DEPARTMENT OF DEFENSE (DOD)

JOINT SPECIAL ACCESS PROGRAM (SAP) IMPLEMENTATION GUIDE (JSIG)

11 April 2016

NOTE:

This version of the JSIG is based on NIST SP 800-53, Rev 4 and CNSSI 1253, March 2014.

Chapter 1-Introduction and Roles

PAGE 1-1

PREFACE

The Risk Management Framework (RMF) is a framework designed to be tailored to meet organizational needs while providing adequate risk management of data and information systems. Transformation to the RMF is a daunting task and we appreciate all the effort to date within the Department and Industry. We applaud all the hard work of the Joint SAP Cybersecurity Working Group (JSCS WG) and the spectacular leadership of the individuals who created this joint "coalition of the willing."

Special Access Programs represent some of the Department's most sensitive information and must be protected accordingly. We can no longer rely on physical isolation as a primary risk mitigation strategy. Threats and risks often outpace our ability to implement robust, multi-disciplinary countermeasures. The cost and time required to develop threats to our data almost always pale in comparison to the cost and time required to implement countermeasures. Given the rapid increase in cybersecurity threats and prioritization from the SECDEF, the senior cybersecurity professionals responsible for authorizing information systems to process SAP have identified three security controls which offer mitigations so significant they can no longer be tailored. Beginning in this revision of the JSIG, we are introducing controls that are not tailorable. Historically, the ability to tailor controls has been delegated to the field, but senior leadership is no longer willing to accept the risk of high-volume data loss. Recognizing there may be extreme situations in which it is not feasible to implement these controls in their entirety, the authority to tailor or modify these controls is delegated to the component SAP Senior Authorizing Official. This waiver authority cannot be further delegated. The establishment of a Senior Authorizing Official for each DoD component will elevate the status of cybersecurity functions so they more effectively influence department-wide strategy, policy, and investments.

Summary of Changes:

• Establishment of Component SAP Senior Authorizing Officials
  o Each DoD component responsible for authorizing SAP information systems shall assign in writing a SAP Senior Authorizing Official for the component. This SAP Senior Authorizing Official shall be the waiver authority for "non-tailorable controls." This authority cannot be delegated. Waivers to these controls will be submitted to the DoD SAPCO and DoD SAP CIO within 30 days of approval.

• Establishment of non-tailorable controls
  o See AC-6(1), Least Privilege | Authorize Access to Security Functions
    ▪ System endpoint protection shall not be tailored out.
  o See SA-22, Unsupported System Components
    ▪ Added to the baseline and required to be implemented on all SAP systems.
  o See SC-28, Protection of Information at Rest
    ▪ Encryption of data at rest shall be implemented for all SAP systems.

• The entirety of this document is effective immediately.

Policy

The policy of the U.S. Government is that all classified information be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides standardized security policies and procedures for use in the management of all networks, systems, and components under the purview of the Department of Defense (DoD) Special Access Program Central Office (SAPCO) and DoD Service/Agency SAPCOs. This guidance applies to the DoD SAP Community and all networks, information systems, weapon systems, and applications for which the cognizant SAP Authorizing Official (AO) has management or oversight responsibility, regardless of the physical location.


Responsibilities

The Joint SAP Cybersecurity Working Group (JSCS WG) is chartered to provide DoD SAP cybersecurity implementation guidance. The JSCS WG provides organizations within the DoD SAP Community a forum to address all aspects of cybersecurity. JSCS WG functions and activities related to RMF include:

• Promote DoD SAP Community coordination in methodologies for assessing and authorizing SAP information systems and related areas (e.g., documentation, tools, assessment methods, processes) to provide for consistency in methodologies, approaches, templates, and organization-defined values across the DoD SAP Community

• Develop, maintain, and periodically update the policies and procedures related to RMF to include, as needed, JSIG, security control overlays, RMF training, templates, and other supporting documentation

• Promote, review, and update training and awareness objectives, material, and availability for all service, agency, and industry partners on cybersecurity, emphasizing insider threat, community best practices, and RMF

Additional information on roles and responsibilities related to the Risk Management Framework can be found in Section 1.5.

Effective Date

This document is effective immediately and organizations should begin tracking the changes from the Revision 3 to Revision 4 security controls (new, modified and deleted) in an information system POA&M, with a focus on the three non-tailorable controls identified above. Components may also provide additional transition guidance.

This document must be reissued, cancelled, or certified current within 5 years of its publication to be considered current.

David B. Been

Brigadier General, USAF

Director, Special Access Program Central Office

Kenneth R. Bowen

Chief Information Officer for

DoD Special Access Programs

Table of Contents

TABLE OF CONTENTS ..................................................................................................................... 4

1 INTRODUCTION AND ROLES ...................................................................................... 11

1.1 INTRODUCTION ................................................................................................................................... 11

1.2 PURPOSE AND APPLICABILITY ...................................................................................................... 12

1.3 RECIPROCITY ...................................................................................................................................... 12

1.4 CHANGES IN TERMINOLOGY.......................................................................................................... 13

1.5 ROLES AND RESPONSIBILITIES ..................................................................................................... 14

1.5.1 Agency/Component Head .................................................................................................................... 14

1.5.2 Risk Executive (Function) ................................................................................................................... 14

1.5.3 Chief Information Officer (CIO).......................................................................................................... 15

1.5.4 Chief Information Security Officer (CISO) ......................................................................................... 15

1.5.5 Authorizing Official (AO) ................................................................................................................... 16

1.5.6 Delegated Authorizing Official (DAO) ............................................................................................... 17

1.5.7 Security Control Assessor (SCA) ........................................................................................................ 17

1.5.8 Common Control Provider (CCP)........................................................................................................ 18

1.5.9 Program Security Officer (PSO) .......................................................................................................... 18

1.5.10 Information Owner/Steward ................................................................................................................ 18

1.5.11 Mission/Business Owner (MBO) ......................................................................................................... 18

1.5.12 Information System Owner (ISO) ........................................................................................................ 19

1.5.13 Information System Security Engineer (ISSE) .................................................................................... 20

1.5.14 Information System Security Manager (ISSM) ................................................................................... 20

1.5.15 Information System Security Officer (ISSO) ....................................................................................... 21

1.5.16 Privileged Users ................................................................................................................................... 22

1.5.17 General Users ....................................................................................................................................... 22

1.6 DOCUMENT ORGANIZATION AND USE ........................................................................................ 22

2 RISK MANAGEMENT FRAMEWORK (RMF) ............................................................. 24

2.1 INTRODUCTION TO THE RMF .................................................................................................................. 24

2.2 FUNDAMENTALS OF THE RMF ........................................................................................................ 25

2.2.1 Organization-Wide Risk Management ................................................................................................. 25

2.2.2 System Development Life Cycle (SDLC)............................................................................................ 26

2.2.3 Information System Boundaries........................................................................................................... 28

2.3 RMF SIX-STEP PROCESS .................................................................................................................... 30

2.3.1 RMF Step 1, Categorize ....................................................................................................................... 30

2.3.2 RMF Step 2, Select .............................................................................................................................. 33

2.3.3 RMF Step 3, Implement (Develop/Build) ............................................................................................ 35

2.3.4 RMF Step 4, Assess (Test)................................................................................................................... 35

2.3.5 RMF Step 5, Authorize (Deploy/Operate) ........................................................................................... 36

2.3.6 RMF Step 6, Monitor ........................................................................................................................... 38

3 POLICY AND PROCEDURES ....................................................................................... 41

FAMILY: ACCESS CONTROL ..................................................................................................................... 43

AC-1 ACCESS CONTROL POLICY AND PROCEDURES ....................................................................... 43

AC-2 ACCOUNT MANAGEMENT ............................................................................................................ 43

AC-3 ACCESS ENFORCEMENT ................................................................................................................ 48

AC-4 INFORMATION FLOW ENFORCEMENT ....................................................................................... 51

AC-5 SEPARATION OF DUTIES ............................................................................................................... 58

AC-6 LEAST PRIVILEGE ........................................................................................................................... 59

AC-7 UNSUCCESSFUL LOGON ATTEMPTS .......................................................................................... 61

AC-8 SYSTEM USE NOTIFICATION ........................................................................................................ 62

AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION ........................................................................... 63

AC-10 CONCURRENT SESSION CONTROL.............................................................................................. 63

AC-11 SESSION LOCK ................................................................................................................................. 64


AC-12 SESSION TERMINATION................................................................................................................. 64

AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL ................................................................. 65

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION ...................... 65

AC-15 AUTOMATED MARKING ................................................................................................................ 66

AC-16 SECURITY ATTRIBUTES................................................................................................................. 66

AC-17 REMOTE ACCESS ............................................................................................................................. 69

AC-18 WIRELESS ACCESS .......................................................................................................................... 70

AC-19 ACCESS CONTROL FOR MOBILE DEVICES ................................................................................ 71

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS .......................................................................... 73

AC-21 INFORMATION SHARING ............................................................................................................... 75

AC-22 PUBLICLY ACCESSIBLE CONTENT.............................................................................................. 76

AC-23 DATA MINING PROTECTION ......................................................................................................... 77

AC-24 ACCESS CONTROL DECISIONS ..................................................................................................... 77

AC-25 REFERENCE MONITOR ................................................................................................................... 78

FAMILY: AWARENESS AND TRAINING.................................................................................................. 79

AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES ............................... 79

AT-2 SECURITY AWARENESS TRAINING ............................................................................................ 79

AT-3 ROLE-BASED SECURITY TRAINING ............................................................................................ 80

AT-4 SECURITY TRAINING RECORDS .................................................................................................. 83

AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS ................................................. 83

FAMILY: AUDIT AND ACCOUNTABILITY ............................................................................................. 84

AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES ................................................ 84

AU-2 AUDIT EVENTS ................................................................................................................................. 85

AU-3 CONTENT OF AUDIT RECORDS .................................................................................................... 87

AU-4 AUDIT STORAGE CAPACITY ......................................................................................................... 88

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES ......................................................................... 89

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING ......................................................................... 90

AU-7 AUDIT REDUCTION AND REPORT GENERATION ..................................................................... 92

AU-8 TIME STAMPS ................................................................................................................................... 93

AU-9 PROTECTION OF AUDIT INFORMATION .................................................................................... 93

AU-10 NON-REPUDIATION ......................................................................................................................... 95

AU-11 AUDIT RECORD RETENTION......................................................................................................... 96

AU-12 AUDIT GENERATION ...................................................................................................................... 97

AU-13 MONITORING FOR INFORMATION DISCLOSURE ..................................................................... 97

AU-14 SESSION AUDIT ................................................................................................................................ 98

AU-15 ALTERNATE AUDIT CAPABILITY ................................................................................................ 98

AU-16 CROSS-ORGANIZATIONAL AUDITING........................................................................................ 99

FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION ........................................................... 100

CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES ............... 100

CA-2 SECURITY ASSESSMENTS ........................................................................................................... 100

CA-3 SYSTEM INTERCONNECTIONS ................................................................................................... 104

CA-4 SECURITY CERTIFICATION ......................................................................................................... 105

CA-5 PLAN OF ACTION AND MILESTONES........................................................................................ 105

CA-6 SECURITY AUTHORIZATION ...................................................................................................... 106

CA-8 PENETRATION TESTING .............................................................................................................. 110

CA-9 INTERNAL SYSTEM CONNECTIONS .......................................................................................... 111

FAMILY: CONFIGURATION MANAGEMENT ...................................................................................... 112

CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES ......................................... 112

CM-2 BASELINE CONFIGURATION....................................................................................................... 112

CM-3 CONFIGURATION CHANGE CONTROL ..................................................................................... 114

CM-4 SECURITY IMPACT ANALYSIS ................................................................................................... 117

CM-5 ACCESS RESTRICTIONS FOR CHANGE ..................................................................................... 119

CM-6 CONFIGURATION SETTINGS ....................................................................................................... 120

CM-7 LEAST FUNCTIONALITY .............................................................................................................. 122

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY ............................................................. 124

CM-9 CONFIGURATION MANAGEMENT PLAN .................................................................................. 126
