Information System
Profile
Contractor:
Lockheed Martin, Missiles and Fire Control
Address:
1701 W. Marshall Dr. Grand Prairie, Texas 75051
Cage Code:
64059
IS Number:
240
This IS Profile is associated with ODAA Unique Identifier:
64059-20040803-00001
Preparing System Security Plans
JSAC
13 -14 April 2011
DD254
• The Federal Acquisition Regulation (FAR) requires that a
DD Form 254 be incorporated in each classified contract.
The DD Form 254 provides to the contractor (or a
subcontractor) the security requirements and the
classification guidance that would be necessary to perform
on a classified contract.
• Invitation for Bid (IBF), Independent Research and
Development (IRAD), Request for Proposal (RFP), Request
for Quotation.


Security classification guide or other relevant
security docs (Required prior to beginning a IS
profile)
Identify classification and handling caveats
◦ Identify IS USER required training based on
classification and handling caveats
◦ COMSEC: information includes accountable or
non-accountable COMSEC information and
controlled cryptographic items (CCI).
◦ Closed area/ Safe training required




“White board” meeting to discuss computing
system requirements
Engineering and program requirements
Unclassified and Classified systems
Allocate, Build and pre-Certify systems based
upon ODAA technical baseline settings.
Why the Defense Security Service denies (DSS) an Interim Approval to Operate
(IATO)
•
Missing or incomplete Unique Identifier (UID)
•
ISSM did not sign the IS Security Package Submission and Certification
Statement
•
Missing Hardware List / Software List / Configuration Diagram
•
Physical Security not adequately explained
•
No signed DSS Form 147 (Record of Controlled Area) if the system is in
a Closed Area
•
No Certification Test Guide or NISP Tool Results were provided
•
Missing letter from Government Contracting Activity (GCA) if any
variances are needed
•
Missing MOA when required
•
Identification and Authentication not adequately addressed
•
Any unique issues that would require denial of the IATO
Missing or incomplete UID
Physical Security not adequately explained
Any unique issues that would require denial of the IATO
Special Procedures
Other Special procedures: N/A Yes If yes, describe:
Other Comments or Additional Information:
Classified media may be utilized at the same or higher classification and or handling caveat,
contact the ISSM for specific details. Hard drives and other media will be destroyed by
sending it to the NSA or by returning it as classified back to the data owner. Overwriting
of hard drives is NOT an approved method of Sanitization.
Temporarily inactive drives or infrequent use of the hard drives is not uncommon. These
procedures pertain to drives not used for a Week or longer. In lieu of conducting Weekly
online audits of the hard drive, the drives will be placed in Bag and the opening sealed with
Tamper Proof Seals. Each week, the Bags will be inspected to ensure usage has not taken
place. If or when a Seal is broken, an entry will be made in the Seal Log identifying the reason.
When the drives are used, the anti-virus definitions will be updated, work conducted, then an
on-line audit of the drive completed and then the drive will be bagged and seal placed over
the opening. The action will be recorded in the Maintenance and or Seal Logs as appropriate
and in the weekly record audit.
The ASTi / Telestra 4 hardware has a BIOS password length limitation of 7 characters. It will
accept upper/lower case and special characters, but does not enforce any complexity requirements.
Missing Hardware List / Software List / Configuration Diagram
No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
No Certification Test Guide or NISP Tool Results were
provided
No Certification Test Guide or NISP Tool Results were
provided
No Certification Test Guide or NISP Tool Results were provided
Missing MOA when required
MOU Requirements
• When information systems accredited by different DAAs are to be interconnected,
an MOU is required to be completed and signed by the DAAs for the systems
involved. MOUs are created to describe the security responsibilities and other
information as agreed upon by two or more designated approving authorities or DAAs.
• Contractor-to-Contractor system interconnections do not require an MOU when DSS
is the DAA for all systems involved.
Missing letter from GCA if any variances are needed
• A signed copy of the customers Risk Acceptance Letter on Government letterhead.
• stating they are willing to assume the residual risk for the alternate trusted download procedures.
• Note that Risk Acceptance Letter's must be updated when the plan is reaccredited every three years.
• For special purpose systems not part of a larger system the facility needs to explain the need to the
GCA and get risk acceptance letter to include GCA security guidance since the system won't meet
NISPOM requirements.
• Operating system must be NISPOM compliant, or have a Risk Acceptance Letter from the GCA.
Identification and Authentication not adequately
addressed
Any unique issues that would require denial of the IATO
Restricted Areas…
MAINTENANCE, OPERATING SYSTEM & SECURITY SOFTWARE CHANGE LOG
This log is used to record additions, removals, maintenance, and changes to hardware, installation, and testing of O/S & Security Software.
DATE
SYSTEM/DEVICE
DESCRIPTION
COMPONENT
ID NUMBER
DESCRIPTION OF ACTIONS
PERSON/
(Company if appl)
PCL
ESCORT
All entries must include date, description of action, and person taking action. Company of person performing action is only required if they are not
an employee. Escort is only listed when the performing person does not have the requisite clearances and/or NTK. PCL must be included for
entries involving changes to hardware or software. Hardware changes must include system/device description, id number and clear/sanitize
actions if applicable.
Missing or incomplete UID
ISSM did not sign the IS Security Package Submission and Certification Statement
Missing or incomplete UID
Question Time?