels of concern for confidentiality, integrity, and availability of data, and defines what activities will take place during the ST&E phase of the C&A effort.  In addition, the certification team should inform the CO about who will be performing the ST&E.  The CO must approve the ST&E team and ensure they are fully independent from the IT infrastructure and the business function prior to the commencement of the rest of the C&A process.

3.1.1.1      Determine the Security Categorization (High, Medium, Low Systems)

In order to determine the appropriate security categorization for the system or application, the levels of concern must first be identified for confidentiality, integrity, and availability.  FIPS PUB 199 provides guidance for assigning security categorization factors for information processed on federal systems.  Each factor is assigned a level of low, moderate, or high.   Confidentiality provides assurance that the system data is protected from disclosure to unauthorized personnel, processes, or devices.  Integrity provides assurance that the data processed by the system is protected from unauthorized, unanticipated, or unintentional modification or destruction.  Availability provides assurance that the system data and resources will be available to authorized users on a timely and reliable basis.


The format for documenting the security categorization is as follows:


CATEGORIZATION = [(confidentiality, RISK-LEVEL), (integrity, RISK-LEVEL), (availability, RISK-LEVEL)]

If the levels are Low, Low, Low, agencies can certify and accredit the system using a modified process that requires only Phase 1 activities and the completion of the NIST 800-26 self assessment prior to the formal accreditation of the system.  However, if the categorization contains even one rating of medium or high, the system must be rated as medium or high impact and proceed through the complete process described in Section 3.


Table 3-1 below provides guidance on how to determine which level of concern should be assigned to each factor.

Table 3-1
Levels of Concern for Confidentiality, Integrity, and Availability

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.  [44 U.S.C. §3542]

    LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of confidentiality could be expected to cause a negative outcome or result in limited damage to operations or assets, requiring minor corrective repairs.

    MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of confidentiality could be expected to cause significant degradation in mission capability, place the agency at a significant disadvantage, or result in major damage to assets, requiring extensive corrective actions or repairs.

    HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of confidentiality could be expected to cause a loss of mission capability for a period that poses a threat to human life, or results in a loss of major assets.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.  [44 U.S.C. §3542]

    LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of integrity could be expected to cause a negative outcome or result in limited damage to operations or assets, requiring minor corrective actions or repairs.

    MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of integrity could be expected to cause significant degradation in mission capability, place the agency at a significant disadvantage, or result in major damage to assets, requiring extensive corrective actions or repairs.

    HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of integrity could be expected to cause a loss of mission capability for a period that poses a threat to human life, or results in a loss of major assets.

Availability: Ensuring timely and reliable access to and use of information.  [44 U.S.C. §3542]

    LOW: The disruption of access to information could be expected to have a limited adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of availability could be expected to cause a negative outcome or result in limited damage to operations or assets, requiring minor corrective repairs.

    MODERATE: The disruption of access to information could be expected to have a serious adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of availability could be expected to cause significant degradation in mission capability, place the agency at a significant disadvantage, or result in major damage to assets, requiring extensive corrective actions or repairs.

    HIGH: The disruption of access to information could be expected to have a severe or catastrophic adverse effect on agency operations (including mission, functions, image, or reputation), agency assets, or individuals.  A loss of availability could be expected to cause a loss of mission capability for a period that poses a threat to human life, or results in a loss of major assets.

*Adapted from FIPS PUB 199, “Security Categorization of Federal Information and Information Systems”, Table 1
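The categorization format and the Low/Low/Low rule above, encoded as an added example (this is not USDA or NIST code).  It parses the documented CATEGORIZATION string, applies the high-water mark across the three factors, and reports which process path and package contents this guide calls for; the "medium" to "moderate" alias and the document lists are assumptions drawn from the wording of Sections 3.1.1.1, 3.1.2, 3.1.7 and 3.2.

```python
from dataclasses import dataclass
import re

# FIPS 199 impact levels, ordered so the overall rating is the high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
FACTORS = ("confidentiality", "integrity", "availability")
# The guide writes "medium" and "moderate" interchangeably; treat them as one.
_ALIASES = {"MEDIUM": "MODERATE"}
# Matches one "(factor, LEVEL)" pair in the documented format.
_PAIR_RE = re.compile(r"\(\s*([A-Za-z]+)\s*,\s*([A-Za-z]+)\s*\)")


@dataclass(frozen=True)
class Categorization:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for factor in FACTORS:
            if getattr(self, factor) not in LEVELS:
                raise ValueError(f"{factor}: invalid level {getattr(self, factor)!r}")

    def overall_impact(self) -> str:
        """High-water mark: a single MODERATE or HIGH rating lifts the whole system."""
        return max((getattr(self, f) for f in FACTORS), key=LEVELS.index)

    def process_path(self) -> str:
        # Section 3.1.1.1: Low, Low, Low takes the modified process (Phase 1 plus
        # the NIST 800-26 self assessment); anything else takes the complete process.
        return "modified" if self.overall_impact() == "LOW" else "complete"

    def phases(self) -> tuple:
        if self.process_path() == "modified":
            return ("Phase 1",)
        return ("Phase 1", "Phase 2", "Phase 3")

    def document(self) -> str:
        """Render the categorization in the guide's documented format."""
        pairs = ", ".join(f"({f}, {getattr(self, f)})" for f in FACTORS)
        return f"CATEGORIZATION = [{pairs}]"


def normalize_level(raw: str) -> str:
    level = _ALIASES.get(raw.strip().upper(), raw.strip().upper())
    if level not in LEVELS:
        raise ValueError(f"unknown level {raw!r}; expected one of {LEVELS}")
    return level


def parse_categorization(text: str) -> Categorization:
    """Parse 'CATEGORIZATION = [(confidentiality, X), (integrity, Y), (availability, Z)]'."""
    found = {}
    for factor, level in _PAIR_RE.findall(text):
        factor = factor.lower()
        if factor not in FACTORS:
            raise ValueError(f"unknown factor {factor!r}")
        if factor in found:
            raise ValueError(f"factor {factor!r} listed twice")
        found[factor] = normalize_level(level)
    missing = [f for f in FACTORS if f not in found]
    if missing:
        raise ValueError(f"categorization is missing factors: {missing}")
    return Categorization(**found)


def accreditation_package(cat: Categorization) -> list:
    """Documents this guide names for each path (assumed from Sections 3.1.2, 3.1.7, 3.2)."""
    if cat.process_path() == "modified":
        return ["Updated System Security Plan",
                "Abbreviated NIST 800-26 Security Assessment Report",
                "Updated Risk Assessment",
                "Security Categorization Document",
                "Plan of Action and Milestones (POA&M)"]
    return ["Security Controls Compliance Matrix (completed during ST&E)",
            "ST&E Report",
            "Updated Risk Assessment",
            "Updated System Security Plan",
            "Certification Findings"]
```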


3.1.2      Step 2:  Identify Security Controls and Construct a Compliance Matrix (High, Medium, Low Systems)

During this step, the team should identify all security controls that should be present on the system, including those specified in the SSP; review system privacy implications, including preparation of a Privacy Impact Assessment (PIA) and a Systems of Records (SOR) Notice (if required); and identify any additional requirements needed to secure the system at the proper security categorization.  The controls should be compiled from USDA Cyber Security Manual 3500, other federal guidance, including OMB A-130, NIST 800-53, and FISMA, and industry best practices.


The security controls should include management, operational, and technical controls for the system, as it will be operated, as well as environmental controls and physical security controls. Once the security controls are identified, a Security Controls Compliance Matrix (SCCM) shall be constructed.  This matrix should list each security control, the reference from which the security control was derived, and whether or not the control has been implemented.  The SCCM shall be completed during ST&E and submitted as part of the certification package.  Table 3-2 provides an example of an SCCM entry.

Table 3-2
Sample Security Controls Compliance Matrix

Columns: Security Control | Compliance (Yes / No / Other) | Comments

Assignment of Responsibilities
    1. Responsibility for security has been assigned in writing to an individual trained in the technology used in the system and in providing security for such technology (OMB Circular A-130 Appendix III, Section A-3)
       Compliance: (Yes / No / Other, left blank in the sample)    Comments: (blank in the sample)

3.1.3      Step 3:  Conduct a Privacy Impact Assessment (PIA) and, if required, complete a System of Records Notice (SOR) (High, Medium, Low Systems)

During this step, agencies should determine the impact the system data has on individual privacy.  Therefore, each agency shall complete the Privacy Impact Assessment detailed in Chapter 3, Part 2 of the Cyber Security Manual.  This measure ensures that agencies have thoroughly examined the privacy implications of system data collection.  In addition, the Privacy Act requires agencies to publish a System of Records (SOR) Notice subject to 5 U.S.C. 552(E)(4).  Specifically, a “system of records” is defined as a group of records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.  DM 3555-001, Chapter 11, Part 1, Certification and Accreditation, Appendix C, contains additional guidance on SOR Notices.  SORs shall be reviewed and updated every two years to ensure they remain current.

3.1.4      Step 4:  Review the System Security Plan   (High, Medium, Low Systems)

The system security plan should provide a system description, a list of the security requirements for the system, and should explain how the system security controls meet the security requirements.  The initial SSP should be created during system development as part of the security requirements definition for the system.  SSPs should be updated whenever changes are made to the security posture of the system.


During this step, the existing SSP should be reviewed to ensure that it accurately follows the methodology in the USDA OCIO’s Annual Guide to System Security Plans and NIST 800-18, “Guide for Developing Security Plans for Information Technology Systems,” and describes the most current system configuration and all the security controls included in the system.  The team should also verify that the controls described are appropriate for the security categorization and that the SSP provides information about any user organizations, both internal and external, that connect to the system.  If the system does interconnect with other systems or organizations, details about the security controls on those connections shall be documented in an ISA.


Specific review criteria for SSPs are presented in Appendix G, “Base Level Document Evaluation Criteria.”  There are separate SSP evaluation documents for GSS and applications.  These criteria will be used by the ST&E team to review the SSP, so it is essential that the SSP fulfill the criteria presented.


3.1.5      Step 5: Review the Initial Risk Assessment (High, Medium, Low Systems)

After the SSP is reviewed, the initial risk assessment should be inspected to ensure that it identifies all apparent threats and vulnerabilities in the IT system and is consistent with the guidance provided in the USDA Risk Assessment Methodology, DM 3540-001, and NIST 800-30, “Risk Management Guide for IT Systems”.  The risk assessment should also determine the overall level of risk present on the system given the type of data the system processes, the security controls on the system, and the system’s operating environment.  The initial risk assessment should be performed before the system is fielded to verify that the security requirements specified during development have been met.  Risk assessments shall be updated every time there is a change to the security controls on the system that might affect the residual risk to the system.


Please note: The NIST 800-26 Self Assessment Checklist or equivalent is not an acceptable substitute for a Risk Assessment.  These checklists may be used as reference material for a Risk Assessment, but they do not contain sufficient discussion and analysis of a system’s characterization, mitigation, or residual risk.


Specific review criteria for risk assessments are presented in Appendix G, “Base Level Document Evaluation Criteria.”  These criteria will be used by the ST&E team to review the risk assessment report, so it is imperative that the risk assessment fulfills the criteria presented.

3.1.6      Step 6:  Review the Interconnection Security Agreement (ISA) (High, Medium, Low Systems)

If this system will be connected to other IT systems, the business owner must discuss the requirements for connectivity with the other system’s business owner and work to identify the security requirements for this connection.  The ISA is started during the Initiation Phase of the SDLC and is refined during the Acquisition/Development Phase, but the ISA may not be completed until the actual system Implementation Phase.  An ISA will be done for each system that will be connected to the new system.  Additional guidance on preparing the ISA is contained in Chapter 15, Part 1, Security Controls in the System Development Life Cycle (SDLC).

3.1.7      Step 7:  Negotiate with Participants (High, Medium, Low Systems)

After steps 1 through 4 are complete, all the participants, including the DAA, the CO, the program manager, the system owner, and the certification team, should meet to review the extent and scope of the planned C&A effort.  The participants should review the confidentiality, integrity, and availability levels determined for the system and should verify that they are accurate and that the security categorization is appropriate for the system.  The participants should also review the SCCM to ensure that it accurately reflects the security requirements applicable to the system.  At this point, a schedule should be set for the remaining steps in the C&A effort.  This step should also occur for Low Impact/Low Risk systems even though the required actions are less stringent.

The checklist below provides a quick reminder of all activities that should take place during Phase 1 of the C&A process.

Phase 1 Checklist

Has the scope of the C&A effort been defined?
Has the security categorization been determined and documented?
Have the Security Controls been identified?
Has a review of the approved ISA been done?
Has a PIA been conducted?
Has a Security Control Compliance Matrix been constructed?
Has the System Security Plan been reviewed?
Has the Risk Assessment been reviewed?
Have all participants in the C&A process negotiated a schedule for the remaining C&A activities?

Guidance for Low Impact Systems: For low impact systems, the information system owner may employ the services of the Information Systems Security Officer or other designated individuals to prepare the security assessment report containing the results of the NIST 800-26 Self Assessment.  The security assessment report, based on NIST 800-26, can be an abbreviated document synopsizing the results and highlighting those areas that need further attention.  For low impact systems the accreditation package consists of: the updated system security plan, an abbreviated NIST 800-26 Security Assessment Report, an updated Risk Assessment, the Security Categorization Document, and a Plan of Action and Milestones (POA&M).  Note: the POA&M is a new requirement.


3.2       Phase 2:  Certification and Accreditation (High & Medium Systems)

During the certification and accreditation phase, the certification team will conduct the ST&E to evaluate the effectiveness of the security controls on the IT system, and then use the results of the ST&E to update the risk assessment and the SSP.  The results of this phase will be documented as certification findings and included in the final certification package.  The certification package will then be presented to the DAA for a final accreditation decision.


3.2.1      Step 8:  Conduct a Security Test and Evaluation (High & Medium Systems)

During this step, the team should evaluate the effectiveness of the security controls through hands-on testing.  ST&E consists of three steps:  creating the ST&E Plan, executing the test procedures, and documenting the results in the ST&E Report with recommended countermeasures.  Figure 3-2 illustrates the three main steps (and the sub-steps) involved in performing an ST&E.

Figure 3-2: Security Test and Evaluation Process
(figure not reproduced in this text)


3.2.2      Create the ST&E Plan (High & Medium Systems)

There are two steps involved in writing an ST&E plan.  First, test objectives should be derived from the security controls identified in Phase 1, Step 2 and compiled in the SCCM.  The test objectives should correspond to the technical requirements for testing the security features of the operating systems and software used by the system, as well as to the administrative, procedural, environmental, physical, and communications security requirements.

Second, detailed procedures shall be written to test each control or requirement.  Procedures can consist of hands-on testing for technical requirements, interviews with personnel for administrative requirements, document review for procedural requirements, observation of facilities for environmental and physical requirements, or a combination of techniques.

The extent of the ST&E activities will vary according to the security categorization of the system.  Systems that process information at a high