|How to Accredit Information Systems for Operation|
|CIO Council Security Practices Subcommittee|
Naval Surface Warfare Center, Dahlgren Division, Dahlgren
(Webmaster's Note: All links that pointed to NSWCDL have been removed from this page, because the NSWCDL server is no longer in operation.)
|1.7||Level of BSP|
|1.8||Security Processes or other Framework(s) Supported|
|Certification and Accreditation (SPF 9)|
|1.10||Points of Contact|
|Government BSP Owner: Personal information not posted to comply with policy. Naval Surface Warfare Center, Dahlgren Division, Dahlgren Laboratory, Computer and Network Security (Code CD2S)|
|2.0||What This BSP Does|
|This BSP describes the procedures employed by the Designated Approving Authority to accredit systems for operation.|
|2.2||Requirements for this BSP|
|SECNAVINST 5239.3. "All Information Systems must be accredited. Re-accreditation is required whenever a significant change occurs, such as change in operating system, new services or applications."|
|2.3||Requirements for this BSP|
|SANS 2000 Security Technology Leadership Awards, February 10, 2000, Washington, DC: Each year, the SANS Institute searches for teams of people that exemplify the best in innovation, sharing, and community leadership. Winners of the SANS2000 awards include: Naval Surface Warfare Center Dahlgren Division for pioneering work and continued leadership in developing and sharing promising security practices with the entire SANS community. Examples include the Shadow intrusion detection system, security courses and accreditation programs, and the consensus guide to incident handling for organizations infected with denial of service tools.|
|3.0||What This BSP Is|
|3.1||Description of BSP|
Systems must be accredited. Re-accreditation is required whenever a significant change occurs, such as a change in operating system, new services or applications, etc., or every three years, whichever comes first. Accreditation is granted by the Designated Approving Authority (DAA) based on a favorable review of a current Security Domain Package and the requisite risk assessment(s). The primary factors that are considered in accreditation review are:
For purposes of processing accreditation requests, we group systems as follows:
Note that the lines of demarcation are not hard and fast. The grouping is done to provide optimum risk management and Security Officer empowerment.
Unclassified Legacy Systems.
This includes PCs using only MS-DOS or versions of Windows prior to 3.1 and Macintoshes using MacOS 7.5 or earlier. These systems are beginning to be phased out. There is a whitepaper that details this further. If you have an IS that fits this description, do not send the accreditation request to ISSM. It must be included in a Security Domain Package on file with the Information Systems Security Office and accredited by an ISSO in your department who has a signed appointment letter authorizing him or her as a Designated Approving Authority (aka Accreditation Express). If your department does not have an ISSO on Accreditation Express, now is a good time to appoint one. The DAA updates the information in the IS Accreditation database and files the hard copy documentation.
Unclassified Modern Desktop Systems
If you have an IS other than what is described above, (i.e., a PC running Windows 3.1, Windows 95, Windows NT, or MacOS 7.6, MacOS 8.x, multi-user computer etc.) the same process applies. For the present, these accreditations are conducted by DAAs described above.
All Other ISs
As above, the user (typically) determines the level of risk (low, medium, high) based on countermeasures selected and marks the appropriate block for each threat area. An individual other than the person conducting the risk assessment, (typically the ISSO), then conducts Security Test and Evaluation (ST&E) to verify that all indicated countermeasures are in place and then passes (or fails) that particular vulnerability.
When the request and risk assessment are ready for review, the ISSO contacts the Information System Security Office to schedule a review. We will schedule you as soon as possible. When we review your request, we may or may not elect to conduct further ST&E. We will do one of the following three things:
If the IS is to be used for classified processing, it is advisable to prepare a cover sheet for the package that will let the DAA's administrative assistant know where to send the completed package once the DAA has accredited the system.
Once the IS has been accredited, the Security Officer then updates the information in the IS Accreditation database and files the completed request and risk assessment(s).
Process Description (non-NSWCDL systems)
These include computers that belong to other activities and are located/used at NSWCDL as well as systems that are brought into our spaces but may not be used to process information for us. In any event these systems must be operated at an acceptable risk as described below:
Systems which reside in NSWCDL spaces and process our information
These will be treated as NSWCDL systems for accreditation purposes. They are included in security domain packages and are described in appropriate risk assessments.
Systems that are brought into NSWCDL spaces but do not process our information.
Use of these systems will be approved in writing by the cognizant Department Head (or designee). ISSOs will maintain a file of designees appointed in writing by the Department Head. The system will be accredited by the cognizant ISSO using (at least) an abbreviated risk assessment that stipulates the following minimum criteria:
The risk assessment will be signed by the user (constituting consent to the stated conditions), and the accrediting ISSO.
Database and Hard Copy Records.
ISSOs have read and write access to the centralized accreditation database and maintain the hard copy documentation that supports entries in that database.
If you need to move an IS, coordinate the move with your ISSO.
If the move involves an IS used only for processing unclassified information and the accreditation is less than two years old, the ISSO can update the database to reflect the new location. If the accreditation is over two years old, the IS needs a current risk assessment to determine whether the accreditation is still valid.
If the move involves an IS used for processing classified information and the accreditation is less than one year old, the following guidelines apply:
In either case, if the accreditation is over a year old, the IS really needs a current risk assessment to determine if the accreditation is valid.
Adding ISs to an existing domain
If you have a current Security Domain Package on file with ISSM and need to accredit additional systems, the following guidelines apply:
If you have an IS accredited to process classified information and you need to get it accredited to process unclassified information, it must be sanitized prior to downgrading (see below for information).
An IS must be sanitized prior to being downgraded. To sanitize an IS, you must remove all information. Contact your ISSO for details. You will need to complete a sanitization form and have it signed by your ISSO. Once the IS has been sanitized (and we have made the appropriate grants for the database), an Accreditation Express ISSO can update the record in the database. The ISSO must keep a record of the sanitization. If a classified IS is being excessed, it must have a sanitization certificate attached. If the system is unclassified, the folks who handle excessed equipment will perform the sanitization and complete the required paperwork.
Database updates and maintenance
ISSOs are responsible for maintaining current information in the Accreditation Database. When an IS is excessed, the ISSO needs to update the STATE field to reflect that the IS is not in service.
|3.2||Relationship to Other BSPs|
|None at this time.|
|4.0||How To Use This BSP|
|NSWCDL maintains an Accreditation Database to monitor the status of systems.|
|4.2||Implementation Resource Estimates|
|Varies widely depending on system complexity. However, a stand-alone PC running WindowsNT may require approximately 8 man-hours to properly configure. In a networked environment the time per PC decreases, but is offset by the number of network specific devices, e.g., servers.|
|4.3||Performance Goals and Indicators (Metrics)|
|[Describe the metrics used to determine this BSPs success.]|
|NSWCDL ISSM Forms|
|NSWCDL training curriculum.|
|A||Executive Overview and Briefing|
|[Provide materials, briefings, etc. used to gain management buy-in.]|
|[List books, articles, or URLs to enhance understanding this BSP.]|
|[Identify contract vehicles and SOWs if services or materials were procured.]|
|[Define terms helpful to understanding this BSP.]|