DoDI 5200.40: DoD Information Technology Security Certification and Accreditation Proc
Figure E7-1. System Description Elements.
E7.4. DETERMINATION OF SYSTEM CLASS
E7.4.1. A key step in the use of system classes is first to prepare an accurate description of the system being considered. While the details of the system may not be clear at the outset of development, its outlines and boundaries should be understood. It is important to know what is not part of the system as well as what is part of the system. The system description shall include those items in figure E7-1.
Mission Need Statement
1. Mission of the system.
2. Functions this system will perform.
3. Interfaces with other systems.
4. Interactions across system interfaces.
5. users of this system.
6. Information categories to be processed.
7. Time frame for developing and implementing the system.
8. Components of the system that will be automated versus
9. Budget limitations that may affect the
10. Other system constraints or assumptions that will impact the system.
Table E7-2. ITSEC Class Characteristics.
E7.4.2. These questions define the boundaries of the system relative to
the systems with which it may interact. That description shall be sufficiently
clear and comprehensive to provide an unambiguous definition of when the
system may be certified and accredited. If information or understanding
about the system is insufficient for that system description to be written,
the DITSCAP is not ready to begin.
E7.4.3. Determining the applicable system class is essential to
development of the minimal security requirements necessary for the
certification and eventual accreditation of the system. By determining the
applicable class, the security engineer automatically develops the minimum
set of security requirements for the system being analyzed. The various
system classes also are associated with specific DITSCAP activities that
must be performed. As a result, early in system development the minimum set
of security requirements as well as the DITSCAP activities are known to the
program manager, the DAA, the user representative, and the CA.
E7.4.4. A system class is determined by first selecting the applicable
entries for the first three columns of table E7-1. Next the first three
entries are resolved to reflect the most applicable value for the fourth
column so that the system will adequately support the needs defined in the
first three columns. That will result in a system with the minimum security
requirements needed in the context of its associated operation, data, and
infrastructure. Future DITSCAP application guidance will give further
instruction with specific examples and rules in selecting the applicable
alternatives for each characteristic as it applies to each system aspect.
For example, a completed system class chart could look like the
Benign, Passive, or Active
Dedicated, Compartmented, System High,
None, Rudimentary, Selected, Basic, or
None, Cursory, Partial, or Total
Reasonable, Soon, ASAP, or
Not-applicable, Approximate, or
Code 552 (reference (l)), Financially Sensitive, Administrative,
Proprietary, or Other), Collateral Classified, or Compartmented and/or Special Access