E6. ENCLOSURE 6
The SSAA is a living
document that represents the formal agreement among the DAA, the CA, the user
representative, and the program manager. The SSAA is developed in phase 1 and
updated in each phase as the system development progresses and new information
becomes available. At minimum, the SSAA should contain the information in the
following sample format:
E6.1. SSA outoline
1.Mission Description and
1.1. System name and identification.
1.2. System description.
1.3.1. System capabilities.
1.3.2. System criticality.
1.3.3. Classification and sensitivity of data processed.
1.3.4. System user description and clearance levels.
1.3.5. Life-cycle of the
1.4. System CONOPS summary.
2.1. Operating environment.
2.2. Software development and maintenance environment.
3.System Architectural Description
3.4. System interfaces and external connections.
3.5. Data flow (including data flow diagrams).
3.6. TAFIM DGSA, (reference (o)), security view.
4.ITSEC System Class
4.1. Interfacing mode.
4.3. Attribution mode.
4.4. Mission-reliance factor.
4.5. Accessibility factor.
4.7. Information categories.
4.8. System class level.
Certification analysis level.
5.System Security Requirements
5.1. National and DoD security requirements.
5.2. Governing security requisites.
5.3. Data security requirements.
5.4. Security CONOPS.
Network connection rules.
5.5.1. To connect to this system.
5.5.2. To connect to the other systems defined in the
5.6. Configuration and change management requirements.
5.7. Reaccreditation requirements.
6. Organizations and Resources
6.1. Identification of organizations.
6.1.3. Identification of the user representative.
6.1.4. Identification of the organization responsible for the system.
6.1.5. Identification of the
program manager or system manager.
6.2.1. Staffing requirements.
6.3. Training for certification team.
6.4. Roles and responsibilities.
6.5. Other supporting organizations or working
7. DITSCAP Plan
7.1. Tailoring factors.
7.1.1. Programmatic considerations.
7.1.2. Security environment.
7.1.3. IT system characteristics.
7.1.4. Reuse of previously approved solutions.
7.1.5. Tailoring summary.
7.2. Tasks and milestones.
7.3. Schedule summary.
7.4. Level of effort.
7.5. Roles and
Appendices shall be added to include system C&A artifacts. Optional appendices may be added to meet specific needs. Include all documentation that will be relevant to the systems’ C&A.
APPENDIX A. Acronym list
APPENDIX B. Definitions
APPENDIX D. Security requirements and/or requirements
APPENDIX E. Security test and evaluation plan and
APPENDIX F. Certification results
APPENDIX G. Risk assessment
APPENDIX H. CA’s recommendation
APPENDIX I. System rules of
APPENDIX J. Contingency plan(s)
APPENDIX K. Security awareness
and training plan
APPENDIX L. Personnel controls and technical security
APPENDIX M. Incident response plan
APPENDIX N. Memorandums of
agreement - system interconnect agreements
APPENDIX O. Applicable system
development artifacts or system documentation
APPENDIX P. Accreditation
documentation and accreditation statement