Certification and Accreditation - the DLA Approach

1.0 Identification Data

1.1 BSP Number: 00016

1.2 BSP Title/Name: How to Perform Information Systems Security Certification and Accreditation (C&A) within the Defense Logistics Agency (DLA) using Metrics and Controls for Defense-in-Depth (McDiD).

1.3 Version Number: 1.0

1.4 Adoption Date: 03/12/2001

1.5 Approving Authority: CIO Council Security Practices Subcommittee

1.6 Responsible Organization: Defense Logistics Agency (DLA), Information Assurance Division - J-633 (formerly J-653)

1.7 Level of BSP: Candidate

1.8 Security Processes or other Framework(s) Supported: Certification and Accreditation (SPF 9)

1.9 Reserved

1.10 Points of Contact

Government BSP Owner (Yes, post this contact information with the publicly accessible BSP):
Richard A. Parker, Captain S.C. USN, Deputy Executive Director, Information Technology Policy, Plans, and Assessment, Defense Logistics Agency, 8725 J.J. Kingman Rd., Fort Belvoir, VA 22060

Vendor Partner (Yes, post this contact information with the publicly accessible BSP):
Glenda Turner, Booz-Allen and Hamilton, Inc., 3190 Fairview Park Drive, Falls Church, VA 22042. Telephone: 703-289-5279. Fax: 703-289-5813. E-mail: turner_glenda@bah.com
2.0 What This BSP Does

2.1 BSP's Purpose

This BSP describes the implementation of metrics and controls specifically tailored for DLA information systems, web sites, and networks that constitute an enterprise solution for the information systems security certification and accreditation process set forth in DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP).

2.2 Requirements for this BSP

- DoD Directive 5200.28, Security Requirements for Automated Information Security Systems (AISS), mandates the accreditation of all AIS, to include stand-alone personal computers, connected systems and networks.
- DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DoDI 5200.40), established a four-phase process, required activities and general criteria to accomplish a certification and accreditation process leading to an approval to operate based on acceptable residual risk. The DITSCAP requires that all information system and network owners address security from a single system or network perspective, and do so across the system's life cycle.
- DoD Chief Information Officer Guidance and Policy Memorandum No. 6-8510, DoD Global Information Grid (GIG) Information Assurance (IA), dated June 16, 2000, directed that DoD develop an enterprise-wide IA architectural overlay to implement a defense-in-depth strategy across the Global Information Grid (GIG). The DoD GIG IA Defense-in-Depth strategy specifically addresses internetworked risk, and requires information system and network owners to integrate information enterprise and security solutions into the local computing environment, the network enclave and its boundaries, the wide area network, and supporting enterprise security services. The Defense-in-Depth strategy incorporates both technical and non-technical means to afford multiple protections at different layers within information systems and their supporting communications networks.
- The Chairman's Readiness System includes information assurance readiness in the Command, Control, Communications, and Computers (C4) portion of its Joint Monthly Readiness Reports (JMRRs). The JMRRs provide the DoD leadership a current, macro-level assessment of the military's readiness to execute the National Military Strategy (NMS). The DLA is required to address the IA checklist items contained in CJCSI 6510.04 (available only in the .mil domain) in the JMRR assessment.
2.3 Success Stories

The DLA has approximately 600 information systems, websites and networks in all phases of the DITSCAP process, and in various stages of McDiD implementation. Even in its initial stages the McDiD has demonstrated the capacity to significantly enhance information system security awareness and improve the security posture of DLA. This BSP has produced a marked increase in the number and quality of System Security Authorization Agreements (SSAAs) submitted for Headquarters DLA review and fostered a robust exchange of information and views on security issues across all DLA elements and information system proponents. The result has been to steadily improve the quality of IA activities on an enterprise-wide scale. Endorsers for this BSP include: Victor Johnnides, Chief, PEO Operations Division; Linda Cooper, Deputy Chief, DLA Computer Emergency Response Team; and Susie Fairley, Information System Security Manager (ISSM), Defense Supply Center Columbus.
3.0 What This BSP Is

3.1 Description of BSP

The key to a single comprehensive information assurance program is the effective application of safeguards such that information and information systems maintain the appropriate level of assurance while maintaining required levels of interoperability. DLA is implementing a single comprehensive information assurance program using the DITSCAP as the implementation mechanism for its systems, networks and sites that also responds to the mandated readiness and defense-in-depth requirements. To accomplish this task DLA developed an internal enterprise-wide process called Metrics and Controls for Defense in Depth (McDiD) to track the level of compliance its elements achieve and maintain against master lists of safeguards or security controls. The McDiD master lists consist of a range of controls and metrics developed to mitigate specific threats across DLA, in accordance with DoD policy. While the McDiD master lists are not available for general dissemination, a sample control is presented below. Further information about the controls or the McDiD process can be obtained by contacting the POCs listed on the first page.

Each McDiD control is comprised of the following elements:

- Control Number - a unique identifier.
- Control Name - a brief title phrase that describes the subject area or focus of the control.
- Control Description - several sentences or a paragraph that describe the security condition or state that the control is intended to achieve.
- Metrics - an assessment or rating that serves as an indicator of compliance with the control.

In assessing and rating individual controls, DLA generally defines four readiness "C-Levels" in terms of progress toward full compliance with each control, as follows:

- C1 - The security control has been fully implemented and the security profile achieved by the control is being actively maintained. Full compliance indicates that only minor IA deficiencies with a negligible impact on mission capabilities may be expected.
- C2 - The IT organization is in the process of deploying or implementing the security control. This level of compliance indicates that some IA deficiencies with a limited impact on mission capabilities may be expected.
- C3 - The IT organization is aware of the control and is in a planning phase for compliance. This level of compliance indicates that significant IA deficiencies preventing the performance of some portions of required missions may be expected.
- C4 - No awareness of the control or progress toward compliance is evident. This level of compliance indicates that major IA deficiencies that preclude satisfactory mission accomplishment may be expected.

An example of a McDiD control is provided below:

McDiD controls address the actions and conditions required for policy compliance, for certification and accreditation leading to an approval to operate, and for readiness sustainment on an agency-wide basis. Local supplementation of the master list is expressly encouraged where unique or special conditions warrant additional scrutiny to assure an adequate level of security is attained and maintained for a DLA site, system or network.

The McDiD controls are crucial components of DLA C&A activities at each of the four DITSCAP phases. They form the foundation for the development of the System Security Authorization Agreement (SSAA) in the Definition Phase, and serve to orient and focus local and agency actions to prepare for and conduct the Verification and Validation phases. In the Post-accreditation phase the McDiD controls serve as a vital tool to identify changes in the information security baseline for the system, site, network or operating environment that can indicate to the DAA that re-certification action is required.
While the DLA C&A process requires that all information systems, networks and web sites be covered by an SSAA, a separate SSAA is not required for each system, network or web site. The DLA implementation of DITSCAP provides for three classes of SSAAs based on logical groupings of its information systems, networks, and web sites. The grouping decision requires that all components included in the SSAA be under a single DAA and be subject to a uniform set of metrics and controls to assure defense-in-depth (DiD). In this respect the SSAA defines and establishes an identifiable security domain and facilitates the clear assignment of security roles and responsibilities. The Designated Approving Authority (DAA) and Certifying Authority (CA) are normally determined by mission categorization. The McDiD controls are organized into the following three sets of master control lists, drawn from a variety of sources and tailored to correspond with the DLA C&A process as indicated above:

The McDiD for DLA IT Sites addresses physical and environmental security, IT site configuration management, computer emergency/incident response and network defense, IA technology requirements for enclave boundary protection (e.g., separation of internal and external services, DLA defense-in-depth architecture for e-mail), IA technology requirements for standard intranet computing environments (e.g., virus protection, vulnerability assessments, and Public Key Infrastructure), enclave security management, continuity of operations planning, and IA program and budget.

The McDiD for Production Systems focuses on application-level security safeguards that can be implemented in a post-deployment phase and presumes that the system will be hosted at a DLA site, thus inheriting the security of IT-site-implemented controls. The controls address system management, configuration management, security architecture, security management and continuity of operations planning.

The McDiD for Emerging Systems is designed to address security across the system life cycle. It includes:

- Security controls for the program manager and program office (e.g., personnel security requirements and rules, information release rules, program OPSEC);
- Requirements for the system security architecture (e.g., compliance with the DLA technical architecture, policy-based access, single sign-on, use of public key technologies);
- Security controls for the development process (e.g., an automated library for system software objects managed and maintained in such a way as to protect privileged programs and to prevent or minimize the introduction of malicious or unauthorized code);
- Security controls for the transition to production (e.g., limitations on application developers' ability to change production code, physical and/or logical isolation of systems that provide unregulated access to the Internet); and
- Security controls for any new enclave or computing environment established to support the system, whether for design, development, testing, or production (e.g., firewalls, routers, virus protection).

For DLA IT Sites and production systems, the C&A process is initiated by the performance of a security self-assessment using the McDiD controls appropriate to the class of SSAA to be developed as part of the DITSCAP's Phase 1 (Definition). The self-assessment provides a preliminary indication of the information security posture of the site, system or network and facilitates the negotiation among the key players needed to produce the SSAA. More importantly, the McDiD self-assessment highlights those areas requiring corrective action, which are aggregated in an executable Plan of Action and Milestones (POAM). Successful completion of the POAM during the conduct of DITSCAP's Phase 2 (Verification) positions the site or system program manager for the conduct of DITSCAP Phase 3 (Validation) by the CA. The McDiD controls are continuously refreshed and re-evaluated as a normal part of the SSAA reviews that are integral to the Verification and Validation phases. At the conclusion of Phase 3, the DLA CA provides the DAA with a summary of the McDiD control ratings, the SSAA and other supporting documentation, and a recommendation regarding approval to operate. While DLA sets the enterprise standard as a C1 rating in all controls, the actual rating profile may vary based on the DAA's acceptance of residual risk in those areas where a full compliance solution is not feasible based on the assessed level of vulnerability or resources required. To ensure the McDiD process remains current and comprehensive, DLA ISSMs/ISSOs and CAs are required to provide comments and recommendations for improvements to the C&A process. The DLA Headquarters Information Assurance Division also conducts quarterly security reviews with agency elements to maintain the momentum and focus on information system security. Following the approval to operate, DLA will use the McDiD controls to support a required annual re-assessment during the DITSCAP Post-accreditation phase (Phase 4) in the years between required re-validations.

For emerging systems, the C&A process is tailored to the system's adopted life cycle model. The Definition and Post-accreditation phases are fixed; however, Verification and Validation may iterate according to the number of new enclaves or computing environments established and the number of major software releases scheduled prior to Full Operating Capability (e.g., an evolutionary design scheme).

To implement the McDiD process, DLA developed a comprehensive set of training materials and hosted a series of workshops or seminars with its operating and staff elements. Further information regarding the training materials can be obtained by contacting the POCs on the first page. These initiatives focused on the SSAA development process and, in addition to reviewing the master McDiD control lists, included a number of exercises to identify the local controls necessary to adequately address unique operating environment, system, or site requirements. The thrust of the DLA effort is to hold to an absolute minimum the administrative burdens the C&A process places on its operating and staff elements. Wherever possible, enterprise-wide approved text for portions of the SSAA, such as the threat assessment, has been provided for the use of the individual site, system or network managers. In all other areas worksheets and templates have been developed at the enterprise level to ensure a unity of vision and purpose across the agency. To facilitate the flow of information, and support information system security as a function of electronic business, DLA is in the process of establishing an online Comprehensive Information Assurance Knowledge-base (CIAK) that is available in the DLA domain for DLA subscribers only. CIAK will provide DLA elements with a single web site for policy analysis, guidance, reference and research materials, training materials, assistance, announcements and information. CIAK also will serve as the repository and interactive workspace for the development, submission, processing, review and exchange of SSAAs and all other documentation related to the C&A process.
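The self-assessment, POAM and rating-profile steps described above, modelled as an added Python example (this is not DLA's tooling; the control numbers, names, descriptions and ratings are constructed for illustration, since the McDiD master lists are not public):

```python
from collections import Counter
from dataclasses import dataclass, replace
from enum import IntEnum

class CLevel(IntEnum):
    """Readiness levels as defined in the BSP; a lower value is better."""
    C1 = 1  # fully implemented and actively maintained
    C2 = 2  # being deployed or implemented
    C3 = 3  # known to the organization, in planning for compliance
    C4 = 4  # no awareness or progress evident

ENTERPRISE_STANDARD = CLevel.C1  # DLA standard for every control

@dataclass(frozen=True)
class Control:
    """The McDiD control elements plus the DAA's residual-risk decision."""
    number: str
    name: str
    description: str
    rating: CLevel
    residual_risk_accepted: bool = False  # DAA accepted less than full compliance

# Constructed sample self-assessment for an IT Site SSAA (hypothetical numbers/names).
SELF_ASSESSMENT = [
    Control("ITS-01", "Enclave boundary protection",
            "Internal and external services are separated at the enclave boundary.", CLevel.C1),
    Control("ITS-02", "Virus protection",
            "Anti-virus is deployed and kept current on all intranet hosts.", CLevel.C2),
    Control("ITS-03", "Vulnerability assessments",
            "Periodic vulnerability assessments are conducted and tracked.", CLevel.C3),
    Control("ITS-04", "Continuity of operations planning",
            "A tested continuity of operations plan exists for the site.", CLevel.C4),
    Control("ITS-05", "Public Key Infrastructure",
            "PKI is used for standard intranet computing environment services.", CLevel.C2,
            residual_risk_accepted=True),
]

def rating_profile(controls):
    """Count of controls at each C-level: the profile the CA summarises for the DAA."""
    counts = Counter(c.rating for c in controls)
    return {lvl.name: counts.get(lvl, 0) for lvl in CLevel}

def poam(controls):
    """Plan of Action and Milestones: controls below the C1 standard whose residual
    risk the DAA has not accepted, worst rating first."""
    items = [c for c in controls
             if c.rating > ENTERPRISE_STANDARD and not c.residual_risk_accepted]
    return sorted(items, key=lambda c: (-c.rating, c.number))

def ready_for_validation(controls):
    """Phase 2 (Verification) exit / Phase 3 (Validation) entry: the POAM is complete."""
    return not poam(controls)

def close_poam_item(controls, number):
    """Record completion of a POAM item by raising that control to C1."""
    return [replace(c, rating=CLevel.C1) if c.number == number else c for c in controls]
```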
3.2 Relationship to Other BSPs

This BSP serves as the enterprise-wide foundation for the conduct of C&A and the implementation of a single, comprehensive information assurance program within DLA.
4.0 How To Use This BSP

4.1 Implementation Guidance

Conducting effective and comprehensive C&A is the single best method for providing an adequate level of information assurance in support of organizational missions and activities, and for providing inter-connected organizations adequate assurance that security risks are being managed. While the DITSCAP remains a vital and valid higher-level process to approach this task, each organization can benefit from this BSP by considering the development of similar controls and metrics to guide the entire C&A process. The McDiD process supports the standardization of effort at the enterprise level to offer greater efficiencies in the implementation and conduct of a tailored information assurance program, and facilitates the adoption of a unified functional approach across the organization. The application of McDiD provides organizational leaders at all levels with a valuable security and readiness profile in support of policy, planning and resource management activities.
4.2 Implementation Resource Estimates

The resources required to implement this BSP will vary greatly depending on the size and nature of the organization. All levels of command and all key players in the C&A process as outlined in the DITSCAP will have substantial roles and responsibilities. However, the adoption of standardized procedures, templates, worksheets and extensive information sharing has the potential to deliver substantial resource benefits through avoidance of duplication and streamlined operating procedures.
4.3 Performance Goals and Indicators (Metrics)

The DLA standard for all McDiD controls is a C1 rating. While the implementation of McDiD is, by design, a continuous operation, DLA has already experienced an increase in the level of enterprise IA awareness, clarity of purpose, quality of thought, a significant increase in information sharing, and an improved understanding of the C&A process as outlined in the DITSCAP. These factors have already elevated the information assurance posture of DLA and resulted in improvements to DLA sites, systems and networks as the SSAA developmental process matures.

4.4 Tools

A complete package of document and report templates, including several completed sections of the SSAA pre-approved for enterprise-wide use, is available in a variety of formats, as well as on-line in the CIAK. The CIAK also serves as a valuable tool to facilitate the electronic submission of SSAAs and dissemination of information and documents. CIAK is available in the DLA domain for DLA subscribers only.

4.5 Training Materials

A complete package of materials used to support the conduct of the training workshops and seminars is available and includes worksheets to assist DLA personnel in the application of McDiD and the development of the SSAA.
Appendices

A. Executive Overview and Briefing

A copy of an informational briefing on McDiD is enclosed.

B. Reference List

- Assistant Secretary of Defense for Command, Control, Communications and Intelligence
- DLA Library
- IA Technical Framework Forum
- National Defense University Library

C. Procurement Information

DLA has contracted with Booz-Allen and Hamilton for general support in the development of the McDiD controls under a GSA contract for Information Assurance Certification, Accreditation and Reporting Process Engineering (GS-23F-0025K).

D. Evaluation Information

E. Recommended Changes

F. Glossary

- CA - Certifying Authority
- CIAK - Comprehensive Information Assurance Knowledge-base
- C&A - Certification and Accreditation
- DAA - Designated Approving Authority
- DLA - Defense Logistics Agency
- DITSCAP - DoD Information Technology Security Certification and Accreditation Process
- GIG - Global Information Grid
- Legacy System - Information systems within DLA currently in operation that are scheduled for replacement/retirement, and for which no further program resources will be allocated for improvement or expansion.
- McDiD - Metrics and Controls for Defense-in-Depth
- Production System - Information systems within DLA that have achieved full operational capability and are currently deployed for operational use.
- SSAA - System Security Authorization Agreement
- SOW - Statement of Work