Model Preview

Software Certification Demo

Vol 1 - C&A Process

Phase I - Pre Certification

Activity 1 - Determine Security Requirements

A1 Task 1 - Establish Security Mode

A1T01 Step 1 - Determine Data Sensitivity

A1T01 Step 2 - Determine User Clearance Levels

A1T01 Step 3 - Determine User Authorizations

A1T01 Step 4 - Determine Security Mode of Operations

A1 Task 2 - Develop System Description

A1T02 Step 1 - Write System Description

A1 Task 3 - Determine Protection Criteria

A1T03 Step 1 - Review Requirements Document

A1T03 Step 2 - Determine Environmental Requirements

A1T03 Step 3 - Determine System/Data Criticality

A1T03 Step 4 - Determine Contingency/Disaster Planning Requirements

A1T03 Step 5 - Formalize Accreditation Boundary

A1T03 Step 6 - Identify External Connections and Connection Rules

A1T03 Step 7 - Develop Security Input to Service Level Agreement(s)

A1 Task 4 - Develop System Security Policy

A1 Task 5 - Perform Threat/Vulnerability Assessments

A1T05 Step 1 - Identify Assumptions, Constraints, and Dependencies

A1T05 Step 2 - Determine Assessment Methodology

A1T05 Step 3 - Gather and Review Open Source Information

A1T05 Step 4 - Match Vulnerabilities with Threats

A1T05 Step 5 - Determine Likelihood of Occurrence

A1T05 Step 6 - Prioritize Risks

A1T05 Step 7 - Identify Existing/Planned Countermeasures

A1T05 Step 8 - Complete the Threat/Vulnerability Assessment Report

Activity 2 - Plan for C&A

A2 Task 6 - Determine Certification Level

A2T06 Step 1 - Determine Degrees of Assurance

A2T06 Step 2 - Consider C&A Approach

A2T06 Step 3 - Identify Certification Level

A2 Task 7 - Develop the C&A Plan

A2T07 Step 1 - Determine Required Certification Tasks

A2T07 Step 2 - Identifiy Certification Personnel

A2T07 Step 3 - Develop a Task Schedule

A2T07 Step 4 - Write the C&A Plan

Phase II - Certification

Activity 3 - Perform System Analysis

A3 Task 08 - Develop System Security Architecture

A3T08 Step 1 - Develop System/Site Description

A3T08 Step 2 - Document Implementation of Security Requirements

A3T08 Step 3 - Document Implementation of Operating System Security Mechanism

A3T08 Step 4 - Document Environmental Security Mechanism

A3T08 Step 5 - Evaluate the System's Compliance with the Defense Goal Security Architecture (DSGA)

A3T08 Step 6 - Write the Architecture Document

A3 Task 09 - Develop Trusted Facility Manual

A3T09 Step 1 - Develop the TFM

A3T09 Step 2 - Obtain Approval

A3 Task 10 - Develop Security Features User's Guide (SFUG)

A3T10 Step 1 - Develop the SFUG

A3T10 Step 2 - Obtain Approval

A3 Task 11 - Perform Security Test & Evaluation (ST&E)

A3T11 Step 1 - Develop ST&E Plan

A3T11 Step 2 - Perform ST&E

A3T11 Step 3 - Develop ST&E Reports

A3 Task 12 - Perform Risk Analysis

A3T12 Step 1 - Consolidate Documentation in SSAA

A3T12 Step 2 - Identify Constraints, Assumptions, and Dependencies

A3T12 Step 3 - Determine Adequacy of Certification

A3T12 Step 4 - Identify Risk Evaluation Methodology

A3T12 Step 5 - Identify Risks and Countermeasures

A3T12 Step 6 - Determine Residual Risk

A3T12 Step 7 - Prepare Risk Analysis Report

Activity 4 - Report Findings/Make Recommendations

A4 Task 13 - Develop Accreditation Recommendation

A4T13 Step 1 - Prepare Recommendation Letter

A4T13 Step 2 - Implement Operational Restrictions (Interim Accreditation Only)

A4T13 Step 3 - Update C&A Plan (Interim Accreditation Only)

A4T13 Step 4 - Prepare DAA's Accreditation Letter

A4 Task 14 - Prepare SSAA

A4T14 Step 1 - Inventory SSA

A4T14 Step 2 - Identify Risk Analysis

Phase III - Accreditation

Activity 5 - Make Accreditation Decision

A5 Task 15 - Present Findings/Accreditation Recommendation

A5T15 Step 1 - Determine Requirements

A5T15 Step 2 - Present Findings

A5 Task 16 - Review SSA

A5T16 Step 1 - Review Findings

A5T16 Step 2 - Request Additional Information

A5T16 Step 3 - Perform Site Visit (Optional)

A5 Task 17 - Make Accreditation Decision

A5T17 Step 1 - Make the Accreditation Decision

A5T17 Step 2 - Document the Accreditation Decision

A5 Task 18 - Assign and Record Accreditation Control Number (ACN)

A5T18 Step 1 - Assign ACN

A5T18 Step 2 - Record ACN

Phase IV - Post-Accreditation

Activity 6 - Maintain Accreditation

A6 Task 19 - Review New Threats and Vulnerabilities

A6T19 Step 1 - Obtain & Review

A6T19 Step 2 - Recertify & Reaccredit the Information System

A6 Task 21 - Review System/Enfironment Modification Requests

A6T21 Step 1 - Review Requests

A6T21 Step 2 - Develop Plan of Action

A6T21 Step 3 - Recertify & Reaccredit the Information System

A6 Task 20 - Review/Assess System/Environment

A6T20 Step 1 - Continuously Review/Assess the Information System

A6T20 Step 2 - Recertify & Reaccredit the Information System

A6 Task 22 - Review and Update SSAA

A6T22 Step 1 - Review & Update

A6T22 Step 2 - Recertify & Reaccredit the Information System

A6 Task 23 - Identify Need for Recertification/Reaccreditation

A6T23 Step 1 - Identify Need

A6T23 Step 2 - Recertify & Reaccredit

Vol 2 - C&A Certifying Officials Process

Vol 3 - Designated Approving Authority Guide