Issep Study Deck

Card Set Information

Author:
Anonymous
ID:
307870
Filename:
Issep Study Deck
Updated:
2015-09-15 13:17:46
Tags:
ISSEP
Folders:

Description:
Isc2 Issep Study Deck (Cram)

The flashcards below were created by user Anonymous on FreezingBlue Flashcards.


  1. What does CNSS stand for?
    Committee for National Security Systems
  2. Why is Executive Order 13231 significant?
    major milestone document establishing the President’s intent to secure the national infrastructure
  3. What does NIAC stand for?
    National Infrastructure Advisory Council
  4. What does NSTAC stand for?
    National Security Telecommunications Advisory Committee
  5. What does EO 13231 require?
    that the responsible personnel oversee, develop, and ensure implementation of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control
  6. What does EO 13231 establish?
    * Voluntary public–private partnership
    * Provided the Director OMB increased responsibility
    * NIAC
    * NSTAC
  7. What policy created CNSS?
    Executive Order 13231
  8. What agency chairs the CNSS?
    DoD
  9. What is the effective date of EO 13231?
    16 OCT 2001
  10. What is the ISSEP definition of availability?
    Timely, reliable access to data and information services for authorized users
  11. What is the ISSEP definition of integrity?
    Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
  12. What is the ISSEP definition of confidentiality?
    Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
  13. What is the ISSEP definition of access control?
    Limiting access to information system resources only to authorized users, programs, processes, or other systems.
  14. What is the ISSEP definition of authentication?
    Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
  15. What is the ISSEP definition of non–repudiation?
    Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
  16. What is a National Security System?
    A system that:
    * Involves intelligence activities
    * Involves cryptologic activities related to national security
    * Involves command and control of military forces
    * Involves equipment that is an integral part of a weapon or weapons system
    * Is critical to the direct fulfillment of military or intelligence missions
  17. According to NIST, what are the phases of the Systems Development Life Cycle (SDLC)?
    1. Initiation
    2. Develop/Acquire
    3. Implement
    4. Ops/Maintenance
    5. Disposal
  18. What is C&A?
    The standard DoD approach for: identifying IS requirements, providing security solutions, and managing the security of DoD ISs
  19. What are the general phases of C&A?
    1. Define Problem
    2. Risk Assessment
    3. Implement Controls
    4. Certification
    5. Accreditation
    6. Ops/Maintenance
    7. Disposal
  20. What are the phases of the Risk Management Framework?
    1. Categorize the IS
    2. Select security controls
    3. Implement security controls
    4. Assess security controls
    5. Authorize IS
    6. Monitor security controls
  21. With respect to the RMF, what are the contributing factors to categorize the IS?
    ~ Architecture Description
    ~ Organizational Input
  22. What are the components of the RMF architecture description?
    ~ Architecture reference models
    ~ Segment and solution architectures
    ~ Mission and business processes
    ~ Information system boundaries
  23. What are the components of the RMF organizational inputs?
    ~ Laws and directives
    ~ Policy guidance
    ~ Strategic goals and objectives
    ~ Priorities and resource availability
    ~ Supply chain considerations
  24. What government inputs should be considered when developing security requirements?
    ~ Statutory (USC, ACT, HR, Title, Public Law)
    ~ Regulatory (EO/PD, OMB, Cabinet/Agency Policy)
    ~ Processing Standards (FIPS, CNSS, NIST standards)
    ~ Guidelines (NIST SPs, STIGs)
  25. What is the organizational role and authority of The White House?
    Executive Office given statutory authority to issue E.O., proclamations, PDD/HSPD, and similar documents that initiate action, stop action, or require general notice be given.
  26. What is the organizational role and authority of The US Congress?
    Legislative body responsible for the USC and the general, permanent laws of the nation that it contains. Congress holds the power to authorize the appropriation of federal spending to carry out government activities.
  27. What is the organizational role and authority of OMB?
    Evaluates expenditure effectiveness, and provides oversight of Administration procurement, fiscal management, information and regulatory policy
  28. What is the organizational role and authority of NSA?
    Has responsibility for ensuring that all cryptographic methods and systems used to protect USFG information and systems are sufficiently strong; for penetrating adversary systems and codes; and for ensuring that all national security information is protected appropriately whether in transit or at rest
  29. What is the organizational role and authority of NIST?
    Has responsibility to ensure that standards and measures are developed to improve performance, and charged by law with responsibility for information security standards, metrics, tests, and various other means to support agencies' missions. Issues SP, FIPS, ITL Bulletins, NISTIR, and other guidance.
  30. What is the organizational role and authority of NIAP?
    NIAP is an initiative partnership between the NIST and the NSA to evaluate and attempt to meet the needs and requirements of IT/IA product producers and consumers to evaluate functionality and pedigree.
  31. What does OMB stand for?
    Office of Management and Budget
  32. What does NIST stand for?
    National Institute of Standards and Technology
  33. What does NIAP stand for?
    National Information Assurance Partnership
  34. What is the organizational role and authority of CNSS?
    Formerly known as NSTISSC, the CNSS provides a participative forum to examine national policy and promulgates direction, operational procedures and instructions (CNSSI), and other forms of authoritative guidance for national security systems.
  35. What is the significance of EO 13228?
    Establishing the Office of Homeland Security and the HS Council (2001) – Initiates a comprehensive strategy to secure the US from terrorist attacks.
  36. What is the significance of EO 13231?
    CIP in the Information Age (2001) ~ which states policy to protect CI against compromise. Renamed NSTISSC to CNSS.
  37. What is the significance of HSPD–7?
    Homeland Security Directive 7 (2003) ~ which directs the identification and prioritization of CI assets and key resources to protect them from terrorist attacks. Supersedes PDD–63.
  38. What is the significance of HSPD–12?
    Homeland Security Directive 12 (2004) ~ which directs a common identification standard that is “secure and reliable” to verify employee identity.
  39. What is Public Law 100–235, Title 101, Statute 1724?
    The Computer Security Act of 1987
  40. What does the Computer Security Act of 1987 establish?
    ~ Improve security/privacy of sensitive information in federal systems
    ~ Federal agencies to establish standards & guidelines
    ~ Requires that any federal computer system that processes sensitive information have a customized security plan (SSAA)
    ~ Requires that users of those systems undergo security training. NIST responsible, NSA to advise.
    ~ Assessing the vulnerability of federal computer systems
    ~ Developing standards
    ~ Providing technical assistance with NSA support
    ~ Developing training guidelines for federal personnel
  41. What is the significance of the Privacy act of 1974?
    ~ Balance the government’s need to maintain information about individuals with the rights of individuals
    ~ Act focuses on four basic policy objectives:
      – Restrict disclosure
      – Increased rights of access to agency records
      – Grant individuals the right to seek amendment
      – Establish a code of “fair information practices”
  42. What is the significance of the Clinger–Cohen Act of 1996?
    ~ Established that every federal agency must have a CIO
    ~ Reformed Information Technology Management
    ~ Defined a National Security System
  43. What is the significance of OMB Circular A–130 Appendix III, 24 DEC 1985?
    Management of Federal Information Resources
    ~ Mandatory implementation of Computer Security Act and FISMA requirements
    ~ Defines adequate security
    ~ Provides specific practices and guidelines for implementation of the Paperwork Reduction Act
      – Established a mandate for agencies to perform their information resources management in an effective manner
    ~ Requires accreditation of federal IS’ to operate based on an assessment on management, operational, and technical controls
  44. What is the definition of adequate security (according to OMB Circular A–130)?
    “security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.…provide appropriate confidentiality, integrity, and availability, through the use of cost–effective management, personnel, operational, and technical controls.”
  45. What determines a systems criticality?
    mission
  46. What determines a systems sensitivity?
    confidentiality, integrity and availability
  47. What is Public Law 107–347, Title III?
    The E–Government Act of 2002, Federal Information Security Management Act
  48. What does the E–Government Act of 2002 establish?
    ~ OMB has Oversight over E–Government
      – Federal Government (Organizations and IG’s) must report IA status to OMB annually and quarterly
      – OMB provides reports to Congress annually
      – Congressional Cyber Security Grade
    ~ NIST publishes Standards and Guidelines
    ~ All Federal Government must follow NIST C&A processes, with the exception of Defense and Intelligence organizations.
  49. What does the 2000 update to OMB Circular A–130 add?
    ~ Risk–based approach to assess and react to threat and vulnerabilities
    ~ Security Plans and identification and correction of deficiencies
    ~ Incident Response capabilities
    ~ Interruption planning and continuity support
    ~ Technical controls consistent with NIST guidance
    ~ Periodic review of status and controls
    ~ Information sharing (MA only) and public access controls
    ~ Responsibility assignment
    ~ Periodic reporting of operational and security status
  50. What does M–00–13 establish?
    Privacy Policies and Data Collection on Fed. Websites A continuation and update of M–99–18 to add the mention of “cookies” and their impact, and to add as mandatory compliance with the Children’s Online Privacy Act (COPA–98) (2000).
  51. What does M–01–08 establish?
    Implementing GISRA (2001) – superseded by FISMA. Provides guidance to agency heads regarding GISRA implementation
  52. What does M–02–01 establish?
    Guidance for Preparing and Submitting Security Plans of Action and Milestones (Oct 2001)
  53. What are the required components of a POA&M according to OMB?
    ~ Weakness
    ~ POC
    ~ Resources Required
    ~ Scheduled Completion Date
    ~ Milestones with Completion Dates
    ~ Changes to Milestones
    ~ Identified in CFO Audit or other review?
    ~ Status
  54. What are the required components of a DIACAP POA&M?
    ~ Weakness
    ~ CAT (Severity Code)
    ~ IA Control and Impact Code
    ~ POC
    ~ Resources Required
    ~ Scheduled Completion Date
    ~ Milestones with Completion Dates
    ~ Changes to Milestones
    ~ Identified in CFO Audit or other review?
    ~ Status
    ~ Comments
  55. DoD 5200.28 ~ Title, Date issued and what superseded it?
    Security Requirements for Automated Information Systems, March 21, 1989 (updated under DOD 8500 series)
  56. DoD CIO Policy 10–8460 ~ Title and date
    Global Information Grid – Network Operations, Aug 24, 2000
  57. What are the types of DoD Issuances?
    ~ Directives (DoDD): policy documents that establish or describe requirements, missions, authorities, etc.
    ~ Memoranda (from SecDef): direct implementation of policy, legislation, EO; becomes DoDD 180 days later unless subject is classified or temporary.
    ~ Instructions (DoDI): describe policy implementation
    ~ Administrative (DoD AI): support supplement to DoDI
    ~ Publication (DoDP): provides procedures for DoDI
  58. What is DIAP?
    Defense–Wide IA Program. Mission is to ensure that information assets are protected through unified IA activities using D–in–D approaches in support of GIG Net–Centricity.
  59. What is DISA?
    Defense Information Systems Agency. Responsible for all aspects of systems engineering and support of GIG. Provides IASE as the clearinghouse location for all DoD IA info.
  60. What is NIAD?
    NSA IA Directorate. Provide required capability to support survival and success of all DoD missions.
  61. What is DARPA?
    R&D for DoD. Operates the OASIS program to provide robust capability to enable survival of DoD AIS against a sophisticated and motivated adversary.
  62. What is the high–level list of DoD IA Policy series?
    ~ 8500: General Policy
    ~ 8510: IA Certification and Accreditation
    ~ 8520: Security Management
    ~ 8530: Computer Network Defense
    ~ 8540: Interconnectivity
    ~ 8550: Network and Web
    ~ 8560: IA Monitoring
    ~ 8570: Education, Training, and Awareness
  63. Describe DoDP 8500.1
    Information Assurance (2003)
    Supersedes: 5200.28, 5200.28M, 5200.28STD and CIO Memorandum 6–8510.
    Applies to all DoD owned or controlled AIS
    Establishes policy and assigns responsibilities to achieve IA goals through Defense–in–Depth and integrates people, technology, and operations to support GIG.
  64. Describe DoDI 8500.2
    IA Implementation (2003)
    Accompanies: 8500.1 Information Assurance
    Provides guidance on how to implement 8500.1 policy to establish layered defenses IAW principles underlying GIG and D–in–D, defines controls for MAC levels, and defines Robustness levels:
    ~ Basic (~ to CC EAL 2)
    ~ Medium (~ to CC EAL 4)
    ~ High (~ to CC EAL 6)
  65. Describe DoDD 8570.1
    IA Training, Certification, and Workforce Management (2004) This directive describes the program for training and certification (qualifications, requirements, metrics, and more) for ensuring adequate security knowledge and skill in assigned duty positions.
  66. Describe DoDM 8570.1M
    IA Workforce Improvement Program (Change 1, 5/2008) This manual accompanies DoDD 8570.1, and provides details necessary to implement the program.
  67. Describe DoDI 500.2–R
    Mandatory Procedures for Major Defense Acquisition Programs (MDAPS) & Major Automated Information System (MAIS) Acquisition Programs (2001)
    This has been superseded effective December 2008, and replaced by DoDI 5000.02, which also cancels DoDI 5000.2 (2003).
    It called for risks and IA functions, capabilities, and features to be given consideration in the acquisition process of COTS and GOTS products.
  68. Describe DoDI 5200.40
    DITSCAP (1997)
    DoD C&A standard that outlines an iterative four–step process to accomplish the mission of operational deployment of assured systems:
    1. Definition: document all aspects of system context
    2. Verification: Compliance status determination
    3. Validation: all activities required to prove status
    4. Post–Accreditation: Mgmt of SSAA, change, and continual monitoring of compliance state
    (This has been superseded by DoDI 8510.01 DIACAP effective November 2007.)
  69. What is the CNSS?
    NSTISSC was established by NSDD 42a (1990) in order to implement provisions and requirements of NSDD 42, and was renamed to CNSS by EO 13231 in 2001, in order to:
    ~ Consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards;
    ~ Assess the overall security posture of and disseminate information on threats to and vulnerabilities of national security systems;
    ~ Review and approve all standards, techniques, systems, and equipment related to the security of national security systems; and
    ~ Examine U.S. national security systems and evaluate their vulnerability to foreign interception and exploitation, and oversee mitigating action.
  70. What are the CNSS issuance types and purpose?
    ~ Policy (NSTISSP/CNSSP): assigns responsibilities and establishes criteria
    ~ Directives (NSTISSD/CNSSD): establish or describe policy and programs, assign authority or responsibilities
    ~ Instructions (NSTISSI/CNSSI): describe implementation or intention of policy
    ~ Memoranda (NSTISSAM/CNSSAM): provide guidance or explanation of policy or other issuance
  71. Describe NTISSP 6
    Issued 1994, Established the requirement for all Federal agencies operating NSS to have a C&A program; implemented through NSTISSI 1000.
  72. Describe NSTISSP 7
    Issued 1995, Specified functional, management, and technical requirements to produce a secure electronic messaging system for conduct of official business:
    ~ Additional guidance issued to implement by Y2000
    ~ To be government–wide interoperable across all NSS
    ~ Required this to be accomplished through common standards and procedures
  73. Describe NSTISSP 11
    Issued 2003, States policy that IA shall be done through COTS and GOTS products, and that such products are to be evaluated through CC processes:
    ~ Must achieve more than simply confidentiality;
    ~ COTS/GOTS should be used as more readily available;
    ~ IA achievement must evolve beyond traditional view;
    ~ OCONUS CC partner evals for EAL 1–4 accepted w/o NIAP
    ~ NIAP required as well for EAL 5–7 product requirements
    Exceptions allowed:
    ~ Any COTS/GOTS acquired prior to policy effective date;
    ~ Recognition of the complexities of technology and evaluation process
  74. Describe NCSC–5
    Issued 1981, Governs use of crypto–materials in high–risk environments. Specifies requirements for equipment selection, use, evacuation, destruction (to prevent loss), P2P keying (no netting or common–user), and only minimum necessary.
  75. Describe NSTISSP 200
    Issued 1987, sets policy that, in essence, requires all NSS to comply with C2–level requirements. Defines AIS, TCB, TCSEC (now must meet EAL 4).
  76. Describe NSTISSP 101
    Issued 1999, Sets national policy that all military voice radio and sensitive civilian government voice systems must be secure; threats must be assessed and security implemented must be commensurate.
  77. Describe CNSSP 14
    Issued 2002, Governs release of IA products and services to non–USFG members, and specifies methods and controls by which this can, as appropriate, be done.
  78. Describe NSTISSD–500
    Issued 1993, Specifies requirements for all USFG departments to implement programs to address ongoing needs for education, awareness, and training for NSS.
  79. Describe NSTISSI 4011
    Issued 1994, Course content for the InfoSec profession
  80. Describe CNSSI 4012
    Issued 2004, For senior system managers (DAAs). Supersedes NSTISSI 4012 (1997)
  81. Describe CNSSI 4013
    Issued 2004, For Sysadmins. Supersedes NSTISSI 4013 (1997)
  82. Describe CNSSI 4014
    Issued 2004, For ISSOs. Supersedes NSTISSI 4014 (1997).
  83. Describe NSTISSI 4015
    Issued 2000, Standards for Systems Certifiers
  84. Describe NACSI 6002
    Issued 1984, Protection of USFG contractor communications. In essence enforces the requirement for contractors to protect their communications (contract related) to the same level as the agency, and then charge that agency for the cost of meeting those requirements.
  85. Describe NSTISSI 7003
    Issued 1994, Protected distribution systems. This refers to systems that are used to transmit unencrypted traffic (NSI) through lower–cleared areas, and how, when, and where they can be used.
  86. Describe NSTISSI 1000
    Issued 2000, Establishes minimum national standards for C&A processes, and provides guidance on how to implement NSTISSP 6. Describes the NIACAP
  87. Describe NSTISSAM CompuSec 1–98
    Issued 1998, Describes the role of firewalls and other enclave boundary protections IAW Defense in Depth principles. Names firewall types: packet, proxy, and hybrid of these.
  88. Describe NSTISSAM CompuSec 1–99
    Issued 1999, Describes the decision to transition from TCSEC to CC, recognition of technology advances and evaluation independence needs.
  89. Describe NSTISSAM InfoSec 1–00
    Issued 2000, States that the policy shall be that all applications or devices processing as Unclassified NSS that use crypto must use a form validated against FIPS 140 or the CC.
  90. Describe NSTISSAM InfoSec 2–00
    Issued 2000, Describes the policy and a strategy for using the NIAP to evaluate COTS using commercial labs. All units evaluated must be reviewed by NIAP for compliance with the CC, and a separate NIAP evaluation is optional.
  91. Describe CNSSAM 1–04
    Issued 2004, Provides guidance to all agencies that a multilayer/multivendor approach to IA architecture is desirable, as long as the overall architecture and engineering is performed in a sound and well–executed manner (to ensure optimal integration and interoperability).
  92. What is NIST's role in the USFG?
    Establishes an Information Assurance Technology Framework (IATF)
    Continuing Key Areas:
    ~ Developing security standards, guidelines, and associated methods and techniques for information services, including metrics as in SP 800–53
    ~ Conduct security research – understand vulnerabilities and develop new security techniques
  93. NIST SP 800–12
    (1995): Introduction to Computer Security
    Basic information and guidance (from OECD) on principles and practices:
    ~ Supports org mission and is part of sound management
    ~ Cost–effective with a comprehensive, integrated approach
    ~ Responsibility and accountability are explicit
  94. NIST SP 800–14
    Generally Accepted Principles and Practices for Securing Information Technology Systems (GASSP) (1996)
    Provides further and deeper explanation and guidance of the topics introduced in 800–12
    Among other things, addresses risk management, SLC planning, incident response, training and awareness
  95. NIST SP 800–16
    Information Technology Security Training Requirements: A Role~ and Performance–Based Model
  96. NIST SP 800–18
    Guide for Developing Security Plans for Federal Information Systems (SSP)
    Complies with and implements OMB A130 Appendix III and CSA 87
    SSP Purpose:
    ~ Describe requirements of the particular AIS
    ~ Delineate responsibilities and required behaviors of users
    Three primary tasks:
    ~ Preparation of the plan itself
    ~ Notification and resource identification
    ~ Plan analysis, update, and acceptance
    Defines Major Application (MA) and General Support System (GSS)
  97. NIST SP 800–27 REV A
    Engineering Principles for IT Security, Baseline
    Provides a listing of engineering principles (33) to be used to achieve appropriate levels of InfoSec
    Tied very closely to the principles stated in 800–12 and 800–14
    Specifies a five phase model for employing these principles:
    ~ Initiation
    ~ Development/Acquisition
    ~ Implementation
    ~ O&M Phase
    ~ Disposal
  98. NIST SP 800–30
    Risk Management Guide for Information Technology Systems
    1. System Characterization
    2. Vulnerability Identification
    3. Threat Identification
    4. Control Analysis
    5. Likelihood Determination
    6. Impact Analysis
    7. Risk Determination
    8. Control Recommendations
    9. Results Documentation
  99. What steps of SP 800–30 can be performed in parallel?
    2. Vulnerability Identification
    3. Threat Identification
  100. NIST SP 800–34 REV 1
    Contingency Planning Guide for Federal Information Systems
  101. NIST SP 800–37 REV 1
    Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (RMF)
  102. NIST SP 800–39
    Managing Information Security Risk: Organization, Mission, and Information System View (Enterprise Risk)
  103. NIST SP 800–40
    Creating a Patch and Vulnerability Management Program (Vulnerability Management)
  104. NIST SP 800–41
    Guidelines on Firewalls and Firewall Policy
  105. NIST SP 800–47
    Security Guide for Interconnecting Information Technology Systems
    ~ Establishes guidelines (including tasks and subtasks) to plan, establish, maintain, and terminate interconnections between AIS that are owned and operated by different organizations.
    ~ Addresses all stages of interconnection lifecycle.
    ~ Does not address classified AIS.
  106. NIST SP 800–50
    Building an Information Technology Security Awareness and Training Program
  107. NIST SP 800–53 REV 3
    Recommended Security Controls for Federal Information Systems and Organizations
    ~ Provides a catalogue of security controls for federal information systems (NSS).
    ~ Recommends baseline security controls for federal information systems (IAW FIPS Publication 199 risk levels)
    ~ Provides guidelines for agency–directed tailoring of baseline security controls
    Incorporates security controls from many public and private sector sources:
    ~ CC Part 2
    ~ ISO/IEC 27001
    ~ COBIT
    ~ GAO FISCAM
    ~ CMS (healthcare)
    ~ D/CID 6–3 Requirements
    ~ DoD Policy 8500
    ~ BITS Functional packages
  108. NIST SP 800–53A REV1
    Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
    Provides guidance for agencies to consistently map impact levels to information types and sensitivities and provide methods for evaluating the effectiveness of deployed controls in IT systems.
    Applicable to all Federal AIS other than NSS
    ~ Operating as intended
    ~ Implemented Effectively
    ~ Providing desired outcome
  109. NIST SP 800–54
    Border Gateway Protocol Security
  110. NIST SP 800–59
    Guideline for Identifying an Information System as a National Security System (NSS)
  111. NIST SP 800–60
    Guide for Mapping Types of Information and Information Systems to Security Categories (2 Volumes)
    Volume 1: Guide
    ~ Provides guidance for agencies to consistently map impact levels to information types and sensitivities
    ~ Applicable to all Federal AIS other than NSS
    ~ Information types are based on OMB Federal Enterprise Architecture PMO Consolidated Reference Model, Version 2.3 (2007)
    Volume 2: Appendices
    ~ Contains Appendices, References, Provisional impact Assignment levels, Legislative sources, and Rationale
  112. NIST SP 800–61
    Computer Security Incident Handling Guide
  113. NIST SP 800–63
    Electronic Authentication Guideline
  114. NIST SP 800–64
    Security Considerations in the System Development Life Cycle (SDLC)
  115. NIST SP 800–66
    An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  116. NIST SP 800–70 REV 1
    National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
  117. NIST SP 800–88
    Guidelines for Media Sanitization
  118. NIST SP 800–92
    Guide to Computer Security Log Management
  119. NIST SP 800–94
    Guide to Intrusion Detection and Prevention Systems (IDPS)
  120. NIST SP 800–100
    Information Security Handbook: A Guide for Managers
  121. NIST SP 800–115
    Technical Guide to Information Security Testing and Assessment
  122. NIST SP 800–117
    Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
  123. NIST SP 800–122
    Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
  124. NIST SP 800–126 REV 2
    The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
  125. NIST SP 800–128 (DRAFT)
    DRAFT Guide for Security Configuration Management of Information Systems
  126. NIST SP 800–137 (DRAFT)
    DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations
  127. NIST SP 800–55 REV 1
    Performance Measurement Guide for Information Security
  128. NIST SP 800–45 V2
    Guidelines on Electronic Mail Security
  129. FIPS 199
    Standards for Security Categorization of Federal Information and Information Systems
    Establishes standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels and potential impacts, using this general formula (AIS impact levels on a H, M, L scale):
    SC(AIS) = {(Conf, impact), (Integ, impact), (Avail, impact)}
    Result is system High, Moderate or Low. Using NIST 800–53 provides the system Control Baseline.
  130. What are the FIPS 199 impact levels?
    Low, Moderate, High
  131. What document(s) is/are used to categorize systems for FISMA?
    FIPS 199
  132. What document(s) is/are used to provide mapping guidelines recommending the types of information and information systems to be included in each category described in FIPS 199?
    NIST SP 800–60
  133. What document(s) is/are used to develop minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each category?
    NIST SP 800–53 and FIPS 200
  134. FIPS 200
    Minimum Security Requirements for Federal Information and Information Systems
    Specifies minimum security requirements in 17 areas that are to be met using controls outlined in SP800–53. These are mandatory. No provision for waivers is made. Complements FIPS 199.
  135. What document(s) is/are used to define how C&A is performed under FISMA?
    NIST SP 800–37 & NIST SP 800–53A
  136. What NIST publications support FISMA?
    ~ FIPS 140: Crypto module requirements
    ~ FIPS 197: AES
    ~ FIPS 199: System Categorization
    ~ FIPS 200: Minimum Security Requirements
    ~ FIPS 201
    ~ SP 800–37: C&A
    ~ SP 800–53: Minimum Controls
    ~ SP 800–53A: Verification Procedures
    ~ SP 800–60: Mapping Guidance
  137. FIPS 46
    DES is permitted on legacy AIS only – and thus is still relevant to the ISSEP
  138. FIPS 81
    Triple DES is a FIPS approved algorithm of choice. Encourages transition to TDES as rapidly as prudent strategy and budgets permit
  139. FIPS 140
    Establishes requirements that must be met by modules to be used or considered for use in SBU systems, including voice systems. Describes a hierarchical system of increasing levels. Has a waiver procedure that allows relief in the event of a) adverse mission impact or b) financial impact
  140. What are the hierarchy levels of FIPS 140?
    1: lowest, executable on a general purpose system;
    2: Includes 1, adds tamper–evidence features, AIS is EAL2 & up;
    3: Includes 2, adds mechanisms to prevent Rev–eng, and requires identity–based authentication; EAL3 and up;
    4: Includes 3, adds environmental protections (temp, voltage); EAL4 and higher
  141. FIPS 197
    Specifies that AES is a FIPS approved algorithm of choice. For use on SBU, but not classified information and AIS. Has a waiver procedure that allows relief in the event of a) adverse mission impact or b) financial impact. [For classified and financial data must use Type 1 crypto (AES 256 or better)]
  142. FIPS 199 low impact characteristics?
    limited adverse effect
  143. FIPS 199 moderate impact characteristics?
    serious adverse effect
  144. FIPS 199 high impact characteristics?
    severe or catastrophic adverse effect; threat to human life, or result in loss of major assets
  145. What key components are considered with each level of impact in FIPS 199?
    Mission, Financial impact, Asset impact, Personnel security
  146. What options are available to manage risk?
    ~ Risk Assumption
    ~ Risk Avoidance
    ~ Risk Limitation
    ~ Research and Development
    ~ Risk Transference
  147. NIST SP 800–37
    Guidelines for the Security C & A of Federal Information Systems (2004)
    ~ Issued by NIST under the authority of FISMA–2002, and is consistent with OMB A–130.
    ~ Establishes guidelines (including tasks and subtasks) to certify and accredit information systems supporting the executive branch of the federal government
    ~ Applicable to non–national security information systems as defined in the FISMA of 2002
    ~ Replaces FIPS Publication 102 (withdrawn 2005)
  148. What are the SP 800–53 control classes?
    Management security controls (aka administrative) ~ Policy, standards, baselines, guidelines, procedures; focus on managing risk and the security program Technical security controls (aka logical) ~ Implemented in hardware, software, firmware components and devices ~ Often provide the basic support that lets other controls function correctly Operational security controls (aka physical) ~ Implemented and executed primarily by people rather than by systems ~ Include leading industry practices and procedural guidance
  149. What are the types of controls in each class of 800–53 controls?
    Preventive Detective Corrective Compensating Deterrent Supplemental
  150. What are the primary types of 800–53 controls?
    Preventive Detective Corrective
  151. What are the secondary types of 800–53 controls?
    Compensating Deterrent Supplemental
  152. What are the 800–53 Management Controls?
    Security Assessment and Authorization (CA) Planning (PL) Risk Assessment (RA) System and Services Acquisition (SA) Program Management (PM)
  153. What are the 800–53 Operational Controls?
    Awareness and Training (AT) Configuration Management (CM) Contingency Planning (CP) Incident Response (IR) Maintenance (MA) Media Protection (MP) Physical and Environmental Protection (PE) Personnel Security (PS) System and Information Integrity (SI)
  154. What are the 800–53 Technical Controls?
    Access Control (AC) Audit and Accountability (AU) Identification and Authentication (IA) System and Communications Protection (SC)
  155. What is the Common Criteria?
    The CC is a collection of generic security requirements (statements) to aid in the specification of product or system security attributes (Functional and Assurance) Common Criteria (CC) approach offers: ~ Security focus to individual network components ~ Software Applications CC Evaluated Products (EAL/EPL) ~ Evaluate Security Posture ~ Isolate Product by Defining Interface Boundary
  156. What is the consumers role in Common Criteria?
    Support procurement of evaluated products
  157. What is the Developers/Integrators role in Common Criteria?
    Support development to meet requirements
  158. What is the evaluators role in Common Criteria?
    Use the CC as a basis for evaluation of products
  159. What is the Auditor/Certifier/Accreditors role in Common Criteria?
    to support specific needs for security specifications
  160. What is Common Criteria derived from?
    Standardized as ISO/IEC 15408. Background: the TCSEC/Rainbow series was too rigid, did not take many things into account, and its evaluations were expensive; ITSEC provided more flexibility but added complexity. Made up from: ~ TCSEC (US) ~ ITSEC (Europe) ~ Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) ~ US Federal Criteria ~ Developed jointly by the US, UK, Germany, France, Canada and the Netherlands
  161. What are the Common Criteria evaluation ratings?
    EAL 1: Functionally tested EAL 2: Structurally tested EAL 3: Methodically tested and checked EAL 4: Methodically designed, tested and reviewed EAL 5: Semi–formally designed and tested EAL 6: Semi–formally verified, designed, and tested EAL 7: Formally verified, designed, and tested
  162. What are the components of the Common Criteria?
    Protection Profile ~ Description of needed security solution Target of Evaluation ~ Product proposed to provide needed security solution Security Target ~ Written by vendor explaining security functionality and assurance mechanisms that meet the needed security solution Packages – Evaluation Assurance Levels (EAL) ~ Security requirements are bundled into packages for re–use ~ Reqs to be met to achieve specific EAL ratings
  163. What are the sets of requirements used in Common Criteria?
    Security functional requirements (performance) Security assurance requirements (pedigree)
  164. What areas comprise the security functional requirements of the Common Criteria?
    ~ Identification and authentication ~ Audit ~ Resource utilization ~ Trusted paths/channels ~ User data protection ~ Security management ~ TOE access ~ Communications ~ Privacy ~ Protection of the TOE security functions ~ Cryptographic support
  165. What areas comprise the security assurance requirements of the Common Criteria?
    ~ Guidance documents and manuals ~ Configuration management ~ Vulnerability assessment ~ Delivery and operation ~ Life cycle support ~ Assurance maintenance ~ Development ~ Testing
  166. What are the steps of the Common Criteria methodology?
    1. Evaluate the conditions between the evaluated product and the present situation. 2. Evaluate the differences of the conditions for regression and/or independent testing. 3. Determine whether additional security requirements are required for the present situation. 4. Analyze the security impact of the interfaces. 5. Perform the testing and/or analysis.
  167. What is the intended scope/application of the Common Criteria?
    A paradigm used to specify security properties of IT products and systems that address ~ unauthorized disclosure (confidentiality, privacy) ~ unauthorized modification (integrity) ~ loss of use (availability) The basis for comparison of the results of independent evaluations Applicable to IT security functions implemented by hardware, software, and firmware
  168. How do consumers use the Common Criteria?
    They need to document user requirements in the protection profile ~ Part I: structure for PP ~ Part II & III: guidance for formulating and determining reqs
  169. How do developers use the Common Criteria?
    They need to build security requirements into products ~ Part I: development and formulation of reqs ~ Part II & III: interpreting requirements –> commonality
  170. How do evaluators use the Common Criteria?
    They need to prepare the ST for testing ~ Part I: structure for PPs and STs ~ Part II & III: mandatory statement of eval criteria
  171. What are the documents that make up the Common Criteria?
    Part 1 ~ Intro and General Model Part 2 ~ Security Functional Reqs Part 3 ~ Security Assurance Reqs
  172. How is Part 1 of the Common Criteria organized?
    Scope, Glossary, Overview Security Context & CC Approach Security Concepts, Environment & Objectives Evaluation Results Appendix A: History Appendix B: Specification of Protection Profiles (PPs) Appendix C: Specification of Security Targets (STs)
  173. What is a Protection Profile?
    ~ Answers the question: “What do I need in a security solution?” ~ Implementation independent for a class of products or systems ~ Protection Profile authors: anyone who wants to state IT security needs (e.g., a commercial consumer, consumer groups) or anyone who supplies products that support IT security needs ~ A PP is a statement of implementation–independent security needs, e.g., a generic OS with DAC, audit, and I&A
  174. What is a Security Target?
    ~ Answers the question: “What does a developer provide in a security solution?” ~ Implementation dependent and version specific ~ Security Target authors: ~ Product vendors, developers, integrators Knowledge of implementation details required ST defines the implementation dependent capabilities of a specific product, e.g. – Microsoft NT 4.0.0.2 (TOE) – Sun OS 4.7.4 (TOE)
  175. What is the Common Criteria security environment?
    Security Environment defined with consideration to the: ~ Purpose and function of the TOE ~ Environment in which the TOE operates (IT & Non–IT) –IT Environment – Security services or capabilities provided by IT systems or products that are not part of the TOE –Non–IT Environment – Security implemented by personnel ~ Assets to be protected Assumptions ~ The security aspects of the environment in which the TOE will be used or is intended to be used. Threats ~ The ability to exploit a vulnerability by a threat agent. Organizational Security Policies (OSPs) ~ A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations.
  176. What is the Common Criteria security objectives?
    Objectives establish the basis for the selection of security requirements (functional & assurance) Objectives are based entirely upon the statement of the Security Environment Objectives ~ Support Assumptions ~ Counter Threats (eliminate, minimize, monitor) ~ Enforce OSPs Objectives are the “focal point” of the PP/ST
  177. What are Common Criteria security functional requirements?
    Levied upon functions of the TOE that support IT security; their behavior can generally be observed
  178. Name the Common Criteria security functional requirements classes
    ~ Security Audit (FAU) ~ Communication (FCO) ~ Cryptographic Support (FCS) ~ User Data Protection (FDP) ~ Identification & Authentication (FIA) ~ Security Management (FMT) ~ Privacy (FPR) ~ Protection of the TOE Security Functions (FPT) ~ Resource Utilization (FRU) ~ TOE Access (FTA) ~ Trusted Path/Channels (FTP)
  179. How are Common Criteria security functional requirements organized?
    Class Family Component Element, e.g., FIA_UID.1.1 (class_family.component.element)
  180. What are the types of Common Criteria component relationships?
    ~ Dependency relationship ~ other component support (functional & assurance) ~ Hierarchy relationship ~ between components within a class
  181. What are the types of Common Criteria operations on functional components?
    ~ Assignment ~ “fill in the blank” ~ Selection ~ “select from a list” ~ Iteration ~ “repetitive use” ~ Refinement ~ “tailor/modify”
  182. What is the Common Criteria definition of assurance?
    Grounds for confidence that an IT product or system meets its security objectives.
  183. According to Common Criteria, why do we care about assurance?
    Vulnerabilities arising from … Requirements ~ Insufficient or ineffective requirements Construction ~ Incorrect design decisions ~ Errors in implementation Operation ~ Inadequate controls
  184. Name the Common Criteria security assurance requirements classes
    TOE Assurance: Configuration Mgt (ACM) Delivery and Operation (ADO) Development Docs (ADV) Guidance Documents (AGD) Life–Cycle Support (ALC) Testing (ATE) Vulnerability Assessment (AVA) Maintenance of Assurance (AMA) Specs Assurance: Protection Profile Eval (APE) Security Target Eval (ASE)
  185. How are Common Criteria security assurance requirements organized?
    Class Family Component Element Element Identifier, e.g., ADV_LLD.3.1D / ADV_LLD.3.1C / ADV_LLD.3.1E (class_family.component.element + element type: D = developer action, C = content and presentation of evidence, E = evaluator action)
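    Cards 179 and 185 describe the CC identifier scheme: class_family.component.element for functional requirements (FIA_UID.1.1) and the same scheme plus a D/C/E element type for assurance requirements (ADV_LLD.3.1D). The parser below is an added study example, not code from the deck or from the Common Criteria project; it validates identifiers against the CC version 2.x class lists given on cards 178 and 184 and rejects the mismatches a reviewer of a PP or ST would want caught (a D/C/E suffix on a functional element, an assurance element with no suffix, an unknown class).

```python
"""Parser for Common Criteria (CC v2.x) requirement identifiers.

Added study example; not code from the deck or from the CC project.
Class tables are the functional and assurance classes listed on the cards.
"""
import re
from dataclasses import dataclass
from typing import Optional

FUNCTIONAL_CLASSES = {
    "FAU": "Security audit", "FCO": "Communication", "FCS": "Cryptographic support",
    "FDP": "User data protection", "FIA": "Identification and authentication",
    "FMT": "Security management", "FPR": "Privacy",
    "FPT": "Protection of the TOE security functions", "FRU": "Resource utilisation",
    "FTA": "TOE access", "FTP": "Trusted path/channels",
}
ASSURANCE_CLASSES = {
    "ACM": "Configuration management", "ADO": "Delivery and operation",
    "ADV": "Development", "AGD": "Guidance documents", "ALC": "Life-cycle support",
    "ATE": "Tests", "AVA": "Vulnerability assessment", "AMA": "Maintenance of assurance",
    "APE": "Protection Profile evaluation", "ASE": "Security Target evaluation",
}
ELEMENT_TYPES = {
    "D": "developer action",
    "C": "content and presentation of evidence",
    "E": "evaluator action",
}

# CLS_FAM.component[.element[type]]; the type letter is valid only for assurance classes
_ID_RE = re.compile(r"^([A-Z]{3})_([A-Z]{3})\.(\d+)(?:\.(\d+)([DCE])?)?$")


@dataclass(frozen=True)
class CCIdentifier:
    kind: str                    # "functional" or "assurance"
    class_code: str              # e.g. "FIA"
    class_name: str
    family: str                  # e.g. "UID"
    component: int
    element: Optional[int]       # None when the id names a whole component
    element_type: Optional[str]  # "D", "C" or "E" for assurance elements, else None

    def describe(self) -> str:
        text = (f"{self.kind} class {self.class_code} ({self.class_name}), "
                f"family {self.family}, component {self.component}")
        if self.element is not None:
            text += f", element {self.element}"
            if self.element_type:
                text += f" ({ELEMENT_TYPES[self.element_type]})"
        return text


def parse_cc_identifier(text: str) -> CCIdentifier:
    """Parse and validate one identifier; raises ValueError on any inconsistency."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CC identifier: {text!r}")
    cls, fam, comp, elem, etype = m.groups()
    if cls in FUNCTIONAL_CLASSES:
        if etype is not None:
            raise ValueError(f"{text}: functional elements carry no D/C/E suffix")
        kind, name = "functional", FUNCTIONAL_CLASSES[cls]
    elif cls in ASSURANCE_CLASSES:
        if elem is not None and etype is None:
            raise ValueError(f"{text}: assurance elements need a D, C or E suffix")
        kind, name = "assurance", ASSURANCE_CLASSES[cls]
    else:
        raise ValueError(f"{text}: unknown CC class {cls}")
    return CCIdentifier(kind, cls, name, fam, int(comp),
                        int(elem) if elem is not None else None, etype)


def is_valid(text: str) -> bool:
    try:
        parse_cc_identifier(text)
        return True
    except ValueError:
        return False


def same_family(a: str, b: str) -> bool:
    """True when two identifiers belong to the same family. A hierarchical
    relationship (one component superseding a lower one) exists only between
    components of the same family, so this is the first check before
    claiming that e.g. FIA_UID.2 satisfies a dependency on FIA_UID.1."""
    x, y = parse_cc_identifier(a), parse_cc_identifier(b)
    return (x.class_code, x.family) == (y.class_code, y.family)


if __name__ == "__main__":
    for ident in ("FIA_UID.1.1", "ADV_LLD.3.1D", "FAU_GEN.2"):
        print(ident, "->", parse_cc_identifier(ident).describe())
```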
  186. What are the Common Criteria assurance packages?
    Basic Assurance Level ~ EAL 1 & 2 ~ Limited vendor involvement ~ Functional & independent testing Medium Assurance Level ~ EAL 3 & 4 ~ Development environment controls ~ High–level design documentation High Assurance Level ~ EAL 5, 6, & 7 ~ Additional CM requirements ~ Analysis based on entire TSF implementation ~ Covert channel analysis ~ Modular and layered TOE design ~ Automated CM ~ Formal methods of functional specification & high–level design
  187. What NIST publication is characterized by 8 principles and 14 practices?
    NIST SP 800–14, Generally Accepted Principles and Practices for Securing Information Technology Systems
  188. Name the principles of the 800–14
    1 Computer Security Supports the Mission of the Organization 2 Computer Security is an Integral Element of Sound Management 3 Computer Security Should Be Cost–Effective 4 Systems Owners Have Security Responsibilities Outside Their Own Organizations 5 Computer Security Responsibilities and Accountability Should Be Made Explicit 6 Computer Security Requires a Comprehensive and Integrated Approach 7 Computer Security Should Be Periodically Reassessed 8 Computer Security is Constrained by Societal Factors Review pages 669–670 of the ISC2 ISSEP book
  189. Name the first 7 practices of the 800–14
    1. Have policies to enforce compliance with organizational security practices 2. Managing computer security at multiple levels administered by central oversight 3. Manage organizational risks by assessing threats and taking steps to reduce their effects 4. Manage security by planning a system’s life cycle 5. Implement security practices to manage personnel 6. Prepare for contingencies and disasters 7. Deploy a security incident response system
  190. Name the last 7 practices of the 800–14
    8. Perform security awareness training 9. Apply security principles to all operational aspects of the organization 10. Implement physical and environmental security 11. Enforce effective user identification and authentication 12. Control logical access to systems 13. Maintain audit trails 14. Implement cryptography to protect sensitive data Review pages 671 – 673 of the ISC2 ISSEP
  191. What are the phases of the NIST 800–37 C&A process?
    Initiation Security Certification Security Accreditation Continuous Monitoring
  192. What are the key roles of the NIST 800–37?
    ~ Authorizing Official ~ Authorizing Official Designated Representative ~ Senior Agency Information Security Officer ~ Information System Owner ~ Information System Security Officer ~ Certification Agent ~ User Representative
  193. According to NIST 800–37, what is role of the authorizing official?
    ~ Reviews and approves the security plan for the information system ~ Determines residual risk to agency operations or assets based on information generated during the security certification ~ Makes security accreditation decisions and signs associated transmittal letter for accreditation package (authorizing official only) [GOVT ONLY!!!] ~ Reviews security status reports from continuous monitoring operations ~ Initiates security reaccreditation actions
  194. According to NIST 800–37, what is role of the Senior Agency Information Security Officer?
    ~ Carries out the Chief Information Officer's responsibilities under FISMA ~ Possesses professional qualifications, including training and experience, required to administer the information security program functions ~ Has information security as a primary duty ~ Heads an office with the mission and resources to assist in ensuring agency compliance ~ May serve as the authorizing official's designated representative ~ Serves as the CIO's primary liaison to the agency's authorizing officials, information system owners, and information system security officers
  195. According to NIST 800–37, what is role of the Information System Owner?
    ~ Represents the interests of the user community ~ Prepares security plan and conducts risk assessment ~ Informs agency officials of the need for security certification and accreditation of the information system; ensures appropriate resources are available ~ Provides the necessary system–related documentation to the certification agent ~ Prepares plan of action (and milestones) to reduce or eliminate vulnerabilities in the information system ~ Assembles final security certification package; submits to authorizing official
  196. According to NIST 800–37, what is role of the Information System Security Officer?
    ~ Serves as principal staff advisor to the system owner on all matters involving the security of the information system ~ Manages the security aspects of the information system and, in some cases, oversees the day–to–day security operations of the system ~ Assists the system owner in: – Developing and enforcing security policies for the information system – Assembling the security certification package – Managing and controlling changes to the information system and assessing the security impacts of those changes
  197. According to NIST 800–37, what is role of the Certification Agent?
    ~ Provides an independent assessment of the security plan ~ Evaluates the security controls in the information system to determine: – The effectiveness of those controls in a particular environment of operation – The vulnerabilities in the system after the implementation of such controls ~ Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system
  198. According to NIST 800–37, what is role of the User Representative?
    ~ Represents the operational interests and mission needs of the user community ~ Identifies mission and operational requirements ~ Serves as the liaison for user community throughout the life cycle of the information system ~ Assists in the security certification and accreditation process, when needed
  199. What are the tasks of the 800–37?
    Task 1: Preparation Task 2: Notification and Resource Identification Task 3: System Security Plan Analysis, Update, and Acceptance Task 4: Security Control Assessment Task 5: Security Certification Documentation Task 6: Security Accreditation Decision Task 7: Security Accreditation Documentation Task 8: Configuration Management and Control Task 9: Security Control Monitoring Task 10: Status Reporting and Documentation
  200. What tasks are associated with the Initiation Phase of the 800–37?
    Task 1: Preparation Task 2: Notification and Resource Identification Task 3: System Security Plan Analysis, Update, and Acceptance
  201. What tasks are associated with the Security Certification Phase of the 800–37?
    Task 4: Security Control Assessment Task 5: Security Certification Documentation
  202. What tasks are associated with the Security Accreditation Phase of the 800–37?
    Task 6: Security Accreditation Decision Task 7: Security Accreditation Documentation
  203. What tasks are associated with the Continuous Monitoring Phase of the 800–37?
    Task 8: Configuration Management and Control Task 9: Security Control Monitoring Task 10: Status Reporting and Documentation
  204. What are the subtasks of Task 1 of the 800–37?
    Subtask 1.1: Information System Description Subtask 1.2: Security Categorization Subtask 1.3: Threat Identification Subtask 1.4: Vulnerability Identification Subtask 1.5: Security Control Identification Subtask 1.6: Initial Risk Determination
  205. List the responsible role, reference and output of 800–37 subtask 1.1
    Information System Owner, 800–18 + 800–59, first section of the SSP
  206. List the responsible role, reference and output of 800–37 subtask 1.2
    Information System Owner, FIPS 199 + 800–60, security categorization report
  207. List the responsible role, reference and output of 800–37 subtask 1.3
    Information System Owner, 800–30 + 800–60, threat section of RAR
  208. List the responsible role, reference and output of 800–37 subtask 1.4
    Information System Owner, 800–30 + 800–60, vulnerability section of the RAR
  209. List the responsible role, reference and output of 800–37 subtask 1.5
    Information System Owner, FIPS 200 + 800–53, second section of the SSP
  210. List the responsible role, reference and output of 800–37 subtask 1.6
    Information System Owner, 800–30, RAR
  211. What are the subtasks of Task 2 of the 800–37?
    Subtask 2.1: Notification Subtask 2.2: Planning and Resources
  212. List the responsible role, reference and output of 800–37 subtask 2.1
    Information System Owner, 800–37, SSP
  213. List the responsible role, reference and output of 800–37 subtask 2.2
    Authorizing Official SAISO/CISO Information System Owner Certification Agent, 800–37, Approved SSP
  214. What are the subtasks of Task 3 of the 800–37?
    Subtask 3.1: Security Categorization Review Subtask 3.2: System Security Plan Analysis Subtask 3.3: System Security Plan Update Subtask 3.4: System Security Plan Acceptance
  215. List the responsible role, reference and output of 800–37 subtask 3.1
    Authorizing Official SAISO/CISO Certification Agent, 800–60, Approved SecCat
  216. List the responsible role, reference and output of 800–37 subtask 3.2
    Authorizing Official SAISO/CISO Certification Agent, 800–18, Draft SSP
  217. List the responsible role, reference and output of subtask 3.3
    Information System Owner, 800–18, Final SSP
  218. List the responsible role, reference and output of 800–37 subtask 3.4
    Authorizing Official SAISO/CISO, 800–37, Approved SSP
  219. What are the subtasks of Task 4 of the 800–37?
    Subtask 4.1: Documentation and Supporting Materials Subtask 4.2: Methods and Procedures Subtask 4.3: Security Assessment Subtask 4.4: Security Assessment Report
  220. List the responsible role, reference and output of 800–37 subtask 4.1
    Information System Owner Certification Agent, 800–37, ST&E
  221. List the responsible role, reference and output of 800–37 subtask 4.2
    Certification Agent, 800–53A, ST&E
  222. List the responsible role, reference and output of 800–37 subtask 4.3
    Certification Agent, 800–53A + 800–30, vulnerability assessment report
  223. List the responsible role, reference and output of 800–37 subtask 4.4
    Certification Agent, 800–53A, SAR
  224. What are the subtasks of Task 5 of the 800–37?
    Subtask 5.1: Findings and Recommendations Subtask 5.2: System Security Plan Update Subtask 5.3: Plan of Action and Milestones Preparation Subtask 5.4: Accreditation Package Assembly
  225. List the responsible role, reference and output of 800–37 subtask 5.1
    Certification Agent, 800–53A, SAR
  226. List the responsible role, reference and output of 800–37 subtask 5.2
    Information System Owner, 800–18, SSP
  227. List the responsible role, reference and output of 800–37 subtask 5.3
    Information System Owner, OMB M02–01, POA&M
  228. List the responsible role, reference and output of 800–37 subtask 5.4
    Information System Owner, 800–37 + OMB M02–01, SAR + SSP + POA&M
  229. What are the subtasks of Task 6 of the 800–37?
    Subtask 6.1: Final Risk Determination Subtask 6.2: Risk Acceptability
  230. List the responsible role, reference and output of 800–37 subtask 6.1
    Authorizing Official, 800–37, Questions
  231. List the responsible role, reference and output of 800–37 subtask 6.2
    Authorizing Official, 800–37, AO ATO Decision Letter
  232. What are the subtasks of Task 7 of the 800–37?
    Subtask 7.1: Security Accreditation Package Transmission Subtask 7.2: System Security Plan Update
  233. List the responsible role, reference and output of 800–37 subtask 7.1
    Authorizing Official, 800–37, Security Accreditation Package
  234. List the responsible role, reference and output of 800–37 subtask 7.2
    Information System Owner, 800–37, Updated SSP and POA&M
  235. What are the subtasks of Task 8 of the 800–37?
    Subtask 8.1: Documentation of Information System Changes Subtask 8.2: Security Impact Analysis
  236. List the responsible role, reference and output of 800–37 subtask 8.1
    Information System Owner, 800–37, Change requests
  237. List the responsible role, reference and output of 800–37 subtask 8.2
    Information System Owner, 800–30, Change approvals
  238. What are the subtasks of Task 9 of the 800–37?
    Subtask 9.1: Security Control Selection Subtask 9.2: Selected Security Control Assessment
  239. List the responsible role, reference and output of 800–37 subtask 9.1
    Information System Owner, 800–53A, Continuous monitoring plan
  240. List the responsible role, reference and output of 800–37 subtask 9.2
    Information System Owner, 800–53A, Continuous monitoring reports
  241. What are the subtasks of Task 10 of the 800–37?
    Subtask 10.1: System Security Plan Update Subtask 10.2: Plan of Action and Milestones Update Subtask 10.3: Status Reporting
  242. List the responsible role, reference and output of 800–37 subtask 10.1
    Information System Owner, 800–18 + 800–37, Updated SSP
  243. List the responsible role, reference and output of 800–37 subtask 10.2
    Information System Owner, OMB M02–01, Updated POA&M
  244. List the responsible role, reference and output of 800–37 subtask 10.3
    Information System Owner, 800–37, System security status report to AO
  245. According to the IATF, how is IA implemented in the system life cycle?
    System Life Cycle is a process by which systems are developed, from pre–concept to deployment and disposal IA objectives are to achieve levels of confidentiality, integrity and availability commensurate with the type and value of data, mission requirements, support organization, etc. The processes: ~ Generally Accepted System Security Principles (GASSP) ~ Security in the System Life Cycle (SLC) ~ Common IT Security Practices ~ NIST Engineering Principles ~ ISSE, CMM, and IATF
  246. List the first 7 NIST Engineering Principles
    1. Establish a sound security policy as the “foundation” for design 2. Treat security as an integral part of the overall design 3. Clearly delineate the physical and logical security boundaries governed by associated security policies 4. Reduce risk to an acceptable level 5. Assume that external systems are insecure 6. Identify potential trade–offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness 7. Ensure no single point of vulnerability
  247. List NIST engineering principles 8 –14
    8. Implement tailored system security measures to meet organizational security goals 9. Strive for simplicity 10. Design and operate an IT system to limit vulnerability and to be resilient in response 11. Minimize the system elements to be trusted 12. Implement security through a combination of measures distributed physically and logically 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats 14. Limit or contain vulnerabilities
  248. List NIST engineering principles 15–20
    15. Formulate security measures to address multiple overlapping information domains 16. Isolate public access systems from mission critical resources 17. Use boundary mechanisms to separate computing systems and network infrastructures 18. Where possible, base security on open standards for portability and interoperability 19. Use common language in developing security requirements 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
  249. List NIST engineering principles 21–27
    21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains 23. Use unique identities to ensure accountability 24. Implement least privilege 25. Do not implement unnecessary security mechanisms 26. Protect data during all the transaction’s phases 27. Strive for operational ease of use
  250. List NIST engineering principles 28–33
    28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability 29. Consider custom products to achieve adequate security 30. Ensure security in the shutdown or disposal of a system 31. Protect against all likely classes of “attacks” 32. Identify and prevent common errors and vulnerabilities 33. Ensure that developers are trained to develop secure software
  251. Name the 3 IATF key principles
    1 Always keep Problem and Solution spaces separate. ~ Problem Space: desired end–product functionality ~ Solution Space: how that functionality will be provided 2 Customer’s mission/business needs defines Problem. ~ Includes mission, compliance requirements, constraints... ~ Takes into account threats, risks, operational efficiencies... 3 SE and SSE collaborate to define the Solution, which is driven by the Problem space. ~ Must satisfy operational as well as security requirements ~ Must include trade–offs and flexibility to assure mission success
  252. What are the DODAF architecture views?
    All view (AV) Operational view (OV) Systems view (SV) Technical view (TV)
  253. What does the DODAF OV convey?
    Information flows Identifies what needs to be accomplished and who does it
  254. What does the DODAF SV convey?
    systems and interconnections Relates systems and characteristics to operational needs
  255. What does the DODAF TV convey?
    rules governing the arrangements, interactions and interdependence of system parts or elements Prescribes standards and conventions
  256. What are the 6 fundamental steps DODAF calls for when building an architecture?
    1 – Determine the intended use of the architecture 2 – Determine scope of architecture 3 – Determine characteristics to be captured 4 – Determine views and products to be built 5 – Gather data and build the requisite products 6 – Use architecture for intended purpose
  257. What is the ISSE process definition?
    Discovering users’ requirements and designing systems that meet the requirements effectively and securely
  258. What are the 6 elements of the systems engineering process?
    Discover Needs Refine Requirements Design Architecture Detailed Design Implement System Assess Effectiveness
  259. What are the 6 elements of the systems security engineering process?
    Discover system protection needs Define system security requirements Design system security architecture Develop detailed security design Implement system security Assess system security effectiveness
  260. What is the Information Assurance Technology Framework?
    Provides an integrated process (involving technical and non–technical aspects) for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization’s mission. It defines the requirements for the TCB hardware, software, and firmware, and applies the processes to achieve a layered protection architectural strategy known as “Defense in Depth”, to defend the: ~ Computing Environment ~ Enclave Boundary ~ Network and Infrastructure ~ Supporting Infrastructures
  261. What 3 areas does the IATF technical process focus on?
    ~ People – those authorized to perform the work ~ Technology – the tools and technologies used ~ Operations – the processes and activities
  262. What is the goal of IATF?
    “Defense in Depth” implementation
  263. What are the principles of defense in depth?
    Defense in multiple places: to protect against internal and external threats Layered defenses: to ensure adversaries must negotiate multiple impediments to gain access and achieve attack goals Security robustness: the assurance and relative strength of the security component against anticipated threats Deploy KMI/PKI: deployment of robust key management infrastructures and PKI technologies Deploy intrusion detection systems: use of IDS and similar technologies to detect intrusions, evaluate information and results, and take or support taking action.
  264. What is the technology goal of defense in depth?
    Appropriate tools and technologies must be acquired and applied prudently to achieve program goals: ~ Security policy and principles ~ IA architectures and standards ~ IA Architecture framework areas ~ Specification criteria for product selection ~ IA criteria (security, interoperability, and PKI) ~ Acquisition and integration of evaluated products ~ System risk assessments
  265. What are the focus areas of defense in depth?
    Defend the computing environment ~ Clients, servers, applications, and other AIS components Defend the enclave boundaries ~ A collection of AIS under single authority/policy ~ Assume highest mission assurance category Defend the networks & infrastructure ~ Networks and support systems providing interconnection between locations or enclaves Defend the supporting infrastructures ~ Defense with KMI/PKI with detect–response capability (IDS/IPS/IDP)
  266. What does defense in depth seek to protect?
    ~ People ~ Technology ~ Operations
  267. What must management commit to for defense in depth to work?
    Management must demonstrate its commitment to achieving success in IA programs through ~ Policies and procedures ~ Roles and Responsibilities ~ Commitment of resources ~ Training and awareness ~ Physical security and countermeasures ~ Personnel security programs and controls ~ Personal accountability ~ Sanctions and penalties
  268. What must be performed to make defense in depth work for operations?
    The activities required to perform and maintain the effective security posture are daily, and include ~ Visible and enforced current security policy ~ Certification and accreditation ~ Readiness assessments ~ Security assessments ~ Infrastructure protection ~ Security management ~ Key management ~ Monitoring and reacting to threats ~ Attack sensing and warning response ~ Recovery and reconstitution
  269. What is the general approach to defense in depth?
    ~ Conduct risk assessments. ~ Deploy cost–effective, risk–based security. ~ Use commercial off–the–shelf (COTS) products. ~ Education, training, and awareness. ~ Continuous monitoring. ~ Employ multiple means of threat mitigation. ~ Implement a robust IA posture to cope with the unexpected. ~ Only trustworthy personnel have access. ~ Have effective incident response plan.
  270. What is a countermeasure?
    A targeted control [response] to a single threat
  271. What are the 3 categories of information according to IATF?
    ~ Public ~ Private ~ Classified
  272. What is the IATF definition of an information system?
    An “Information System”: ~ Also referred to as: Automated Information System (AIS), Information Technology System ~ “Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”
  273. What is the IATF definition of a security engineer?
    “A Security Engineer, through engineering discipline and process, helps build dependable systems in the face of malice, error, or mischance.” “As a discipline, it focuses on tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.”
  274. What is the IATF definition of a threat?
    The likelihood that the impact of an unwanted incident will be realized
  275. What is the IATF definition of a vulnerability?
    An inherent or intrinsic flaw or weakness in a system, its subsets, or components (hardware, software, or firmware) that can be exploited by a threat
  276. What is the IATF definition of impact?
    An adverse operational impairment or loss caused by the materialization of a threat
  277. What is the IATF definition of risk?
    The quantification of a) probability that a threat will materialize and cause impact, or b) the estimate of potential financial loss (exposure) an organizational unit might experience in a scenario
  278. What is the IATF definition of trust?
    ~ All protection mechanisms work cohesively to process sensitive data for all authorized users and maintain the required level of protection ~ Consistent enforcement of policy through all states
  279. What is the IATF definition of assurance?
    ~ Degree of confidence that the system will act in a correct and predictable manner in all possible computing situations ~ Known inputs produce expected results through all states
  280. What is the engineering definition of a system?
    a combination of elements designed to function as a unit to perform a function
  281. What is the engineering definition of a structure?
    formulation of systems or processes to perform a function or achieve an objective
  282. What is the engineering definition of a function?
    a description of work that a system must perform to meet customer requirements
  283. What is the engineering definition of a purpose?
    knowledge used to perform a function
  284. Study slide 199
    Study slide 199
  285. Study slide 200
    Study slide 200
  286. What is the equation for an instance of risk?
    instance = threat x vulnerability x impact
  287. What are the parts of the NSTISSI–4009 Risk Management Cycle?
    ~ Identify and value assets in context ~ Assess the risk/threat environment ~ Develop Risk Management Plan ~ Implement Risk Management Actions ~ Monitor to ensure continued correct performance and operation ~ Periodically re–evaluate the risk environment and act as required
  288. What are the risk management actions of Phase 1 of the SLC?
    Phase 1 (Initiation) – Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)
  289. What are the risk management actions of Phase 2 of the SLC?
    Phase 2 (Development/Acquisition) – The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development
  290. What are the risk management actions of Phase 3 of the SLC?
    Phase 3 (Implementation) – The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation
  291. What are the risk management actions of Phase 4 of the SLC?
    Phase 4 (Operation/Maintenance) – Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (i.e., new system interfaces)
  292. What are the risk management actions of Phase 5 of the SLC?
    Phase 5 (Disposal) – Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner
  293. What are the inputs to step 1 of the SP 800–30 Risk Assessment Activities?
    ~ Hardware ~ Software ~ Systems interfaces ~ Data and information ~ People ~ Systems mission
  294. What are the inputs to step 2 of the SP 800–30 Risk Assessment Activities?
    ~ History of system attack ~ Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
  295. What are the inputs to step 3 of the SP 800–30 Risk Assessment Activities?
    ~ Reports from prior risk assessments ~ Any audit comments ~ Security requirements ~ Security test results
  296. What are the inputs to step 4 of the SP 800–30 Risk Assessment Activities?
    ~ Current controls ~ Planned controls
  297. What are the inputs to step 5 of the SP 800–30 Risk Assessment Activities?
    ~ Threat–source motivation ~ Threat capacity ~ Nature of vulnerability ~ Current controls
  298. What are the inputs to step 6 of the SP 800–30 Risk Assessment Activities?
    ~ Mission impact analysis ~ Asset criticality assessment ~ Data criticality ~ Data Sensitivity
  299. What are the inputs to step 7 of the SP 800–30 Risk Assessment Activities?
    ~ Likelihood of threat exploitation ~ Magnitude of impact ~ Adequacy of planned or current controls
  300. What are the outputs to step 1 of the SP 800–30 Risk Assessment Activities?
    ~ System boundary ~ System functions ~ System and data criticality ~ System and data sensitivity
  301. What are the outputs to step 2 of the SP 800–30 Risk Assessment Activities?
    ~ Threat statement
  302. What are the outputs to step 3 of the SP 800–30 Risk Assessment Activities?
    ~ List of potential vulnerabilities
  303. What are the outputs to step 4 of the SP 800–30 Risk Assessment Activities?
    ~ List of current and planned controls
  304. What are the outputs to step 5 of the SP 800–30 Risk Assessment Activities?
    Likelihood rating
  305. What are the outputs to step 6 of the SP 800–30 Risk Assessment Activities?
    Impact rating
  306. What are the outputs to step 7 of the SP 800–30 Risk Assessment Activities?
    Risks and associated risk levels
  307. What are the outputs to step 8 of the SP 800–30 Risk Assessment Activities?
    Recommended controls
  308. What are the outputs to step 9 of the SP 800–30 Risk Assessment Activities?
    Risk Assessment Report
  309. What is the DoD 500.2–R definition of Systems Engineering?
    The systems engineering process shall: ~ Transform approved operational requirements into an integrated system design solution through concurrent consideration of all life–cycle needs ~ Ensure the integration of all operational, functional, and physical interfaces, and that system definition and design reflect the requirements for all system elements ~ Characterize and manage technical risks ~ Apply engineering principles to identify security vulnerabilities and contain information assurance as well as force protection risks associated with these vulnerabilities
  310. What is security engineering?
    It is the application of traditional systems engineering processes to the specific problems and issues regarding assurance and security of systems and information.
  311. What are the goals of security engineering?
    ~ Understand Security Risks ~ Establish Security Needs ~ Develop Security Guidance ~ Determine Acceptable Risks ~ Establish Assurance
  312. Who practices security engineering?
    ~ Developers ~ Product vendors ~ Integrators ~ Buyers ~ Security evaluation organizations ~ System administrators ~ Consulting/service organizations
  313. When is security engineering practiced?
    throughout all phases of the SDLC
  314. What activities should be included/considered in security engineering?
    ~ Operations Security ~ Information Security ~ Network Security ~ Physical Security ~ Personnel Security ~ Administrative Security ~ Communications Security ~ Emanations Security ~ Computer Security
  315. What are the system lifecycle phases of IEEE–1220?
    1. Development: the initial phases of planning and executing system definition tasks required to meet the evolving customer need 2. Manufacturing: the activities necessary to produce models and prototypes to demonstrate the planned design functionality 3. Test: performance validation of the prototype or the pre–commission version of the produced solution to measure customer satisfaction 4. Distribution: delivery and commissioning of the produced solution in the planned operational environment(s) 5. Operations: the produced solution performing as intended/expected 6. Support: sustaining maintenance of the produced solution 7. Training: all tasks, tools, and technologies employed to prepare and sustain human knowledge and proficiency in the produced solution 8. Disposal: the disposal, retirement, or recycling of the original produced solution in a secure and environmentally sound manner
  316. What is the goal of activity 1 of the IATF ISSE process?
    Discover Information Protection Needs Ascertain why the system needs to be built – what needs the system must fulfill.
  317. What is the goal of activity 2 of the IATF ISSE process?
    Define System Security Requirements Define the system in terms of what the system needs to be able to do.
  318. What is the goal of activity 3 of the IATF ISSE process?
    Define System Security Architecture Use previously documented information to choose the types of security components that will perform specific security functions. This process is the core of designing the security architecture.
  319. What is the goal of activity 4 of the IATF ISSE process?
    Develop Detailed Security Design Based on the security architecture, begin to design the system to be able to do what it needs to.
  320. What is the goal of activity 5 of the IATF ISSE process?
    Implement System Security Build/Implement the system so it does what it is supposed to do.
  321. What is the goal of activity 6 of the IATF ISSE process?
    Assess Security Protection Effectiveness Assess the degree to which the system, as it is defined, designed, and implemented, meets the needs. This assessment activity occurs during and with all the other activities in the ISSE process.
  322. What is the goal of activity 7 & 8 of the IATF ISSE process?
    Plan and Manage Technical Effort ~ Planning the technical effort occurs throughout the ISSE process. ~ ISSE must review each of the following areas to scope support to the customer in conjunction with the other activities. ~ Requires a unique skill set, and is likely to be assigned to senior–level personnel.
  323. List the tasks and subtasks of IATF ISSE Activity 1
    Task – 01.1 Analyze organization's mission Task – 01.2 Determine relationship and importance of information to mission Task – 01.3 Identify legal and regulatory requirements Task – 01.4 Identify classes of threats Task – 01.5 Determine impacts Task – 01.6 Identify security services Task – 01.7 Document the information protection needs Task – 01.8 Document security management roles and responsibilities Task – 01.9 Identify design constraints Task – 01.10 Assess information protection effectiveness Subtask – 01.10.1 Provide/present documented information protection needs to the customer Subtask – 01.10.2 Obtain concurrence from the customer in the information protection needs Task – 01.11 Support system C&A Subtask – 01.11.1 Identify DAA/Accreditor Subtask – 01.11.2 Identify Cert Authority/Certifier Subtask – 01.11.3 Identify C&A and acquisition processes to be applied Subtask – 01.11.4 Ensure accreditors' and certifiers' concurrence in the information protection needs
  324. List the tasks and subtasks of IATF ISSE Activity 7
    Task – 07.1 Estimate the project scope Task – 07.2 Identify resources and availability Task – 07.3 Identify roles and responsibilities Task – 07.4 Estimate project costs Task – 07.5 Develop project schedule Task – 07.6 Identify technical activities Task – 07.7 Identify deliverables Task – 07.8 Define management interfaces Task – 07.9 Prepare technical management plan Task – 07.10 Review project plan Task – 07.11 Obtain customer agreement
  325. List the tasks and subtasks of IATF ISSE Activity 8
    Task – 08.1 Direct technical effort Task – 08.2 Track project resources Task – 08.3 Track technical parameters Task – 08.4 Monitor progress of technical activities Task – 08.5 Ensure quality of deliverables Task – 08.6 Manage configuration elements Task – 08.7 Review project performance Task – 08.8 Report project status
  326. What are the ISSE duties during Initiation?
    The need for a system is expressed and the purpose of the system is documented: ~ Discover information protection needs ~ Define system security requirements ~ Categorize/characterize the system (as intended in final form) ~ Conduct a Sensitivity Assessment ~ Prepare a Security Plan (initial very general working plan) ~ Initiate Risk Assessment activities All items are documented and become part of the system history and build baseline documentation.
  327. What tasks must the ISSE complete while Discovering Information Protection Needs?
    ~ Develop an understanding of the customer’s mission or business ~ Help the customer determine what information management is needed to support the mission or business ~ Create a model of that information management, with customer concurrence ~ Document the results as the basis for defining information systems that will satisfy the customer’s needs
  328. What are the key documents/components produced when discovering information protection needs?
    Business/Mission ~ Mission Needs Statement (MNS) ~ Concept of Operations (CONOPS) Information Management Model (IMM) ~ Users or members ~ Rules, privileges, roles, and responsibilities ~ Information objects being managed Information Protection Policy (IPP) ~ Protection needs that support Mission/Business ~ Security service requirements
  329. What constitutes the requirements baseline?
    To determine the customer’s needs: ~ Define the mission need ~ Define the information management to create an Information Management Model (IMM) ~ Define the Information Protection Policy (IPP) Results become the basis for creating an Information Management Policy that meets the customer’s needs
  330. What is Harm To Information (HTI)?
    considers the value of the information and the degree of harm to the mission if the information were disclosed, modified, destroyed, or unavailable when needed
  331. What are Potentially Harmful Events (PHE)?
    considers the existence of malicious adversaries, their degree of motivation, and the potential for accidents and natural disasters
  332. What is an Information Management Policy?
    The ISSEP documents: ~ Information threats ~ Security services and priorities ~ Roles and responsibilities Information Protection Policy (IPP) basis for IMP Information Management Policy (IMP) ~ Information Flow ~ Access and Privileges
  333. What are the parts of the requirements hierarchy?
    ~ Business Mission ~ Functions ~ Architecture ~ Components ~ Design ~ Specifications ~ Implementation
  334. List the parts of the requirements hierarchy from most abstract to most specific.
    ~ Business Mission ~ Functions ~ Architecture ~ Components ~ Design ~ Specifications ~ Implementation
  335. What are the ISSE duties during Development or Acquisition phase?
    The system is designed, purchased, programmed, developed, or otherwise constructed ~ Design system security architecture ~ Develop detailed security design ~ Incorporate Security Requirements Into Specifications ~ Make–Buy decisions are made: – Procurement (component or turn–key) – Program – Build All items are documented and become part of the system history and build baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.
  336. What tasks must the ISSE complete while defining system security requirements?
    The ISSEP defines a solution set that satisfies the information protection needs of the IPP A solution set consists of: ~ The System Context ~ A Concept of Operations (CONOPS) ~ The System Requirements
  337. What are the ISSE duties during the Implementation phase?
    The system is tested and installed or fielded ~ Install and configure selected controls and countermeasures ~ Enable and test all controls required in the design documentation ~ Verification and validation of controls functionality ~ Security Testing All items are documented and become part of the system history and build baseline documentation. Previously recorded items are refined, updated or replaced as required to ensure accuracy. ~ Design system security architecture
  338. What tasks must the ISSE complete while designing system security architecture?
    ~ Performs functional analysis of potential architectures to meet requirements from Step 2 ~ Allocates security services ~ Selects security mechanisms ~ Identifies elements of the system to be protected ~ Allocates security functions to those elements ~ Describes the relationships between the elements
  339. What tasks must be performed as part of the detailed design?
    ~ Design must satisfy customer–specified design constraints and the security requirements ~ Design should project the schedule and cost of long–lead items and life–cycle support ~ Design should be under configuration control ~ Design should include a revised security CONOPS ~ Trade–offs must consider priorities, cost, schedule, performance, and residual security risks ~ Failures to satisfy security requirements must be reported to C&A authorities
  340. What tasks must the ISSE complete when developing a detailed security design?
    ~ Allocating security mechanisms to system security design elements ~ Identifying candidate products ~ Qualifying element and system interfaces ~ Developing system specifications
  341. When does the Operations & Maintenance phase officially begin?
    When the AO signs and issues the ATO
  342. What are the ISSE duties during the Operation & Maintenance phase?
    The system is being modified by the addition or removal of components, features, or changes in them: ~ Security Operations and Administration ~ Operational Assurance and measurement ~ Audits and Monitoring and subsequent corrective actions ~ Assessment of controls effectiveness ~ Configuration and change management All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.
  343. What factors should be considered when selecting components?
    ~ Current and future availability ~ Cost ~ Form factor ~ Reliability ~ Potential risk to system due to component failure ~ Conformance to design specifications ~ Compatibility with existing components ~ Satisfying evaluation criteria
  344. What tasks must the ISSE complete during implementation?
    ~ Provides inputs to C&A process activities ~ Reviews evolving system life cycle support plans ~ Reviews operational procedures for users ~ Reviews maintenance training for administrators ~ Assesses information protection measures in preparation for the final system effectiveness assessment
  345. What tasks must the ISSE complete during testing?
    ~ Participation in the testing of protection mechanisms and functions ~ Verification that the system implementation does protect against the threats identified in the original threat assessment ~ Application of information protection assurance mechanisms related to system implementation and testing practices ~ Continuing risk management ~ Supporting the C&A processes
  346. What tasks must the ISSE complete during the disposal phase?
    This involves the final disposition of data, hardware, and software ~ Information archiving ~ Data transferral to new operational environment ~ Media Sanitization ~ Retirement or destruction ~ Recycling All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.
  347. Why use the CMM approach?
    ~ Accepted way of defining practices and improving capability ~ Increasing use in acquisition as an indicator of capability ~ ROI for software indicates success
  348. Why was the SSE–CMM developed?
    Objective: ~ advance security engineering as a defined, mature, and measurable discipline Project Goal: ~ Develop a mechanism to enable: – selection of appropriately qualified security engineering providers – focused investments in security engineering practices – capability–based assurance
  349. List the organizational capability measures.
    ~ Level 1 (Performed Informally) 1.1 Base Practices are Performed ~ Level 2 (Planned and Tracked) 2.1 Planning Performance 2.2 Disciplined Performance 2.3 Verifying Performance 2.4 Tracking Performance ~ Level 3 (Well–Defined) 3.1 Defining a Standard Process 3.2 Perform the Defined Process 3.3 Coordinate the Process ~ Level 4 (Quantitatively Controlled) 4.1 Establishing Measurable Quality Goals 4.2 Objectively Managing Performance ~ Level 5 (Continuously Improving) 5.1 Improving Organizational Capability 5.2 Improving Process Effectiveness
  350. How does the SSE–CMM define best practices at the domain level?
    ~ process areas ~ base practices
  351. How does the SSE–CMM define best practices at the organizational capability level?
    ~ implementation of process areas ~ institutionalization of process areas
  352. What are the SSE–CMM process categories?
    ~ Engineering processes ~ Project processes ~ Organizational processes
  353. What are the SSE–CMM organizational process areas?
    ~ Define Organization’s Security Engineering Process ~ Improve Organization’s Security Engineering Process ~ Manage Security Product Line Evolution ~ Manage Security Engineering Support Environment ~ Provide Ongoing Skills and Knowledge ~ Coordinate with Suppliers
  354. What are the SSE–CMM project process areas?
    ~ Ensure Quality ~ Manage Configurations ~ Manage Program Risk ~ Monitor and Control Technical Effort ~ Plan Technical Effort
  355. What are the SSE–CMM engineering technical "base" process areas?
    PA01 – Administer Security Controls PA02 – Assess Security Impacts PA03 – Assess Security Risk (to CIA and other information assets) PA04 – Assess Threat PA05 – Assess Vulnerability PA06 – Build Assurance Argument PA07 – Coordinate Security PA08 – Monitor Security Posture PA09 – Provide Security Input PA10 – Specify Security Needs PA11 – Verify and Validate Security
  356. What are the classes of attacks?
    ~ Passive attacks can result in the disclosure of data to an attacker without the knowledge of the user ~ Active attacks include attempts to circumvent protection features to execute a deliberate attack ~ Close–in attacks occur when an attacker is in physical close proximity to resources to launch an attack ~ Insider attacks can be malicious or non–malicious: – Malicious insiders intend to deliberately attack an asset – Non–malicious attacks typically result from lack of knowledge ~ Distribution attacks focus on the malicious modification of resources during production or distribution
  357. What is the first line of defense for a passive attack?
    Link and network layer and encryption and traffic flow security
  358. What is the first line of defense for an active attack?
    Defend the enclave boundaries
  359. What is the first line of defense for an insider attack?
    Physical and personnel security
  360. What is the first line of defense for a close–in attack?
    Physical and personnel security
  361. What is the first line of defense for a distribution attack?
    Trusted software development and distribution
  362. What is the second line of defense for a passive attack?
    Security–enabled applications
  363. What is the second line of defense for an active attack?
    Defend the computing environment
  364. What is the second line of defense for an insider attack?
    Authenticated access controls, audit
  365. What is the second line of defense for a close–in attack?
    Technical surveillance countermeasures
  366. What is the second line of defense for a distribution attack?
    Run time integrity controls
  367. What is the major goal of C&A?
    Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems
  368. What are the objectives of C&A?
    To achieve more secure information systems within the federal government by: ~ Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems ~ Promoting a better understanding of agency–related mission risks resulting from the operation of information systems ~ Creating more complete, reliable, and trustworthy information for authorizing officials in order to facilitate more informed accreditation decisions
  369. What is the NSTISSI 4009 definition of Certification?
    “The comprehensive evaluation of the technical and non–technical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.”
  370. What are the characteristics of certification?
    ~ Formal process for testing systems against a set of security requirements ~ Performed by an independent reviewer instead of someone who was involved with building or operating the system ~ The amount of rigor employed may vary depending on the system level or operational context.
  371. What is accreditation?
    The decision given by the designated senior agency official to authorize operation of an information system: ~ In a particular security mode ~ Using a prescribed set of controls ~ Against a defined threat ~ At an acceptable level of risk ~ For a specific period of time The official explicitly accepts the risk to agency assets based on the implementation of these security conditions. [remember the phrase "and the nation"]
  372. What is the NSTISSI 4009 definition of Accreditation?
    “A formal declaration by the DAA that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.”
  373. What are the significant benefits of C&A?
    ~ More consistent, comparable, and repeatable security evaluations ~ More complete, reliable technical information for information system accreditation authorities, leading to better understanding of complex systems and associated risks and vulnerabilities ~ Greater availability of competent certification services for customers ~ Assessments by accredited organizations can form the basis for cyber insurance policy decisions
  374. What is the NSTISSI 4009 definition of an Automated Information System (AIS)?
    “Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”
  375. What is Information Assurance?
    Measures that protect and defend information and information systems by ensuring their availability, integrity, confidentiality, authentication and non–repudiation. This includes providing for restoration of information systems by incorporating the following capabilities: protection, detection, and reaction.
  376. What is Availability?
    Timely, reliable access to data and information services for authorized users.
  377. What is Integrity?
    Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
  378. What is confidentiality?
    Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
  379. What is Access Control?
    Limiting access to information system resources only to authorized users, programs, processes, or other systems.
  380. What is Authentication?
    Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
  381. What is Non–Repudiation?
    Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
  382. What are the accreditation options?
    1 – System: accreditation evaluates a major system application or a clearly defined independent system. 2 – Type: accreditation evaluates a common application or system that is distributed to a number of different locations. 3 – Site: accreditation evaluates applications and systems at a specific, self–contained location.
  383. What are C&A artifacts?
    System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls.
  384. What is C&A from the DoD's perspective?
    The standard DoD approach for: ~ identifying information security requirements, ~ providing security solutions, and ~ managing the security of DoD information systems.
  385. What are the general steps of the C&A process?
    ~ Define problem ~ Risk assessment ~ Implement controls ~ Certification ~ Accreditation ~ Ops/maintenance ~ Disposal
  386. What Acts support C&A?
    ~ Privacy Act of 1974 ~ Computer Security Act of 1987 ~ Clinger–Cohen Act of 1996 – Information Technology Management Reform Act – Defines National Security Systems ~ NIST SP800–59
  387. What Government document requires C&A?
    OMB Circular A–130 ~ Management of Federal Information Resources, Appendix III, December 24, 1985 ~ Mandatory implementation of Computer Security Act and FISMA requirements – 3–year reviews ~ Defines "adequate security"
  388. What is "adequate security"?
    “security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.…provide appropriate confidentiality, integrity, and availability, through the use of cost effective management, personnel, operational, and technical controls.”
  389. What executive order mandates C&A?
    Executive Order 13231, 16 October 2001 Critical Infrastructure Protection in the Information Age
  390. What law is the most recent overarching requirement for C&A?
    FISMA ~ (Federal Information Security Management Act) – Title III of E–Government Act of 2002 (Public Law 107–347) ~ OMB has Oversight over E–Government – Federal Government (Organizations and IG’s) must report IA status to OMB annually and quarterly – OMB provides reports to Congress annually – Congressional Cyber Security Grade ~ NIST publishes Standards and Guidelines ~ All Federal Government must follow NIST C&A processes, with the exception of Defense and Intelligence organizations.
  391. What does DITSCAP stand for?
    Defense Information Technology Security Certification and Accreditation Process
  392. What instruction created DITSCAP?
    DoDI 5200.40, 30 December 1997 ~ Applies to all DoD systems
  393. What are the phases of DITSCAP?
    o Definition o Verification o Validation o Post–accreditation
  394. What document further defined DITSCAP?
    DoD 8510.1–M DITSCAP Application Manual, July 00 ~ Implementation guidance ~ Deliverable format
  395. What is the document created by DITSCAP called?
    System Security Authorization Agreement (SSAA)
  396. What activities occur in phase 1 of DITSCAP/NIACAP?
    ~ Determine requirements ~ Define boundaries ~ Tailor the process & scope the effort ~ Draft the SSAA
  397. What activities occur in phase 2 of DITSCAP/NIACAP?
    ~ System development activities ~ Initial certification analysis ~ Document results in SSAA
  398. What activities occur in phase 3 of DITSCAP/NIACAP?
    ~ Test installed system ~ Evaluate procedural, physical, personnel, CM etc. procedures ~ Document results
  399. What activities occur in phase 4 of DITSCAP/NIACAP?
    ~ Operate the system ~ Security operations ~ CM & change control ~ Maintain SSAA
  400. What does NIACAP stand for?
    National Information Assurance Certification and Accreditation Process
  401. What instruction created NIACAP?
    NSTISSI No. 1000, April 2000 Applies to all National Security Systems (NSSs)
  402. What are the phases of NIACAP?
    ~ Definition ~ Verification ~ Validation ~ Post–accreditation
  403. What is the document created by NIACAP called?
    System Security Authorization Agreement (SSAA)
  404. What document defines the NIST C&A process?
    Guide for the Security Certification and Accreditation of Federal Information Systems NIST 800–37, May 2004 ~ Applies to all Federal Systems
  405. What are the phases of the NIST C&A process (800–37)?
    ~ Initiation ~ Certification ~ Accreditation ~ Continuous Monitoring
  406. What are the key documents produced in the NIST C&A process (800–37)?
    ~ SSP – System Security Plan, NIST SP800–18 ~ ST&E – Security Test and Evaluation, NIST SP800–53A ~ SAR – System Assessment Report, NIST 800–37 ~ POA&M – Program of Actions & Milestones, OMB 02–1
  407. What does DIACAP stand for?
    DoD Information Assurance Certification and Accreditation Process
  408. What are the major components of DIACAP?
    ~ Process (DoDI 8510) ~ Automation (eMASS) ~ Guidance and Collaboration (Knowledge Service)
  409. What instruction created DIACAP?
    DoDI 8510.01, 28 November 2007 ~ Applies to all DoD systems
  410. What are the phases of DIACAP?
    ~ Initiation and Planning IA C&A ~ Implement and Validate Assign IA Controls ~ Make Certification Determination and Accreditation Decision ~ Maintain Authorization to Operate and Conduct Reviews ~ Decommission
  411. What are the key documents produced by DIACAP?
    ~ System Identification Profile (SIP) [Description/Registration] ~ DIACAP Implementation Plan (DIP) [Implement/Validate] ~ POA&M [correction/mitigation] ~ Scorecard [risk assessment]
  412. What are the supporting resources for DIACAP?
    ~ Knowledge Service ~ eMASS and other tools
  413. What is the NSTISSI 4009 definition of Program Manager?
    “The PM represents the interests of the AIS, and is responsible for the AIS throughout its lifecycle; ensures the security requirements are integrated in order to achieve an acceptable level of risk as documented in the SSAA, and keeps all participants informed of AIS lifecycle actions, security requirements and user needs.”
  414. What is the NSTISSI 4009 definition of Designated Approving Authority?
    “The primary government official responsible for implementing system security. An executive with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk, and to balance the needs of the system with the security risks.”
  415. What is the NSTISSI 4009 definition of User Representative?
    “Official with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk.”
  416. What is the NSTISSI 4009 definition of Information Systems Security Officer?
    “Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.”
  417. What is the DoDI 5200.40 definition of System Security Authorization Agreement?
    “A description of the system mission, target environment, target architecture, security requirements, and applicable data access policies. It also describes the applicable set of planning and certification actions, resources, and documentation required to support the certification and accreditation. It is the vehicle that guides the implementation of INFOSEC requirements and the resulting certification and accreditation actions.”
  418. What does the SSAA document?
    ~ The operating environment and the threat ~ The AIS security architecture and the C&A boundary of the AIS to be accredited ~ The agreement among the parties involved ~ All requirements necessary for accreditation ~ Condenses and consolidates the documentation requirements (CONOPS, tests, etc) ~ The overall C&A plan (NIACAP/DITSCAP) ~ The test plans, results, and residual risk ~ The baseline security configuration document
  419. What are the characteristics of an SSAA?
    ~ Describes the operating environment and threat ~ Describes the system security architecture ~ Establishes the C&A boundary of the system ~ Documents the formal agreement among the DAA, certifier, program manager, and user representative ~ Documents all requirements necessary for accreditation ~ Documents test plans and procedures, certification results, and residual risk ~ Forms the baseline security configuration document
  420. What are the main tasks of DITSCAP phase 1?
    ~ Define system functions, requirements, and interfaces ~ Define information category and classification ~ Prepare the system architecture description ~ Identify principal C&A roles & responsibilities ~ Define C&A level of effort ~ Draft SSAA ~ Agree on the method for implementing security requirements (documented in SSAA)
  421. What are the phases of the 800–37 Rev 1?
    ~ Categorize ~ Select ~ Implement ~ Assess ~ Authorize ~ Monitor
  422. What are the key deliverables of the 800–37 Rev 1?
    SSP, SAR, POA&M
  423. In the Definition phase of DITSCAP (Determine mission needs), what documents/information is needed?
    ~ System Requirements and Capabilities ~ System Mission, Function, Interfaces ~ Organizations operating system ~ Operational environment ~ Information types and classifications ~ Expected System Life Cycle ~ System User Characteristics ~ Intended system/network interfaces
  424. What actions are required in Task 1 of DITSCAP Definition: Determine Mission Needs?
    Registration begins with preparing the business, mission, or operational functional description as well as system description and system identification. The information collected during the preparation activity is evaluated and applicable information assurance requirements are determined.
  425. What actions are required in Task 2 of DITSCAP Definition: Determine Mission Needs?
    Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system).
  426. What actions are required in Task 3 of DITSCAP Definition: Determine Mission Needs?
    Prepare the environment and threat description. Threats should be assessed against the specific business functions and system description to determine the required protection. The threat, and subsequent vulnerability assessments, must be used in establishing and selecting the IA policy objectives that will counter the threat.
  427. What actions are required in Task 4 of DITSCAP Definition: Determine Mission Needs?
    Prepare system architecture description, describe the C&A boundaries, and document relationships with external systems or equipment.
  428. What actions are required in Task 5 of DITSCAP Definition: Determine Mission Needs?
    Determine the system security requirements. The risk management and vulnerability assessment actions commence. A risk management process may also be installed in an effective, understandable, and repeatable manner.
  429. What actions are required in Task 6 of DITSCAP Definition: Determine Mission Needs?
    Tailor the C&A tasks, determine the level of effort, and prepare a C&A plan. The C&A team determines the level of effort by evaluating the security requirements and the degree of assurance needed in areas such as confidentiality, integrity, availability, and accountability. The planned level of effort is targeted at addressing the security requirements and fulfilling the mission of the program.
  430. What actions are required in Task 7 of DITSCAP Definition: Determine Mission Needs?
    Identify organizations involved in C&A and the resources required.
  431. What actions are required in Task 8 of DITSCAP Definition: Determine Mission Needs?
    Develop the draft SSAA during the registration activities to consider the program’s system development approach and life cycle stage, existing documentation and environment, architecture and business functions, and documentation on users and data classification and categorization.
  432. In the Definition phase of DITSCAP (Registration), what information is needed?
    ~ Information collected ~ Security requirements determined ~ Threat Assessment started ~ Level of effort of C&A determined ~ Prepare system description with boundaries ~ Determine acquisition strategy & life cycle ~ Assess impact of life cycle on certification
  433. In the Definition phase of DITSCAP (Registration), what tasks must be performed?
    ~ Determine classification and types of information ~ Determine clearances and access requirements ~ Identify system class and security requirements ~ Identify organizations supporting DITSCAP ~ Tailor DITSCAP activities ~ Determine scope, level of effort, and schedule
  434. In the Definition phase of DITSCAP (negotiation), who needs to participate?
    Key members are: ~ Designated Approving Authority ~ Program Manager ~ Certifying Agent ~ User Representative ~ Information Systems Security Officer. Strategy agreed upon: ~ Not a bargaining session! ~ Everyone understands roles ~ No surprises
  435. In the Definition phase of DITSCAP (negotiation), what needs to happen?
    Clearly defines: ~ Requirements ~ Approach ~ Level of Activity. Approval of SSAA by: ~ Designated Approving Authority ~ Program Manager ~ User Representative
  436. What are the objectives of the DITSCAP SSAA?
    ~ Phase 1 End Product (refined in later phases) ~ Document the formal agreement among the DAA, the CA, the user representative, and the program manager ~ Document all requirements necessary for accreditation ~ Document all security criteria for use throughout the IT system life–cycle ~ Minimize documentation requirements by consolidating applicable information into the SSAA ~ Document the DITSCAP plan
  437. What are the main tasks of DITSCAP phase 2?
    ~ System Architecture Analysis ~ Software Design Analysis ~ Network Connection Rule Compliance ~ Integrity Analysis of Integrated Products ~ Life Cycle Management Analysis ~ Security Requirements Validation Procedures ~ Vulnerability Evaluation ~ Refine/modify SSAA
  438. In the Verification phase of DITSCAP, what are the goals?
    Verify system compliance with requirements; refine the SSAA, if needed. Refine analysis: ~ System development ~ Modifications ~ Certifications. Review and refine SSAA, if necessary: ~ Hardware details ~ Software details. Certification analysis: ~ Corresponds to Life Cycle activity ~ Verification by analysis, investigation, comparison
  439. In the Verification phase of DITSCAP, what are the certification actions?
    ~ System Architecture Analysis ~ Software Design Analysis ~ Network Connection Rule Compliance ~ Product Integrity Analysis ~ Life Cycle Management ~ Vulnerability Assessment. Completion of these actions gives: ~ Documented security specification ~ Comprehensive test plan ~ All interconnection requirements implemented. Vulnerability assessment impacts Configuration Management: “Good configuration management builds good security; good security application establishes good configuration management.”
  440. In the Verification phase of DITSCAP, what are the completion actions?
    Review certification analysis results upon conclusion of each life cycle development milestone. On significant deviation from the SSAA, revert to the Definition Phase to resolve problems.
  441. What are the main tasks of DITSCAP phase 3?
    ~ ST&E* (Implementation of security reqs, I&A, AC, Audits…) ~ Penetration Testing (Exploitation, Insider/Outsider) ~ COMSEC Compliance Evaluation (reqs, integration) ~ System Management Analysis (Maintain Mgmt/CM/Arch) ~ Contingency Plan Evaluation (Backup, COOP…) ~ Site Accreditation Survey (SSAA compliance, environment) ~ Risk Management Review (acceptable risks to CIAA**) ~ Develop Certification Report and Recommendation for Accreditation: – System Certified: Yes or No (based on meeting SSAA reqs) – If Certified, Recommend: IATO or full accreditation ~ Ends with accreditation decision from DAA
  442. In the Validation phase of DITSCAP, what are the goals?
    ~ Review the SSAA to ensure requirements and agreements are current ~ Evaluation of the IT system ~ Formal system certification test and security accreditation actions
  443. In the Validation phase of DITSCAP, what are the evaluation actions?
    ~ System Security Testing and Evaluation ~ Penetration Testing ~ TEMPEST (EMSEC) and Red/Black Verification ~ Validation System Management Analysis ~ Site Accreditation Surveys ~ Personnel Security ~ Physical Security ~ Environmental Security ~ Contingency Plan Examination ~ Risk Management Review ~ Recommendation and documentation to DAA: Security Findings, Deficiencies, Risks of Operation
  444. In the Validation phase of DITSCAP, what are the possible accreditation decisions?
    ~ Denial ~ IATO ~ ATO
  445. What are the main tasks of DITSCAP phase 4?
    Review configuration & security management: ~ Follow change mgmt documented in SSAA ~ Determine if system security mgmt continues to support mission and architecture. Conduct risk management review: ~ Assess if risk to CIAA is being maintained at an acceptable level. Conduct compliance validation if needed: ~ Ensure continued compliance w/SSAA reqs, current threat assessment, and concept of operations. Maintain SSAA.
  446. What are the roles and responsibilities of NIACAP?
    ~ DAA – Designated Approving Authority ~ Program Manager ~ Certifier ~ User Representative
  447. What does NIACAP establish?
    NIACAP establishes a standard national process to certify and accredit systems that will maintain the IA of a system
  448. What are the NIACAP levels of certification?
    ~ Level 1: Basic security review ~ Level 2: Minimum analysis ~ Level 3: Detailed analysis ~ Level 4: Comprehensive analysis Level is determined by criticality, C.I.A. requirements, business mission, CI involvement, data processed, user types, accountability and other factors. The higher on such scales, the more comprehensive the C&A.
  449. Why was DIACAP established?
    Providing a standard C&A approach. Giving guidance on managing and disseminating enterprise standards and guidelines for: ~ IA design, implementation, configuration, validation, operational sustainment, and reporting ~ Implementing and maintaining security through the IS’s Life–Cycle. Accommodating diverse information systems in a dynamic environment.
  450. What is a DIACAP SIP?
    System Identification Profile (SIP) The SIP is compiled during: ~ DIACAP registration ~ Maintained throughout the system life cycle. Provides detailed description of: ~ System mission ~ Components and Information ~ Location and Environment ~ Connections ~ Players
  451. What is a DIACAP DIP?
    DIACAP Implementation Plan (DIP) Contains the IS’s: ~ Assigned IA controls ~ Implementation status ~ Responsible entities ~ Resources ~ Estimated completion date The plan may reference: ~ Supporting implementation material ~ Artifacts
  452. What does the DIACAP DIP do?
    Describes how each assigned IA control is implemented; implementation follows the guidelines described in the DIACAP KS.
  453. What information is included in the DIACAP DIP?
    ~ IA Control # ~ IA Control Subject Area ~ IA Control Name ~ IA Control Text (Requirement) ~ Threat/Vulnerability/Countermeasure ~ General Implementation Guidance ~ System–specific Guidance ~ Resource
  454. What is a DIACAP Scorecard?
    ~ Summary report that succinctly conveys information on the IA posture of the system in a format that can be exchanged electronically. ~ Documents the accreditation decision and must be signed, either manually or with a DoD PKI–certified digital signature. ~ The Scorecard contains a listing of all IA controls and their status of either C, NC, or NA. ~ Additional data elements may be specified by CIOs, DAAs, or other enterprise users of the Scorecard
  455. What is a DIACAP POA&M?
    ~ Is a management tool. ~ Primary purpose is to assist agencies in identifying, assessing, prioritizing, and monitoring security weaknesses found in programs and systems, along with the progress of corrective efforts for those vulnerabilities. ~ OMB requires agencies to prepare IT Security POA&Ms for all programs and systems in which an IT security weakness has been found. ~ Agency CIOs must report their progress on at least a quarterly basis to OMB.
  456. What tasks are part of DIACAP Activity 1?
    Initiate and Plan IA C&A ~ Create the System Identification Plan (SIP) ~ Register system with DoD Component IA Program ~ Assign IA controls ~ Assemble DIACAP Team ~ Initiate DIACAP Implementation Plan (DIP)
  457. What tasks are part of DIACAP Activity 2?
    Implement and Validate Assigned IA Controls ~ Execute DIP ~ Conduct validation activities ~ Plan of Action and Milestones (POA&M) ~ Compile validation results in DIACAP Scorecard
  458. What tasks are part of DIACAP Activity 3?
    Make Certification Determination and Accreditation Decision ~ Make certification determination ~ Make accreditation decision
  459. What tasks are part of DIACAP Activity 4?
    Maintain Authorization to Operate and Conduct Reviews ~ Maintain situational awareness ~ Maintain IA posture ~ Conduct annual reviews ~ Initiate reaccreditation
  460. What tasks are part of DIACAP Activity 5?
    Decommission ~ Retire the system ~ Update/remove registration with DoD Component IA Program
  461. What is the GIG?
    Global Information Grid Globally interconnected, end–to–end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information for all. Provides capabilities from all locations, interfaces to coalition, allied, and non–DoD users and systems.
  462. What does the GIG support?
    Supports National Security, Intelligence Community and DoD Mission Areas (MA) functions: ~ Enterprise Information Environment MA (EIEMA) ~ Business MA (BMA) ~ Warfighting MA (WMA) ~ Defense Intelligence MA (DIMA)
  463. What is the DIACAP TAG?
    Technical Advisory Group (TAG) ~ A formally chartered body established by ASD–NII and DoD CIO to examine and address common C&A issues, including changes to the baseline IA controls, across the DoD Component IA programs, IA Communities of Interest (COIs), and other GIG entities. ~ The DIACAP TAG also maintains configuration control and management of the DIACAP and all its supporting content on the DIACAP KS.
  464. What is the role of the DIACAP IA Senior Leadership?
    IA Senior Leadership (IASL) ~ Provides the integrated planning, coordination, and oversight of the Department's IA programs to assure the availability, integrity, authentication, confidentiality, and non–repudiation of the Department's mission essential and mission support information and the reliability of the DII.
  465. What does the DIACAP apply to?
    DIACAP applies to DoD–owned information systems and DoD–controlled information systems operated by a contractor or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification or sensitivity
  466. What does the DIACAP NOT apply to?
    Nuclear Command and Control Extremely Sensitive Information (NC2–ESI)
  467. What are the DIACAP roles and responsibilities?
    ~ Principal Accrediting Authority (PAA) ~ PAA Representative ~ Designated Approving Authority (DAA) ~ Heads of DoD Components ~ Chief Information Officer (CIO) ~ Senior Information Assurance Official (SIAO) ~ Certifying Authority (CA) (e.g., validators, analysts, CA representatives (CAR)) ~ Program Executive Officer (PEO) ~ Program/System Manager (PM/SM) ~ Information Assurance Manager (IAM) ~ Information Assurance Officer (IAO) ~ User Representative (UR)
  468. What is the PAA?
    The senior official representing the interests of a GIG MA regarding C&A ~ Represent the interests of the MA and, as required, issue accreditation guidance specific to the MA, consistent with this Instruction. ~ Appoint flag–level (e.g., general officer, senior executive) PAA Representatives to the DISN/GIG Flag Panel. ~ Resolve accreditation issues within their respective MAs and work with other PAAs to resolve issues among MAs, as needed. ~ Designate DAAs for MA ISs, if required, in coordination with appropriate DoD Components.
  469. What is the PAA Representative?
    Appointed by PAA ~ Serve as a member of the DISN/GIG Flag Panel. ~ Provide MA–related guidance to DAAs, Milestone Decision Authorities (MDA), the DSAWG, and the DIACAP TAG. ~ Advise the corresponding MA PAAs and assist the DoD CIO and SIAO in assessing the effectiveness of GIG IA capabilities.
  470. What do the Heads of DoD Components do to support DIACAP?
    ~ Ensures DoD ISs under their purview comply with the DIACAP. ~ Operates only accredited ISs. ~ Complies with all accreditation decisions, including denial of authorization to operate (DATO), and enforce authorization termination dates (ATD). ~ Ensures that an annual assessment of the DoD Component IA program is conducted. ~ Appoints DAAs for DoD ISs under their purview.
  471. What is the role of the DAA in DIACAP?
    The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. Accreditation decisions: ~ ATO ~ IATO ~ DATO ~ IATT. Responsible for the Mission and Resources. Must be a Government Employee.
  472. What is the role of the CIO in DIACAP?
    Appoints the DoD Component SIAO. Ensures ~ Implementation and validation of IA controls through the DIACAP are incorporated in the IS’s life–cycle management processes. ~ C&A status of the ISs are visible to the ASD(NII)/DoD CIO and PAAs. ~ Collaboration and cooperation between the DoD Component IA program and the PAA and DAA structure. ~ PM or SM is identified for each IS. Establishes and manages an IT Security POA&M program.
  473. What is the role of the SIAO in DIACAP?
    Senior IA Officer (SIAO) ~ Establishes and enforces the DoD Component IA program’s C&A process. ~ The single IA coordinator for joint or Defense–wide programs that are deploying ISs to DoD Component enclaves. ~ Ensures participation in the DIACAP TAG. ~ Tracks C&A status of Component ISs. ~ Establishes and manages a coordinated IA certification process. ~ Is the certifying authority (CA), or formally delegates the CA role, for ISs and oversees CA experts.
  474. What is the role of the PM, SM and PEO in DIACAP?
    ~ Implements the DIACAP for assigned DoD ISs. ~ Plans and budgets for IA controls implementation, validation, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management. ~ Develops, tracks, resolves, and maintains the DIACAP Implementation Plan (DIP) for assigned ISs. ~ Enforces DAA accreditation decisions for hosted or interconnected DoD ISs.
  475. What is the role of the PM, SM and PEO in DIACAP?
    Ensures that: ~ Each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy their responsibilities. ~ Information system security engineering is employed to implement or modify the IA component of the system architecture in compliance with the IA component of the GIG Architecture and to make maximum use of enterprise IA capabilities and services. ~ IT Security POA&M development, tracking, and resolution. ~ Annual reviews of assigned ISs required by FISMA are conducted.
  476. What is the role of the user representative in DIACAP?
    ~ Represents the operational interests of the user community in the DIACAP. ~ Supports the IA controls assignment and validation process to ensure user community needs are met.
  477. Who are the members of the certifying team in DIACAP?
    Certifying Authority (CA) ~ The senior official having the authority and responsibility for the certification of information systems governed by a DoD Component IA program. ~ Make the certification recommendation to the DAA ~ Can be the SIAO. CA Representative/Analyst ~ Delegated the responsibility of reviewing and assessing the DIACAP package for compliance and risk. Validator ~ Individual responsible for conducting a validation procedure.
  478. What is the role of the ISSE in DIACAP?
    Information Systems Security Engineer ~ An individual that performs the Information Systems Security Engineering functions. ~ Works with system architects, engineers, and developers to ensure that IA controls are designed and implemented into a system throughout the development process.
  479. What is the role of the IAM in DIACAP?
    ~ Support the PM or SM in implementing DIACAP. ~ Advise and inform the DoD Component IA program on ISs C&A status and issues. ~ Comply with the DoD Component IA program’s information and process requirements. ~ Provide direction to the IA Officer (IAO). ~ Coordinate with the organization’s SM to ensure issues affecting the organization’s overall security are addressed appropriately. ~ Similar to the IA title Information Systems Security Manager (ISSM) used elsewhere.
  480. What is the role of the IAO in DIACAP?
    ~ An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. ~ While the title IAO is favored within the DoD, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer).
  481. What are the DIACAP risks?
    Risks are assessed to determine the impact upon: ~ Integrity (MAC) ~ Availability (MAC) ~ Confidentiality (CL)
  482. What is a Mission Assurance Category?
    Applicable to DoD information systems, the mission assurance category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. MACs are primarily used to determine the requirements for availability and integrity. The DoD has three defined MAC Levels: ~ MAC I ~ MAC II ~ MAC III
  483. What are the details of MAC I?
    Availability (HIGH), Integrity (HIGH), Most Stringent Protection Measures
  484. What are the details of MAC II?
    Availability (MEDIUM), Integrity (HIGH), Beyond Best Practices
  485. What are the details of MAC III?
    Availability (BASIC), Integrity (BASIC), Commensurate with Commercial Best Practices
  486. What are the Confidentiality Levels (CLs)?
    Classified: ~ Kept secret in the interest of national defense or foreign policy. ~ Includes Confidential, Secret, and Top Secret. Sensitive: ~ could adversely affect the national interest or the conduct of Federal programs, or the privacy of individuals. Public: ~ has been reviewed and approved for public release by the information owner.
  487. What types of information are recognized by DIACAP?
    Sensitive ~ Controlled Unclassified Information (CUI) ~ Loss of confidentiality, integrity, or availability could have serious, severe, or catastrophic adverse impact [includes critical infrastructure data] ~ Types: Personnel, Financial, Payroll, Operational, Medical, and Privacy Act [PII]. Non–Sensitive ~ Approval must be gained prior to release
  488. What EO defines classified information?
    EO 12356
  489. What is the damage the loss of "top secret" would cause?
    cause exceptionally grave damage to the national security
  490. What is the damage the loss of "secret" would cause?
    cause serious damage to the national security
  491. What is the damage the loss of "confidential" would cause?
    cause damage to the national security
  492. What are confidentiality levels used for?
    Used to establish requirements for: ~ individual security clearances or background investigations requirements ~ access approvals ~ need–to–know determinations ~ interconnection controls and approvals ~ acceptable methods by which users may access the system (e.g., intranet, Internet, wireless) ~ appropriate security controls
  493. What are the details of CL: Classified?
    Robustness (HIGH), Security: NSA–approved cryptography and key management
  494. What are the details of CL: Sensitive?
    Robustness (MEDIUM), Security: NIST/FIPS approved cryptography and NSA approved key management
  495. What are the details of CL: Public?
    Robustness (BASIC), Security: NIST/FIPS–approved cryptography and key management
  496. What are DIACAP IA Controls?
    An objective IA condition of integrity, availability or confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format, i.e., a control number, a control name, control text, and a control class. Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with reference OMB A–130.
  497. What are the objective conditions for DIACAP IA Controls?
    ~ objective condition is testable ~ compliance is measurable, and ~ activities required to achieve the IA Control are assignable and thus accountable.
  498. How are DIACAP IA controls assigned?
    Assignment of the controls is made according to: ~ MAC ~ CL
  499. How are DIACAP IA controls laid out?
    They are laid out by: ~ IA Control Subject Areas ~ IA Control Names
  500. List the DIACAP IA control areas, their acronym and number of controls?
    ~ Security Design and Configuration, DC, 31 ~ Identification and Authentication, IA, 9 ~ Enclave and Computing Environment, EC, 48 ~ Boundary Defense, EB, 8 ~ Physical and Environmental, PE, 27 ~ Personnel, PR, 7 ~ Continuity, CO, 24 ~ Vulnerability and Incident Management, VI, 3
  501. Study slide 398
    Study slide 398
  502. Study slide 399
    Study slide 399
  503. What is the robustness level of a DIACAP MAC I system?
    HIGH
  504. What is the robustness level of a DIACAP MAC II system?
    MEDIUM
  505. What is the robustness level of a DIACAP MAC III system?
    BASIC
  506. How are DIACAP IA control robustness levels numbered?
    1–3, where 3 is HIGH robustness; the opposite of the MAC level numbering.
  507. List the DIACAP IA controls associated with Security Design and Configuration (DCAR through DCNR)
    ~ Procedural Review (DCAR–1): Availability ~ Acquisition Standards (DCAS–1): Confidentiality ~ Best Security Practices (DCBP–1): Integrity ~ Control Board (DCCB–2): Integrity ~ Configuration Specification (DCCS–2): Integrity ~ Compliance Testing (DCCT–1): Availability ~ Dedicated IA Services (DCDS–1): Integrity ~ Functional Architecture for AIS Applications (DCFA–1): Integrity ~ HW Baseline (DCHW–1): Availability ~ Interconnection Documentation (DCID–1): Integrity ~ IA Impact Assessment (DCII–1): Integrity ~ IA for IT Services (DCIT–1): Integrity ~ Mobile Code (DCMC–1): Integrity ~ Non–repudiation (DCNR–1): Integrity
  508. List the DIACAP IA controls associated with Security Design and Configuration (DCPA through DCSW)
    ~ Partitioning the Application (DCPA–1): Integrity ~ IA Program and Budget (DCPB–1): Availability ~ Public Domain Software Controls (DCPD–1): Availability ~ Ports, Protocols, and Services (DCPP–1): Availability ~ CM Process (DCPR–1): Integrity ~ IA Documentation (DCSD–1): Availability ~ System Library Management Controls (DCSL–1): Integrity ~ Security Support Structure Partitioning (DCSP–1): Integrity ~ Software Quality (DCSQ–1): Integrity ~ Specified Robustness – Medium (DCSR–2): Confidentiality ~ System State Changes (DCSS–2): Integrity ~ SW Baseline (DCSW–1): Availability
  509. What guidance/instructions are referenced by the DIACAP IA controls?
    ~ DoD 5200.1–R, "DoD Information Security Program," January 1997 (storage, access, classification, etc.) ~ DoD Directive C–5200.5, COMSEC activities ~ ASD(C3I) Memorandum, June 4, 2001, "Disposition of Unclassified DoD Computer Hard Drives" ~ DoD Directive S–5200.19, DoD TEMPEST ~ DoD Instruction O–8530.2, which defines reportable incidents and outlines a standard operating procedure for incident response ~ IATF (IA Technical Framework), Protection Profile Consistency Guidance for High, Medium, and Basic Robustness ~ NIST FIPS 140–2, validated cryptography
  510. What is a compensating control?
    Management, operational, and technical controls employed in lieu of recommended controls that provides equivalent or comparable protection for an information system.
  511. What is a DIACAP CAT Severity Code?
    Indicates: ~ the risk level associated with non–compliance, and ~ the urgency with which corrective action must be completed. The CA assigns a CAT code to each system security weakness during certification analysis. Classification of the findings themselves: ~ a CAT I finding for a MAC I or MAC II system must, at a minimum, be classified CONFIDENTIAL; ~ CAT II weaknesses must be reviewed for their classification level.
  512. What are Category I Severity Code Weakness?
    Allows: ~ primary security protections to be bypassed; ~ immediate access by unauthorized personnel or unauthorized assumption of super–user privileges. Only the Component CIO can authorize operation of a system with a CAT I weakness, and then only through an IATO; the system must be critical to military operations and failure to deploy must preclude mission accomplishment. A copy of the authorization must be sent to the DoD SIAO.
  513. What are Category II Severity Code Weakness?
    A weakness that can lead to unauthorized system access or activity. Usually corrected or mitigated to a point where any residual risk is acceptable. An ATO can be granted ~ only when clear evidence exists that the deficiency can be mitigated within 180 days of the accreditation decision; ~ only one 180–day extension is allowed. The DAA will normally issue a DATO if the weakness is not corrected or mitigated within 360 consecutive days.
  514. What are Category III Severity Code Weakness?
    A weakness that, if corrected, will improve the system’s IA posture. The DAA determines whether these weaknesses will be corrected or the risk will be accepted. CAT IIIs accepted by the DAA are documented in the POA&M: ~ marked N/A in the scheduled completion date column; ~ acceptance by the DAA noted in the milestone column; ~ risk accepted noted in the status column.
  515. What are the types of DIACAP packages?
    Comprehensive Package: ~ used for the CA recommendation; ~ includes all the information resulting from the DIACAP process. Executive Package: ~ a subset of the Comprehensive Package; ~ used for the accreditation decision; ~ provided to others in support of accreditation or other decisions, such as connection approval. Actual artifact formats: each DAA determines what information is necessary to make an accreditation decision and the format in which it is presented.
  516. What documents constitute a DIACAP Comprehensive Package?
    SIP, DIP, Supporting Certification Documentation, Scorecard, POA&M
  517. What documents constitute a DIACAP Executive Package?
    SIP, Scorecard, POA&M
  518. What is the DIACAP Knowledge Service?
    ~ A Web–based, DoD PK–enabled DIACAP knowledge resource that provides current GIG IA C&A guidance. ~ A library of tools, diagrams, process maps, documents, etc., to support and aid execution of the DIACAP. ~ A collaboration workspace for the DIACAP user community to develop, share, and post lessons learned and best practices. ~ A source for IA news, events, and other IA–related information resources.
  519. What is included in the validation procedures?
    IA Control # Procedure Name Procedure Objective Procedure Script Expected Results
  520. What is a STIG?
    Security Technical Implementation Guide (STIG): ~ provides the guidance needed for the development, integration, and updating of secure applications and systems. ~ Subjects: development, design, testing, maintenance, configuration management, education, and training.
  521. What are the families of STIGs?
    ~ Infrastructure ~ Operating System ~ Database ~ Web and Application Services ~ Desktop Application
  522. What is technical project management?
    Project Management is a structured, pro–active management approach for finite undertakings that produce a unique product, service, or other result.
  523. What are the characteristics of technical project management?
    It is characterized by the application of knowledge, skills, tools, and techniques in detailed planning and execution of the endeavor.
  524. How is technical project management accomplished?
    It is accomplished through integrated and logically flowing processes to perform initiating, planning, executing, monitoring, controlling, and close–out activities while balancing competing demands for quality, scope, schedule, and cost.
  525. What is a project framework?
    The Project Framework illustrates and combines all elements necessary to begin, manage, and conclude a project. It starts as a skeleton with basic contents and evolves and expands as the project proceeds.
  526. What is a scope statement?
    A formal definition agreed to by all stakeholders in the project, describing what is to be done, why it is being undertaken, who will be engaged to do the work and when the whole venture should be completed.
  527. What is milestone identification?
    Refers to the process of identifying those discrete steps in a project which represent major steps of achievement, and are generally tied to progress payments.
  528. What is a work breakdown structure?
    This step consists of both the decomposition of all the work associated with milestone achievement into individual work tasks, as well as the identification of all dependencies.
  529. What is a baseline project plan?
    This is the final set of project documents which collectively represents the foundation “agreement” from which work will proceed to its desired end–product or solution. Changes to the baseline should be managed carefully and precisely to avoid unwanted or unforeseen impacts.
  530. What are change management procedures?
    Formal change management is vital in order to avoid unplanned or unmanaged impacts that adversely affect the project schedule or resource profiles. All proposed changes must be reviewed and formally agreed to by all parties, after discussing issues and risks, before proceeding with the modification. This prevents “scope creep”.
  531. Define activity
    A discrete element of work performed during the course of a project. Has measured duration, cost, and resource requirements. Often subdivided into tasks.
  532. Define baseline
    Officially approved version of the plan (cost, schedule, or technical) for a project, a work package, or an activity, plus or minus approved scope changes. Normally altered or updated through changes in scope, funding, schedule, requirements, etc. through the Change Management process.
  533. Define critical path
    Series of activities that determines the duration of the project. In a deterministic model, the critical path is usually defined as those activities with float equal to zero. It is the longest path through the project. See critical path method.
  534. Define critical path method (CPM)
    A network analysis technique that computes the early and late start/finish dates of each activity and the resulting flexibility (float) along each scheduling path, in order to determine the overall project duration and which activities are critical (zero float).
  535. Define decision tree analysis
    The decision tree is a diagram that describes a decision under consideration and the implications of choosing one or another of the available alternatives, incorporating risk, value, scheduling and potential outcomes variables
  536. Define deliverable
    A measurable, tangible, verifiable outcome, result, or item that must be produced to complete a project or part of a project.
  537. Define Deming cycle
    Another name for the “Plan–Do–Check–Act” model popularized by W. Edwards Deming as a continual quality improvement tool.
  538. Define dependency
    An action, input, or outcome (cost, schedule, or other factor) that creates a cause–and–effect relationship between two or more aspects of a project. Can result in a slippage, acceleration, overrun, or similar result in the affected element.
  539. Define estimate
    An assessment of the likely quantitative result (cost, schedule, outcome), qualified as plus or minus some percentage or as a rough order of magnitude (ROM).
  540. Define life–cycle costing
    The concept of including acquisition, operating, and disposal costs when evaluating various alternatives.
  541. Define network analysis
    The process of identifying early and late start and finish dates for the uncompleted portions of project activities. See also critical path method, program evaluation and review technique, and graphical evaluation and review technique.
  542. Define Pareto diagram
    A histogram, ordered by frequency of occurrence, that shows how many results were generated by each identified cause.
  543. Define PERT chart
    The term is commonly used to refer to a project network diagram.
  544. Define PERT
    Program Evaluation and Review Technique (PERT): An event–oriented network analysis technique used to estimate program duration when there is uncertainty in the individual activity duration estimates. PERT applies the CPM using durations computed as a weighted average of the optimistic, most likely, and pessimistic estimates, (O + 4M + P) / 6, with a standard deviation of (P – O) / 6 per activity. PERT computes the standard deviation of the completion date from those of the activity durations along the critical path. Also known as the Method of Moments Analysis.
  545. Define project
    A temporary endeavor undertaken to create a unique product, service, or result.
  546. Define project life–cycle
    A collection of generally sequential project phases whose name and number are determined by the control needs of the organization or organizations involved in the project.
  547. Define project network diagram
    Any schematic display of the logical relationships of project activities. Always drawn from left to right to reflect project chronology. Often referred to as a PERT chart.
  548. Define project plan
    A formal, approved document used to guide both project execution and project control. The primary uses of the project plan are to document planning assumptions and decisions, facilitate communication among stakeholders, and document approved scope, cost, and schedule baselines. A project plan may be produced or presented in a summary or detail form.
  549. Define project risk management
    The systematic process of identifying, analyzing, and responding to project risk (produced by any element that threatens to cause adverse impact to cost, schedule, resource utilization, or overall project failure). It includes the processes of risk management planning, risk identification, qualitative risk analysis, quantitative risk analysis, risk response planning, and risk monitoring and control.
  550. Define project schedule
    The planned dates for performing activities and the planned dates for meeting milestones.
  551. Define project scope
    The work that must be done to deliver a product with the specified features and functions. Also, the sum of the products and services to be provided as a project. See also product scope.
  552. Define schedule control
    Controlling changes to the project schedule.
  553. Define scope change control
    Controlling changes to project scope (“creep”) so that the rate of change does not exceed the rate of progress.
  554. Define stakeholder
    Individuals and organizations that are actively involved in the project, or whose interests may be positively or negatively affected as a result of project execution or project completion. They may also exert influence over the project and its results.
  555. Define statement of work (SOW)
    A narrative description of products or services to be supplied under contract.
  556. Define task
    A generic term for work that is not included in the work breakdown structure, but potentially could be a further decomposition of work by the individuals responsible for that work. Also, lowest level of effort on a project.
  557. Define work breakdown structure (WBS)
    A deliverable–oriented grouping of project elements that organizes and defines the total work scope of the project. Each descending level represents an increasingly detailed definition of the project work.
  558. Define work package
    A deliverable at the lowest level of the work breakdown structure, when that deliverable may be assigned to another project manager to plan and execute. This may be accomplished through the use of a subproject where the work package may be further decomposed into activities.
  559. Technical Project Management Roles and Responsibilities (provider/project): System Owner
    System owner – verifier of product design and purpose. Has overall accountability for system (final result). Has the CHECKPOINT FUNCTION to APPROVE changes in scope, products, results, functionality, etc.
  560. Technical Project Management Roles and Responsibilities (provider/project): User POC
    User POC – represents intended end–user community and provides conduit for communication, approval, and changes. Has the CHECKPOINT FUNCTION to APPROVE.
  561. Technical Project Management Roles and Responsibilities (provider/project): Project Manager
    Project Manager – overall responsibility for project work, progress and control, staffing and resource utilization.
  562. Technical Project Management Roles and Responsibilities (provider/project): Planner
    Planner – provides administrative support of planning effort. Collects metrics to report status of “planned to actual” regarding resources, cost, and schedules.
  563. Technical Project Management Roles and Responsibilities (provider/project): Quality Manager
    Quality Manager – owns QM plan and all QA activities. Has CHECKPOINT FUNCTION to APPROVE items impacting QA
  564. Technical Project Management Roles and Responsibilities (provider/project): Configuration Manager
    Configuration Manager – owns CM plan and related activity
  565. Technical Project Management Roles and Responsibilities (provider/project): Testers
    Testers – conduct full range of tests for product performance at various stages (SUT, IVTE, etc), and final acceptance testing to assure ultimate success
  566. Technical Project Management Roles and Responsibilities (USFG/customer): Federal Technical Monitor
    Federal Technical Monitor – has responsibility to oversee and assure SOW composition, project cost–control, timely performance, standards compliance, plans analysis, approvals, stakeholder coordination and representation
  567. Technical Project Management Roles and Responsibilities (USFG/customer): Federal Program Manager
    Federal Program Manager – general oversight of program and assurance of funding, plan approval, deliverables acceptance and approval, issue escalation and resolution
  568. Technical Project Management Roles and Responsibilities (USFG/customer): Federal Project Manager
    Federal Project Manager – daily involvement in performance or oversight of configuration management, change management, requirements management, risk management, and QA.
  569. What are the program manager responsibilities?
    The PM has the lead for all activities involving: ~ Cost ~ Schedule ~ Performance ~ Security The PM works directly with: ~ Development ~ Maintenance ~ Configuration management ~ Quality Assurance ~ Test verification and validation
  570. What is necessary for successful implementation?
    early planning
  571. What are the steps for SSE planning?
    ~ Definition of program requirements ~ Development of a Program Management Plan (PMP) ~ Identification of SSE requirements ~ Preparation of a detailed Systems Engineering Management Plan (SEMP)
  572. What are the ISSEP planning phase activities?
    ~ Reviewing, setting, and agreeing to project scope ~ Defining appropriate management structure ~ Assessing and determining resource requirements ~ Developing schedules and discovering dependencies ~ Setting performance milestones and metrics
  573. List the specific planning phase tasks (steps 1–3)?
    1. Estimation of project scope: must be as concise and as accurate as possible (will evolve). Must include assessment of complexity regarding human, technology, and other factors. 2. Identification of resources and constraints: this will include skills, technology, physical assets, and requires addressing the question of “in–house” or “out–source”. 3. Identifying roles and responsibilities: clearly establishing who will do what, skill levels, rotation, etc.
  574. List the specific planning phase tasks (steps 4–6)?
    4. Estimation of project cost: As much art as science. Should use cost models where feasible and historical cost where possible. WBS are used to collect and estimate cost factors. 5. Developing schedules: Setting start–finish dates for optimistic, pessimistic, and probable completion. 6. Identify Technical Activities: Define the work at the task level, sequencing and linking, establishing methods and materials required.
  575. List the specific planning phase tasks (steps 7–9)?
    7. Identify deliverables: Must have clear definitions of WHAT is due, required content, format, and success criteria. 8. Define Management Interfaces: Communications planning and channels must be established as early as possible for flow of PM information on all subjects. 9. Preparation of Technical Mgmt. Plan (TEMP): Included in the overall PMP and SEMP, and integrates technical execution with overall systems engineering and PM.
  576. List the specific planning phase tasks (steps 10–11)?
    10. Review of overall Project Mgmt. Plan (PMP): This overarching plan integrates, consistently and coherently, all aspects of project execution, schedule, and resources. All actions and changes roll up into it from subsidiary plans. It evolves and changes as the project moves forward. 11. Obtain customer agreement: All aspects must be in accordance with customer requirements and expectations, and includes: ~ Environmental analysis ~ Feasibility analysis ~ Scope, requirements, and deliverables verification ~ Customer approval
  577. What process groups are part of the management phase of technical management?
    ~ Executing ~ Controlling
  578. What are management phase activities?
    ~ Managing change: requesting, implementing, rejecting ~ Managing configurations: documents, deliverables, etc. ~ Managing corrective actions: identifying, applying ~ Managing updates: scope, PMP, performance plans, etc. ~ Managing expectations: effective, timely communication ~ Managing risk: identifying, tracking, mitigating
  579. List the specific management phase tasks (steps 1–3)?
    1. Directing technical effort: the management of the actual technical (engineering, designing, etc) work and production of deliverables. 2. Tracking resources: Using all necessary tools and feedback mechanisms to ensure timely accurate knowledge of the “planned to actual” consumption rates. 3. Tracking performance: Continuous awareness and access to performance metrics (cost, schedule, earned value, customer satisfaction) to ensure timely action
  580. List the specific management phase tasks (steps 4–6)?
    4. Monitoring progress: Evaluation of overall progress toward completion of short–term, mid–term, and long–term objectives and deliverables IAW plans and requirements. 5. Ensuring quality: Evaluation of quality indicators to ensure timely awareness and correction of issues and unacceptable variances. 6. Managing Configuration elements: Continuous management and control of changes to baselines, documentation, products, and other items.
  581. List the specific management phase tasks (steps 7–8)?
    7. Evaluation of performance: Review and assessment of overall aspects of performance in technical, schedule, cost, human resources, and other areas of performance measurement for the project. 8. Status reporting: providing all stakeholders with timely progress reports, including status of technical changes, cost profiles, staffing/skills requirements, quality indicators, schedule changes or slippage, scope changes, and corrective actions.
  582. What does project monitoring provide?
    Project Monitoring activities provide for metrics collection, evaluation, comparison, and reporting on all aspects of project performance to stakeholders (includes owners, sponsors, staff, and others).
  583. What does effective and timely monitoring provide?
    Effective and timely monitoring is crucial to facilitating problem resolution, corrective action planning and execution, and provides the analytical basis for understanding and correcting variances to baseline.
  584. What three project management activities occur in parallel?
    Managing Project Execution Milestone Achievement Continuous Risk Assessments
  585. What is managing project execution?
    This is where the Project Manager assumes ownership of and accountability for project success. The PM uses “referent” authority to influence all the key participants and steer the whole venture towards a successful conclusion.
  586. What is milestone achievement?
    To the extent that milestones are generally achieved in a serial rather than a parallel fashion, one milestone must normally be fully completed before the next can commence. Consequently, the project manager is obliged to focus heavily on whatever is the current milestone. Remember – payments are frequently tied to milestone achievement.
  587. What is continuous risk assessments?
    In line with a highly preventive management approach, continual risk assessments need to be carried out to identify risk categories, risk events, likelihood of occurrence, priorities for attention and mitigation strategies.
  588. What is project closeout?
    This step is extremely important because close–out and final payment can be difficult if not planned properly. Tips for closing out effectively: ~ Understand the acceptance criteria for close–out. ~ Initiate early talks to gain clear visibility of any concerns. ~ Work to ensure that problem areas are cleared up in time. ~ Seek opportunities for the client to gain leverage after completion. ~ Avoid paying sub–contractors until the customer has accepted the work. ~ Do a lessons–learned exercise to capture improvement ideas. ~ Be sure to thank all the outstanding contributors.
  589. What are the prescribed technical management documents?
    ~ Statement of Work (SOW) ~ Project/Program Management Plan (PMP) ~ The Systems Engineering Management Plan (SEMP) ~ Work Breakdown Structure (WBS) ~ Statement of Milestones ~ Cost, Schedule, Resource and other projections ~ Quality Management Plan (QMP or QA Plan) ~ Configuration Management Plan (CMP) ~ Project Risk Management Plan (RMP)
  590. What is a Statement of Work (SOW)?
    The SOW provides the details regarding what is to be performed or delivered as a result/product: ~ Summary statement of the tasks to be accomplished ~ Identification of the input requirements from other tasks ~ References to applicable specifications, standards, procedures, and related documentation ~ Description of specific results to be achieved and a proposed schedule of delivery Often is used to measure contractual obligations and compliance.
  591. What is a Program Management Plan (PMP)?
    The PMP covers all the planning at a high level and leads to low–level planning for specific activities.
  592. What are the major components of a PMP?
    ~ Systems Engineering Management Plan (SEMP) ~ Security Systems Engineering Plan (SSEP) ~ Work Breakdown Structure (WBS) ~ Costing and budgeting plans ~ Testing plans
  593. What is a Systems Engineering Management Plan (SEMP)?
    The SEMP is the integrated “living” master plan that provides the central repository that binds together all subordinate plans, tasks, and other work elements. It contains: ~ Who is doing a thing or things ~ What things are done, in progress, to start… ~ When these things will start, or finish ~ Where the people, resources, documentation etc. are ~ How things are being organized and accomplished (The RFP/SOW contain and outline the “why” )
  594. In general what is included in the SEMP?
    ~ Baselines for cost, schedule, and resources ~ Requirements analysis and Planned Deliverables ~ Standards and procedures (e.g. ISO, MIL, NIST) ~ Business case trade–offs, cost–effectiveness analyses ~ Project taxonomy and glossary ~ Organizational structure (internal and external relationships) ~ Allocations & constraints (resource, technical, scheduling, etc) ~ Design requirements validation (Is it what we want?) ~ Functional analysis and verification (Does it do what it is supposed to do?) ~ Life–cycle support information and considerations (transition and operational)
  595. What is a Work Breakdown Structure (WBS)?
    WBS describes how all the essential tasks of the project will be defined (including dependencies), assigned, and scheduled to members of the team.
  596. In general, how many hierarchical activity levels are assigned to a WBS, and what are they?
    3 levels ~ Level 1 – Identifies the entire program scope of work to be produced ~ Level 2 – Identifies the various activities and categories of the entire program ~ Level 3 – Identifies the specific tasks of each category
  597. What is a statement of milestones?
    Statement of Milestones derives from the SOW, and describes in detail: ~ What is to be delivered by which activities and to whom ~ What the agreed deliverable content will be ~ The schedule on which the milestone will be achieved All of which is subject to alteration and variance by change or environmental factors
  598. What is cost control?
    Cost control requires effective management, including: ~ Cost estimating ~ Cost accounting ~ Cost monitoring ~ Cost analysis and reporting ~ Control functions
  599. What is schedule estimating?
    Schedule Estimating requires knowledge of technical task execution and interdependencies, and uses: ~ Activity definition (what must be done) ~ Activity sequencing (order, precursors, successors) ~ Resource requirements and estimation ~ Activity duration ~ Input requirements and output expectations ~ Risk factors to schedule, cost, flow
  600. What is a Quality Management Plan?
    The QMP is the authoritative plan (integrates upward into the SEMP) that provides the central control for how “quality” is to be achieved throughout the project and in the final delivered product(s) and deliverables.
  601. What is the definition of quality?
    “Quality” is defined as “the degree to which a set of inherent characteristics [of performance, of appearance, or other] satisfy a set of requirements”.
  602. What is quality management?
    “Quality Management” is the process by which stakeholder needs, wants, and expectations are transformed into requirements that can then be executed and met by the project. “Quality Control” processes monitor and track this.
  603. What are the components of a QMP?
    The QMP will contain the framework necessary to implement, monitor, correct, and report on this aspect of overall project management and deliverables: ~ Standards to be employed (e.g. ISO 9000 or ISO 10006) ~ Data elements and metrics to be collected ~ Analytical processes to be used (statistical, financial, etc.) ~ Benchmarks, comparators, KPIs, CSFs, and other analytics ~ Corrective Action Plans and progress reports ~ An interface to the Change Management process to assure awareness and capture of impacts to the SEMP
  604. What is a configuration management plan (CMP)?
    The CMP is the authoritative plan (that integrates upward into the SEMP) that provides the central control for how changes (in their infinite variety) will be identified, evaluated, escalated, implemented, tracked and controlled continuously throughout the SEMP execution.
  605. Why must change be managed?
    Change as a factor having impact on all aspects of the project must be recognized as inevitable, but must be managed to avoid unacceptable deviations and adverse impact to schedule, cost, quality, or other factors that ultimately compromise achievement of project objectives.
  606. What are the components of a CMP?
    CMP as used by DoD describes a process with five components regarding configuration items (CI) and managing the potential impact of change to operations: ~ Management and Planning: approved and documented in PMP ~ CI Identification: selection criteria and documentation ~ Configuration Control: the CM process to ensure no unmanaged change occurs ~ Status Accounting: the system for tracking change to baseline ~ Verification and Audit: provides interface and feedback to QA/QM
  607. What is a risk management plan (RMP)?
    The RMP describes the plan (integrating upward into the SEMP) for how risks from threat agents, physical, environmental, and other sources are anticipated, identified, and handled throughout the project lifecycle, including: ~ Assessment and review processes and responsible roles ~ Reporting and documentation, including CM input ~ Controls and countermeasures used to mitigate, reduce, and avoid risk The RMP uses NIST SP 800–30 and OMB Circular A–130 as base requirements and guidance.
  608. What is a Test and Evaluation Master Plan (TEMP)?
    Test and Evaluation Master Plan (TEMP) – Overall description of test objectives: ~ Requirements for testing ~ Data to be collected and measured ~ Categories of tests ~ Methods and procedures to be used ~ Resources required for tests
  609. What are the general types of tests documented in a TEMP?
    General types of tests: ~ Preproduction (from initial stages forward) ~ Acceptance (customer acceptance and approval) ~ Operational (O&M SLC support)
  610. What is DT&E?
    Developmental testing (DT&E): ~ Analytical: conducted very early in SLC using automated techniques and simulation ~ Type 1: laboratory bench–testing, intended to verify performance and physical characteristics
  611. What is OT&E?
    Operational testing (OT&E): ~ Type 2: done in latter stages of detailed design (SUT) ~ Type 3: performed at initial qualification and prior to completion of production (IVT&E) ~ Type 4: performed during operations and lifecycle support phases
  612. What is a PERT schedule?
    The Program Evaluation and Review Technique (PERT) is a scheduling tool that identifies the critical path through a project (the chain of activities with zero float or slack, highlighted in red on the slide).
  613. Draw a PERT node and example PERT schedule with critical path
    Check slide 501
  614. What is a Requirements Traceability Matrix (RTM)?
    Facilitates derivation of requirements from sources (laws, FIPS, project needs, etc.), showing source, object, rationale, verification, validation, and execution, traceable from the result back to the source
  615. What is a Gantt chart?
    Gantt charts depict project schedules and milestones in a horizontal calendar, and show task linkage, dependencies, start-finish relationships, task overlap, slack, and other project attributes graphically (the most often used PM tool)
  616. Name the development models recognized by ISSEP
    Waterfall model; Vee model; Spiral model
  617. What are the pros and cons of the waterfall development model?
    PRO: Structured and understandable; CON: Rigid and not flexible; CON: Hard to manage complex projects
  618. What are the pros and cons of the Vee development model?
    PRO: Like IATF; PRO: Very flexible for adapting new stuff; CON: Lots of documentation
  619. What are the pros and cons of the spiral development model?
    PRO: Very flexible (prototyping); CON: Needs strong management; CON: Prone to the "Production Paradox"
  620. What are the basic forms of risk?
    ~ Project Risk [criticality]: systematic and non-systematic risk factors that specifically threaten the timely, correct, and cost-effective completion of the project ~ IT Risk [sensitivity]: normal factors of risk that threaten to disrupt the CIA attributes of the IT involved (either as product or as support to the project)
  621. Why is unmanaged change a risk?
    The rate of unmanaged change will eventually exceed the rate of progress and endanger the project.
  622. What are the sources of change?
    Change has various sources: some is necessary, some otherwise. Change is a serious risk factor of positive and negative dimensions, and if not controlled can result in: ~ Increased cost ~ Scope creep ~ Schedule slippage ~ Excessive resource consumption ~ Unacceptable deliverables (content or quality) ~ Overall failure to complete on time, on budget, or at all
  623. What are the SSE–CMM project and organization process areas?
    PA12 - Ensure Quality; PA13 - Manage Configuration; PA14 - Manage Project Risk (threats to project success); PA15 - Monitor and Control Technical Effort; PA16 - Plan Technical Effort; PA17 - Define Organization's SE Process; PA18 - Improve Organization's SE Process; PA19 - Manage Product Line Evolution; PA20 - Manage SE Support Environment; PA21 - Provide On-going Skills and Knowledge; PA22 - Coordinate with Suppliers
  624. What is the CMM IDEAL model?
    This model from Carnegie Mellon (C-M) corresponds to an implementation approach for achieving the CMM levels: I - Initiating: Lays the foundation for quality and process improvements (CMM-1) D - Diagnosing: Methods determine the "AS IS" state relative to the "TO BE" state (CMM-2) E - Establishing: Planning how to attain the chosen level of maturity (CMM-3) A - Acting: Executing the plan and achieving the desired results (CMM-4) L - Learning: Continually improving what you do and how you do it (CMM-5)
  625. What do the early phase levels of CMM provide?
    Early phase levels and processes lay foundations for committed organizations to begin building in managerial, technological, and operational structures and controls to enable growth, advancement, and achievement of the higher levels
  626. What are the early phase levels of CMM?
    Levels 1 & 2
  627. What do the later phase levels of CMM provide?
    Institutionalize processes, methods, techniques and tools to continue building managerial, technological, and operational structures and controls to maintain advancements and continually learn and improve
  628. What are the later phase levels of CMM?
    Levels 3-5
  629. What are the major sections of an IEEE 1220 SEMP?
    I Scope; II Applicable Documents; III Systems Engineering Process (SEP) Application; IV Transitioning Critical Technologies; V Integration of Systems Engineering Effort; VI Additional Systems Engineering Activities; VII Notes; Appendices
  630. What are the subsections of section III of an IEEE 1220 SEMP?
    Systems Engineering Process Planning; Requirements Baseline Validation; Functional Analysis; Functional Verification; Synthesis; Design Verification; Systems Analysis; Control
  631. What are the subsections of section V of an IEEE 1220 SEMP?
    Organizational Structure; Required Systems Engineering Integration Tasks
  632. What are the subsections of section VI of an IEEE 1220 SEMP?
    Long-lead Items; Design to Cost; Value Engineering; Systems Integration Design; Interface with Other Life-cycle Support Functions; Safety Plan; Other Plans and Controls
  633. What are the subsections of section VII of an IEEE 1220 SEMP?
    General Background Information; Acronyms and Abbreviations; Glossary
  634. What are the subsections of section "Systems Engineering Process Planning" of an IEEE 1220 SEMP?
    Major Deliverables and Results; Integrated Database; Specification Baseline; Process Inputs; Technical Objectives; System Breakdown Structure (SBS); Training; Standards and Procedures; Resource Allocation; Constraints; Work Authorization; Requirements Analysis
  635. What are the subsections of section "Systems Analysis" of an IEEE 1220 SEMP?
    Trade-off Analysis; System/Cost-Effectiveness Analysis; Risk Management
  636. What are the subsections of section "Control" of an IEEE 1220 SEMP?
    Design Capture; Interface Management; Data Management; Systems Engineering Master Schedule; Technical Performance Measurement; Technical Reviews; Supplier Control; Requirements Traceability