PLATFORM IT GUIDANCE
1. Introduction
1.1 Purpose and Scope
Acquisition guidance detailed in references (a) through (c) states that Major Defense Acquisition Programs (MDAP) and Major Automated Information System Programs (MAISP) that include information technology (IT) always have information assurance (IA) requirements, but these IA requirements may be satisfied through the normal system design and test regimen, and these programs may not be required to comply with the DoD Information Assurance Policy (reference (d)). Reference (d) defines Platform IT (PIT) and states that programs that develop PIT must include IA requirements, but do not have to comply with reference (e). However, references (a) through (e) do not clearly articulate guidance for certification and accreditation of PIT or guidance to integrate IA into the normal system design and test regimen for MDAPs and MAISPs that have been designated PIT.
This document provides guidance to Program Managers (PM), Acquisition Professionals, Information Assurance Managers (IAM), and associated IA professionals to better integrate IA into the acquisition process for MDAPs and MAISPs that will be or have been designated PIT, and ensures that IA is incorporated into the functional design of all systems. For clarity in guidance and to account for differences between SYSCOMs, PEOs, and Programs, the terms "PM" and "IAM" will refer to the program management team and IA professional staff supporting a particular program. This guidebook includes information on the designation process, implementation of IA requirements, and authorization to operate for Platform IT systems.
1.2 Applicability
The guidelines contained herein are applicable to Department of the Navy (DON) MDAPs and MAISPs (including ACAT IV and abbreviated acquisition programs) that have been designated PIT. This document is written in accordance with references (a) through (q); definitions, concepts and interpretation are derived from these sources. This document provides guidance to support standardization of IA across the DON and should be tailored as necessary to support the program under development. If a system is an MAISP or MDAP and designated PIT, but is not required to adhere to the mandates of the DoD Acquisition Process, then that program should comply with reference (e).
1.3 Cancellation
This document supersedes reference (q).
1.4 References
(a) DoD Directive 5000.1, The Defense Acquisition System, May 2003
(b) DoD Instruction 5000.2, Operation of the Defense Acquisition System, Dec 2008
(c) Defense Acquisition Guidebook, Chapter 7, Dec 2004
(d) DoD Directive 8500.01E, Information Assurance Policy, Oct 2002
(e) DoD Instruction 8510.01, Information Assurance Certification and Accreditation Process (DIACAP), Nov 2007
(f) DoD Instruction 8500.2, Information Assurance Implementation, Feb 2003
(g) DoD Instruction 8580.1, Information Assurance (IA) in the Defense Acquisition System, Jul 2004
(h) DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, Dec 2005 (Change 1 incorporated May 2008)
(i) SECNAVINST 5239.3A, Department of the Navy Information Assurance (IA) Policy, Dec 2004
(j) SECNAV M-5239.1, Department of the Navy Information Assurance Program, Information Assurance Manual, Nov 2005
(k) DON CIO Platform IT Policy Memorandum
(l) Navy CA, Navy Certification Agent Qualification Standards and Registration Guidebook, Version 1.1 (Revision A), Feb 2008
(m) CJCSI 3170.01F, Joint Capabilities Integration and Development System, May 2007
(n) Risk Management Guide for DoD Acquisition, Sixth Edition, Version 1.0, Aug 2006
(o) Naval SYSCOM Risk Management Policy, Jul 2008
(p) DoDI 4630.8, Procedures for Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS), Jun 2004
(q) Navy CA Platform IT Clarification Guidance, May 2007
1.5 Acronyms and Definitions
Refer to Appendix G.
2. Platform IT Designation
This chapter provides guidance to the PM and IAM intended to define terms and describe the process for obtaining a statement of exemption from the C&A process for IT systems and IT components designated as Platform IT (PIT). Per DoDD 8500.1, the C&A process (e.g., DIACAP) is applicable to all DON-owned or controlled information systems that receive, process, store, display or transmit DoD information, regardless of MAC, classification or sensitivity, except (per DoDD 8500.1 Paragraph 2.3) IT that is considered Platform IT.
2.1 Stand-Alone Systems
Per DoDD 8500.1, systems having no external connections (stand-alone systems) are subject to the C&A process unless they have been designated as PIT. For stand-alone systems that have been designated as PIT, the processes outlined in this guidebook should be followed.
2.2 Actions Required of Program Managers
To obtain a designation of an IT system or IT component as Platform IT, the PM should follow the procedures in this guidebook. The system will be evaluated against the definition of Platform IT, and the final designation statement will be issued by the Operational Designated Accrediting Authority (ODAA) or Marine Corps Enterprise Network Designated Accrediting Authority (MCEN DAA).
2.3 Process Steps
The PIT Designation Process is shown in Figure 1. To initiate the PIT Designation process, PMs need to submit the following information:
∙ Identify the special purpose system, including its Name, Acronym and Version Number
∙ Complete the Platform IT Determination Checklist provided in Appendix A
∙ Describe the special purpose system and its mission. In addition to a brief, textual description, include a high-level block diagram of the system that also depicts the PIT boundary. The diagram should allow the Certification Authority (CA) and DAA to clearly understand and identify the system's hardware, software and other components, as well as any interconnection with other systems, networks or IT. For systems with multiple variants, if the diagram accurately describes the variants then a single diagram may be submitted to cover multiple variants. The diagram should clearly identify the system and any variants it describes.
∙ The PM's justification and rationale should include supporting statements that describe how the system meets the criteria for PIT.
∙ Request evaluation to determine if the IT system or IT component is Platform IT.
The completed PIT Determination package is submitted to the cognizant Echelon II (EII) or Major Subordinate Command (MSC). EII/MSC will review the package to determine if the package is complete and if the system/component meets the PIT determination criteria. At this point, the EII/MSC will either:
(1) Return the request to the PM to address any identified package deficiencies
-or-
(2) Endorse and forward the request to the CA
If the package is forwarded to the CA, they will either:
(1) Return the request to EII/MSC to address any identified issues
-or-
(2) Endorse the request and forward it to the ODAA/MCEN DAA for final determination and designation of Platform IT
The ODAA/MCEN DAA will review the package and the CA's assessment, and issue a statement to the PM classifying the IT system or IT component as Platform IT, or the ODAA/MCEN DAA will explain why the system does not meet the criteria for Platform IT.
Figure 1 PIT Designation Process
3. Objectives and Implementation of IA into Platform IT Design
3.1 IA Objectives
The objectives of this chapter are:
∙ to help the PM understand why information assurance principles need to be considered during the development of the program strategy
∙ to help the PM and IAM/IAO understand where to find information and guidance for developing an Information Assurance Strategy
∙ to help the PM and IAM/IAO understand the resources (in terms of funding and personnel) that are required to effectively implement information assurance.
PMs and Program Lead Systems Engineers who are unfamiliar with the details of the DoD IA regulations and policies may find it easier to consider the following five principles when trying to balance specific IA requirements with the other requirements that apply to their system:
∙ Confidentiality - only authorized persons gain access to the information received, processed, stored or published by the system.
∙ Integrity - the information received, processed, stored or published has not been altered, either by defect or by malicious tampering.
∙ Availability - the information received, processed, stored or published is available to those who need it when they need it.
∙ Non-repudiation - those who gain access to the information received, processed, stored or published by the system cannot deny having interacted with the system or its information.
∙ Authentication - those who gain access to the information received, processed, stored or published by the system are verified to be who they claim to be. Authentication goes beyond simple identification and imposes more specific and rigorous requirements for access.
Moreover, it is critical to understand that IA extends beyond the bounds of information security, to also include:
∙ Sound Engineering - include design features that promote stability and security
∙ Training and Awareness - provide the Fleet with proper training to ensure they are vigilant
∙ Response, Recovery, and Restoration - actively respond to internal and external malicious attacks, as well as recover from system failures caused by inadvertent operator error, internal and external malicious attack, and major calamities
3.2 IA Implementation
The first part of the IA Implementation Process is shown in Figure 2. Once a PIT determination has been issued in writing for a particular system by the ODAA/MCEN DAA, the PM is responsible for ensuring due diligence in meeting information assurance requirements throughout the life cycle of the program. The process is intended to be tailored to the individual program, in keepin