Add to collection(s) Add to saved
  1. No category

Phase 3

advertisement 
CDS CERTIFICATION AND
ACCREDITATION
PROCESS
David Wallick
Chief, Navy Cross Domain Solutions Office
SPAWAR Atlantic IA Division
david.wallick@navy.mil
(843) 218-3874
CDS Stakeholders
•
SPAWAR Atlantic
–
–
–
•
•
•
•
•
Navy CDS Office (Certification Authority)
CDS Engineering
CDS Certification Test and Evaluation (CT&E)
Local DAA (NETWARCOM)
Unified Cross Domain Management Office
(UCDMO)
Defense Security Accreditation Working
Group (DSAWG), Cross Domain Technical
Advisory Board (CDTAB)
National Security Agency (NSA)
Director of National Intelligence (DNI)
Unclassified//FOUO
2
Phase 1 – Requirements Validation
CDSO
Analysis
PMO
1
Baseline
CDS
2
Modified
Baseline
CDS
CDSAP
Phase 1 CDA,
SEE, *VLAR
Criteria
3
Community
Jury
New
Development
DISA
CD Enterprise
1)
2)
3)
4)
5)
*Very Low
Risk
This phase looks at CDS requirements.
CDSO guides PMO.
CDSO represents PMO at the board meetings.
CDTAB rep(s) will make recommendation to Community Jury.
* For VLoR process, there are 16 criteria to be met.
Unclassified//FOUO
3
Phase 2 – Solution Development
and Evaluation
PMO
Baseline
CDS
Modified
Baseline
CDS
Phase 2 CDA,
ST&E Plan,
Solution CONOPS
Phase 2
Risk
Assessment
CDTAB
DSAWG
IATC
DISA
CD Enterprise
New
Development
1)
2)
3)
4)
5)
CT&E
(lab)
*Very Low
Risk
ST&E
ATO
CDSO conducts Phase 2 risk assessment and brief CDTAB.
Modified Baseline CDS may require CT&E.
DISA CDSO handles all enterprise candidates.
CDSO determines what testing (site and/or lab) needs to be done for VLoR.
Local DAA grants ATO for VLoR.
Unclassified//FOUO
4
Phase 3 – Solution Validation
Baseline
CDS
Modified
Baseline
CDS
DISA
CD Enterprise
PMO
Phase 3 CDA,
ST&E Report
Phase 3
Risk
Assessment
CDTAB
DSAWG
ATC
New
Development
1)
2)
3)
PMO rep conducts Security Test and Evaluation (ST&E).
CDSO conducts Phase 3 risk assessment and brief CDTAB.
DSAWG approves Approval to Connect (ATC) for up to one year.
Unclassified//FOUO
5
Phase 4 – Continuous Monitoring
•
•
ATC for one year
Annual revalidation
–
•
Requires inspection of system to verify configuration
hasn’t changed
Any change to CDS requires opening a new
request with CDSO
Unclassified//FOUO
6
Certification Process
• Security Design Review (SDR) – IC + DoD
• Test Readiness Review (TRR) – documentation,
IV&V, test lab
• Certification testing – NIST SP 800-53
• Risk assessment
- DoD – Risk Decision Authorization Criteria (RDAC)
- UCDMO – TBD
• Submit risk to CDTAB and DSAWG
Unclassified//FOUO
7
Unclassified//FOUO
8
Unclassified//FOUO
9
Very Low Risk (VLoR)
Phase 1
Phase 2
Phase 3
QUALIFICATION
VALIDATION
CONTINOUS
MONITORING
Determine if the
requirement is truly
VLoR through
answering very
specific questions
under the criteria
categories.
Categorize
Controls tailoring
against the LLL NIST
Controls Profile
Determine level of
verification and testing
Certification and
Accreditation activities
Select
Implement
Assess
Authorize
Steps to ensure
Annual revalidation
occurs
Monitor
Risk Management
Framework (SP 800.37)
Unclassified//FOUO
10
CDS Timeline
• Phase 0 - Expected Duration 105 Days, unless new or
modified CDS is required
–
–
–
–
–
–
–
(PMO) Initiate CDS discussion with CDSO and DAA
(PMO) Registers CDS request on NTIRA/UNTS
(PMO/NCDSO) Develop Phase 1 Cross Domain Appendix (CDA)
(NCDSO) Concur requirement on NTIRA
(NNWC N8/OPNAV) CDS requirements validation
(NNWC) Send Second Echelon Endorsement to CNO
(NCDSO) Cross Domain Solution Ticket Request
• Phase I - Expected Duration 30 Days
– (NCDSO/PMO) Brief CDSAP (part of CDTAB) on CDS technical feasibility, who
recommends approval
– (PMO) Brief Community Jury (part of DSAWG), who evaluates the community risk
associated with the CDS and approves
– (CNO) Provide CDS prioritization per CC/S/A quarterly
– (CCAO) Create a ticket as a result
Unclassified//FOUO
11
CDS Timeline (cont’d)
• Phase II - Expected Duration 2 Months (for Baseline
CDS)
–
–
–
–
–
–
–
–
–
–
(PMO/NCDSO) Decide on which CDS to use
(PMO/NCDSO/CDS PM) Phase 2 CDA, ST&E plan, Data Owner’s Guidance (DOG)
(NSA) Conducts CT&E for new CDS
(NSA) RDAC testing
(NSA) Penetration testing
(CDTAB) Technical Risk Rating
(NCDSO) Conduct data and threat risk assessment of CDS
(NCDSO/PMO) Brief CDTAB on risk assessment
(PMO) Brief DSAWG on risk assessment
(Site/PMO/NNWC) Update site accreditation documentation (SSAA, topology, SCQ,
Accr Letter, etc) to prepare for site installation and ST&E
– (DSAWG) IATC is granted as a result
Unclassified//FOUO
12
CDS Timeline (cont’d)
• Phase III – Expected Duration 4 Months
–
–
–
–
–
–
–
(Site/PMO) Install CDS/system
(PMO/CDS PM) Conduct ST&E at site and submit results to NSA
(PMO/NCDSO) Phase 3 CDA
(NSA) Evaluate the ST&E and Phase 3 CDA for final risk assessment
(CDTAB) Analyze Phase 3 risk assessment
(DSAWG) Analyze risk assessment and grant ATC
(NNWC) Grant ATO for 1 year
• Phase IV - (Operations) Usually no work on our part
– (PMO/User) Operations
– (PMO) Annual revalidation
– (NCDSO/CDTAB/DSAWG/NNWC) Annual ATO + ATC
Unclassified//FOUO
13
Related documents
supporting information
supporting information
Chapter Study Guide - Sign in to St. Francis Xavier Catholic School
Chapter Study Guide - Sign in to St. Francis Xavier Catholic School
Meeting Agenda Example
Meeting Agenda Example
Questionnaire for the Policy Paper on Urban Strategic Planning
Questionnaire for the Policy Paper on Urban Strategic Planning
Stanford Bank Game Manual Questions: Use the data for period 2
Stanford Bank Game Manual Questions: Use the data for period 2
Supporting Information - Royal Society of Chemistry
Supporting Information - Royal Society of Chemistry
(Neem) gum - Springer Static Content Server
(Neem) gum - Springer Static Content Server
GCF and LCM Word Problems #1
GCF and LCM Word Problems #1
Download
advertisement