
Defense Counterintelligence and Security Agency Assessment ...


National Industrial Security Program Authorization Office
Version 9, March 2020
Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual

EXECUTIVE SUMMARY

U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. This Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP). Federal agencies, to include the Department of Defense (DoD), Special Access Program (SAP), and Intelligence Communities, are adopting common guidelines to streamline and build reciprocity into the Assessment and Authorization (A&A) process, formerly known as Certification and Accreditation (C&A).

The DAAPM transitions the DCSA C&A processes to the Risk Management Framework (RMF) made applicable to cleared contractors by DoD , Change 2, National Industrial Security Program Operating Manual (NISPOM), issued on May 18, 2016. The DAAPM implements RMF processes and guidelines from the following publications: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; NIST SP 800-53, Version 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organization; the Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Categorization and Control Selection for National Security Systems; and Committee on National Security Systems Directive (CNSSD) 504, Directive on Protecting National Security Systems From Insider Threat. The DAAPM also incorporates Insider Threat minimum requirements defined in the NISPOM, which are consistent with the requirements of Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing of Classified Information, and the Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Threat Programs. Changes to these core documents will be incorporated through the Change Management Process outlined in Section 2 of this manual. This process manual is not intended to be relied upon or construed to create any right or benefit, substantive or procedural, enforceable by law against the United States, its agencies, officers or employees.

The Federal Government reserves the right, and has the obligation, to impose any security method, safeguard, or restriction it believes necessary to insure and verify unauthorized access to classified information is effectively denied and that performance of classified contracts is not adversely affected. This DAAPM supersedes all previous versions of the DAAPM and Office of the Designated Approving Authority (ODAA) Process Manuals.

TABLE OF CONTENTS

EXECUTIVE SUMMARY .. i
1 INTRODUCTION .. 1
  BACKGROUND .. 1
  APPLICABILITY AND .. 1
  REFERENCES .. 1
  CHANGES IN TERMINOLOGY .. 2
2 CHANGE MANAGEMENT PROCESS .. 3
3 ROLES AND RESPONSIBILITIES .. 4
  AUTHORIZING OFFICIAL (AO) .. 4
  SECURITY CONTROL ASSESSOR (SCA) .. 5
  COMMON CONTROL PROVIDER (CCP) .. 5
  INFORMATION OWNER (IO) .. 6
  INFORMATION SYSTEM OWNER (ISO) .. 6
  INFORMATION SYSTEM SECURITY MANAGER (ISSM) .. 7
  INFORMATION SYSTEM SECURITY OFFICER (ISSO) .. 10
  FACILITY SECURITY OFFICER (FSO) .. 10
  PRIVILEGED USER .. 11
  GENERAL .. 12
4 SECURITY TRAINING .. 13
  PRIVILEGED USER TRAINING .. 13
  GENERAL USER TRAINING .. 14
  DATA TRANSFER AGENT (DTA) TRAINING .. 14
5 RISK MANAGEMENT FRAMEWORK .. 15
  INTRODUCTION TO THE RISK MANAGEMENT FRAMEWORK (RMF) .. 15
  FUNDAMENTALS OF THE RMF .. 17
6 ENTERPRISE MISSION ASSURANCE SUPPORT SERVICE (EMASS) .. 17
  EMASS WORKFLOW .. 18
  EMASS APPROVAL CHAIN .. 18
7 ASSESSMENT AND AUTHORIZATION IMPLEMENTATION GUIDANCE .. 19
  PREPARE .. 19
    PREPARE STEP TASKS .. 19
    PREPARE STEP SUPPORTING INFORMATION .. 21
    PREPARE STEP OUTPUTS .. 21
    PREPARE STEP REFERENCES AND RESOURCES .. 22
  CATEGORIZE .. 22
    CATEGORIZE STEP TASKS .. 25
    CATEGORIZE STEP OUTPUTS .. 25
    CATEGORIZE STEP REFERENCES AND RESOURCES .. 25
  SELECT .. 26
    SELECT STEP TASKS .. 26
    SELECT STEP OUTPUTS .. 28
    SELECT STEP REFERENCES AND RESOURCES .. 28
  IMPLEMENT .. 29
    IMPLEMENT TASKS .. 29
    IMPLEMENT STEP OUTPUTS .. 29
    IMPLEMENT STEP REFERENCES AND RESOURCES .. 30
  ASSESS .. 30
    ASSESS STEP TASKS .. 30
    ASSESS STEP OUTPUTS .. 34
    ASSESS STEP REFERENCES AND RESOURCES .. 34
  AUTHORIZE .. 35
    AUTHORIZE STEP TASKS .. 35
    AUTHORIZE STEP SUPPORTING INFORMATION .. 36
    AUTHORIZE STEP OUTPUTS .. 37
    AUTHORIZE STEP REFERENCES AND RESOURCES .. 37
  MONITOR .. 37
    MONITOR STEP TASKS .. 38
    MONITOR STEP OUTPUTS .. 41
    MONITOR STEP REFERENCES AND RESOURCES .. 41
8 AUTHORIZATION BOUNDARIES .. 42
9 TYPES OF SYSTEMS .. 43
  STANDALONE SYSTEMS .. 43
  LOCAL AREA NETWORK (LAN) .. 43
  WIDE AREA NETWORK (WAN) .. 43
  ENTERPRISE WIDE AREA NETWORK (EWAN) .. 44
  UNIFIED WIDE AREA NETWORK (WAN) .. 44
  INTERCONNECTED SYSTEMS .. 44
  INTERNATIONAL INTERCONNECTIONS .. 48
  FEDERAL INFORMATION SYSTEMS .. 49
  PROPOSAL SYSTEMS .. 51
  SPECIAL CATEGORIES .. 52
  TACTICAL, EMBEDDED, DATA-ACQUISITION, LEGACY, AND SPECIAL-PURPOSE SYSTEMS .. 53
  MOBILE SYSTEMS .. 53
  DISKLESS WORKSTATION .. 54
  MULTIFUNCTION DEVICES .. 54
  VIRTUALIZATION .. 54
  TEST EQUIPMENT .. 54
  VIDEO TELECONFERENCE (VTC) .. 55
  VIDEO DISTRIBUTION SYSTEM (VDS) .. 55
  PERIPHERALS .. 55
10 DEPARTMENT OF DEFENSE INFORMATION NETWORK (DODIN) .. 56
11 CROSS DOMAIN SOLUTION (CDS) .. 57
12 AUDIT VARIANCE .. 57
13 TYPE AUTHORIZATION .. 58
APPENDIX A: SECURITY CONTROLS (DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY ORGANIZATIONAL VALUES) .. 59
APPENDIX B: DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY OVERLAYS .. 60
APPENDIX C: RISK ASSESSMENT REPORT TEMPLATE .. 77
APPENDIX D: PLAN OF ACTION AND MILESTONES TEMPLATE .. 84
APPENDIX E: RISK MANAGEMENT FRAMEWORK SECURITY PLAN SUBMISSION AND CERTIFICATION STATEMENT .. 85
APPENDIX F: INFORMATION SYSTEM SECURITY MANAGER APPOINTMENT LETTER .. 86
APPENDIX G: HARDWARE LIST .. 87
APPENDIX H: SOFTWARE LIST .. 88
APPENDIX I: SYSTEM DIAGRAM/NETWORK TOPOLOGY .. 89
APPENDIX J: RECORD OF CONTROLLED AREA .. 90
APPENDIX K: INFORMATION SYSTEM ACCESS AUTHORIZATION AND BRIEFING FORM .. 91
APPENDIX L: INFORMATION SYSTEM PRIVILEGED ACCESS AUTHORIZATION AND BRIEFING FORM .. 94
APPENDIX M: UPGRADE/DOWNGRADE PROCEDURE RECORD .. 97
APPENDIX N: SECURITY SEAL LOG .. 98
APPENDIX O: MAINTENANCE, OPERATING SYSTEM, & SOFTWARE CHANGE .. 99
APPENDIX P: DATA TRANSFER PROCEDURES .. 100
APPENDIX Q: CONTINGENCY PLAN TEMPLATE .. 109
APPENDIX R: INCIDENT RESPONSE PLAN TEMPLATE .. 117
APPENDIX S: CLASSIFIED SPILL CLEANUP PROCEDURES .. 121
APPENDIX T: MEDIA SANITIZATION .. 125
APPENDIX U: MOBILITY SYSTEM PLAN TEMPLATE .. 132
APPENDIX V: FEDERAL IS REQUEST TEMPLATE .. 138
APPENDIX W: GOVERNMENT-TO-CONTRACTOR ISA TEMPLATE .. 140
APPENDIX X: WARNING BANNER .. 144
APPENDIX Y: ACRONYMS .. 145
APPENDIX Z: DEFINITIONS .. 150
APPENDIX AA: REFERENCES .. 157

1 INTRODUCTION

BACKGROUND

Federal agencies have adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (IS). The Defense Counterintelligence and Security Agency (DCSA) adopted these standards in an effort to streamline and build reciprocity across all federal agencies and to ensure all cleared contractor systems that process classified information as part of the National Industrial Security Program (NISP) are authorized under the RMF A&A process. The RMF focuses on a more holistic and strategic process for the risk management of systems, and on processes and procedures designed to develop trust across the Federal Government.
