what s the path to a ssp n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
What’s the path to a SSP? PowerPoint Presentation
Download Presentation
What’s the path to a SSP?

Loading in 2 Seconds...

play fullscreen
1 / 25

What’s the path to a SSP? - PowerPoint PPT Presentation


  • 142 Views
  • Uploaded on

What’s the path to a SSP?. Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie, Texas 75051 Cage Code: 64059 IS Number: 240 This IS Profile is associated with ODAA Unique Identifier: 64059-20040803-00001.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'What’s the path to a SSP?' - ornice


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what s the path to a ssp
What’s the path to a SSP?

Information System

Profile

Contractor:

Lockheed Martin, Missiles and Fire Control

Address:

1701 W. Marshall Dr. Grand Prairie, Texas 75051

Cage Code:

64059

IS Number:

240

This IS Profile is associated with ODAA Unique Identifier:

64059-20040803-00001

slide2

Preparing System Security Plans

JSAC

13 -14 April 2011

contract instrument

Contract Instrument

DD254

The Federal Acquisition Regulation (FAR) requires that a DD Form 254 be incorporated in each classified contract. The DD Form 254 provides to the contractor (or a subcontractor) the security requirements and the classification guidance that would be necessary to perform on a classified contract.

Invitation for Bid (IBF), Independent Research and Development (IRAD), Request for Proposal (RFP), Request for Quotation.

certification and accrediation
Certification and Accrediation
  • Security classification guide or other relevant security docs (Required prior to beginning a IS profile)
  • Identify classification and handling caveats
    • Identify IS USER required training based on classification and handling caveats
    • COMSEC: information includes accountable or non-accountable COMSEC information and controlled cryptographic items (CCI).
    • Closed area/ Safe training required
it tech apps
IT/Tech Apps
  • “White board” meeting to discuss computing system requirements
  • Engineering and program requirements
  • Unclassified and Classified systems
  • Allocate, Build and pre-Certify systems based upon ODAA technical baseline settings.
slide8

Why the Defense Security Service denies (DSS) an Interim Approval to Operate (IATO)

  • Missing or incomplete Unique Identifier (UID)
  • ISSM did not sign the IS Security Package Submission and Certification Statement
  • Missing Hardware List / Software List / Configuration Diagram
  • Physical Security not adequately explained
  • No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
  • No Certification Test Guide or NISP Tool Results were provided
  • Missing letter from Government Contracting Activity (GCA) if any variances are needed
  • Missing MOA when required
  • Identification and Authentication not adequately addressed
  • Any unique issues that would require denial of the IATO
slide11

Any unique issues that would require denial of the IATO

Special Procedures

Other Special procedures: N/A Yes If yes, describe:      

Other Comments or Additional Information:

Classified media may be utilized at the same or higher classification and or handling caveat,

contact the ISSM for specific details. Hard drives and other media will be destroyed by

sending it to the NSA or by returning it as classified back to the data owner. Overwriting

of hard drives is NOT an approved method of Sanitization.

Temporarily inactive drives or infrequent use of the hard drives is not uncommon.  These

procedures pertain to drives not used for a Week or longer.  In lieu of conducting Weekly

online audits of the hard drive, the drives will be placed in Bag and the opening sealed with

Tamper Proof Seals.  Each week, the Bags will be inspected to ensure usage has not taken

place.  If or when a Seal is broken, an entry will be made in the Seal Log identifying the reason.

When the drives are used, the anti-virus definitions will be updated, work conducted, then an

on-line audit of the drive completed and then the drive will be bagged and seal placed over

the opening.  The action will be recorded in the Maintenance and or Seal Logs as appropriate

and in the weekly record audit.

The ASTi / Telestra 4 hardware has a BIOS password length limitation of 7 characters. It will

accept upper/lower case and special characters, but does not enforce any complexity requirements.

slide17

Missing MOA when required

  • MOU Requirements
  • When information systems accredited by different DAAs are to be interconnected,
  • an MOU is required to be completed and signed by the DAAs for the systems
  • involved. MOUs are created to describe the security responsibilities and other
  • information as agreed upon by two or more designated approving authorities or DAAs.
  • Contractor-to-Contractor system interconnections do not require an MOU when DSS
  • is the DAA for all systems involved.
slide18

Missing letter from GCA if any variances are needed

  • A signed copy of the customers Risk Acceptance Letter on Government letterhead.
  • stating they are willing to assume the residual risk for the alternate trusted download procedures.
  • Note that Risk Acceptance Letter's must be updated when the plan is reaccredited every three years.
  • For special purpose systems not part of a larger system the facility needs to explain the need to the
  • GCA and get risk acceptance letter to include GCA security guidance since the system won't meet
  • NISPOM requirements.
  • Operating system must be NISPOM compliant, or have a Risk Acceptance Letter from the GCA.
slide23

Missing or incomplete UID

ISSM did not sign the IS Security Package Submission and Certification Statement