NISPOM Chapter 8 Information Systems Security Manager (ISSM) Self-Certifications & Other FAQs. NCMS Seminar, Reno, NV, June 2004. Ken Quigley, Tech Director.


NISPOM Chapter 8

Information Systems Security Manager (ISSM) Self-Certifications

& Other FAQs

NCMS Seminar

Reno, NV

June 2004

Ken Quigley

Tech Director


Overview

• Information Assurance Program Update

• ISSM Self-Certifications

• Reaccreditations

• Secret Internet Protocol Router Network (SIPRNet)

• Frequently Asked Questions (FAQs)


Information Assurance Program Update

• Automated Tools for National Industrial Security Program (NISP) Systems

– Working on having tools available for Windows (NT, 2000, XP) & UNIX (Solaris 8+, Linux 7.0+, IRIX 6.5+)

– PL1, PL2 and PL3

– Tool verifies system configuration against technical NISPOM requirements

– Results in report

– In development


Information Assurance Program Update

• Feedback and Automated Security Plan Template (FAST)

– Tool being developed through a joint effort with the CIA to automate creation of an SSP

– Question & answer format

– Allows changes to be tracked and approved by the accrediting authority


Information Assurance Program Update

– Joint Configuration Control Board between DSS & CIA being created to:

• Establish common baseline for tool and formalize dialogue between DSS & CIA

• Maximize client (developer of SSP) education

• Achieve consistency in C&A process

• Minimize duplication of effort

• Set standardized SSPs

– In development; beta testing on the horizon

– Enclosure 27 eliminated upon implementation


Information Assurance Program Update

• Selected portions of the ISOM Chapter 8 section have been approved for release to industry

• 4 Tech Directors on-board

– Assigned to West, North, Capital, and South Regions

– Function as the DAAs for their respective regions


Information Assurance Program Update

• Hiring more ISSPs

– Authorization seeks to increase by 40% the current ISSP workforce to support the increasing workload of IS accreditations

– Goal to have at least one ISSP for each field office


Information Assurance Program Update

• Inconsistencies being worked

– Educating IS Reps on the issuance of interims

• If SSP is complete and compliant, interims are to be issued

– 360 days maximum on interims

– No verbals


ISSM Self-Certifications

• ISSM self-certification request submitted as cover letter to a Master SSP

• Title of “Master SSP” used only when requesting self-certification

• Master SSP must be for an existing system requiring accreditation


ISSM Self-Certifications

• Master SSP must contain detailed self-certification procedures that address:

– Limits of self-certification authority

– Certifying & testing technical features for workstations added to an existing system/network

– Certifying & testing technical features on a new system/network

– Notification to DSS when new systems/networks are self-certified

– Documentation that will be maintained on all self-certifications


ISSM Self-Certifications

• Master SSP can address only “similar” ISs that operate in equivalent operational environments (closed area vs restricted area and single user vs multi-users)

• “Similar” is defined as same O/Ss and hardware that contain no components that require additional clearing, sanitization or disconnect procedures


ISSM Self-Certifications

• Self-certification granted to an individual by name, and alternate can also be granted self-certification authority

• If ISSM terminates position, the incoming ISSM must resubmit request for self-certification and demonstrate qualifications


ISSM Self-Certifications

• In order to be granted self-certification the ISSM must demonstrate

– satisfactorily trained in Chapter 8 requirements

– competency with ensuring technical security features are properly enabled

– reliability in maintaining approved system configurations and reporting infractions

• If criteria met, IS Rep must grant self-certification


ISSM Self-Certifications

• DSS Approval letter for Master SSP and ISSM self-certification authority is specific to:

– Operating environments (multi-user systems closed area vs multi-user systems restricted area)

– Operating Systems (Win2K, IRIX 6.5)


ISSM Self-Certifications (Final Accreditation Letter)

• Accordingly, we hereby grant full accreditation to those Information Systems (IS) that were identified in the Master SSP for the processing of (Insert Data Classification Level) at Protection Level (Insert Protection Level). This accreditation remains in effect for three years from the date of this letter. Re-accreditation is required if there is a change affecting the security posture of the IS baseline. Copies of all baseline profiles, to include original baselines, must be maintained with this accreditation letter.

• This accreditation does grant (Insert ISSM's Name), the Information System Security Manager (ISSM), self-certification authority for “similar” ISs that operate in equivalent operational environments and for the following operating systems: (List Operating Systems). Under the auspices of this accreditation letter, any future systems you certify as “similar” accredits the information system to operate under your master plan. If you submitted a system that is part of a WAN for your Master SSP, you may not connect any remote sites to your system under self-certification authority. You are reminded that a copy of each certification report must be forwarded to your DSS Industrial Security Representative.


Reaccreditations

• Reaccreditation is required when major changes occur in

– hardware

– software

– physical controls

– procedural controls

– security controls

– every three years regardless if no changes


Reaccreditations

• If reaccreditation is required because of major changes, the process is similar to the initial accreditation

– Contractor submits updated SSP

– DSS On-site certification conducted

– Final Reaccreditation provided by the DAA

• Contractors cannot make changes to the IS unless an interim approval to operate (IATO) has been granted by DSS


Reaccreditations

• If reaccreditation is required because of a pending 3-year expiration, the process is much simpler

– ISSM certifies to the IS Rep no changes have occurred to the system or SSP under which the current accreditation exists

• ISSM certification to the IS Rep can be by telephone, mail, or email

– IS Rep notifies the DAA who in turn will issue a reaccreditation letter to the ISSM


SIPRNet

• Contractors are being routinely disconnected due to expired accreditations

• Reconnection process more timely than normal reaccreditation

• ISSMs must track reaccreditation due dates to prevent disruption of access to SIPRNet


SIPRNet (Accreditation Letter Wording)

Please be advised that once your accreditation expires you are no longer authorized to process classified information or connect to the SIPRNet. Failure to comply will be viewed as a deliberate disregard of security requirements and is reportable under NISPOM paragraph 1-304.


FAQs

• Means to provide timely clarification & guidance within our information assurance program

• Thirty-one posted on DSS website

– WWW.DSS.MIL

• Several new ones in draft awaiting posting

• Many will be incorporated into Industrial Security Letters (ISL)


FAQs (Example)

• Do changes in Operating System versions require reaccreditation?

– Yes, changes could eliminate existing security features

• What is considered a “standalone” system?

– An IS that is physically and electronically isolated from all other systems and is intended to be used by one person only


FAQs (Example)

• Are audit records of anti-virus definition updates required to be maintained?

– Anti-virus software is considered security relevant and therefore updates to the software need to be recorded in a manual or automated process.


FAQs (Example)

• Is there a NISP policy for wireless devices in areas where classified information systems reside?

– There is no NISP policy that prohibits wireless devices in these areas. However, FSOs should consider the capabilities of the wireless device(s) and use sound judgement in developing appropriate security countermeasures.


FAQs (Example)

• Are miniaturized storage devices allowed to be used for classified processing?

– As with the wireless policy, there is no prohibition on using these types of devices. As with any storage media that contains classified information, appropriate classification markings, handling, storage and disposition need to be applied.


Miniaturized Storage Devices

Pen Drive

• USB Interface. Hot Plug and Play.

• Bus powered. No separate power supply or battery required.

• High performance write up to 12 Mbps.

• Windows mass storage device class compatible, so no driver needed in Windows ME, 2000, XP, Linux 2.4 or above, and MacOS 8.6 or above.

• Shock resistant, noise-free, and longer data retention.

• System Requirements: 133 MHz processor or better. USB 1.1 or better port.

• Flash memory can be reused more than 1,000,000 times and data can be preserved more than 10 yrs.

• Cost: 59.99


Miniaturized Storage Devices

New Technology poses new threats to security, not limited to Computer Security

Next Generation Devices, new devices and miniaturization

Thumb Drive

• Key Chain Size

• Requires no external power

• Flash RAM

• 8 MB – 512 MB

• $15 - $900

• IBM version (and others) need no driver

• Limits RAM


Miniaturized Storage Devices

USB Memory Watch

• Standard USB interface and USB extension cord included (1 meter)

• Sleek design, very lightweight (this is not a bulky watch)

• Plug and play, easy operation (appears as a USB mass storage device)

• Can be password protected using included software

• Can be used as a boot disk

• LED indicator light shows device connectivity and data transfer

• Operating Systems: Win 98, ME, 2000, XP, Linux 2.4 or higher, Mac OS 8.6 or higher

• Reading speed: 1000 KB/sec. Writing: 920 KB/sec

• Water resistant to 20 meters (let USB connector dry before using)

• Memory size: 256 MB, 128 MB

• Weight: 1.5 oz (43 grams)

• Dimensions: 1.5" width x .375" thick (watch face)


FAQs (Example)

• What is the difference between clearing and sanitizing media?

– Clearing refers to procedures by which classified information is removed whereby through a keyboard attack it cannot be recovered.

– Sanitizing refers to more stringent procedures by which classified information is removed whereby even through a laboratory attack the information cannot be recovered.


FAQs (Example)

• What is an “interconnected” network?

– Comprised of separately accredited systems under different SSPs.

– Can be systems that are separately accredited within the same cage code or geographically dispersed systems.

– Requires accreditation under a Network Security Plan (NSP) which is separate from the individually accredited SSPs.


FAQs (Example)

• We have an O/S that is not capable of implementing any or portions of the current Chapter 8 audit requirements. What are my options?

– Upgrade to an O/S that does support auditing

– Purchase add-on third party software

– Exception (ISL 04L-1) is when the GCA requires that a previously accredited IS be maintained with an O/S that is not capable of implementing the current Chapter 8 audit requirements.


Questions