DoDI 5200.40: DoD Information Technology Security Certification and Accreditation Proc
E3.5.2. Certification Evaluation of the Integrated System. This process activity is to certify that the fully integrated and operational system complies with the requirements stated in the SSAA and may be operated with an acceptable level of residual risk. During this process activity, certification tasks, shown in figure E3-11 are performed on the integrated operational system to ensure that the IT system is functionally ready for operational deployment. The certification tasks and the extent of the tasks will depend on the level of certification analysis agreed on in the SSAA.
Figure E3-11. Certification Tasks During
E3.5.2.1. Phase 3 certification tasks shall include certification of the software, firmware, and hardware and inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements. Phase 3 includes tasks to certify the compatibility of the computing environment with the description provided in the SSAA. DITSCAP flexibility permits the certification actions to be scaled to the type of IT system being evaluated and tailored to the program strategy used in the development or modification of the system. Subparagraphs E3.5.2.1.1. through E3.5.2.1.8. describe the certification tasks that may be included in the evaluation of the integrated system.
1. Security Test and Evaluation.
2. Penetration testing.
3. TEMPEST and Red-Black verification.
4. Validation of COMSEC compliance.
5. System management analysis.
6. Site accreditation survey.
7. Contingency plan evaluation.
8. Risk-based management review.
Security Test and Evaluation. The objective
of the ST&E is to assess the technical and non-technical implementation of
the security design and to ascertain that security features affecting
confidentiality, integrity, availability, and accountability have been
implemented in accordance with the SSAA, and perform properly. System ST&E
shall validate the correct implementation of identification and
authentication, audit capabilities, access controls, object reuse, trusted
recovery, and network connection rule compliance. Individual tests shall
evaluate system conformance with the requirements, mission, environment, and
architecture defined in the SSAA. Test plans and procedures shall address all
the security requirements and the results of the testing will provide
sufficient evidence of the amount of residual risk. These results shall
validate the proper integration and operation of all security features.
E3.5.2.1.1.1. When a system is deployed to multiple locations, the
ST&E may occur at a central integration and test facility. When use
of such a facility is not possible, the integrated system may be tested
at one of the intended-operating sites. Software and hardware security
tests of common system components at multiple sites are not recommended.
The system installation and security configuration should be tested at
E3.5.2.1.2. Penetration Testing. For applicable system
classes, penetration testing is strongly recommended to assess the
system's ability to withstand intentional attempts to circumvent system
security features by exploiting technical security vulnerabilities.
Penetration testing may include insider and outsider penetration attempts
based on common vulnerabilities for the technology being
E3.5.2.1.3. TEMPEST and Red-Black
Verification. TEMPEST and Red-Black verification may be required to
validate that the equipment and site meet the security requirements. In
these situations the site may be inspected to determine if adequate
practices are being followed, and the equipment may be subjected to
E3.5.2.1.4. Validation of COMSEC Compliance. This certification
task validates that COMSEC approval has been granted and approved COMSEC
key management procedures are used. COMSEC analysis evaluates how well the
SSAA-defined COMSEC requirements are integrated into the system
architecture and the site management procedures.
E3.5.2.1.5. System Management Analysis. The
system management infrastructure shall be examined to determine whether it
adequately supports the maintenance of the environment, mission, and
architecture described in the SSAA. Infrastructure components that may
provide insight into security of operations at the site include the
system and security management organizations, security training and
awareness, and the configuration management organization and processes.
The roles and responsibilities assigned to ISSO shall be examined to
ensure that the responsibilities are consistent with the procedures
identified in the SSAA. The system and security management organization
shall be examined to determine the ability of the ISSO to report security
incidents and implement security changes.
E3.5.2.1.5.1. Knowledge of the security
management structure may provide insight into the emphasis the
organization places on secure operation of the computing environment. It
also shall provide an indication of effectiveness of the security
personnel. Security training and awareness shall be examined to provide
insight into potential security problem areas.
E3.5.2.1.5.2. An effective configuration
management program is mandatory if an established secure posture is to
be maintained. This certification task evaluates the change control and
configuration management practices to determine their ability to
preserve the integrity of the security relevant software and hardware. A
system baseline that identifies all information hardware, software, and
firmware components and external interfaces, provides for future
security evaluations and establishes a known reference point from which
to make future accreditation decisions. Configuration management
practices shall include periodic reverification of the system
configuration to ensure unauthorized changes have not
E3.5.2.1.6. Site Accreditation
Survey. The site accreditation survey task shall ensure that the site
operation of the information system is accomplished in accordance with the
SSAA. The site accreditation survey shall validate that the operational
procedures for the IT, environmental concerns, and physical security pose
no unacceptable risks to the information being processed. Where the IT
system may not be confined to a fixed site, i.e., tactical or mobile
systems and embedded systems in ships or aircraft, the IT system shall be
examined in representative sites or environments.
E3.5.2.1.7. Contingency Plan
Evaluation. The contingency plan
evaluation task analyzes the contingency, back-up, and continuity of
service plans to ensure the plans are consistent with the requirements
identified in the SSAA. Periodic testing of the contingency plan is
required by DoD Directive 5200.28 (reference (a)) for critical
systems and is encouraged for all systems.
E3.5.2.1.8. Risk Management Review.
The risk-based management review task assesses the operation of the system
to determine if the risk to confidentiality, integrity, availability, and
accountability is being maintained at an acceptable level. The risk
management review shall assess the system vulnerabilities with respect to
the documented threat, ease of exploitation, potential rewards, and
probability of occurrence. The operational procedures and safeguards shall
be evaluated to determine their effectiveness and ability to offset risk.
This is the final review before developing the recommendation to the