DoDD 8500.1 DoDI 8500.2
Slide 1: DoDD 8500.1 DoDI 8500.2
Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional
COMP 6370 – Supplemental – DoDD 8500.1 & DoDI 8500.2

Slide 2: Scope of DoDD 8500.1
• Information Classes:
  – Unclassified
  – Sensitive information
  – Classified
• All ISs, to include:
  – All DoD owned or controlled information systems
  – Information systems under contract to DoD
  – Outsourced information-based processes (e.g. those supporting e-commerce or e-business)
  – Information systems of non-appropriated fund (NAF) activities
  – Stand-alone information systems
  – Mobile computing devices (i.e. laptop, PDA, handheld)

Slide 3: DoDD 8500.1 Policy
• Information Assurance requirements and new/upgraded systems
  – According to this directive, IA requirements will be identified and included in the design, acquisition, installation, upgrade, or replacement of any information system within DoD. Also, Public Key Infrastructure (PKI) certificates and biometrics will be incorporated into all new and upgraded systems whenever possible.
• All DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among:
  – the importance and sensitivity of the information and information assets
  – documented threats and vulnerabilities
  – the trustworthiness of users and interconnected systems
  – the impact or destruction of the system
  – cost effectiveness
• For IA purposes, all DoD systems are organized and managed within four categories:
  – Automated Information Systems (AIS) applications
  – Enclaves (includes networks)
  – Outsourced IT-based processes
  – Platform IT interconnections
• IA readiness is a critical element of overall mission readiness. It will be monitored, reported, and evaluated throughout DoD and validated by the DoD CIO.

Slide 4: DoDD 8500.1 Information Assurance
• DoDD 8500.1 became effective on 24 October 2002 (certified current as of 21 Nov 2003). Its purpose is to establish policy and assign responsibilities in order to achieve Department of Defense (DoD) information assurance (IA). It accomplishes this by utilizing a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare.
• This directive supersedes the following documents:
  – DoD Directive 5200.28 -- “Security Requirements for Automated Information Systems”
  – DoD 5200.28-M -- “ADP Security Manual”
  – DoD 5200.28-STD -- “DoD Trusted Computer Security Evaluation Criteria”
  – DoD Chief Information Officer (CIO) Memorandum 6-8510
• It designates the Secretary of the Army as the Executive Agent for the integration of common biometric technologies throughout the Department of Defense.

Slide 5: DoDD 8500.1 COTS IA Compliance
• National Security Telecommunications and Information Systems Security Policy Number 11
  – NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS), in January 2000 and revised in June 2003.
  – The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).
  – The objective of NSTISSP #11 is to ensure that COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2.
  – Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs:
    – National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program: http://niap.nist.gov/cc-scheme/index.html
    – NIST Federal Information Processing Standard (FIPS) Cryptographic Module Validation Program (CMVP): http://csrc.nist.gov/cryptval/cmvp.htm

Slide 6: 8500 Series IA Compliance Decision Tree
[decision-tree figure not transcribed]
** Compliance with applicable guidance in the 8500 series is recommended for all other systems with embedded IT assets.

Slide 7: IA Compliance by Acq. Program Type
[figure not transcribed]

Slide 8: DoDI 8500.2 Overview, Multi-Echelon Management Structure
[figure not transcribed]

Slide 9: DoDI 8500.2 Overview, Multi-Echelon Management Structure (cont.)
[figure not transcribed]

Slide 10: IA Controls (Enclosure 4, DoDI 8500.2)
• IA Control Subject Area. One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned. (Next Slide)
• IA Control Number. A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control name. The number represents a level of robustness in ascending order that is relative to each IA Control. (Next Slide)
• IA Control Name. A brief title phrase that describes the individual IA Control.
• IA Control Text. One or more sentences that describe the IA condition or state that the IA Control is intended to achieve.

Slide 11: Another IA Control Example
[example figure not transcribed]

Slide 12: IA Control Subject Areas (Enclosure 4, DoDI 8500.2)
• In the example to the right (figure not transcribed; the control shown is ECCT-2), the control level is two (2), which means there is a related IA Control, ECCT-1, that provides less robustness. There may also be an IA Control, ECCT-3, that provides greater robustness.

Slide 13: Baseline Information Assurance Levels
• Mandated by DoDD 8500.1, described in DoDI 8500.2:
  – All DoD information systems shall be assigned a mission assurance category.
  – The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission.
• DoD has three defined mission assurance categories:
  – Mission Assurance Category I (MAC I)
    • Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures.

Slide 14: DoD has three defined mission assurance categories (cont.)
  – Mission Assurance Category II (MAC II)
    • Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance.
  – Mission Assurance Category III (MAC III)
    • Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require proactive measures, techniques, or procedures generally commensurate with commercial best practices.
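The IA Control Number layout described under "IA Controls (Enclosure 4, DoDI 8500.2)" and the ECCT-1 / ECCT-2 / ECCT-3 robustness ordering from the subject-area slide, as an added Python example that is not part of the lecture: it parses control numbers and reports which required baseline controls an implemented set fails to meet. The subject-area abbreviation table and the rule that a higher robustness level satisfies a lower requirement are assumptions (the slide listing the eight subject areas is not in the transcript), and the required/implemented sets are constructed samples, not the Enclosure 4 baseline.

```python
import re

# DoDI 8500.2 IA Control Number layout: two-letter subject-area abbreviation,
# two-letter control-name abbreviation, a dash, then a robustness level that
# ascends relative to each control (ECCT-1 < ECCT-2 < ECCT-3).
# ASSUMPTION: the eight subject-area abbreviations below are taken from
# Enclosure 4; the lecture slide listing them is not in the transcript.
SUBJECT_AREAS = {
    "DC": "Security Design and Configuration",
    "IA": "Identification and Authentication",
    "EC": "Enclave and Computing Environment",
    "EB": "Enclave Boundary Defense",
    "PE": "Physical and Environmental",
    "PR": "Personnel",
    "CO": "Continuity",
    "VI": "Vulnerability and Incident Management",
}
_ID_RE = re.compile(r"^([A-Z]{2})([A-Z]{2})-([1-9])$")


def parse_control_id(text):
    """Split 'ECCT-2' into ('EC', 'CT', 2); reject malformed IDs and unknown areas."""
    m = _ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed IA Control Number: {text!r}")
    subject, name, level = m.group(1), m.group(2), int(m.group(3))
    if subject not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area {subject!r} in {text!r}")
    return subject, name, level


def baseline_gaps(required, implemented):
    """Return required control IDs that the implemented set does not meet.
    ASSUMPTION (not stated on the slides): a higher robustness level of the
    same control, e.g. ECCT-2, satisfies a baseline requirement for ECCT-1."""
    have = {}  # (subject, name) -> highest implemented robustness level
    for subject, name, level in map(parse_control_id, implemented):
        have[(subject, name)] = max(have.get((subject, name), 0), level)
    return [
        f"{subject}{name}-{level}"
        for subject, name, level in map(parse_control_id, required)
        if have.get((subject, name), 0) < level
    ]


# Constructed sample sets for demonstration, not a real Enclosure 4 baseline.
REQUIRED = ["ECCT-1", "IAKM-1", "DCSQ-1", "VIVM-1"]
IMPLEMENTED = ["ECCT-2", "IAKM-1", "VIVM-1"]
```

Running baseline_gaps(REQUIRED, IMPLEMENTED) on the constructed sets reports only DCSQ-1, because the implemented ECCT-2 covers the ECCT-1 requirement under the stated assumption.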
Slide 15: Mission Assurance Category Summary (DoDI 8500.2 Enclosure 3)
• The baseline sets of IA Controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Level as specified in the formal requirements documentation or by the information owner.
• IA Controls addressing availability, confidentiality, integrity, authentication and nonrepudiation requirements are keyed to the system's MAC based on the importance of the information to the mission, particularly the warfighters' combat mission, and on the sensitivity or classification of the information.

Slide 16: Mission Assurance Category Levels for IA Controls
• IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels, with each level representing increasingly stringent information assurance requirements.

Slide 17: Determining Baseline IA Controls
[figure not transcribed]

Slide 18: JCIDS Process and Acquisition Decisions (CJCSI 3170.01E)
[figure not transcribed]

Slide 19: JCIDS and Information Assurance
• Information Assurance: information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation.
• This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.
• Net-Ready Key Performance Parameter (NR-KPP) (see following)