DEPARTMENT OF DEFENSE (DOD) JOINT SPECIAL ACCESS PROGRAM (SAP) IMPLEMENTATION GUIDE (JSIG)
11 April 2016

NOTE: This version of the JSIG is based on NIST SP 800-53, Rev 4 and CNSSI 1253, March 2014.

Chapter 1 - Introduction and Roles, Page 1-1

PREFACE

The Risk Management Framework (RMF) is a framework designed to be tailored to meet organizational needs while providing adequate risk management of data and information systems. Transformation to the RMF is a daunting task and we appreciate all the effort to date within the Department and Industry. We applaud all the hard work of the Joint SAP Cybersecurity Working Group (JSCS WG) and the spectacular leadership of the individuals who created this joint coalition of the willing.


Special Access Programs represent some of the Department's most sensitive information and must be protected accordingly. We can no longer rely on physical isolation as a primary risk mitigation strategy. Threats and risks often outpace our ability to implement robust, multi-disciplinary countermeasures. The cost and time to develop threats to our data almost always pale in comparison to the cost and time to implement countermeasures. Given the rapid increase in cybersecurity threats and prioritization from the SECDEF, the senior cybersecurity professionals responsible for authorizing information systems to process SAP have identified three security controls which offer mitigations so significant they can no longer be tailored.

Beginning in this revision of the JSIG, we are introducing controls that are not tailorable. Historically, the ability to tailor controls has been delegated to the field, but senior leadership is no longer willing to accept the risk of high-volume data loss. Recognizing there may be extreme situations in which it is not feasible to implement these controls in their entirety, the authority to tailor or modify these controls is delegated to the component SAP Senior Authorizing Official. This waiver authority cannot be further delegated. The establishment of a Senior Authorizing Official for each DoD component will elevate the status of cybersecurity functions so they more effectively influence Department-wide strategy, policy, and investments.

Summary of Changes:

Establishment of Component SAP Senior Authorizing Officials
  o Each DoD component responsible for authorizing SAP information systems shall assign in writing a SAP Senior Authorizing Official for the component. This SAP Senior Authorizing Official shall be the waiver authority for non-tailorable controls. This authority cannot be delegated. Waivers to these controls will be submitted to the DoD SAPCO and DoD SAP CIO within 30 days of approval.

Establishment of non-tailorable controls
  o See AC-6(1), Least Privilege | Authorize Access to Security Functions. System endpoint protection shall not be tailored out.
  o See SA-22, Unsupported System Components. Added to the baseline and required to be implemented on all SAP systems.
  o See SC-28, Protection of Information at Rest. Encryption of data at rest shall be implemented for all SAP systems.

The entirety of this document is effective immediately.

Policy

The policy of the Government is that all classified information be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides standardized security policies and procedures for use in the management of all networks, systems, and components under the purview of the Department of Defense (DoD) Special Access Program Central Office (SAPCO) and DoD Service/Agency SAPCOs. This guidance applies to the DoD SAP Community and all networks, information systems, weapon systems, and applications for which the cognizant SAP Authorizing Official (AO) has management or oversight responsibility, regardless of the physical location.

Responsibilities

The Joint SAP Cybersecurity Working Group (JSCS WG) is chartered to provide DoD SAP cybersecurity implementation guidance. The JSCS WG provides organizations within the DoD SAP Community a forum to address all aspects of cybersecurity. JSCS WG functions and activities related to RMF include:

  - Promote DoD SAP Community coordination in methodologies for assessing and authorizing SAP information systems and related areas (e.g., documentation, tools, assessment methods, processes) to provide for consistency in methodologies, approaches, templates, and organization-defined values across the DoD SAP Community
  - Develop, maintain, and periodically update the policies and procedures related to RMF to include, as needed, JSIG, security control overlays, RMF training, templates, and other supporting documentation
  - Promote, review, and update training and awareness objectives, material, and availability for all service, agency, and industry partners on cybersecurity, emphasizing insider threat, community best practices, and RMF

Additional information on roles and responsibilities related to the Risk Management Framework can be found in the Roles and Responsibilities section of this chapter.

Effective Date

This document is effective immediately, and organizations should begin tracking the changes from the Revision 3 to Revision 4 security controls (new, modified, and deleted) in an information system POA&M, with a focus on the three non-tailorable controls identified above. Components may also provide additional transition guidance. This document must be reissued, cancelled, or certified current within 5 years of its publication to be considered current.

David B. Been
Brigadier General, USAF
Director, Special Access Program Central Office

Kenneth R. Bowen
Chief Information Officer for DoD Special Access Programs

TABLE OF CONTENTS

TABLE OF CONTENTS .. 4
1 INTRODUCTION AND ROLES .. 11
  INTRODUCTION .. 11
  PURPOSE AND APPLICABILITY .. 12
  RECIPROCITY .. 12
  CHANGES IN .. 13
  ROLES AND RESPONSIBILITIES .. 14
    Agency/Component Head .. 14
    Risk Executive (Function) .. 14
    Chief Information Officer (CIO) .. 15
    Chief Information Security Officer (CISO) .. 15
    Authorizing Official (AO) .. 16
    Delegated Authorizing Official (DAO) .. 17
    Security Control Assessor (SCA) .. 17
    Common Control Provider (CCP) .. 18
    Program Security Officer (PSO) .. 18
    Information Owner/Steward .. 18
    Mission/Business Owner (MBO) .. 18
    Information System Owner (ISO) .. 19
    Information System Security Engineer (ISSE) .. 20
    Information System Security Manager (ISSM) .. 20
    Information System Security Officer (ISSO) .. 21
    Privileged Users .. 22
    General Users .. 22
  DOCUMENT ORGANIZATION AND USE .. 22
2 RISK MANAGEMENT FRAMEWORK (RMF) .. 24
  INTRODUCTION TO THE RMF .. 24
  FUNDAMENTALS OF THE RMF .. 25
    Organization-Wide Risk Management .. 25
    System Development Life Cycle (SDLC) .. 26
    Information System .. 28
  RMF SIX-STEP PROCESS .. 30
    RMF Step 1, Categorize .. 30
    RMF Step 2, Select .. 33
    RMF Step 3, Implement (Develop/Build) .. 35
    RMF Step 4, Assess (Test) .. 35
    RMF Step 5, Authorize (Deploy/Operate) .. 36
    RMF Step 6, Monitor .. 38
3 POLICY AND PROCEDURES .. 41
  FAMILY: ACCESS CONTROL .. 43
    AC-1 ACCESS CONTROL POLICY AND PROCEDURES .. 43
    AC-2 ACCOUNT MANAGEMENT .. 43
    AC-3 ACCESS ENFORCEMENT .. 48
    AC-4 INFORMATION FLOW ENFORCEMENT .. 51
    AC-5 SEPARATION OF DUTIES .. 58
    AC-6 LEAST PRIVILEGE .. 59
    AC-7 UNSUCCESSFUL LOGON ATTEMPTS .. 61
    AC-8 SYSTEM USE NOTIFICATION .. 62
    AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION .. 63
    AC-10 CONCURRENT SESSION CONTROL .. 63
    AC-11 SESSION LOCK .. 64
    AC-12 SESSION TERMINATION .. 64
    AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL .. 65
    AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION .. 65
    AC-15 AUTOMATED MARKING .. 66
    AC-16 SECURITY ATTRIBUTES .. 66
    AC-17 REMOTE ACCESS .. 69
    AC-18 WIRELESS ACCESS
