E3.6.2. Maintenance of the SSAA. As in the preceding phases, the SSAA shall be kept current. Phase 4 shall begin with a review of the SSAA to ensure that all requirements and agreements are still applicable. The user representative, the DAA, the CA, and the program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA. Figure E3-13 summarizes the SSAA maintenance tasks.
Figure E3-13. SSAA Maintenance Tasks
1. Review SSAA.
2. Obtain approval of changes.
3. Document changes.
E3.6.3. System Operation. The second process activity of phase 4, system operation, concerns the secure operation of the IT system and the associated computing environment, figure E3-14. System maintenance tasks ensure that the IT system continues to operate within the stated parameters of the accreditation. Secure system management depends on the organization and its procedures. Site operations staff and the ISSO are responsible for maintaining an acceptable level of residual risk. That is done by addressing security considerations when changes are made to either the information system baseline or to the baseline of the computing environment operational site. The ISSO is responsible for determining the extent that a change affects the security posture of either the information system or the computing environment, for obtaining approval of security-relevant changes, and for documenting the implementation of that change in the SSAA and site operating procedures. Users are responsible for operating the system under the security guidelines established in the SSAA.
Figure E3-14. System Operation Tasks
1. System maintenance.
2. System security management.
3. Contingency planning.
E3.6.3.1. Secure system management is an ongoing process that manages risk against the IT, the computing environment, and its resources. Effective management of the risk continuously evaluates the threats to which the system is exposed, evaluates the capabilities of the system and environment to minimize the risk, and balances the security measures against cost and system performance. Secure system management preserves the acceptable level of residual risk based on the relationship of mission, environment, and architecture of the information system and its computing environment. Secure system management is a continuous review and approval process that involves the users, ISSOs, acquisition or maintenance organizations, and the DAA.
E3.6.3.2. Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery. That task shall ensure the availability of critical resources that will support the continuity of operations in an emergency situation. The operations and maintenance organizations, with the knowledge and approval of the ISSO, should develop contingency plans.
E3.6.4. Change Management. After an IT system is approved for operation in a specific computing environment, changes to the IT system and the computing environment must be controlled, figure E3-15. While changes may adversely affect the overall security posture of the infrastructure and the IT system, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change is required to maintain an acceptable level of residual risk.
Figure E3-15. Change Management Tasks
1. Support system configuration management.
2. Risk-based management review.
E3.6.4.1. Accreditation is based on security assumptions that tie certified hardware and software of each system to the configuration of the computing environment. Changes in the information system configuration, operational mission, computing environment, or to the computing environment's configuration may invalidate the security assumptions.
E3.6.4.2. The ISSO and system users shall support the system configuration management process. They shall be involved in the change management process to ensure that changes do not have an adverse effect on the security posture of the system and its associated IT. The strategy for managing change shall be defined in the SSAA. The ISSO shall review and approve changes relating to security and document the implementation of a change in the SSAA. Changes that significantly affect the system security posture must be forwarded to the DAA, the CA, the user representative, and the program manager (phase 1 of the DITSCAP).
E3.6.5. Compliance Validation. Periodic review of the operational system and its computing environment shall occur at the predefined intervals, defined in the SSAA.[7] The purpose of this process activity, figure E3-16, is to ensure the continued compliance with the security requirements, current threat assessment, and concept of operations as stated and agreed on in the SSAA. The compliance review should ensure that the contents of the SSAA adequately address the functional environment into which the IT has been placed.
Figure E3-16. Compliance Validation Tasks
1. Physical security analysis.
2. Review the SSAA.
3. Risk-based management review.
4. Procedural analysis.
5. Compliance reverification.
[7] OMB, DoD, Service, and Agency directives have mandatory recertification and reaccreditation requirements. These requirements shall be included in the SSAA, governing security requisites.