Process Steps for PM
[Flowchart: System Design -> System Created -> Differences?]
Process Steps for PM
• CIO evaluates support/sustain requirements
• The evaluation will be signed and loaded as an artifact prior to the package moving to the Certifier
• Will eliminate orphaned systems
• Gives better configuration management
• Ensures life cycle management is built into the system
Process Steps for PM
• Verify database entries
• Artifacts
• Ready for Validation?
Process Steps for Validator/Cert Agent: Validation
• Validator conducts the test and evaluation
• If there are no problems, or there are problems that are easily resolved, analysis of the risk items begins
• Notification is sent to the PM/IAM if any discovered items are not easily resolved
• Validator develops and loads the initial Risk Assessment into the C&A tool (IATS)
• A second discussion occurs here if needed
• Validator updates the Risk Assessment if needed as a result of that discussion
Process Steps for Validator/Cert Agent
[Flowchart: Review C&A Plan -> Conduct Test and Evaluation -> Notify of Validation problems -> Corrections]
IA Controls Review
IA Controls
• Mission Assurance Category (MAC) Levels
• Confidentiality Levels (CL)
Mission Assurance Category (MAC) Levels
DoDI 8500.2, Enclosure 2, page 22: "the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission."
Mission Assurance Category (MAC) Level I
MAC I: "Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness."
Source: DoDI 8500.2, Enclosure 2, page 22
Mission Assurance Category (MAC) Level II
MAC II: "Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness."
Source: DoDI 8500.2, Enclosure 2, page 22
Mission Assurance Category (MAC) Level III
MAC III: "Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities."
Source: DoDI 8500.2, Enclosure 2, page 22
Confidentiality Levels
DoDI 8500.2, Enclosure 2, page 16: "Applicable to DoD information systems, the confidentiality level is primarily used to establish acceptable access factors, such as requirements for individual security clearances or background investigations, access approvals, and need-to-know determinations; interconnection controls and approvals; and acceptable methods by which users may access the system (e.g., intranet, Internet, wireless)."
The Department of Defense has three defined confidentiality levels: classified, sensitive, and public.
Determining IA Controls Manually
The MAC and Confidentiality Levels are combined to ascertain which IA Controls apply to your system:
• MAC I, Classified: Use DoDI 8500.2 Attachments A1 and A4
• MAC I, Sensitive: Use DoDI 8500.2 Attachments A1 and A5
• MAC I, Public: Use DoDI 8500.2 Attachments A1 and A6
• MAC II, Classified: Use DoDI 8500.2 Attachments A2 and A4
• MAC II, Sensitive: Use DoDI 8500.2 Attachments A2 and A5
• MAC II, Public: Use DoDI 8500.2 Attachments A2 and A6
• MAC III, Classified: Use DoDI 8500.2 Attachments A3 and A4
• MAC III, Sensitive: Use DoDI 8500.2 Attachments A3 and A5
• MAC III, Public: Use DoDI 8500.2 Attachments A3 and A6
Source: DoD Instruction 8500.2, Enclosure 4, Table E4.T2, page 50
Determining IA Controls
Or you can use the DIACAP Knowledge Service: https://diacap.iaportal.navy.mil
IA Controls of Note
Three important IA controls are used by every MAC level:
• DCCS-1/DCCS-2 (Configuration Specifications; DCCS-1 applies at MAC III, DCCS-2 at MAC I and II) and ECSC-1 (Security Configuration Compliance) both state that one is to use the DISA Security Technical Implementation Guides (STIGs) or the NSA Security Recommendation Guides (SRGs) to configure the system.
• VIVM-1 states that an automated tool is to be used as part of a vulnerability management program. DISA has started the Secure Configuration Compliance Validation Initiative (SCCVI) to provide one.
Testing
Review
Perform a Review: ensure the minimum documents for your package are present. If documents are missing, the reviewer should request them from the submitter and not pass the package on to the Navy CA until all documents are received.
Note: The reviewer should employ all review procedures required by his/her Echelon II command.
Review
When submitted to the Navy CA, they also put your package through an in-depth review.
Review
Items to check in Review:
• Accreditation Boundary is clear
• Certification level is clear
• Site Location is clear
• MAC category is clear
Test
The primary reason for testing the security of an operational system is to identify potential vulnerabilities and subsequently repair them. Network and system security scanning is the most practical way to find out what the vulnerabilities and threats are. Examining security vulnerabilities is the first step in reducing site, system, and server liabilities.
Preparing for the Test
The Test involves a considerable amount of time and preparation. A Test can take from one day to several weeks to complete, depending on the size/complexity of the application/network/system. The Test will require at least one tester (a person familiar with the system) and one witness (a certification agent who documents the results). There are many different items that contribute to Test results, such as:
• Documentation
• Automated software reports
• Hand-written test results
Preparing for the Test
Automated software used during the Test could cause a temporary loss of functionality in the network/system, so plan accordingly. Review the list of controls and validation procedures using the DIACAP Knowledge Service located at https://diacap.iaportal.navy.mil/
Sources for Test
DISA and the NSA have written a number of documents on locking down systems based on industry best practices and practical experience. These guides are known as Security Technical Implementation Guides (STIGs) or Security Recommendation Guides (SRGs) and they cover technology in use in the Federal Government. For each STIG, there is an associated Security Checklist that allows a security professional to manually review a system for compliance with the STIG. In accordance with the DoDI 8500.2 IA Controls DCCS-2 and ECSC-1, the DISA STIG or SRG for each system must be used as guidance on locking it down. STIGs and checklists are available at: http://iase.disa.mil
If there are specific functions of the system that are locally developed or GOTS, or there are processes specific to your organization that meet the IA controls, then test procedures specific to these elements will need to be developed.
DISA
• DoD Directive 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines"
• IA Products – will affect the boundary
• IA-enabled IT Products – can affect the boundary
• The use of the principles and guidelines in the STIG will provide an environment that meets or exceeds the security requirements of DoD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing sensitive information.
STIGs
DISA STIGs
DISA STIGs are used to lock down a system. DISA has produced documentation for many operating systems, database engines, and other technologies. NSA has produced documentation for a few operating systems and hardware technologies.
STIGs
DISA STIGs and NSA Guides are configuration standards. DISA has produced documentation for many operating systems, database engines, and other technologies. For more information go to https://iase.disa.mil
STIG Example: Local Accounts
To minimize potential points of attack, local users, other than the built-in Administrator and Guest accounts, should not exist on a workstation in a domain. Users should always log onto workstations via their domain and domain accounts. This does not apply to laptop PCs which are designed to function both on the domain and off the domain.
(4.024: CAT III) The SA will ensure local user accounts do not exist on a workstation.
Checklists
Checklist
• Security Checklist
• Lockdown Guide
• Hardening Guide
• Benchmark configuration
• Security Readiness Review (SRR) scripts – unlicensed tools provided by DISA FSO
Checklist Example
The GPMC should appear in the Administrative Tools menu after it has been installed on a system. It can also be loaded in an MMC with the following steps:
• Select "Start" and "Run" from the desktop.
• Type "mmc.exe" in the Run dialog. Click "OK".
• Select "File" from the MMC menu bar.
• Select "Add/Remove snap-in" from the drop-down menu.
• Click the "Add" button on the Standalone tab.
• Select the "Group Policy Management" snap-in and click the "Add" button.
• Click "Close". Click "OK".
Gold Disk
Gold Disk
Gold Disk was designed to evaluate the following:
• Windows 2000 (Professional, Member Server, Domain Controller)
• Windows XP
• Windows 2003 (Member Server, Domain Controller)
• Microsoft Office
• Netscape Navigator
• Internet Explorer
• Antivirus products
Gold Disk
• Why was Gold Disk developed?
• Gold Disk functionality
Requirements
• Required OS: Windows 2000 Professional; Windows 2000 Member Server; Windows 2000 Domain Controller; Windows 2003 Member Server; Windows 2003 Domain Controller; Windows XP
• Internet Explorer: Internet Explorer 6.0, Service Pack 1
• Account Privileges: the user account used to run the Gold Disk must have Administrator privileges
• User Right: the user account used to run the Gold Disk must have "Manage Auditing and Security Log"
• Minimum Screen Resolution: 800 x 600
Launch Gold Disk from CD-ROM
To run Gold Disk from CD-ROM:
• Insert Gold Disk CD Number 1 in the CD-ROM drive.
• Right-click on the "My Computer" icon on the Windows desktop.
• Select and click on Explore and navigate to the CD-ROM drive containing the Gold Disk CD.
• A window similar to Figure 2-1 will be displayed.
Launch Gold Disk from Network
To run Gold Disk from a local or network drive:
• Right-click on the "My Computer" icon on the Windows desktop.
• Select and click on Explore and navigate to the local or network drive containing the Gold Disk executable and control files.
• Double-click the launcher.exe icon.
Asset Evaluation
Upon completion of the system prescan, two options are available by right-clicking on the asset name in the left-side tree view. Edit Asset Information allows the user to enter information about the system to be imported into VMS. Evaluate Asset begins the process of scanning the system for vulnerabilities. This action can also be initiated via the "Evaluate Asset" button located on the Tool Bar.
Known Issues
With every new Gold Disk comes the Known Issues file. It is an Excel file with the top part containing current issues and the bottom part containing resolved issues. The Known Issues file is overwritten with the new and resolved issues with every new release (about every two months). You might want to keep the old Known Issues file if you happen to still be using an older disk.
Retina Vulnerability Scanner
SCCVI
DISA has also procured software for use in vulnerability assessments. This software attacks the target like a hacker with some knowledge of your system. SCCVI and the STIGs cover some of the same vulnerabilities, but have two different goals: SCCVI tests for IAVA compliance, whereas the STIGs are used for system lockdown. The Navy requires that this software be run on all Navy networks once a month, as per NCDOC CTO 06-02.
What is Retina
Retina, because it scans from the network, can only see what one would see from the network. Because of this, there are many IAVAs and settings that Retina cannot check for.
Why do we use it?
Retina tries to look at a system from the hacker's perspective. Retina checks to see how an outsider with limited knowledge can compromise the target system. It is a way to test the target system's first line of defense. The DISA Gold Disk/SRR scripts test the rest of the system. There is some overlap in the testing.
Why do we use it?
DoDI 8500.2 IA Control VIVM-1 states: "A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection and automated vulnerability assessment or state management tools." Retina is one of these "automated vulnerability assessment tools". DISA has procured and mandated Retina for DoD use.
What does this mean to me?
People will be using Retina to scan systems and networks. The results of these scans are used during the Residual Risk Assessment to show some of the risk of the system. We will need to be able to read the reports. Sometimes administrators will require our assistance in understanding the results of these reports.
What do you need to know before you scan?
Retina can only see a system's vulnerabilities from the outside. Do not scan through a firewall, router, or other network device that blocks or reroutes TCP/IP traffic. If there is a firewall or router between the system running Retina and the target, you will effectively be scanning the ruleset of the firewall or router, thereby skewing your results.
Reports
• Remediation
• Summary
• Executive
Reports
The tests are factual information. The analysis is a subjective and detached expert opinion on the validity, integrity, and plausibility of the tests. The analysis should be written by someone other than the tester.
Interpreting Reports
Interpreting reports requires some knowledge of the associated vulnerability. The reports usually contain a reference for the vulnerability that was located. It is suggested that the reviewer read this reference if they are not familiar with the vulnerability found. Report findings are ranked in order of severity: High, Medium, Low, Informational.
Executive Report
• All three reports are generated at the same time. Verify the dates and scan engines match for all three reports.
• Check the version of the scan engine and audit files for currency against the date the scan was run.
• Verify you receive scans for the number of devices identified in the SSAA and topology diagram.
• Verify the credentials used have sufficient privilege to audit registries. A null account does not.
• If you receive a scan that shows all zeroes, this is a red flag!
• Do not dump the report into a Word document; put it into a PDF file.
Remediation Report
• Verify that the dates and scan engines match for all reports.
• Verify the IP to be used as a line item in the POA&M.
• Each finding should be itemized in the POA&M for action.
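The checks in the Executive Report and Remediation Report slides above, written as a script that can be run over the metadata of a submitted scan package before it is accepted. This is an added example, not part of the original deck and not a Retina feature: the metadata fields (scan date, engine version, audit-file date, device count, total findings, registry audit success), the sample values, and the 30-day audit-file currency threshold are this example's own assumptions; the threshold matches the monthly scan cycle but is not a figure the deck gives.

```python
"""Sanity checks on the three Retina reports (Executive, Remediation, Summary)
before they go into a C&A package. Added example; the metadata schema, the
sample values and the 30-day threshold are this example's own assumptions."""
from datetime import date, timedelta

REQUIRED_REPORTS = ("Executive", "Remediation", "Summary")
AUDIT_FILE_MAX_AGE = timedelta(days=30)   # assumption: matches the monthly scan cycle


def check_scan_package(reports, expected_devices):
    """Return a list of red flags for a package of scan report metadata.

    reports: dict report_name -> dict with keys
      scan_date (date), engine_version (str), audit_file_date (date),
      device_count (int), total_findings (int), registry_audit_ok (bool)
    expected_devices: device count taken from the SSAA and topology diagram.
    """
    flags = []
    missing = [name for name in REQUIRED_REPORTS if name not in reports]
    if missing:
        flags.append(f"missing report(s): {', '.join(missing)}")
    present = [reports[n] for n in REQUIRED_REPORTS if n in reports]
    if not present:
        return flags

    # All three reports are generated at the same time by the same engine,
    # so their dates and engine versions must agree.
    if len({r["scan_date"] for r in present}) > 1:
        flags.append("scan dates differ between reports")
    if len({r["engine_version"] for r in present}) > 1:
        flags.append("scan engine versions differ between reports")

    for name in REQUIRED_REPORTS:
        r = reports.get(name)
        if r is None:
            continue
        # Audit files must be current relative to the scan date.
        age = r["scan_date"] - r["audit_file_date"]
        if age < timedelta(0):
            flags.append(f"{name}: audit file dated after the scan")
        elif age > AUDIT_FILE_MAX_AGE:
            flags.append(f"{name}: audit files {age.days} days old at scan time")
        # Device count must match what the SSAA and topology diagram identify.
        if r["device_count"] != expected_devices:
            flags.append(f"{name}: {r['device_count']} devices scanned, "
                         f"SSAA/topology lists {expected_devices}")
        # A null session cannot audit the registry; credentials must be sufficient.
        if not r["registry_audit_ok"]:
            flags.append(f"{name}: credentials could not audit the registry (null session?)")
        # A scan showing all zeroes is a red flag, not a clean result.
        if r["total_findings"] == 0:
            flags.append(f"{name}: zero findings reported (red flag, verify credentials and scope)")
    return flags


def _report(scan, audit, devices, findings, ok=True, engine="5.x-constructed"):
    """Build one constructed report metadata record."""
    return {"scan_date": scan, "audit_file_date": audit, "device_count": devices,
            "total_findings": findings, "registry_audit_ok": ok, "engine_version": engine}


# Constructed sample packages (not real scan output).
SCAN_DAY = date(2007, 3, 12)
GOOD_PACKAGE = {name: _report(SCAN_DAY, date(2007, 3, 1), 14, 37) for name in REQUIRED_REPORTS}
BAD_PACKAGE = {
    "Executive":   _report(SCAN_DAY, date(2006, 11, 20), 14, 0, ok=False),
    "Remediation": _report(SCAN_DAY - timedelta(days=3), date(2007, 3, 1), 11, 37,
                           engine="4.x-constructed"),
}

if __name__ == "__main__":
    for flag in check_scan_package(BAD_PACKAGE, expected_devices=14):
        print("FLAG:", flag)
```

Running the script prints the flags for the constructed bad package: the missing Summary report, mismatched dates and engines, stale audit files, a device count that does not match the SSAA, a registry audit that failed, and an all-zero Executive report. A clean package returns an empty list.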
Ports, Protocols and Services
• Verify the Ports, Protocols and Services list against the PPS CAL, which is updated frequently at: http://iase.disa.mil/ports/index.html
• NIPR: UTNpp; SIPR: CNTpp
• Watch for differences between Ports and Protocols that use the same number. Example: the DMS application uses IP Protocols 50 and 51 (ESP and AH), which are authorized; these are IP protocol numbers, not TCP/UDP ports 50 and 51.
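Because a bare number such as 50 can name either an IP protocol (ESP, as used by DMS) or a TCP/UDP port, a PPS check should always carry the transport with the number and refuse entries that omit it. The following is an added example, not from the original deck or from DISA; the allowlist and observed entries are constructed, and the entry syntax ("ip/50", "tcp/443", or a protocol name such as "esp") is this example's own convention, not the format of the PPS CAL.

```python
"""Normalize Ports/Protocols/Services entries so that an IP protocol number
and a TCP/UDP port with the same number are never confused.
Added example; the entry syntax and the sample lists are this example's own."""

# IANA-assigned IP protocol numbers relevant to the DMS example in the deck.
IP_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
TRANSPORTS = ("ip", "tcp", "udp")


def parse_pps_entry(entry):
    """Return a (transport, number) tuple for one entry.

    Accepted forms (this example's convention):
      "ip/50", "tcp/443", "udp/53"  -> explicit transport and number
      "esp", "ah"                   -> IP protocol by name -> ("ip", 50) / ("ip", 51)
    A bare number such as "50" is rejected: without a transport it is
    ambiguous (IP protocol 50 is ESP; TCP port 50 is something else entirely).
    """
    text = entry.strip().lower()
    if text in IP_PROTOCOL_NUMBERS:
        return ("ip", IP_PROTOCOL_NUMBERS[text])
    if "/" not in text:
        raise ValueError(f"ambiguous PPS entry {entry!r}: transport is required")
    transport, number = text.split("/", 1)
    if transport not in TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r} in {entry!r}")
    if not number.isdigit():
        raise ValueError(f"non-numeric port/protocol in {entry!r}")
    value = int(number)
    limit = 255 if transport == "ip" else 65535   # protocol numbers are 8-bit, ports 16-bit
    if not 0 <= value <= limit:
        raise ValueError(f"{entry!r} out of range for {transport}")
    return (transport, value)


def unauthorized_entries(observed, allowlist):
    """Return observed (transport, number) tuples absent from the allowlist.

    Both inputs are iterables of entry strings. Comparison happens on the
    normalized tuples, so an observed "tcp/50" does not match an allowed
    "ip/50" even though both carry the number 50.
    """
    allowed = {parse_pps_entry(e) for e in allowlist}
    flagged = []
    for entry in observed:
        normalized = parse_pps_entry(entry)
        if normalized not in allowed and normalized not in flagged:
            flagged.append(normalized)
    return flagged


# Constructed sample data (not an extract of the real PPS CAL).
APPROVED = ["esp", "ah", "tcp/443", "udp/53"]            # DMS: IP protocols 50 and 51
OBSERVED = ["ip/50", "ip/51", "tcp/50", "TCP/443", "udp/51"]

if __name__ == "__main__":
    for transport, number in unauthorized_entries(OBSERVED, APPROVED):
        print("not in PPS allowlist:", f"{transport}/{number}")
```

With the constructed lists, only tcp/50 and udp/51 are reported: the IP protocols 50 and 51 observed are the authorized ESP and AH, while the TCP and UDP ports with the same numbers are not on the list.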
CTO 06-02
CTO 06-02 requires monthly scans in order to verify IAVA compliance.
Test Case Content
Test Cases shall contain the following information at a minimum:
• Test ID
• Requirement ID
• Test Objective
• Test Methodology (Interview, Document Review, Observe, Test)
• Test Steps
• Expected Results
• Actual Results
Sample Test Case
Test ID: NET-24
Requirement ID: VIVM-1
Test Objective: Ensure that the organization is in compliance with the DoD Information Assurance Vulnerability Management (IAVM) program and that a written and signed compliance policy is put into effect.
Test Methodology: Interview, Document Review
Procedure Script:
1. Verify that the organization is included in distribution for DoD/CERT Information Assurance Vulnerability Alerts (IAVA).
2. Ensure that personnel responsible for tracking and responding to specific IAVAs based on technical content or system responsibilities have been identified in writing.
3. Check to ensure that the vulnerability management policy includes a system of notification and compliance reporting for all vulnerability-related alerts.
4. Identify all system resources that have been allocated for use in testing patches, fixes, workarounds, upgrades, etc., for applicable vulnerabilities as described in IAVAs or equivalent notification vehicles.
Expected Result: The organization is in compliance with the DoD IAVM program and a written and signed compliance policy is in effect.
Actual Results:
Risk Assessment
1. For each failed test there must be an entry in the Risk Assessment.
2. After the entry is entered, the likelihood of exploitation of that vulnerability must be determined.
3. Once the likelihood is determined, the magnitude of impact if that vulnerability is exploited must be determined.
4. The likelihood and magnitude are both used to generate a risk level.
5. Then a mitigation (or countermeasure) is listed, if one exists.
6. The risk level combined with this mitigation produces the residual risk.
Risk Assessment – Likelihood
The likelihood of the risk is how likely it is that the vulnerability will be exploited. The table below shows the ratings for likelihood.

Rating | Definition
Likely | The attack requires a minimal combination of effort and coincidence of events to succeed, and/or the threat-agent is both motivated and capable.
Possible | The attack requires moderate effort and coincidence of events to succeed. The threat-agent has some of the resources required and/or a moderate level of motivation.
Unlikely | Countermeasures are in place to prevent or significantly impede successful exploitation, and/or the threat-agent lacks motivation or capability.
Risk Assessment – Magnitude of Impact
The raw risk finding indicates the magnitude of impact if this vulnerability were exploited. The table below indicates the ratings used for magnitude.

Rating | Definition
High | Successful exploitation could result in substantial impact to the organization, including unavailability, disclosure, modification, or destruction of valued data or other system assets, loss of system services for an unacceptable period of time, or possibly injury to or death of personnel.
Medium | Successful exploitation could result in moderate impact to the organization, such as discernible but recoverable unavailability, disclosure, modification, or destruction of data or other system assets or services.
Low | Unavailability, disclosure, modification, or destruction of data or degradation of system assets and services are easy to detect and correct, and the impact to the organization is minor.
Risk Assessment – Risk Levels
A Risk Level is derived by taking the likelihood rating and comparing it to the magnitude rating. Once that is done, the risk level is read from the table below.

Likelihood of Exploitation | Magnitude of Impact: High | Medium | Low
Unlikely | Low or Medium | Low | Low
Possible | High | Medium | Low
Likely | High | High | Medium or High
Risk Assessment – Residual Risk
After the risk level is set, any mitigation can reduce it by at most one value. For example: with mitigation, a risk level of High becomes Medium. These mitigations must be realistic and will be heavily questioned by the reviewers at both the CA and the ODAA. Claims of false positives from automated tools and mitigation strategies must be supported by raw data or documentation to be acceptable to the reviewer.
Risk Assessment – Mitigation Example
IA Control: VIVM-1
Test Case/Procedure Name: NET-24
Vulnerability: No one is established in writing to handle the IAVA process.
Likelihood of Occurrence: Unlikely
Magnitude of Impact: High
Risk Level: Medium
Mitigation: The Network Security Officer oversees the installation of IAVAs as part of his day-to-day duties.
Residual Risk: Low
Risk Assessment – Summary of Risk
All of the residual risk results are tallied together to produce an overall risk, or summary of risk. The following criteria are used to derive the summary of risk:
• If there is at least one High individual risk, the overall residual risk must be High.
• If there is at least one Medium individual risk, the overall residual risk must be at least Medium.
• If there are only Low individual risk items, the overall residual risk is Low.
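The six Risk Assessment steps, the likelihood and magnitude ratings, the risk level table, the one-step mitigation rule and the summary rule, carried through in code on the deck's own NET-24 example. This is an added example, not from the original deck or from the Navy CA: the class and function names are this example's own, the supporting evidence attached to the NET-24 mitigation is constructed, and treating an unsupported mitigation as giving no reduction, and defaulting a two-valued cell ("Low or Medium", "Medium or High") to the higher value when the analyst records no choice, are assumptions drawn from the reviewer guidance above rather than rules the deck states.

```python
"""Risk level, residual risk and summary of risk as laid out in the deck.
Added example; names, the NET-24 evidence and the two defaults noted in
the comments are this example's own assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

LEVELS = ("Low", "Medium", "High")          # ordered least to most severe
LIKELIHOODS = ("Unlikely", "Possible", "Likely")
MAGNITUDES = ("High", "Medium", "Low")

# Risk level table from the deck: row = likelihood, column = magnitude of impact.
# Two-entry cells are the deck's "Low or Medium" and "Medium or High".
RISK_TABLE = {
    "Unlikely": {"High": ("Low", "Medium"), "Medium": ("Low",),   "Low": ("Low",)},
    "Possible": {"High": ("High",),         "Medium": ("Medium",), "Low": ("Low",)},
    "Likely":   {"High": ("High",),         "Medium": ("High",),   "Low": ("Medium", "High")},
}


@dataclass
class Mitigation:
    description: str
    evidence: Tuple[str, ...] = ()    # raw data or documentation supporting the claim


@dataclass
class Finding:
    ia_control: str
    test_case: str
    vulnerability: str
    likelihood: str
    magnitude: str
    mitigation: Optional[Mitigation] = None
    analyst_choice: Optional[str] = None   # the analyst's pick in a two-valued cell


def risk_level(likelihood, magnitude, analyst_choice=None):
    """Step 4: derive the risk level from the table.

    For a two-valued cell the analyst's recorded choice is used when it is
    one of the allowed values; otherwise the higher value is taken
    (assumption: the deck leaves the choice to the analyst and gives no default).
    """
    options = RISK_TABLE[likelihood][magnitude]
    if len(options) == 1:
        return options[0]
    if analyst_choice in options:
        return analyst_choice
    return max(options, key=LEVELS.index)


def residual_risk(level, mitigation):
    """Steps 5 and 6: at most one step of reduction for a supported mitigation.

    A mitigation with no raw data or documentation behind it is treated as
    not acceptable to the reviewer (assumption) and gives no reduction.
    """
    if mitigation is None or not mitigation.evidence:
        return level
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


def assess(finding):
    """Return (risk_level, residual_risk) for one Risk Assessment entry."""
    if finding.likelihood not in LIKELIHOODS or finding.magnitude not in MAGNITUDES:
        raise ValueError("likelihood and magnitude must use the deck's ratings")
    level = risk_level(finding.likelihood, finding.magnitude, finding.analyst_choice)
    return level, residual_risk(level, finding.mitigation)


def summary_of_risk(residuals):
    """Overall residual risk: High if any High, else Medium if any Medium, else Low."""
    if not residuals:
        raise ValueError("summary requires at least one residual risk value")
    return max(residuals, key=LEVELS.index)


# The deck's NET-24 mitigation example; the evidence items are constructed.
NET_24 = Finding(
    ia_control="VIVM-1",
    test_case="NET-24",
    vulnerability="No one is established in writing to handle the IAVA process.",
    likelihood="Unlikely",
    magnitude="High",
    mitigation=Mitigation(
        "The Network Security Officer oversees the installation of IAVAs "
        "as part of his day-to-day duties.",
        evidence=("NSO position description", "IAVA installation log"),
    ),
    analyst_choice="Medium",
)

if __name__ == "__main__":
    level, residual = assess(NET_24)
    print(NET_24.test_case, "risk level:", level, "residual risk:", residual)
    print("summary of risk:", summary_of_risk([residual, "Medium"]))
```

For NET-24 the table gives "Low or Medium"; the deck records Medium, and the supported mitigation brings the residual risk to Low, matching the slide. Drop the evidence from the Mitigation and the residual stays at Medium, which is how a reviewer at the CA or ODAA would treat an unsupported claim.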
Implement and Validate IACs
• Finalize documentation and system configuration for the Risk Assessment (PM/IAM)
• Load all artifacts and declare when ready for the Validator
POA&Ms
Validation Report and POA&M Templates
In order for this template to be successfully utilized, macros must be enabled. The status column from the Validation Report is tied to the status in the POA&M. The valid status selections are Open, Closed and Inherited. The Status on the POA&M will be automatically updated when changes are made to the Validation Report. Upon completion of any or all tests identified in the Validation Report, press the Update POA&M button. This action will automatically move any Closed or Inherited items to the appropriate tab. Also note that if the status is changed back to Open, the item will automatically be returned to the Open tab. If any additional tests are added onto the Validation Report, they will have to be manually added onto the POA&M, and they will also have to be manually moved to the Closed and Inherited tabs.
[Flowchart: Development -> Operation: NUDOP Env, IACs, Collaboration, Test (Lab), ATO, Operate, IV&V]