CDS CERTIFICATION AND ACCREDITATION PROCESS

David Wallick
Chief, Navy Cross Domain Solutions Office
SPAWAR Atlantic IA Division
david.wallick@navy.mil
(843) 218-3874

CDS Stakeholders

• SPAWAR Atlantic
  – Navy CDS Office (Certification Authority)
  – CDS Engineering
  – CDS Certification Test and Evaluation (CT&E)
• Local DAA (NETWARCOM)
• Unified Cross Domain Management Office (UCDMO)
• Defense Security Accreditation Working Group (DSAWG), Cross Domain Technical Advisory Board (CDTAB)
• National Security Agency (NSA)
• Director of National Intelligence (DNI)

Unclassified//FOUO 2

Phase 1 – Requirements Validation

(Diagram: Phase 1 flow. Elements shown: PMO; CDSO Analysis; Baseline CDS; Modified Baseline CDS; New Development; DISA CD Enterprise; Phase 1 CDA, SEE, *VLAR Criteria; CDSAP; Community Jury. *Very Low Risk)

1) This phase looks at CDS requirements.
2) CDSO guides the PMO.
3) CDSO represents the PMO at the board meetings.
4) CDTAB rep(s) will make a recommendation to the Community Jury.
5) *For the VLoR process, there are 16 criteria to be met.

Phase 2 – Solution Development and Evaluation

(Diagram: Phase 2 flow. Elements shown: PMO; Baseline CDS; Modified Baseline CDS; New Development; DISA CD Enterprise; Phase 2 CDA, ST&E Plan, Solution CONOPS; Phase 2 Risk Assessment; CDTAB; DSAWG; IATC; CT&E (lab); ST&E; ATO. *Very Low Risk)

1) CDSO conducts the Phase 2 risk assessment and briefs CDTAB.
2) A Modified Baseline CDS may require CT&E.
3) DISA CDSO handles all enterprise candidates.
4) CDSO determines what testing (site and/or lab) needs to be done for VLoR.
5) The Local DAA grants the ATO for VLoR.

Phase 3 – Solution Validation

(Diagram: Phase 3 flow. Elements shown: PMO; Baseline CDS; Modified Baseline CDS; New Development; DISA CD Enterprise; Phase 3 CDA, ST&E Report; Phase 3 Risk Assessment; CDTAB; DSAWG; ATC)

1) The PMO rep conducts Security Test and Evaluation (ST&E).
2) CDSO conducts the Phase 3 risk assessment and briefs CDTAB.
3) DSAWG approves an Approval to Connect (ATC) for up to one year.

Phase 4 – Continuous Monitoring

• ATC for one year
• Annual revalidation
  – Requires inspection of the system to verify the configuration hasn’t changed
• Any change to the CDS requires opening a new request with CDSO

Certification Process

• Security Design Review (SDR) – IC + DoD
• Test Readiness Review (TRR) – documentation, IV&V, test lab
• Certification testing – NIST SP 800-53
• Risk assessment
  - DoD – Risk Decision Authorization Criteria (RDAC)
  - UCDMO – TBD
• Submit risk to CDTAB and DSAWG

Very Low Risk (VLoR)

Phase 1 – QUALIFICATION
  – Determine if the requirement is truly VLoR by answering very specific questions under the criteria categories.
  – RMF step: Categorize
Phase 2 – VALIDATION
  – Controls tailoring against the LLL NIST Controls Profile
  – Determine the level of verification and testing
  – Certification and Accreditation activities
  – RMF steps: Select, Implement, Assess, Authorize
Phase 3 – CONTINUOUS MONITORING
  – Steps to ensure annual revalidation occurs
  – RMF step: Monitor
The VLoR phases map onto the Risk Management Framework (SP 800-37).

CDS Timeline

• Phase 0 - Expected Duration 105 Days, unless a new or modified CDS is required
  – (PMO) Initiate CDS discussion with CDSO and DAA
  – (PMO) Register CDS request on NTIRA/UNTS
  – (PMO/NCDSO) Develop Phase 1 Cross Domain Appendix (CDA)
  – (NCDSO) Concur with requirement on NTIRA
  – (NNWC N8/OPNAV) CDS requirements validation
  – (NNWC) Send Second Echelon Endorsement to CNO
  – (NCDSO) Cross Domain Solution Ticket Request
• Phase I - Expected Duration 30 Days
  – (NCDSO/PMO) Brief CDSAP (part of CDTAB) on CDS technical feasibility, who recommends approval
  – (PMO) Brief Community Jury (part of DSAWG), who evaluates the community risk associated with the CDS and approves
  – (CNO) Provide CDS prioritization per CC/S/A quarterly
  – (CCAO) Create a ticket as a result

CDS Timeline (cont’d)

• Phase II - Expected Duration 2 Months (for Baseline CDS)
  – (PMO/NCDSO) Decide on which CDS to use
  – (PMO/NCDSO/CDS PM) Phase 2 CDA, ST&E plan, Data Owner’s Guidance (DOG)
  – (NSA) Conduct CT&E for new CDS
  – (NSA) RDAC testing
  – (NSA) Penetration testing
  – (CDTAB) Technical Risk Rating
  – (NCDSO) Conduct data and threat risk assessment of the CDS
  – (NCDSO/PMO) Brief CDTAB on risk assessment
  – (PMO) Brief DSAWG on risk assessment
  – (Site/PMO/NNWC) Update site accreditation documentation (SSAA, topology, SCQ, Accr Letter, etc.) to prepare for site installation and ST&E
  – (DSAWG) IATC is granted as a result

CDS Timeline (cont’d)

• Phase III – Expected Duration 4 Months
  – (Site/PMO) Install CDS/system
  – (PMO/CDS PM) Conduct ST&E at site and submit results to NSA
  – (PMO/NCDSO) Phase 3 CDA
  – (NSA) Evaluate the ST&E and Phase 3 CDA for final risk assessment
  – (CDTAB) Analyze Phase 3 risk assessment
  – (DSAWG) Analyze risk assessment and grant ATC
  – (NNWC) Grant ATO for 1 year
• Phase IV - (Operations) Usually no work on our part
  – (PMO/User) Operations
  – (PMO) Annual revalidation
  – (NCDSO/CDTAB/DSAWG/NNWC) Annual ATO + ATC