DITSCAP MANAGEMENT APPROACH
E4.1. MANAGEMENT OVERVIEW
E4.1.1. The management approach for DITSCAP focuses on management at the applicable systems level to execute DITSCAP for a given system.(9) The management concept integrates existing roles in the C&A process. The concept includes system program or operations management, senior operational staff, users, and working level security managers. The DITSCAP provides visibility into the process to all managers responsible for system development, operation, maintenance, and security, and to system users.
E4.1.1.1. The key roles in the DITSCAP are the system program manager, the DAA, the CA, and the user representative. The program manager represents the interests of the system acquisition or maintenance organization with engineering, schedule, and funding responsibility; or the system operations organization with responsibility for daily operations, performance, and maintenance. The organization the program manager represents is usually determined by the phase in the life-cycle of the system. The DAA is usually a senior operational commander with the authority and ability to evaluate the operational needs for the system in view of the security risks. The DAA must have the authority to oversee the operations and use of systems under his/her purview. The DAA represents the interests of mission need, controls the operating environment, and defines the system level security requirements. The CA provides the technical expertise to conduct the certification. The interests of the system's users are vested in the user representative. In the DITSCAP process, the user representative, at minimum, is concerned with system availability, access, integrity, functionality, and performance.
E4.1.1.2. These managers cooperate to provide the most capable IT system with an acceptable (tolerable) level of risk. They, and their staff, develop and approve the security requirements, manage the C&A process, and review the results. The DITSCAP allows these four managers to tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, schedule, and criticality of the system. This standard approach establishes the ability to reuse both the technical and non-technical analysis, documentation, and architecture from certification or recertification efforts for similar systems.
E4.2. DITSCAP MANAGEMENT ROLES AND FUNCTIONS
E4.2.1. The organizations involved in the development, fielding, operation, and maintenance of secure IT systems include the acquisition and maintenance organizations, system operator(s), DAA(s), and the users. The key roles in these organizations involved in the C&A process are the program manager of the organization responsible for the system (i.e., the system owner), the DAA, the CA, and the user representative. The organization with engineering and funding responsibility for the system may change as a system progresses through the life-cycle phases. During acquisition, this responsibility may be the acquisition organization, which will be represented by the system's acquisition program manager. During the system's operations and maintenance phase, that responsibility may be the system manager. In the case of a major upgrade, the system may be turned over to a maintenance organization. The upgrade program manager would then represent the maintenance organization. The DAA should be a senior member of the operational chain-of-command where the system is operating. The system users may be part of a single organization or a large diverse community. In either situation, for DITSCAP purposes, the user representative will represent the users' interests.
E4.2.1.1. The key
parties throughout the DITSCAP are the program manager, the DAA, the CA,
and the user representative. They shall reach agreement during phase 1
"negotiation" and approve the SSAA. During phases 2, 3, and 4, if the
system is changed, or any of the agreements delineated in the SSAA are
modified, the four key parties return to phase 1 negotiation and
subsequent revision of the SSAA.
E4.2.1.2. The CA,
the ISSO, the threat developer, and the security working groups shall
support the C&A process. They provide the security technical expertise to
support the DAA, the program manager, and the user representative.
E4.2.1.3. The
DITSCAP roles, shown in table E4-1, are described in paragraphs E4.2.2
through E4.2.4 below. The discussion describes the functional
relationships and integration of these roles, but is not intended to
describe organization or command functions. During the life-cycle of a
system, some of these roles may be assumed by a variety of organizations.
In some cases, the three roles may be performed by three separate
organizations. In other cases, some roles may be combined; i.e., the user
representative and the program manager roles may be performed in the same
organization.
Table E4-1. Management Responsibilities by DITSCAP Phase.

Phase 1

  Program Manager:
    Initiate security dialogue with the DAA, the CA, and the user representative.
    Define system schedule and budget.
    Define and/or validate system performance, availability, and functionality requirements.
    Support DITSCAP tailoring and level of effort determination.
    Draft or support drafting of the SSAA.
    Reach agreement on the SSAA.
    Approve the SSAA.

  DAA and CA:
    Define ITSEC accreditation requirements.
    Obtain threat assessment.
    Begin vulnerability and risk assessments.
    Assign the CA.
    Support DITSCAP tailoring and determine the level of effort.
    Draft or support drafting of the SSAA.
    Reach agreement on the SSAA.
    Approve the SSAA.

  User Representative:
    Validate and/or define system performance, availability, and functionality requirements.
    Support DITSCAP tailoring and level of effort determination.
    Reach agreement on the SSAA.
    Approve the SSAA.

Phase 2

  Program Manager:
    Review the SSAA.
    Develop system or system modifications.
    Support certification actions.
    Review certification results.
    Revise system as applicable.

  DAA and CA:
    Review the SSAA.
    Evaluate developing system.
    CA performs certification actions.
    CA assesses vulnerabilities.
    CA reports results to the program manager, the DAA, and the user representative.
    Maintain the SSAA.

  User Representative:
    Review the SSAA.
    Support certification actions.

Phase 3

  Program Manager:
    Review the SSAA.
    Test integrated system.
    Support certification actions.
    Review certification results.
    Revise system as applicable.
    Support SSAA revisions.

  DAA and CA:
    Review the SSAA.
    Evaluate developing system.
    CA performs certification actions.
    Assess vulnerabilities and residual risk.
    CA reports results to the program manager, the DAA, and the user representative.
    CA develops recommendation to the DAA.
    CA prepares accreditation package.
    Review the SSAA.
    Issue decision.

  User Representative:
    Review the SSAA.
    Support certification actions.
    Review certification results.
    Support SSAA revisions.

Phase 4

  Program Manager:
    Review SSAA periodically.
    Operate system as described in the SSAA.
    Maintain an acceptable level of residual risk.
    Submit proposed changes to the user representative, the ISSO, the DAA, and the CA, as applicable.
    Support compliance validation.

  DAA and CA:
    Review the SSAA.
    Review proposed changes.
    Oversee compliance validation.

  User Representative:
    Review the SSAA.
    Oversee system operation as described in the SSAA.
    Maintain an acceptable level of residual risk.
    Continuously review threat, system vulnerabilities, and residual risk.
    Review and approve proposed changes.
    Submit significant changes to the DAA and the CA.
    Perform compliance validation actions.
E4.2.2. Program Management Roles. The acquisition and/or maintenance organizations are responsible for IT system requirements development, architecture, design, procurement, fielding, maintenance, and configuration management. The acquisition organization, figure E4-1, is the lead government organization responsible for the development and fielding of IT. After fielding, the system operator will normally designate a system manager (program manager) to oversee the operations and management of the system. If the system is formally turned over to a maintenance organization, the maintenance organization assumes the roles and functions previously assigned to the acquisition organization. The program manager is the lead for all these activities, with responsibility for cost, schedule, and performance. The program manager's function in the DITSCAP is to ensure security requirements are integrated into the IT architecture in a way that will result in an acceptable level of risk to the operational infrastructure. The program manager, the DAA, and the CA shall coordinate their efforts to determine which organization will prepare the initial SSAA.
Figure E4-1. Acquisition and Maintenance Organization Program Manager Security Management Relationships.
E4.2.2.1. The PM works directly with the development, integration, maintenance, configuration management, quality assurance, test, independent verification and validation, and SETA organizations. The PM drafts or supports the drafting of the SSAA and coordinates security requirements with the DAA, the CA, and the user representative. The PM continuously keeps all DITSCAP participants informed of acquisition and development actions, security requirements, and user needs.
E4.2.3. Security Roles and Responsibilities. Execution of the DITSCAP encompasses multiple security roles, figure E4-2, that at minimum include the DAA, the CA, and the ISSO. Additionally, various security support teams may be formed to support the C&A of large systems. Together these roles establish an IT system security posture that will operate at an acceptable level of residual risk to the Department of Defense.
E4.2.3.1. The DAA is
the official responsible for ensuring that IT systems provide an
acceptable level of risk in the operational computing environment. In
reaching that decision, the DAA is supported by the CA, threat developer,
ISSO, and security teams. Those roles shall evaluate the technical and
non-technical aspects of the design, installation, and operation of the IT
system. They also shall support the evaluation of the impact of the
operation of the system on the security posture of the DII. From the
perspective of a single system, all security related organizations support
the DAA.
Figure E4-2. Security Management Relationships.
E4.2.3.2. The DAA shall coordinate the development of the initial SSAA with the program manager. The initial SSAA may be prepared by either organization. In phases 2 and 3, the responsibility for SSAA updates, maintenance, and the addition of the certification results shall become the responsibility of the CA. Where the IT system may involve multiple DAAs, agreements shall be established between the cognizant DAAs. Those agreements form an integral portion of the SSAA. In most cases, it will be advantageous to designate a lead DAA to represent the DAAs in developing and maintaining the IT system.
E4.2.3.3. The CA shall support the DAA in the comprehensive evaluation of the technical and non-technical security features of the IT system. When tasked by the DAA, the CA is responsible for preparation of the SSAA, and for the software, hardware, TEMPEST, COMSEC, physical, and procedural evaluations. The CA shall be independent from the organization responsible for the system. Organizational independence of the CA reduces the potential for conflicts of interest and permits an impartial evaluation.
E4.2.3.4. The CA
shall have staff who are technically knowledgeable in IT system design,
security design, and the security policies and procedures that satisfy the
ITSEC requirements. Although all the technical capabilities may not be
available in the CA's organization, the CA is responsible for obtaining
the necessary support and providing the necessary oversight of the
certification effort. Security teams may be formed to support the C&A or
any portion of the process; e.g., security testing. The composition,
roles, responsibilities, schedule, and funding of those teams should be
defined in the SSAA.
E4.2.3.5. The ISSO
is responsible for the secure operation of the system. The ISSO
responsibilities will be discussed in the next section.
E4.2.4. User
Roles and Responsibilities. The IT system user resides in a computing
environment with either direct or indirect accesses to the information and
IT system resources that comprise the computing environment's
infrastructure. Users are at all levels and echelons within DoD. The users
are responsible for the identification of the operational requirements and
the secure operation of certified and accredited IT systems, in accordance
with the SSAA.
Figure E4-3. User Community Management Relationships.
E4.2.4.1. The user representative is the liaison for the user or the user community, particularly during the initial development of a system. The user representative, figure E4-3, is the individual or organization that represents the user community in the specification, acquisition, and maintenance of the IT system. The user representative defines the system mission and functionality and is responsible for ensuring that the user's interests are maintained throughout system development, modification, integration, acquisition, and deployment.
E4.2.4.2. The
security focal point in the user community is usually the ISSO who is
responsible for the secure operation of the IT system within the
environment agreed on in the SSAA. The ISSO ensures the IT system is
employed and operated according to the SSAA through integration of all the
security disciplines (COMPUSEC, COMSEC, EMSEC, personnel, physical, and
administrative procedures) to maintain an acceptable level of residual
risk.
E4.2.4.3. Since the
operational scenarios in the DoD Components may vary to a wide degree, the
exact location and number of ISSO(s) in a single command or Agency may
vary. ITSEC management may require a single ISSO to coordinate the actions
of IT systems at multiple sites or environments, or may require the
appointment of an ISSO for each site or environment. User organizations
shall assign the ISSO(s) to an organizational position where the ISSO has
direct access to applicable decision makers. The ISSO shall not be
directly assigned to the organization responsible for the daily IT system
operations. The ISSO should be separate from the system administration
organization but at an equal level within the information resource
management unit.