DEPARTMENT OF DEFENSE (DOD)
JOINT SPECIAL ACCESS PROGRAM (SAP) IMPLEMENTATION GUIDE (JSIG)
11 April 2016
NOTE:
This version of the JSIG is based on NIST SP 800-53, Rev 4 and CNSSI 1253, March 2014.
Chapter 1-Introduction and Roles
PAGE 1-1
PREFACE
The Risk Management Framework (RMF) is a framework designed to be tailored to meet organizational
needs while providing adequate risk management of data and information systems. Transformation to the
RMF is a daunting task and we appreciate all the effort to date within the Department and Industry. We
applaud all the hard work of the Joint SAP Cybersecurity Working Group (JSCS WG) and the spectacular
leadership of the individuals who created this joint “coalition of the willing.”
Special Access Programs represent some of the Department’s most sensitive information and must be
protected accordingly. We can no longer rely on physical isolation as a primary risk mitigation strategy.
Threats and risks often outpace our ability to implement robust, multi-disciplinary countermeasures. The cost
and time to develop threats to our data almost always pale in comparison to the cost and time to implement
countermeasures. Given the rapid increase in cybersecurity threats and prioritization from the SECDEF,
the senior cybersecurity professionals responsible for authorizing information systems to process SAP
have identified three security controls which offer mitigations so significant they can no longer be
tailored. Beginning in this revision of the JSIG, we are introducing controls that are not tailorable.
Historically, the ability to tailor controls has been delegated to the field but senior leadership is no longer
willing to accept the risk of high volume data loss. Recognizing there may be extreme situations in which
it is not feasible to implement these controls in their entirety, the authority to tailor or modify these
controls is delegated to the component SAP senior authorizing official. This waiver authority cannot be
further delegated. The establishment of a senior authorizing official for each DoD component will elevate
the status of cybersecurity functions so they more effectively influence department-wide strategy, policy,
and investments.
Summary of Changes:
• Establishment of Component SAP Senior Authorizing Officials
  o Each DoD component responsible for authorizing SAP information systems shall assign in writing a SAP Senior Authorizing Official for the component. This SAP Senior Authorizing Official shall be the waiver authority for “non-tailorable controls.” This authority cannot be delegated. Waivers to these controls will be submitted to the DoD SAPCO and DoD SAP CIO within 30 days of approval.
• Establishment of non-tailorable controls
  o See AC-6(1), Least Privilege | Authorize Access to Security Functions
    ▪ System endpoint protection shall not be tailored out.
  o See SA-22, Unsupported System Components
    ▪ Added to the baseline and required to be implemented on all SAP systems.
  o See SC-28, Protection of Information at Rest
    ▪ Encryption of data at rest shall be implemented for all SAP systems.
The entirety of this document is effective immediately.
Policy
The policy of the U.S. Government is that all classified information be appropriately safeguarded to
assure the confidentiality, integrity, and availability of that information. This document provides
standardized security policies and procedures for use in the management of all networks, systems, and
components under the purview of the Department of Defense (DoD) Special Access Program Central
Office (SAPCO) and DoD Service/Agency SAPCOs. This guidance applies to the DoD SAP Community
and all networks, information systems, weapon systems, and applications for which the cognizant SAP
Authorizing Official (AO) has management or oversight responsibility, regardless of the physical
location.
Responsibilities
The Joint SAP Cybersecurity Working Group (JSCS WG) is chartered to provide DoD SAP cybersecurity
implementation guidance. The JSCS WG provides organizations within the DoD SAP Community a
forum to address all aspects of cybersecurity. JSCS WG functions and activities related to RMF include:
• Promote DoD SAP Community coordination in methodologies for assessing and authorizing SAP information systems and related areas (e.g., documentation, tools, assessment methods, processes) to provide for consistency in methodologies, approaches, templates, and organization-defined values across the DoD SAP Community
• Develop, maintain, and periodically update the policies and procedures related to RMF to include, as needed, JSIG, security control overlays, RMF training, templates, and other supporting documentation
• Promote, review, and update training and awareness objectives, material, and availability for all service, agency, and industry partners on cybersecurity, emphasizing insider threat, community best practices, and RMF
Additional information on roles and responsibilities related to the Risk Management Framework can be
found in Section 1.5.
Effective Date
This document is effective immediately and organizations should begin tracking the changes from the
Revision 3 to Revision 4 security controls (new, modified and deleted) in an information system
POA&M, with a focus on the three non-tailorable controls identified above. Components may also
provide additional transition guidance.
This document must be reissued, cancelled, or certified current within 5 years of its publication to be
considered current.
David B. Been
Brigadier General, USAF
Director, Special Access Program Central Office
Kenneth R. Bowen
Chief Information Officer for
DoD Special Access Programs
Table of Contents
TABLE OF CONTENTS ........ 4
1 INTRODUCTION AND ROLES ........ 11
1.1 INTRODUCTION ........ 11
1.2 PURPOSE AND APPLICABILITY ........ 12
1.3 RECIPROCITY ........ 12
1.4 CHANGES IN TERMINOLOGY ........ 13
1.5 ROLES AND RESPONSIBILITIES ........ 14
1.5.1 Agency/Component Head ........ 14
1.5.2 Risk Executive (Function) ........ 14
1.5.3 Chief Information Officer (CIO) ........ 15
1.5.4 Chief Information Security Officer (CISO) ........ 15
1.5.5 Authorizing Official (AO) ........ 16
1.5.6 Delegated Authorizing Official (DAO) ........ 17
1.5.7 Security Control Assessor (SCA) ........ 17
1.5.8 Common Control Provider (CCP) ........ 18
1.5.9 Program Security Officer (PSO) ........ 18
1.5.10 Information Owner/Steward ........ 18
1.5.11 Mission/Business Owner (MBO) ........ 18
1.5.12 Information System Owner (ISO) ........ 19
1.5.13 Information System Security Engineer (ISSE) ........ 20
1.5.14 Information System Security Manager (ISSM) ........ 20
1.5.15 Information System Security Officer (ISSO) ........ 21
1.5.16 Privileged Users ........ 22
1.5.17 General Users ........ 22
1.6 DOCUMENT ORGANIZATION AND USE ........ 22
2 RISK MANAGEMENT FRAMEWORK (RMF) ........ 24
2.1 INTRODUCTION TO THE RMF ........ 24
2.2 FUNDAMENTALS OF THE RMF ........ 25
2.2.1 Organization-Wide Risk Management ........ 25
2.2.2 System Development Life Cycle (SDLC) ........ 26
2.2.3 Information System Boundaries ........ 28
2.3 RMF SIX-STEP PROCESS ........ 30
2.3.1 RMF Step 1, Categorize ........ 30
2.3.2 RMF Step 2, Select ........ 33
2.3.3 RMF Step 3, Implement (Develop/Build) ........ 35
2.3.4 RMF Step 4, Assess (Test) ........ 35
2.3.5 RMF Step 5, Authorize (Deploy/Operate) ........ 36
2.3.6 RMF Step 6, Monitor ........ 38
3 POLICY AND PROCEDURES ........ 41
FAMILY: ACCESS CONTROL ........ 43
AC-1 ACCESS CONTROL POLICY AND PROCEDURES ........ 43
AC-2 ACCOUNT MANAGEMENT ........ 43
AC-3 ACCESS ENFORCEMENT ........ 48
AC-4 INFORMATION FLOW ENFORCEMENT ........ 51
AC-5 SEPARATION OF DUTIES ........ 58
AC-6 LEAST PRIVILEGE ........ 59
AC-7 UNSUCCESSFUL LOGON ATTEMPTS ........ 61
AC-8 SYSTEM USE NOTIFICATION ........ 62
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION ........ 63
AC-10 CONCURRENT SESSION CONTROL ........ 63
AC-11 SESSION LOCK ........ 64
AC-12 SESSION TERMINATION ........ 64
AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL ........ 65
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION ........ 65
AC-15 AUTOMATED MARKING ........ 66
AC-16 SECURITY ATTRIBUTES ........ 66
AC-17 REMOTE ACCESS ........ 69
AC-18 WIRELESS ACCESS ........ 70
AC-19 ACCESS CONTROL FOR MOBILE DEVICES ........ 71
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS ........ 73
AC-21 INFORMATION SHARING ........ 75
AC-22 PUBLICLY ACCESSIBLE CONTENT ........ 76
AC-23 DATA MINING PROTECTION ........ 77
AC-24 ACCESS CONTROL DECISIONS ........ 77
AC-25 REFERENCE MONITOR ........ 78
FAMILY: AWARENESS AND TRAINING ........ 79
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES ........ 79
AT-2 SECURITY AWARENESS TRAINING ........ 79
AT-3 ROLE-BASED SECURITY TRAINING ........ 80
AT-4 SECURITY TRAINING RECORDS ........ 83
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS ........ 83
FAMILY: AUDIT AND ACCOUNTABILITY ........ 84
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES ........ 84
AU-2 AUDIT EVENTS ........ 85
AU-3 CONTENT OF AUDIT RECORDS ........ 87
AU-4 AUDIT STORAGE CAPACITY ........ 88
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES ........ 89
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING ........ 90
AU-7 AUDIT REDUCTION AND REPORT GENERATION ........ 92
AU-8 TIME STAMPS ........ 93
AU-9 PROTECTION OF AUDIT INFORMATION ........ 93
AU-10 NON-REPUDIATION ........ 95
AU-11 AUDIT RECORD RETENTION ........ 96
AU-12 AUDIT GENERATION ........ 97
AU-13 MONITORING FOR INFORMATION DISCLOSURE ........ 97
AU-14 SESSION AUDIT ........ 98
AU-15 ALTERNATE AUDIT CAPABILITY ........ 98
AU-16 CROSS-ORGANIZATIONAL AUDITING ........ 99
FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION ........ 100
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES ........ 100
CA-2 SECURITY ASSESSMENTS ........ 100
CA-3 SYSTEM INTERCONNECTIONS ........ 104
CA-4 SECURITY CERTIFICATION ........ 105
CA-5 PLAN OF ACTION AND MILESTONES ........ 105
CA-6 SECURITY AUTHORIZATION ........ 106
CA-8 PENETRATION TESTING ........ 110
CA-9 INTERNAL SYSTEM CONNECTIONS ........ 111
FAMILY: CONFIGURATION MANAGEMENT ........ 112
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES ........ 112
CM-2 BASELINE CONFIGURATION ........ 112
CM-3 CONFIGURATION CHANGE CONTROL ........ 114
CM-4 SECURITY IMPACT ANALYSIS ........ 117
CM-5 ACCESS RESTRICTIONS FOR CHANGE ........ 119
CM-6 CONFIGURATION SETTINGS ........ 120
CM-7 LEAST FUNCTIONALITY ........ 122
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY ........ 124
CM-9 CONFIGURATION MANAGEMENT PLAN ........ 126