How to Prepare an SSP - jsac

Preparing System Security Plans
2013 Joint Security Awareness
Council Seminar
Sherry Williams, Speaker
UNCLASSIFIED
Preparing System Security Plans
JSAC 17-18 April, 2013
Requirements…
To start a new Classified Program
Contract Instrument
• DD254
• IFB
• IRAD
• RFP
• RFQ
Contract Instrument
• The Federal Acquisition Regulation (FAR) requires that a DD-254 be incorporated in each classified contract. The DD-254 provides the contractor (or subcontractor) security requirements and classification guidance necessary to perform on a classified contract
• Invitation for Bid (IFB), Independent Research and Development (IRAD), Request for Proposal (RFP), Request for Quotation (RFQ)
DD 254…
Data Protection…
• The Security Classification Guide or other relevant security docs (required prior to beginning an IS profile)
• Identify classification level(s) and handling caveats
• IS USER required training based on classification level and handling caveats
• Closed area/Safe training requirements
White Board Meeting…
• “White board” meeting to discuss computing system requirements (Form 1116)
• Engineering and program requirements
• Unclassified and Classified systems
• Allocate, Build and pre-Certify systems based upon ODAA technical baseline settings
Why the Defense Security Service (DSS)
denies an Approval to Operate (ATO)
• Missing or incomplete Unique Identifier (UID)
• ISSM did not sign the IS Security Package Submission and Certification Statement
• Missing Hardware List / Software List / Configuration Diagram
• Physical Security not adequately explained
• No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
• No Certification Test Guide or NISP Tool Results were provided
• Missing letter from Government Contracting Activity (GCA) if any variances are needed
• Identification and Authentication not adequately addressed
• Any unique issues that would require denial of the IATO
• Missing MOU when required
Missing MOU when required…
MOU Requirements:
• Interconnected systems accredited by different DAAs
• Created to establish agreed upon roles, security responsibilities and other information
• Signed by each DAA and submitted with SSP
• Contractor-to-Contractor system interconnections do not require an MOU when DSS is the DAA for all systems involved
• Valid for three years or until system changes occur affecting security posture
Missing GCA Letter for variances…
• A signed copy of the customer's Risk Acceptance Letter (RAL) on Government letterhead stating they are willing to assume the residual risk, e.g. for alternate trusted download procedures
• Special purpose/Non-Compliant systems requiring a RAL should be under a separate profile; if connection to the larger compliant system is required, a single page Network Security Plan (NSP) may be used
• Risk Acceptance Letters must be updated when the plan is reaccredited every three years
Variances and Self-Certification
• Profiles with RALs and Variances render an IS non-NISPOM compliant and therefore ineligible for Self-Certification authority
• Variance requests must be submitted after the MSSP ATO is granted and include a description of the approved variance and a signed RAL
• The approved variance must be maintained with the profile
Forget-me-nots
• Identify Group Accounts
• List Hardware Memory Size and Types
• Ensure Caveats are listed on ATO letters and in profiles
• Ensure UIDs on MSSP, Profile, and ATO all match
• Ensure Sanitization procedures are included in profiles
• Communicate often with your ISSP
Let's Take a Look…