Certification and Accreditation - the DLA Approach

How to Perform Information Systems Security Certification and Accreditation (C&A) within the Defense Logistics Agency (DLA) using Metrics and Controls for Defense-in-Depth (McDiD).

CIO Council Security Practices Subcommittee

Defense Logistics Agency (DLA), Information Assurance Division - J-633 (formerly J-653)
1.7 Level of BSP

1.8 Security Processes or other Framework(s) Supported

Certification and Accreditation (SPF 9)

1.10 Points of Contact
BSP Owner:
Yes, post this contact information with the publicly accessible BSP.
2.0 What This BSP Does
This BSP describes the implementation of metrics and controls specifically tailored for DLA information systems, web sites, and networks that together constitute an enterprise solution for the information systems security certification and accreditation process set forth in DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP).
2.2 Requirements for this BSP
The DLA has approximately 600 information systems, websites and networks in all phases of the DITSCAP process, and in various stages of McDiD implementation. Even in its initial stages the McDiD has demonstrated the capacity to significantly enhance information system security awareness and improve the security posture of DLA. This BSP has produced a marked increase in the number and quality of System Security Authorization Agreements (SSAAs) submitted for Headquarters DLA review and fostered a robust exchange of information and views on security issues across all DLA elements and information system proponents. The result has been to steadily improve the quality of IA activities on an enterprise-wide scale. Endorsers for this BSP include: Victor Johnnides, Chief, PEO Operations Division; Linda Cooper, Deputy Chief, DLA Computer Emergency Response Team; and Susie Fairley, Information System Security Manager (ISSM), Defense Supply Center Columbus.
3.0 What This BSP Is

3.1 Description of BSP
The key to a single comprehensive information assurance program is the effective application of safeguards such that information and information systems maintain the appropriate level of assurance while maintaining required levels of interoperability. DLA is implementing a single comprehensive information assurance program using the DITSCAP as the implementation mechanism for its systems, networks and sites; the program also responds to the mandated readiness and defense-in-depth requirements. To accomplish this task DLA developed an internal enterprise-wide process called Metrics and Controls for Defense in Depth (McDiD) to track the level of compliance its elements achieve and maintain against master lists of safeguards or security controls. The McDiD master lists consist of a range of controls and metrics developed to mitigate specific threats across DLA, in accordance with DoD policy. While the McDiD master lists are not available for general dissemination, a sample control is presented below. Further information about the controls or the McDiD process can be obtained by contacting the POCs listed on the first page. Each McDiD control is comprised of the following elements:
An example of a McDiD control is provided below:
McDiD controls address the actions and conditions required for policy compliance, for certification and accreditation leading to an approval to operate, and for readiness sustainment on an agency-wide basis. Local supplementation of the master list is expressly encouraged where unique or special conditions warrant additional scrutiny to assure an adequate level of security is attained and maintained for a DLA site, system or network.
The McDiD controls are crucial components of DLA C&A activities at each of the four DITSCAP phases. They form the foundation for the development of the System Security Authorization Agreement (SSAA) in the Definition Phase, and serve to orient and focus local and agency actions to prepare for and conduct the Verification and Validation phases. In the Post-accreditation phase the McDiD controls serve as a vital tool to identify changes in the information security baseline for the system, site, network or operating environment that can indicate to the DAA that re-certification action is required.
While the DLA C&A process requires that all information systems, networks and web sites be covered by an SSAA, a separate SSAA is not required for each system, network or web site. The DLA implementation of DITSCAP provides for three classes of SSAAs based on logical groupings of its information systems, networks, and web sites. The grouping decision requires that all components included in the SSAA be under a single DAA and be subject to a uniform set of metrics and controls to assure defense-in-depth (DiD). In this respect the SSAA defines and establishes an identifiable security domain and facilitates the clear assignment of security roles and responsibilities. The Designated Approving Authority (DAA) and Certifying Authority (CA) are normally determined by mission categorization. The McDiD controls are organized into the following three sets of master control lists drawn from a variety of sources and tailored to correspond with the DLA C&A process as
The sources of McDiD controls are depicted below:
The McDiD for DLA IT Sites addresses physical and environmental security, IT site configuration management, computer emergency/incident response and network defense, IA technology requirements for enclave boundary protection (e.g., separation of internal and external services, DLA defense in depth architecture for e-mail), IA technology requirements for standard intranet computing environments (e.g., virus protection, vulnerability assessments, and Public Key Infrastructure), enclave security management, continuity of operations planning, and IA program and budget.
The McDiD for Production Systems focuses on application-level security safeguards that can be implemented in a post-deployment phase and presume that the system will be hosted at a DLA site, thus inheriting the security of IT site implemented controls. The controls address system management, configuration management, security architecture, security management and continuity of operations planning.
The McDiD for Emerging Systems is designed to address security across the system life cycle. It includes:
For DLA IT Sites and production systems, the C&A process is initiated by the performance of a security self-assessment using the McDiD controls appropriate to the class of SSAA to be developed as part of the DITSCAP's Phase 1 (Definition). The self-assessment provides a preliminary indication of the information security posture of the site, system or network and facilitates the negotiation among the key players needed to produce the SSAA. More importantly, the McDiD self-assessment highlights those areas requiring corrective action, which are aggregated in an executable Plan of Action and Milestones (POAM). Successful completion of the POAM during the conduct of DITSCAP's Phase 2 (Verification) positions the site or system program manager for the conduct of DITSCAP Phase 3 (Validation) by the CA. The McDiD controls are continuously refreshed and re-evaluated as a normal part of the SSAA reviews that are integral to the Verification and Validation phases. At the conclusion of Phase 3, the DLA CA provides the DAA with a summary of the McDiD control ratings, the SSAA and other supporting documentation, and a recommendation regarding approval to operate. While DLA sets the enterprise standard as a C1 rating in all controls, the actual rating profile may vary based on the DAA's acceptance of residual risk in those areas where a full compliance solution is not feasible based on the assessed level of vulnerability or resources required. To ensure the McDiD process remains current and comprehensive, DLA ISSMs/ISSOs and CAs are required to provide comments and recommendations for improvements to the C&A process. The DLA Headquarters Information Assurance Division also conducts quarterly security reviews with agency elements to maintain the momentum and focus on information system security. 
Following the approval to operate, within DLA the McDiD controls will be used to support a required annual re-assessment during the DITSCAP Post-accreditation (Phase 4) in the years between required re-validations.
For emerging systems, the C&A process is tailored to the system's adopted life cycle model. The Definition and Post-accreditation phases are fixed; however, Verification and Validation may iterate according to the number of new enclaves or computing environments established and the number of major software releases scheduled prior to Full Operating Capability (e.g., an evolutionary design scheme).
To implement the McDiD process, DLA developed a comprehensive set of training materials and hosted a series of workshops or seminars with its operating and staff elements. Further information regarding the training materials can be obtained by contacting the POCs on the first page. These initiatives focused on the SSAA development process, and in addition to reviewing the master McDiD control lists, included a number of exercises to identify the local controls necessary to adequately address unique operating environment, system, or site requirements. The thrust of the DLA effort is to hold to an absolute minimum the administrative burdens associated with the C&A process on its operating and staff elements. Wherever possible, enterprise-wide approved text for portions of the SSAA, such as the threat assessment, has been provided for the use of the individual site, system or network managers. In all other areas worksheets and templates have been developed at the enterprise level to ensure a unity of vision and purpose across the agency. To facilitate the flow of information, and support information system security as a function of electronic business, DLA is in the process of establishing an online Comprehensive Information Assurance Knowledge-base (CIAK) that is available in the DLA domain for DLA subscribers only. CIAK will provide DLA elements with a single web site for policy analysis, guidance, reference and research materials, training materials, assistance, announcements and information. CIAK also will serve as the repository and interactive workspace for the development, submission, processing, review and exchange of SSAAs and all other documentation related to the C&A process.
3.2 Relationship to Other BSPs

This BSP serves as the enterprise-wide foundation for the conduct of C&A and the implementation of a single, comprehensive information assurance program within DLA.
4.0 How To Use This BSP

Conducting effective and comprehensive C&A is the single best method for providing an adequate level of information assurance in support of organizational missions and activities, and for providing inter-connected organizations adequate assurance that security risks are being managed. While the DITSCAP remains a vital and valid higher-level process to approach this task, each organization can benefit from this BSP by considering the development of similar controls and metrics to guide the entire C&A process. The McDiD process supports the standardization of effort at the enterprise level to offer greater efficiencies in the implementation and conduct of a tailored information assurance program, and facilitates the adoption of a unified functional approach across the organization. The application of McDiD provides organizational leaders at all levels with a valuable security and readiness profile in support of policy, planning and resource management activities.
4.2 Implementation Resource Estimates

The resources required to implement this BSP will vary greatly depending on the size and nature of the organization. All levels of command and all key players in the C&A process as outlined in the DITSCAP will have substantial roles and responsibilities. However, the adoption of standardized procedures, templates, worksheets and extensive information sharing has the potential to deliver substantial resource benefits through avoidance of duplication and streamlined operating procedures.
4.3 Performance Goals and Indicators (Metrics)

The DLA standard for all McDiD controls is a C1 rating. While the implementation of McDiD is, by design, a continuous operation, DLA has already experienced an increase in the level of enterprise IA awareness, clarity of purpose, quality of thought, a significant increase in information sharing, and an improved understanding of the C&A process as outlined in the DITSCAP. These factors have already elevated the information assurance posture of DLA and resulted in improvements to DLA sites, systems and networks as the SSAA developmental process matures.
A complete package of document and report templates, including several completed sections of the SSAA pre-approved for enterprise-wide use, is available in a variety of formats, as well as on-line in the CIAK. The CIAK also serves as a valuable tool to facilitate the electronic submission of SSAAs and dissemination of information and documents. CIAK is available in the DLA domain for DLA subscribers only.

A complete package of materials used to support the conduct of the training workshops and seminars is available and includes worksheets to assist DLA personnel in the application of McDiD and the development of the SSAA.
A Executive Overview and Briefing

A copy of an informational briefing on McDiD is enclosed.
Assistant Secretary of Defense for Command, Control, Communications and Intelligence

DLA has contracted with Booz-Allen and Hamilton for general support in the development of the McDiD controls under a GSA contract for Information Assurance Certification, Accreditation and Reporting Process Engineering (GS-23F-0025K).
CA - Certifying Authority
CIAK - Comprehensive Information Assurance Knowledge-base
C&A - Certification and Accreditation
DAA - Designated Approving Authority
DLA - Defense Logistics Agency
DITSCAP - DoD Information Technology Security Certification and Accreditation Process
GIG - Global Information Grid
Legacy System - Information systems within DLA currently in operation that are scheduled for replacement/retirement, and for which no further program resources will be allocated for improvement or expansion.
McDiD - Metrics and Controls for Defense-in-Depth
Production System - Information Systems within DLA that have achieved full-operational capability and are currently deployed for operational use.
SSAA - System Security Authorization Agreement
SOW - Statement of Work