C&A of Core Financial System

1.0 Identification Data
1.1 BSP Number
0014
1.2 BSP Title/Name
USAID Certification and Accreditation of Its Core Financial System
1.3 Version Number
1.0
1.4 Adoption Date
February 5, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
In the BSP Security Process Framework (SPF): Security Subprocess 9, Certification & Accreditation (C&A).

In the SSE CMM Framework: BP.06.

1.9 Reserved
Not to be completed by the drafter
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington, DC 20523-2120
    Telephone: 202-712-5460
    Fax: 202-216-3053
    E-mail: jcraft@usaid.gov or cassistance@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes the successful process the U.S. Agency for International Development (USAID) employed to certify and accredit its core financial system.
2.2 Requirements for this BSP
  • Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires "that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations."
  • Public Law 97-255, Federal Managers’ Financial Integrity Act of 1982, requires agency heads to annually evaluate and report to Congress on the control and financial systems that protect the integrity of Federal programs.

  • USAID Automated Directives Service (ADS), Chapter 545, Automated Information Systems Security, provides agency-wide information systems security policy.

2.3 Success Stories
USAID removed the material weakness from the Agency's New Management System (NMS) core financial system 18 months earlier than originally programmed. Additionally, the experience gained from the NMS C&A effort greatly prepared the team members to conduct a C&A of the Agency's newly implemented, JFMIP-compliant core financial system, Phoenix.
3.0 What This BSP Is
3.1 Description of BSP
The New Management System (NMS) is the core financial system of the United States Agency for International Development (USAID). In 1997, NMS Security and Access Controls were identified by the Agency's Office of Inspector General (OIG) as constituting a "material weakness" under the Federal Managers’ Financial Integrity Act (FMFIA). As a major step toward remedying this issue, the USAID Chief Financial Officer (CFO) and the USAID Information Systems Security Officer (ISSO) determined that the NMS would be taken through formal Security Certification and Accreditation (C&A). Two parallel developments were initiated: 1) plan and execute the C&A of the NMS, and 2) build a general methodology to guide future C&A efforts within USAID. This BSP illustrates a typical application of that general methodology, now called USAIDCAP, to the NMS effort.
3.1.1 Inputs

  • Specific groups of 31 Management Controls, 46 Operational Controls and 59 Technical Controls derived from the Requirements in Section 2.2, above, and from the New Management System (NMS) Security Plan. These inputs were summarized in a Requirements Traceability Matrix contained in Appendix C of an overall NMS C&A Plan.
  • USAID's policy for IT security C&A.
  • Personnel very familiar with the subject system.
3.1.2 General

USAID's general C&A methodology, now called USAIDCAP, consists of four phases and hinges on a System Security Authorization Agreement (SSAA) package. USAIDCAP remains under development at the time of this BSP's creation.

Phase I: Initial Actions

  • A high-level summary of the proposed USAID IT Security Certification and Accreditation Process was developed and forwarded to senior USAID management for approval. The package was a compendium of the planning, investigation, and remedial activities necessary to produce formal certification and accreditation of the NMS (in the USAIDCAP this package is called a System Security Authorization Agreement (SSAA)). Areas previously addressed to sufficient levels, for instance, contingency planning in the NMS Security Plan, were not subjected to explicit effort as part of this C&A task.
  • The major planning activities in support of NMS Certification and Accreditation were captured in a C&A Plan.
  • Five major technical fixes were identified in support of NMS security requirements prior to development of the NMS Security Plan. The C&A Team tracked the status of these fixes and served as the application engineers in support of associated software Problem Reports (PRs).
  • Security roles and responsibilities, specifically for NMS Systems Security Managers, were documented and signed by USAID management.
  • NMS-specific security training was incorporated into the ongoing NMS training program. The C&A Team evaluated the status of ongoing NMS security training and made improvement recommendations. In addition, user roles and responsibilities were identified.
  • Select, high-priority action items from the existing NMS Security Plan were considered for implementation prior to beginning the C&A effort. These action items were selected to meet requirements of OMB Circular A-130 and to address the material weakness of NMS Security and Access Controls.
  • As added assurance for the Certification Authority, the contents of the Requirements Traceability Matrix (see C&A Plan, Appendix C) were subjected to an independent verification and validation (IV&V) review.
  • The C&A Security Test Plan specified who would perform each test, how each test would be conducted, where in the system it would be applied, and when in the testing sequence it would be run, for the purpose of testing and evaluating the NMS security requirements as part of certifying the system. The scope of NMS security testing was comprehensive: the Test Plan called for testing and evaluating the management, operational and technical control requirements identified in the NMS Security Plan, including their personnel and physical aspects. Special attention was given to those aspects of NMS security and access controls that had been reported as an Agency material weakness.
  • The C&A Test Procedures presented test cases and procedures for validation testing and evaluation of the NMS, leading to findings that were formally presented to the Designated Accrediting Authority.
  • The Security Test and Evaluation Report addresses the disposition of the NMS with respect to federal management, operational, and technical control requirements, as well as personnel and physical requirements identified in the NMS Security Plan.
  • Each of the requirements in the NMS Security Plan was evaluated and the amount of residual risk identified in a Risk Assessment report. For the assessment of NMS technical controls, this risk assessment relied heavily upon the results of security penetration testing performed as part of the NMS C&A process.

Phase II: Verification

The results of the Security Test and Evaluation Report and risk assessments were analyzed and reported in the Report of Findings.

Phase III: Certify & Accredit

The total package was then assembled into an Approval Package. This package formed the basis for both the certification and accreditation statements, and issuance of the formal Authority to Operate certificate.

Phase IV: Post C&A

Following C&A, the OIG conducted an audit to verify that the material weakness of NMS Security and Access Controls warranted removal. The USAID ISSO then briefed senior USAID management on the Agency’s readiness to remove the material weakness of NMS Security and Access Controls.

3.1.3 Outputs

  • The significant outputs of the NMS C&A effort were the signed certification and accreditation statements. They are provided here for reference (sensitive information has been removed).
  • USAID's C&A process is in its final stages of development. Called USAIDCAP, the four-phase, System Security Authorization Agreement-based process will serve as the Agency's overarching certification and accreditation guideline.
3.2 Relationship to Other BSPs
BSP00006, How to Accredit Information Systems for Operation.
4.0 How To Use This BSP
4.1 Implementation Guidance
  • The C&A concept was unfamiliar to most managers at USAID when the NMS C&A effort commenced. Because of this, it was very important to keep a realistic set of expectations in the minds of all the stakeholders in the process, and to take care that requirements creep was carefully controlled as the effort unfolded. To avoid a problem with continuously expanding goals for the project, all stakeholders were involved during the planning stage and throughout project execution. This practice assured everyone that their concerns were being addressed. Frequent briefings on progress and findings helped to keep expectations properly calibrated.
  • Manage individual component activities in the context of their contribution to the overall objective, rather than perfecting each deliverable in isolation.
4.2 Implementation Resource Estimates
An NMS Security Plan was already in place before the NMS C&A effort was initiated. Given this resource, and the fact that all team members were very familiar with the system being certified, a technical team of three (3) contractor personnel finished the C&A effort in four (4) months, i.e., 12 person-months of effort. If team members must first learn the system, all would require about one (1) additional month per person to finish the job.

The Team members' skill levels consisted of one (1) senior security test engineer, one (1) senior systems security analyst, and one (1) senior security project manager.

4.3 Performance Goals and Indicators (Metrics)
Besides comparing actual task execution to a standard project time-line plan, an Earned Value Analysis (EVA) was performed at the completion of each major milestone. EVA is a generalized performance management technique employed by USAID on its PRIME contract.
4.4 Tools
The standard MS-OFFICE suite was very useful, particularly the MS-PROJECT and MS-WORD applications.
4.5 Training Materials
The NMS C&A team members were technically competent at the task's initiation. No specialized skill training was required.

The NMS C&A team members participated in the NMS Overview Training Class at the commencement of the effort. This training permitted the team members to both learn about the major application as well as observe the quality of training imparted to all users.

At the end of the NMS C&A effort, 3 slides were added to the standard "New-NMS User" briefing materials, to familiarize users with the additional tasks involved in secure system operations.

Appendices
A Executive Overview and Briefing
An example management briefing used to kick-off the NMS C&A effort.
B Reference List
  1. Clinger-Cohen Act of 1996.
  2. Department of Defense Instruction No. 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997.
  3. General Accounting Office "Federal Information System Control Audit Manual" (FISCAM).
  4. International Standard 15408, Common Criteria, Version 2.0, May 1998.
  5. National Computer Security Center (NCSC) NCSC-TG-027, Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992.
  6. National Computer Security Center (NCSC) NCSC-TG-028, Assessing Controlled Access Protection, May 1992.
  7. National Computer Security Center (NCSC) NCSC-TG-029, Introduction to Certification and Accreditation, January 1994.
  8. National Computer Security Center (NCSC) NCSC-TG-031, Certification and Accreditation Process Handbook for Certifiers, July 1996.
  9. National Computer Security Center (NCSC) NCSC-TG-032, Accreditor’s Guideline, July 1997.
  10. National Institute of Standards and Technology (NIST) Special Publication 800-12, Introduction to Computer Security, the NIST Handbook, October 1995.
  11. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
  12. National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.
  13. Federal Information Processing Standards (FIPS) Publication 102, Guideline for Computer Security Certification and Accreditation, September 1983.
  14. Federal Information Processing Standards (FIPS) Publication 191, Guideline for the Analysis of Local Area Network Security, November 1994.
  15. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP), April 2000.
  16. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, National Information Systems Security (INFOSEC) Glossary, January 1999.
  17. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4012, National Training Standard for Designated Approving Authority (DAA).
  18. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4013, National Training Standard for System Administrators in Information Systems Security (INFOSEC), August 1997.
  19. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4014, National Training Standard for Information Systems Security Officers (ISSO), August 1997.
  20. Office of Management and Budget (OMB) Memorandum 99-05, Instructions on Complying with President’s Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records.
  21. Office of Management and Budget (OMB) Memorandum 00-13, Policies and Data Collection on Federal Web Sites.
  22. Office of Management and Budget (OMB) Memorandum 99-18, Privacy Policies on Federal Web Sites.
  23. Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources.
  24. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control Paperwork Reduction Act of 1995, June 21, 1995.
  25. Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government.
  26. Public Law 100-235, Computer Security Act of 1987.
C Procurement Information
USAID has contracted for general IRM support with CSC under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.
D Evaluation Information
Not to be completed by the drafter
E Recommended Changes
Not to be completed by the drafter
F Glossary
None applicable