DoDI 5200.40: DoD Information Technology Security Certification and Accreditation Process
Analysis. Certification analysis is the process activity that determines if the IT system is ready to be evaluated and tested under phase 3, validation. Because the DITSCAP is a success-oriented process, this process activity ensures that the development, modification, and integration efforts will result in a certifiable and accreditable information system before phase 3 begins.
E18.104.22.168. The certification analysis tasks that occur during the process activity, certification analysis, are shown in figure E3-8. Those certification tasks verify by analysis, investigation, and comparison methodologies that the IT design implements the SSAA requirements and that the IT components that are critical to security function properly. Those tasks complement the functional testing certification tasks that occur during phase 3. While every system may be considered certifiable, the goal is to produce systems with an acceptable level of risk.
Figure E3-8. Certification Tasks During Verification
1. System architecture analysis.
2. Software design analysis.
3. Network connection rule compliance analysis.
4. Integrity analysis of integrated products.
5. Life-cycle management analysis.
E22.214.171.124. As a result of completion of the phase 2 certification analysis, the system should have a documented security specification, a comprehensive test plan, and written assurance that all network and other interconnection requirements have been implemented. Commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products used in the system design shall have been validated to assure that they have been integrated properly and that their functionality meets the security needs of the system. A vulnerability assessment will have been conducted and will have concluded that the infrastructure needs of the system, e.g., configuration management, will be accommodated throughout the IT life-cycle. On acceptance of the vulnerability assessment, the C&A task proceeds to phase 3, which contains the formal system certification test and security accreditation actions.
E126.96.36.199. All analysis tasks applicable for that system class are to be completed. The intensity of the certification analysis tasks is scaled to the complexity of the IT design, the sensitivity of the information processed, and the criticality of the information system's intended mission. The specific certification tasks may be tailored to the IT program strategy, its life-cycle management process, and the position of the information system in its life-cycle. Certification tasks are tailored to the system development activities to ensure that the former are relevant to the process and provide the required degree of analysis to ensure conformance with the SSAA. Tailoring also gives DITSCAP the flexibility to adjust the level of effort to fit the operational need. In that manner, tailoring permits the DITSCAP to remain responsive to national agency and military department priorities. Phase 2 certification tasks may vary from completion of a minimal checklist to in-depth analysis as determined by the system class. The certification tasks are discussed in paragraphs E188.8.131.52.1 through E184.108.40.206.6 below.
E220.127.116.11.1. System Architecture Analysis. The objective of this certification task is to ensure that the system architecture complies with the architecture description agreed on in the SSAA. Analysis of system level information reveals how effectively the security architecture implements the security policy and requirements. The interfaces between this and other systems shall be identified. Those interfaces must be evaluated to assess their effectiveness in maintaining the security posture of the infrastructure.
E18.104.22.168.2. Software Design Analysis. The software design certification task shall evaluate how well the software reflects the security requirements of the SSAA and the security architecture of the system. That certification task may include a detailed analysis of software specifications and software design documentation. The TCB shall be identified and analyzed for proper and full implementation of the security requirements. The task shall assess whether the critical security features, e.g., identification and authentication, access controls, and auditing, are implemented correctly and completely.
E22.214.171.124.3. Network Connection Rule Compliance Analysis. The connection of an information system to a network requires that the particular system will not adversely affect the security posture of the network. Connection also requires that the network will not adversely affect the IT system's own security posture. That certification task evaluates the intended connections to other systems and networks to ensure the system design will enforce specific network security policies and protect the IT system from adverse confidentiality, integrity, availability, and accountability impacts.
E126.96.36.199.3.1. Network analysis may include the evaluation of intended interfaces for compliance with the security connection rules not only for the network, but also for the information system. The system concept of operations (SSAA section 1) shall be examined to identify all the connections and interfaces intended for the system. It is important to determine if connections exist that were not in the initial concept, but are to be added after the initial fielding or modification of the system. The interfaces to the networks or to other systems shall be evaluated to determine if the system and network security can be maintained at both ends of the interface. They also shall be evaluated to ensure that end-to-end connection constructs are maintained and security connection rules are applied. Test plans and procedures shall be developed to validate compliance with the network
E188.8.131.52.4. Integrity Analysis of Integrated Products (COTS, GOTS, or Non-Developmental Item (NDI)). This certification task evaluates the integration of COTS, GOTS, or NDI software, hardware, and firmware to ensure that their integration into the system design complies with the system security architecture, and the integrity of each product is
E184.108.40.206.4.1. Integrated product analysis shall include the identification, and may include the verification of the security functionality, of each product. That certification task shall determine whether or not evaluated products are being used for their intended purpose. Integrated product analyses shall include an examination of the system and subsystem interfaces, information flows, and applicable use of selectable product features. All interfaces and information flows are examined to identify how they access the
E220.127.116.11.5. Life-Cycle Management Analysis. This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security relevant software and hardware. During the system development, or maintenance, the development approach, procedures, and engineering environment are assessed and the life-cycle plans are evaluated. Proposed contingency, continuity of operations, and back-up plans shall be evaluated for feasibility. That may require examining the types of documents or procedures shown in figure E3-9.
Figure E3-9. Life-Cycle Management Documentation
1. Computer Resource Management Plan (CRMP).
2. Computer Resources Life-Cycle Management Plan (CRLCMP).
3. Configuration identification procedures.
4. Configuration control procedures.
5. Configuration status accounting procedures.
6. Configuration audit procedures and reports.
7. Software engineering (development approach and engineering environment) procedures.
8. Trusted distribution plans.
9. Contingency, continuity of operations, and back-up
E18.104.22.168.6. Vulnerability Assessment. This certification task shall evaluate security vulnerabilities with regard to confidentiality, integrity, availability, and accountability and recommend applicable countermeasures. The DAA should determine the acceptable level of risk to protect the system commensurate with its value to the Department of Defense.[6]
In phase 2, the vulnerability assessment concentrates on the progress in implementing the security requirements of the SSAA. It reviews the SSAA at the beginning of phase 2 and concludes with notifying the CA and the DAA that the information system is ready for C&A evaluation and testing.
E22.214.171.124.6.1. During vulnerability assessment, each of the vulnerabilities and discrepancies isolated during the evaluation of the system architecture, system design, network interfaces, product integration, and configuration management practices is analyzed to determine its susceptibility to exploitation, the potential rewards to the exploiter, the probability of occurrence, and any related threat. The analysis should use techniques such as static penetration or active penetration testing to determine the ability to exploit the vulnerabilities. The residual risk, that portion of risk that remains after security measures have been applied, shall be determined by ranking the evaluated vulnerabilities against threat, ease of exploitation, potential rewards to the exploiter, and a composite of the three areas. All residual risks shall be identified and evaluated. The evaluation shall indicate the rationale as to why the risk should be accepted or rejected, and the operational impacts associated with
E126.96.36.199.6.2. Coordination among the program manager, the DAA, the CA, and the user representative ensures that the residual risk does not exceed the level of risk established by the DAA. That level of risk, which shall now be documented in the SSAA, is called the "acceptable level of residual risk." If the risk exceeds the maximum acceptable risk, the system shall fail the
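The residual-risk ranking in the two paragraphs above (threat, ease of exploitation, reward to the exploiter, and a composite of the three, compared against the DAA's acceptable level) can be carried through on sample findings. This is an added illustration, not text or code from DoDI 5200.40; the 1..3 ordinal scale, the product as the composite, the countermeasure model, the sample findings and the threshold are all assumptions.

```python
"""Residual-risk ranking in the manner of the DITSCAP phase 2 vulnerability
assessment. Added example, not text or code from DoDI 5200.40: the 1..3 ordinal
scale, the product as the composite, the sample findings and the acceptable
level are assumptions for illustration."""
from dataclasses import dataclass, replace

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed ordinal scale for each ranking factor

@dataclass(frozen=True)
class Finding:
    source: str  # phase 2 task that isolated it: architecture, design, network, product, CM
    issue: str
    threat: int  # related threat and probability of occurrence
    ease: int    # ease of exploitation
    reward: int  # potential reward to the exploiter

def composite(f: Finding) -> int:
    """Composite of the three areas, assumed here to be their product (1..27)."""
    for score in (f.threat, f.ease, f.reward):
        if score not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"score out of range: {score}")
    return f.threat * f.ease * f.reward

def after_countermeasure(f: Finding, ease_reduction: int) -> Finding:
    """Residual form of a finding once a security measure lowers ease of exploitation."""
    return replace(f, ease=max(LOW, f.ease - ease_reduction))

def rank_residual(findings: list) -> list:
    """Rank residual vulnerabilities: composite first, then threat, ease, reward."""
    return sorted(findings, key=lambda f: (composite(f), f.threat, f.ease, f.reward), reverse=True)

def exceeding(findings: list, acceptable_level: int) -> list:
    """Residual risks above the DAA-established acceptable level; any such
    finding means the system does not meet the level documented in the SSAA."""
    return [f for f in rank_residual(findings) if composite(f) > acceptable_level]

# Constructed sample findings from the phase 2 analysis tasks (not from the document).
FINDINGS = [
    Finding("network", "unfiltered interface to a partner network", HIGH, HIGH, HIGH),
    Finding("design", "audit records not protected from modification", MEDIUM, MEDIUM, HIGH),
    Finding("product", "COTS package installed with unused services enabled", MEDIUM, HIGH, LOW),
    Finding("CM", "no configuration status accounting for security patches", LOW, MEDIUM, MEDIUM),
]
# Security measures applied before ranking: filter the interface, harden the COTS install.
RESIDUAL = [after_countermeasure(FINDINGS[0], 2), FINDINGS[1],
            after_countermeasure(FINDINGS[2], 1), FINDINGS[3]]
ACCEPTABLE_LEVEL = 8  # assumed DAA threshold on the composite scale
```

Calling `rank_residual(RESIDUAL)` lists the design finding (composite 12) and the filtered network interface (9) ahead of the two mitigated findings (4 each); `exceeding(RESIDUAL, ACCEPTABLE_LEVEL)` returns those first two, the ones a DAA would have to accept explicitly or reject.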
[6] An acceptable level of residual risk is based on the relationship of the threat to the system and the information processed, to the information system's mission, environment, and architecture; and its security confidentiality, integrity, availability, authenticity, and