TUCoPS :: General Information :: cert_m_1.txt

ABBREVIATED CERTIFICATION METHODOLOGY FOR SENSITIVE INFORMATION TECHNOLOGY SYSTEMS




                     U. S. DEPARTMENT OF COMMERCE

                       ABBREVIATED CERTIFICATION
                              METHODOLOGY
                              GUIDELINES

                     FOR SENSITIVE AND CLASSIFIED 
                        INFORMATION TECHNOLOGY 
                                SYSTEMS












                           December 1, 1992


                     U. S. DEPARTMENT OF COMMERCE
                 ABBREVIATED CERTIFICATION METHODOLOGY
             FOR SENSITIVE INFORMATION TECHNOLOGY SYSTEMS


A.    INTRODUCTION

      It is the policy of the Department of Commerce (DOC) to
      comply fully with all federal statutes and directives on
      information technology (IT) security and to provide
      protection commensurate with the sensitivity of the systems
      or data processed.  

      Protection requirements for each of the individual IT
      systems within the Department will vary according to the
      unique characteristics of the system, environmental
      concerns, data sensitivity and mission related criticality
      of the system or data.  Appropriate levels of security must
      be determined by an evaluation of the threats,
      vulnerabilities and risk factors associated with each
      system.  Cost-effective controls that are adequate to
      achieve an acceptable level of risk for the individual
      system must then be implemented.

      The DOC "Information Technology Accreditation Policy" issued
      on July 6, 1992 established the requirement for
      accreditation of all unclassified sensitive and classified
      national security IT systems.  Accreditation is the
      authorization and approval, granted to a sensitive or
      classified IT system to process, as an acceptable risk, in
      an operational environment.  Accreditation is made on the
      basis of recommendations from a technical certification
      evaluation that the IT system meets all applicable federal
      and DOC policies, regulations, and standards and that all
      installed security safeguards appear to be adequate and
      appropriate for the sensitivity of the system; that they are
      operating correctly; or, that the system must be operated
      under certain specified conditions or constraints.  

      The technical certification evaluation results are the basis
      for the system owner's certification statement in the
      accreditation request.

B.    PURPOSE

      The purpose of this document is to provide guidance on
      appropriate procedures to follow in performing the technical
      certification evaluations of all sensitive and classified
      national security systems within the Department. 

      The DOC issued a "Methodology for Certifying Sensitive
      Computer Applications" in March 1987.  The process described
      in that document was required for any new DOC applications
      or any modification of existing applications that handle
      sensitive information.  It is especially suited for large
      complicated applications, for applications which are in-
      house developed or involve extensive modifications to
      customize for Commerce use, applications with very high
      sensitivity such as major financial applications which
      process high dollar amounts or are subject to fraud or
      abuse, or for new applications without existing security
      documentation.  This original certification methodology
      should be used for systems meeting the above criteria.  

      That methodology has proved to be far too complex for many
      of the Department's systems.  The methodology described in
      this document is an abbreviated form of this process,
      developed to address existing sensitive systems with
      extensive documentation already available.   It is intended
      to handle smaller systems and applications such as those
      associated with personal computers (PCs) or those systems
      with only a few users, and turn-key or commercial systems
      which were procured against a detailed set of security
      specifications.  This abbreviated methodology stresses the
      use of existing documentation wherever possible.  It can be
      used for completing the technical certification evaluation
      requirements for both application systems and general
      support systems.  The term "system" used in this document is
      intended to mean either of the following, as appropriate: 

      1.   Application Systems - Systems that perform clearly
           defined functions for which there are readily
           identifiable security considerations and needs.  Such a
           system might actually comprise many individual
           application programs and hardware, software, and
           telecommunications components.  They can be either a
           major software application or a combination of
           hardware/software where the only purpose of the system
           is to support a specific mission related function.  The
           system may process multiple individual applications, if
           all are related to a single mission function.

      2.   General Support Systems - These consist of hardware and
           software that provide general automated data processing
           or network support for a variety of users and
           applications.  Individual applications may be less
           easily distinguishable than in the previous category,
           but such applications may contain sensitive
           information, or be critical to the mission
           accomplishment of the organization.  Even if none of
           the individual applications are sensitive, the support
           system itself may be considered sensitive if the
           aggregate of applications and support provided are
           critical to the mission of the operating unit.

C.    ABBREVIATED CERTIFICATION METHODOLOGY

      Certification is based on a technical evaluation of a
      sensitive system to see how well it meets its security
      requirements, including all applicable federal policies,
      regulations, and standards.  The results of tests should
      demonstrate that the installed security safeguards are
      adequate and appropriate for the system.  The certification
      process is the final step leading to accreditation of the
      system.  Sensitive systems will be recertified and
      reaccredited when substantial changes are made to the
      system, when changes in requirements result in the need to
      process data of a higher sensitivity, after the occurrence
      of a serious security violation which raises questions about
      the validity of an earlier certification, and in all cases
      no less frequently than three years after a previous
      certification.

      Certification evaluations are conducted by the organization
      that owns the system.  The certification team should get
      input from all who have involvement with the system,
      including:

          IT security staff, 

          system owner staff, 

          computer program development staff, if the application
           was developed in-house, and 

          the computer operations staff, if the application is
           run on a computer managed by a separate organization.  

          users

      Representatives from as many of these organizations as
      possible should be included on the Certification Review
      Team.

      The certification methodology described in this document
      consists of the following steps, which will be described
      more fully in the rest of this document:

           Step 1.  Assemble a team
           Step 2.  Collect existing documents
           Step 3.  Describe the system and its sensitivity
           Step 4.  Identify protection requirements and
      vulnerabilities
           Step 5.  Identify security features needed
           Step 6.  Test the adequacy of controls
           Step 7.  Evaluate test results
           Step 8.  Certify the system

      Worksheet forms to document each step in the certification
      process are provided in Appendix A.




      Definitions

      Certification is a technical evaluation of a sensitive
      system to see how well it meets necessary security
      requirements, such as appropriate federal policies,
      regulations, and standards.  

      The Certifying Official is a senior manager in the
      organization which owns the system.  The system owner is the
      organization which has functional responsibility for the
      system.  The Certifying Official should be a manager who was
      responsible for having the system developed or the
      functional area that the system supports, who has a need for
      the results produced by the system, and can allocate
      resources to correct deficiencies in the security controls
      for the system.

      The Certification Review Team will collect the information
      needed for the certification process, identify
      vulnerabilities, develop a list of needed security features,
      develop tests of the adequacy of the features, and evaluate
      the test results.

      Security features are controls that protect against the
      identified vulnerabilities, such as fire and water alarms,
      passwords and other access protection, use of removable
      media for data storage, data validation controls, audit
      trails, uninterruptable power sources to protect against
      electrical outages, personnel screening, IT security
      awareness training of users, etc.

      A sensitive system is one that requires some degree of
      protection for confidentiality, integrity or availability. 
      This includes data whose improper use or disclosure could
      adversely affect the ability of an agency to accomplish its
      mission, proprietary data, records about individuals
      requiring protection under the privacy Act, and data not
      releasable under the Freedom of Information Act.  If the
      system is required for accomplishment of an agency mission
      it need not contain any sensitive data.   

      Test scenarios are descriptions of the tests to be performed
      to check the effectiveness of the security features
      incorporated into the system.  They may include validation
      of password constraints such as length and composition of
      the password, entry of erroneous data to check data
      validation controls, review of audit information produced by
      the system, review of contingency plans and risk analyses,
      etc.

      Vulnerabilities are ways in which the system may be attacked
      or may fail.  They include susceptibility to physical
      dangers such as fire or water, unauthorized access to
      sensitive data, entry of erroneous data, denial of timely
      service, fraud, etc.

      Methodology Approach

      Step 1 - Assemble a team:  The first step in the abbreviated
      process is to assemble a team to gather the information and
      documentation needed to assess and demonstrate the adequacy
      of security measures used.  The team should include
      representatives of IT security, application owners, software
      development, computer systems, and users.  For very small
      systems the users, software programming staff, and computer
      systems staffs may be the same.  The IT security staff
      provides an outside viewpoint to ensure that the best IT
      security practices are used in protecting sensitive systems. 
      Where computer system staff, software programmers, and users
      are in separate organizations, it is important that all
      points of view are represented in the process, to ensure
      that user expectations of protection needs are addressed,
      and that software and computer system constraints are
      understood.

      Step 2 - Collect existing documents needed for the
      certification evaluation:  These documents include, but are
      not limited to:

           1.    system specifications and documentation
           2.    system security plan
           3.    risk analysis
           4.    contingency and disaster recovery plans
           5.    staff records on personnel and the IT Security
                 Officer identification, training and position
                 sensitivity levels 
           6.    Internal Control Reviews, security reviews, etc.,
      if existing

      Step 3 - Identify and describe the system to be certified
      and describe why it is sensitive:  It is necessary to have a
      written description of the purpose of the system, the
      hardware and software environment on which the system is
      operated, and a description of the sensitivity of the
      system, including any special applicable laws and
      regulations.  This information is readily available in the
      Sensitive System Security Plan for the system being
      certified.  If the certification is for a software
      application system that will be used by others, the hardware
      description should address the hardware needed to operate
      the system, but the certification should focus on the
      software application program.  Complete the blank sections
      of Sensitive System Certification Worksheet 1, System
      Description and attach a copy of the approved Sensitive
      System Security Plan for the system being evaluated.  The
      Worksheet identifies the section numbers in the security
      plan where detailed information can be obtained for review.

      Step 4 - Identify protection requirements and
      vulnerabilities:  Review the description of the protection
      requirements for the system under the headings
      confidentiality, integrity, and availability in Section
      II.B. of the Sensitive System 
      Security Plan.  Enter the levels of protection required
      (high, medium, low) in the blanks provided on Worksheet 1.  

      Identify vulnerabilities for the system related to these
      protection requirements.  Most vulnerabilities will be
      addressed in the existing documents collected in Step 2. 
      All sensitive systems should have a completed risk analysis. 
      The risk analysis will identify vulnerabilities and their
      consequences, such as unauthorized disclosure of
      information, loss of data or other resources, denial of
      service, decisions based on erroneous information, etc. 
      System documentation is another source of information about
      the vulnerabilities.  The security plan for the system being
      evaluated contains information about specific
      vulnerabilities and control measures addressed.  The team
      should also review any existing Internal Control, Inspector
      General (IG) or security review reports on the system, for
      additional information on system vulnerabilities.  In
      addition to the documentation, the team may need to
      interview managers in the user organization to ascertain
      their concerns about the sensitivity of the system and the
      level of protection required.

      Complete the Sensitive System Certification Worksheet 2:
      Identified Vulnerabilities by listing the identified
      vulnerabilities.

      Step 5 - Identify security features needed:  The team next
      needs to review existing documents to identify the controls
      in place to address the vulnerabilities identified above. 
      The risk analysis, security plans, and system documentation
      reviewed for vulnerabilities also contain information on
      controls used to reduce those vulnerabilities.  System
      specifications, if they still exist, will also provide
      information on the controls designed into the system.  The
      team will also need to review the contingency and disaster
      recovery plans for the system.  The team should interview
      the IT System Security Officer to review installation IT
      security procedures.  Staff training records will show the
      level of IT security training given to application and
      computer installation staff.  Staff records should also show
      the sensitivity designation of staff positions and any
      personnel investigations, required and conducted, for staff
      in the affected positions.  Complete the Sensitive System
      Certification Worksheet 3: Security Features.

      Step 6 - Test adequacy of controls:  Once vulnerabilities
      and controls have been identified, the team should
      selectively check the adequacy of the controls.  Some live
      tests may be needed to ensure that documented controls
      actually work.  Other controls may be reviewed through other
      means.  Previous system reviews and system acceptance tests
      may contain records of tests previously performed.  It is
      not necessary to repeat these tests, if the system has not
      changed since they were done.  The review of vulnerabilities
      and controls should identify any areas not adequately
      addressed.  Sensitive System Certification Worksheet 4:
      Security Tests is used to list the tests to be performed. 
      Use Sensitive System Certification Worksheet 5: Security
      Test Results to record the results of the tests.  

      Step 7 - Evaluate the test results:  Once all tests are
      completed, a summary of the evaluation of the tests should
      be prepared. The team should then prepare recommendations
      about certification.  Sensitive System Certification
      Worksheet 6: Evaluation and Recommendations is used to
      record the evaluation of test results and the team's
      recommendation.  The recommendation section should be signed
      by all members of the team and dated.  
 
          If the tests results indicate that all protection
           requirements have been met, the team can recommend
           certification with no further action required.

          The Certification Review Team may determine from the
           test results that the protection requirements were not
           met for the system.  In that case, the evaluation
           discussion of test results should explain the
           inadequacy of the controls in place.

          The team may alternatively certify that the basic
           protection requirements have been met, but recommend
           additional features be required.  This latter form of
           certification is appropriate for certifying a software
           application system which must have certain operating
           system or hardware features in place for approved
           operation.  This may also be used in recommending
           interim accreditation pending installation of some
           additional control not currently available.  

      Step 8 - Certification:  The official Certification document
      is signed by a senior management official in the system
      owning organization.  A sample certification document is
      attached as Appendix B.

      There may be situations when the need for a system is such
      that it must be put into operation before a full
      certification is possible.  In this case, the Certifying
      Official can provisionally certify the system for operation,
      possibly with some restrictions, pending specific actions to
      be completed in a predefined time frame.  This interim
      certification cannot exceed one year.  These actions should
      also be included as milestones in the security plan for the
      system.  The certification process must be flexible enough
      that it accommodates the need for operational efficiency as
      well as adequate protection of the system.

                              APPENDIX A

               SENSITIVE SYSTEM CERTIFICATION WORKSHEETS

This Appendix contains a set of six worksheets to assist with
documenting the certification evaluation of the system.  Each
worksheet is preceded by a set of instructions and definitions
which will provide guidance for completing the evaluation and the
worksheet.

                DIRECTIONS FOR COMPLETING WORKSHEET 1: 
                          SYSTEM DESCRIPTION

Much of the information requested on Worksheet 1 is contained in
the Security Plan for the system.  To avoid having to rewrite
this information and have a ready reference to the needed
information, attach a copy of the Security Plan behind Worksheet
1.  Each worksheet contains blank lines, where information must
be entered.  This step is important to avoid confusion with other
system certification evaluation documentation. 

System Name/Title is the name of the system used in the Security
Plan for a sensitive system (Section I.B of the Security Plan). 
To avoid confusion with other certification evaluation
documentation this should be written on all worksheets.  

System ID is the unique six digit system identification number
assigned for each sensitive system in the Department.  Again, to
avoid confusion with other certification evaluation documentation
this should be written on all worksheets.

System Owner is the name of the contact person in the owning
organization who is knowledgeable about the system and protection
requirements.  It may be the person listed as Information Contact
(Section I.G) in the Security Plan.  Provide full address and
phone number, including area code, for the owner.

Developer is the name of the person who is responsible for
developing the software.  If this is a commercial application,
put the name of the organization in this space.  If there is no
developer or the developer's name is unknown, put "none" in this
space.

General Description/Purpose is a description of the function and
purpose of the system.  This information is contained in Section
I.E of the Security Plan.

System Environment and Special Considerations is a description of
the computer and software environment of the system.  This
information is contained in Section I.F of the Security Plan.

Sensitivity of Information Handled describes why the system is
sensitive.  

      Applicable Laws and Regulations lists any laws and
      regulations that specifically apply to this system, such as
      the Privacy Act.  This information is contained in Section
      II.A of the Security Plan.

      General Description of Information Sensitivity is a
      description of why the system is sensitive and the nature of
      that sensitivity.  This information is contained in the
      introduction to Section II.B of the Security Plan.

Description of Protection Requirements describes what makes the
system sensitive.  The descriptions of protection needs for
confidentiality, integrity, and availability are contained in
Section II.B of the Security Plan.  Write in the designated level
(high, medium, low) in the blanks provided.
              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 1
                          SYSTEM DESCRIPTIONSystem Name/TitleSystem ID:
System Owner

Address:   ______________________________________________________
           _________
           ______________________________________________________
           _________
Phone:     ______________________________________________________
           _________Programmer/Developer:

Address:   ______________________________________________________
           _________
           ______________________________________________________
           _________
Phone:     ______________________________________________________
           _________General Description/Purpose
  (See Section I.E. of attached security plan.)
System Environment and Special Consideration
  (See Section I.F. of attached security plan).

Sensitivity of Information Handled:
  Applicable Laws and Regulations Affecting the System
  (See Section II.A. of attached security plan.)

General Description of Information Sensitivity
  (See Section II.B. of attached security plan.)
Description of Protection Requirements
  See Section II.B. of attached security plan and fill in the
designated level (high, medium, low) in the blanks.

Confidentiality ______

Integrity ______

Availability ______


                DIRECTIONS FOR COMPLETING WORKSHEET 2: 
                      IDENTIFIED VULNERABILITIES


System Name/Title and System ID are the same as on Worksheet 1.

Description of Identified Vulnerabilities should include the
vulnerabilities that the system may have prior to putting
controls in place.  These should have been identified in the risk
analysis.  They might include physical vulnerabilities such as
fire or disk crashes, entry of erroneous data, denial of service,
and unauthorized access to information.
              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 2
                      IDENTIFIED VULNERABILITIESSystem Name/TitleSystem ID:

Description of Identified Vulnerabilities
  (From Risk Analysis, Security Plan, system documentation,
interviews and other review      reports - Risks that exist prior
                                 to putting any controls in place)





























                DIRECTIONS FOR COMPLETING WORKSHEET 3: 
                           SECURITY FEATURES


System Name/Title and System ID are the same as on Worksheet 1.

Description of Security Features is a list of the security
features used to protect this system.  They can be taken from
Sections III.C of the Security Plan and include Management
Controls, Development/Implementation Controls for application
systems, Acquisition/Development/Installation Controls for
general support systems, Operational Controls, Security Awareness
and Training, Technical Controls and Complementary Controls
Provided by General Support Systems for application systems or
Controls Over the Security of Applications for general support
systems.

Although, it is not necessary to include the level of detail
contained in the Security Plan, the controls should be listed to
provide a foundation for selecting tests to be performed to
verify if the controls are adequate and appropriate and are
operating as expected.
              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 3
                           SECURITY FEATURESSystem Name/TitleSystem ID:
Description of Security Features:
































                DIRECTIONS FOR COMPLETING WORKSHEET 4:
                            SECURITY TESTS


System Name/Title and System ID are the same as on Worksheet 1.

Test Scenarios should contain a numbered list of the tests to be
preformed to verify the controls listed on Worksheet 3.  For more
detail about the controls, see Section III.C. of the security
plan.  

          If this is an existing system that has been in
           operation for some time, the tests may selectively test
           the most critical controls. 

          If the system is under, or just completed development,
           or is a turn-key system, all security controls should
           be tested.

          If testing has been done for a another recent review,
           or during recent acceptance testing of the system, it
           may not be necessary to repeat the tests.  It will be
           necessary to review records of the prior tests, and
           determine if the documentation of the tests and results
           are adequate.   If it is determined that it is not
           justified to repeat the tests, a statement should be
           included on Worksheet 4 explaining the reason.  Also,
           include enough information about all supporting
           documentation reviewed, to allow it to be located for
           future reference.  At a minimum, include a list of
           tests from the documentation, that were performed. 
           This list need not contain as much detail for each
           individual test as the referenced documentation. 

              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 4
                            SECURITY TESTSSystem Name/TitleSystem ID:
Test Scenario:
































                DIRECTIONS FOR COMPLETING WORKSHEET 5:
                         SECURITY TEST RESULTS


System Name/Title and System ID are the same as on Worksheet 1.

Test Results reports the results of each of the tests described
on Worksheet 4.  The numbers on Worksheet 5 for each test result
should agree with the numbers on Worksheet 4 for the test
description.  Indicate whether the was "Passed" or "Failed".


              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 5
                         SECURITY TEST RESULTSSystem Name/TitleSystem ID:
Test Results:
































                DIRECTIONS FOR COMPLETING WORKSHEET 6:
                    EVALUATION AND RECOMMENDATIONS


System Name/Title and System ID are the same as on Worksheet 1.

Evaluation of Test Results should discuss the results of the
tests and their relationship to assuring the adequacy of
controls.

Under Recommendations check one of the three responses.  

          Check Tests indicate that protection requirements were
           met if all tests resulted in correct results.

          Check Tests indicate that protection requirements were
           not met if some tests failed and corrections have not
           been, or cannot be implemented.

          Check Tests indicate that protection requirements were
           met; recommend certification with the following
           additional security features required: if there are
           additional security controls needed to meet the
           protection requirements.  This category should be used
           when certifying software applications that require
           hardware or operating system features to assure
           adequate protection.  It should also be used if an
           interim certification is being recommended, pending
           completion of specific actions.

Certifying Team Signatures should included printed names of the
certifying team members, a signature, and a date for each team
member.

              SENSITIVE SYSTEM CERTIFICATION WORKSHEET 6
                    EVALUATION AND RECOMMENDATIONSSystem Name/TitleSystem
ID:
Evaluation of Test Results:







Recommendations:

      _____      Tests indicate that protection requirements were
                 met.
           RECOMMEND CERTIFICATION OF THIS SYSTEM.

      _____      Tests indicate that protection requirements were
                 not met.  RECOMMEND THAT THIS SYSTEM NOT BE
                 CERTIFIED.

      _____      Tests indicate that protection requirements were
                 met; recommend certification with the following
                 additional security features required:




Certifying Team Signatures


     Name                        Signature                      
       Date

_______________________________________________________________
____________

_______________________________________________________________
____________

_______________________________________________________________
____________ 



                              Appendix B

                    Sample Certification Statement


I have carefully examined the certification worksheets for DOC
Information Technology System Number _________, "Insert system
name/title", dated ___________________ .  Based on the
information contained in this package and the results of tests
conducted on the system, it is my judgment that satisfactory
information technology controls are in place to adequately
protect the system and that it is operating at an acceptable
level of risk.  

I hereby certify DOC IT System Number ________, "Insert system
name/title", for a period not to exceed three years.  Should
substantial changes or security incidents occur during that three
year period, which bring the adequacy of the protection measures
for this system into question, a reevaluation and recertification
must be completed earlier.




Certification Official Name/Title: 

      ______________________________________________                   
                 
      ______________________________________________


Signature: _____________________________________________  Date:
____________


   

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH