System Certification and Accreditation
System certification is a formal methodology for comprehensive testing and documentation of information system security safeguards, both technical and nontechnical, in a given environment, measured against established evaluation criteria (for example, the TCSEC).
Accreditation is an official, written approval for the operation of a specific system in a specific environment, based on the findings documented in the certification report. Accreditation is normally granted by a senior executive or Designated Approving Authority (DAA). The term DAA is used in the U.S. military and government; a DAA is normally a senior official, such as a commanding officer, who accepts the residual risk of operating the system.
System certification and accreditation must be updated whenever the system or its environment changes, and they must also be periodically revalidated, typically every three years.
The certification and accreditation process has been formally implemented in U.S. military and government organizations as the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the National Information Assurance Certification and Accreditation Process (NIACAP), respectively. These processes are used to make sure that a new (or changed) system has the proper design and operational characteristics, and that it's suitable for a specific task. Both have since been superseded (DITSCAP by DIACAP in 2007 and then by the DoD's adoption of the Risk Management Framework, and NIACAP by the RMF for national security systems), but the four-phase structure they define is still the basis on which certification and accreditation is described.
DITSCAP
The Defense Information Technology Security Certification and Accreditation Process (DITSCAP) formalizes the certification and accreditation process for U.S. DoD information systems through four distinct phases:
Definition: Security requirements are determined by defining the organization's and the system's mission, environment, and architecture.
Verification: Ensures that a system undergoing development or modification remains compliant with the System Security Authorization Agreement (SSAA), which is a baseline security-configuration document.
Validation: Confirms that the fully integrated system complies with the SSAA; this phase ends with the accreditation decision.
Post-Accreditation: Represents ongoing activities required to maintain compliance, and address new and evolving threats, throughout a system’s life cycle.
NIACAP
The National Information Assurance Certification and Accreditation Process (NIACAP) formalizes the certification and accreditation process for U.S. government national security information systems. NIACAP consists of four phases (Definition, Verification, Validation, and Post-Accreditation) that generally correspond to the DITSCAP phases. Additionally, NIACAP defines three types of accreditation:
Site accreditation: All applications and systems at a specific location are evaluated.
Type accreditation: A specific application or system for multiple locations is evaluated.
System accreditation: A specific application or system at a specific location is evaluated.
DCID 6/3
The Director of Central Intelligence Directive 6/3 is the process used to protect Sensitive Compartmented Information (SCI) stored on and processed by information systems across the U.S. Intelligence Community, including the Central Intelligence Agency (CIA). It has since been superseded by Intelligence Community Directive (ICD) 503.
Prep Test
1 The four CPU operating states include all the following except
A Operating
B Problem
C Wait
D Virtual
2 A computer system that alternates execution of multiple subprograms on a single processor describes what type of system?
A Multiprogramming
B Multitasking
C Multiuser
D Multiprocessing
3 An address used as the origin for calculating other addresses describes
A Base addressing
B Indexed addressing
C Indirect addressing
D Direct addressing
4 The four main functions of the operating system include all the following except
A Process management
B BIOS management
C I/O device management
D File management
5 The total combination of protection mechanisms within a computer system, including hardware, firmware, and software, which is responsible for enforcing a security policy defines
A Reference monitor
B Security kernel
C Trusted Computing Base
D Protection domain
6 A system that continues to operate following failure of a network component describes which type of system?
A Fault-tolerant
B Fail-safe
C Fail-soft
D Failover
7 Which of the following access control models addresses availability issues?
A Bell-LaPadula
B Biba
C Clark-Wilson
D None of the above
8 The four basic control requirements identified in the Orange Book include all the following except
A Role-based access control
B Discretionary access control
C Mandatory access control
D Object reuse
9 The purpose of session management in a web application is
A To prevent Denial of Service attacks
B To collect session-based security metrics
C To control the number of concurrent sessions
D To protect sessions from unauthorized access
10 Which of the following ITSEC classification levels is equivalent to TCSEC level B3?
A E3
B E4
C E5
D E6
Answers
1 D. Virtual. The four CPU operating states are operating (or run), problem (or application), supervisory, and wait. Review “CPU.”
2 B. Multitasking. A multitasking computer alternates execution of multiple subprograms, or tasks, on a single processor. A multiprogramming computer alternates execution of multiple programs on a single processor. A multiuser computer supports several users. A multiprocessing computer executes multiple programs on multiple processors. Review "CPU."
3 A. Base addressing. Indexed addressing specifies an address relative to an index register. Indirect addressing specifies a location that holds the address of the desired operand, so two memory references are needed. Direct addressing specifies the address of the desired operand itself. Review "Memory."
4 B. BIOS management. The four main functions of an OS are process management, I/O device management, memory management, and file management. The system BIOS operates independently of the OS. Review “Software.”
5 C. Trusted Computing Base. A reference monitor is the abstract component that mediates every access by a subject to an object. A security kernel is the hardware, firmware, and software that implements the reference monitor concept. A protection domain is the set of objects a subject is permitted to access, not the whole collection of protection mechanisms. Review "Trusted Computing Base (TCB)."
6 A. Fault-tolerant. A fail-safe system terminates program execution so that the system is protected from compromise. A fail-soft system continues functioning in a degraded mode. A failover system automatically switches to a hot backup. Review "Recovery procedures."
7 D. None of the above. Bell-LaPadula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access Control Models.”
8 A. Role-based access control. The four basic control requirements identified in the Orange Book are discretionary access control, mandatory access control, object reuse, and labels. Review “Trusted Computer System Evaluation Criteria (TCSEC).”
9 D. To protect sessions from unauthorized access. Session management, usually implemented through cookies, hidden form fields, or URL parameters, is how a web application tracks individual user sessions; keeping the session identifier from being guessed, stolen, or fixed by an attacker is what prevents a session from being taken over. Review "Vulnerabilities in security architectures."
10 C. E5. E3 is equivalent to TCSEC level B1, E4 to B2, and E6 to A1. Review “European Information Technology Security Evaluation Criteria (ITSEC).”
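The four addressing modes named in Answer 3 are easier to tell apart when each is resolved against the same memory image. The following is an added example, not part of the original book text: a toy memory model in which the memory contents, base register, and index register values are constructed for the demonstration, and each function returns the operand a CPU would fetch under that mode.

```python
# Added example: resolving an operand under direct, indirect, base, and
# indexed addressing. The memory image and register values are constructed
# for this demonstration; addresses are word addresses, four bytes apart.

MEMORY = {
    0x100: 0x2A,    # a data word
    0x104: 0x100,   # a pointer: this word holds the address 0x100
    0x108: 0x3C,    # more data words, laid out like an array starting at 0x100
    0x10C: 0x41,
    0x110: 0x55,
}

BASE_REGISTER = 0x100   # origin from which base addressing computes addresses
INDEX_REGISTER = 0x8    # offset used by indexed addressing (assumed value)


def fetch(address):
    """Read a word, refusing addresses outside the mapped image."""
    if address not in MEMORY:
        raise ValueError(f"unmapped address {address:#x}")
    return MEMORY[address]


def direct(address):
    """Direct: the instruction carries the operand's own address."""
    return fetch(address)


def indirect(address):
    """Indirect: the instruction carries the address of a word that holds
    the operand's address, so two memory references are required."""
    pointer = fetch(address)
    return fetch(pointer)


def base(displacement, base_reg=BASE_REGISTER):
    """Base: effective address = base register + displacement from the
    instruction. The base register is the origin used to compute addresses."""
    return fetch(base_reg + displacement)


def indexed(address, index_reg=INDEX_REGISTER):
    """Indexed: effective address = address from the instruction + index
    register. Stepping the index register walks through an array."""
    return fetch(address + index_reg)


def walk_array(start, count, stride=4):
    """Read `count` consecutive words by indexed addressing with a moving index."""
    return [indexed(start, index_reg=i * stride) for i in range(count)]


if __name__ == "__main__":
    print(f"direct(0x100)   = {direct(0x100):#x}")
    print(f"indirect(0x104) = {indirect(0x104):#x}")
    print(f"base(0x8)       = {base(0x8):#x}")
    print(f"indexed(0x100)  = {indexed(0x100):#x}")
    print("walk_array(0x100, 5) =", [f"{w:#x}" for w in walk_array(0x100, 5)])
```

Note that direct(0x100) and indirect(0x104) return the same word by different routes: the first names the operand, the second names the pointer that leads to it. The unmapped-address check in fetch is the kind of guard a real system relies on hardware memory protection to provide.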
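Answer 9 says that session management exists to protect sessions from unauthorized access. The following is an added example, not code from the original book: a minimal server-side session store that shows the controls that actually deliver that protection. It assumes a cookie-based design; the idle timeout, token size, and the fake clock used for testing are choices made for this example.

```python
# Added example: a server-side session store built around an unguessable
# token. Only the token crosses to the client; identity and privilege stay
# on the server, so a tampered cookie cannot elevate anyone.
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # idle timeout (example value)
TOKEN_BYTES = 32                # 256 bits from the OS CSPRNG: not guessable


def _fingerprint(token):
    # Store only a hash of the token so that a leaked session table does not
    # hand an attacker a set of live credentials.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._by_hash = {}      # sha256(token) -> {"user": str, "expires": float}
        self._clock = clock     # injectable so expiry can be tested offline

    def create(self, user):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_hash[_fingerprint(token)] = {
            "user": user,
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return token

    def lookup(self, token):
        """Return the user owning a valid session, or None if the token is
        unknown (forged or already destroyed) or the session has expired."""
        record = self._by_hash.get(_fingerprint(token))
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            self.destroy(token)
            return None
        record["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding idle timeout
        return record["user"]

    def rotate(self, token):
        """Issue a new token for an existing session. Done at login and on any
        privilege change so that a session ID planted earlier (session
        fixation) is never the one that carries the authenticated session."""
        user = self.lookup(token)
        if user is None:
            return None
        self.destroy(token)
        return self.create(user)

    def destroy(self, token):
        self._by_hash.pop(_fingerprint(token), None)


def session_cookie(token):
    """Set-Cookie value: unreadable by script, sent only over TLS, and not
    attached to cross-site requests."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(session_cookie(tok))
    print("valid token  ->", store.lookup(tok))
    print("forged token ->", store.lookup("not-a-real-token"))
```

The three properties being demonstrated are the ones the answer alludes to: the identifier cannot be guessed (CSPRNG, 256 bits), it cannot be used once it has expired or been rotated, and the cookie attributes keep it from leaking through script access, plaintext transport, or cross-site requests.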