Security Package Documents Flashcards

1
Q

What is the SSP? Define it and its objective.

A
  • The System Security Plan
  • A living document that is meant to improve the protection of system resources.

2
Q

List the 15 major content sections of the SSP.

A

1- system name and unique identifier
2- system categorization
3- system owner
4- authorizing official
5- other designated contacts
6- assignment of responsibilities
7- system operational status
8- information system type (GSS? Major app?)
9- general description/purpose of system
10- system environment (small office? agency?)
11- system interconnection/information sharing
12- laws, regulations & policies affecting the system
13- security controls selection
    - control title, status, scoping guide, etc.
14- completion and approval dates
15- ongoing system security plan maintenance

3
Q

At which RMF step is the SSP initiated?

A

Categorization

4
Q

At which RMF step is the SSP approved?

A

Selection

5
Q

NIST publication for developing the SSP?

A

SP 800-18 rev 1

6
Q

How many components make up the SSP?

A

About 12-15

7
Q

Who approves the SSP?

A

Authorizing Official (AO)

8
Q

How many pages is your SSP doc?

A

~150

The template for the FedRAMP SSP is 352 pages long.

9
Q

Define and Explain the POA&M

A

The Plan of Action and Milestones.

This document contains all the vulnerabilities and findings identified during the assessment.
It is used to track the progress of material weaknesses that were identified during or after the assessment, or during continuous monitoring.

10
Q

What are the contents of a POA&M?

A
  • weakness number/ID
  • creation date
  • description of weakness
  • status (open or closed)
  • criticality (priority) level
  • point of contact (POC)
  • risk category (low, mod, high)
  • resources required (estimated dollar amount)
  • severity
  • type (system specific or inherited?)
  • material weakness indication
  • scheduled completion date
  • estimated completion date
  • actual completion date
  • link to related control title, name or number
  • source of weakness
  • milestone changes
  • milestone with completion date

11
Q

What tools can be used to create a POA&M?

A

One can use an Excel spreadsheet.

Some automated tools or applications, such as:

  • TAF (Trusted Agent FISMA) (used by DOD & DHS)
  • Xacta IA Manager or 360 (DHS)
  • CFACTS (CMS FISMA Controls Tracking System) (CMS, Centers for Medicare & Medicaid Services)
  • CSAM (DOJ) (most federal agencies)
  • Risk Vision (Veterans Affairs and NIH)

12
Q

Automation tools that fully implement the six (seven) steps of the RMF?

A
  • TAF (Trusted Agent FISMA) (used by DOD & DHS)
  • Xacta IA Manager or 360 (DHS)
  • CFACTS (CMS FISMA Controls Tracking System) (CMS, Centers for Medicare & Medicaid Services)
  • CSAM (DOJ) (most federal agencies)
  • Risk Vision (Veterans Affairs and NIH)

*These tools manage, monitor and track ATOs, POA&Ms, control assessments and ongoing authorizations for all FISMA systems/major applications of the organization, which sometimes number 50-100.

13
Q

At which RMF step is the POA&M initiated?

A
  • Assessment
  • Continuous Monitoring

14
Q

What is the SAR?

A

The Security Assessment Report: contains the findings that were uncovered during the assessment. Notes their criticality - low, mod or high.

15
Q

What is the PTA?

A

Privacy Threshold Analysis: an artifact that is used in the categorization step of the RMF. This is done if a system tests positive for PII and is a threshold for creating a PIA.

16
Q

What are the specific PTA questions?

A
  • description of program/project purpose
  • program/project status
  • from whom does the program collect, maintain, use or disseminate information?
  • what specific information about individuals could be collected, generated or retained? Does the program use SSNs?
  • checklist of technologies: does the system use them? CCTV, social media, etc.
  • does the program connect to, receive or share PII with other programs or systems?
  • does the program connect to, receive or share PII with any external programs or systems?

17
Q

What is the PIA?

A

Privacy Impact Analysis: discusses the risk of storing, using or transmitting PII on a system.

18
Q

What is a SORN? And what is its purpose?

A

System of Records Notice

As required by the Privacy Act, whenever a federal agency maintains information about an individual in a system of records and retrieves the information by a personal identifier, it must publish a SORN in the Federal Register.

The SORN describes what, why and how the records in the relevant system are collected, maintained, and used. A SORN is published for new systems and is updated and republished if and when system changes are made that affect the factors earlier reported.

19
Q

What is the MOU? Purpose and content?

A

Memorandum of Understanding

A formal agreement that discusses the terms of two or more organizations as they establish an official partnership. Although not legally binding, they do carry a degree of seriousness.

Names the parties, describes the project on which they are agreeing, details each party’s roles and responsibilities.

20
Q

What is an SLA? Purpose?

A

Service Level Agreement

Dictates the minimum level of services that would be required as part of the agreement. Uptime, response time agreement, etc.

21
Q

What is BPA? Purpose?

A

Business Partners Agreement

Commonly seen between organizations that have longer-term and broader relationships, e.g. between a manufacturer and a reseller.

22
Q

What is ISA? Purpose?

A

Interconnection Security Agreement

Required within the US Federal Government to define security controls when different departments connect to each other.

Legally binding. Defines the physical and logical boundaries between the organizations. Lays out rules for the expectations of establishing a secured connection between both organizations, the state of utilities that would be in use, etc.

23
Q

What is E-Authentication? Levels? Examples.

A

Authentication that can be established when accessing a system from a remote location. There are two levels:

1- single-factor authentication
2- multi-factor authentication

Types of authentication:
1- something you know: password, PIN, combinations, code words, secret handshakes, etc.

2- something you have: PIV card, keys, smartphones, token devices, etc.

3- something you are: biometrics; voice verification, retina and palm scanning, fingerprint, face scan, etc.

24
Q

What is the contingency plan (CP)?

A

Both an artifact and a control, the contingency plan is one of the most critical components of an organization’s policy agenda.

A plan that discusses the controls and procedures in place to ensure that there is business continuity and resilience in case of any disruption of services.

25
Q

What is The contingency plan test (CPT)?

A

Document that seeks to 'test' both how the contingency plan would be carried out and how effective it would be were it actually executed. This is done in two ways:

  • Classroom/Tabletop Exercise: discussion-based exercises. Personnel meet in a classroom setting or break out in groups to discuss their roles during an emergency and their response to emergency situations. Scenario based. Doesn't involve deploying equipment or other resources.
  • Functional Exercise (Limited Scope or Integrated Testing): simulation-based exercise. Functional exercises allow staff to execute their roles and responsibilities as they would in actual emergency situations, but in a simulated manner.

26
Q

What is the Disaster Recovery Plan (DRP)?

A

The disaster recovery plan defines and describes critical mission systems, and charts recovery plans in case of a disruption to the critical mission systems, in order to ensure continuity of operations in the event of a disaster. System components and location are important here.
This is where we would discuss things like hot, warm or cold sites.
The DRP can be just part of the CP, or the CP can contain multiple DRPs for its multiple critical systems, whereas for smaller organizations the DRP and the CP could be one and the same.

27
Q

What is the Business Impact Analysis (BIA)?

A

The BIA clearly identifies and analyzes the impact of any service disruption to critical mission systems. In doing so, the BIA creates a hierarchy of systems that need to be attended to. It also includes a Recovery Time Objective and Recovery Point Objective for each system. The BIA is sometimes a document on its own, but it is also an integral part of the CP and of the Continuity of Operations Plan (COOP) in general.

28
Q

What is a Risk Assessment (RA)?

A

The Qualitative and Quantitative evaluation of risk based on levels of criticality and sensitivity.

29
Q

What is Incident Response (IR)?

A

The timely intervention to any incident in order to mitigate risk.

30
Q

What is the SAP?

A

The Security Assessment Plan.
Discusses the who, what, when and where of the assessment. It also covers the scope and personnel involved, and would address the ROE (rules of engagement) if vulnerability scans or penetration tests were part of the assessment.

31
Q

What is a system registration?

A

Document used to officially recognize and justify the existence of a system. This document legalizes the system.