SSP for Multi-User Stand-Alone Systems

EFW, Inc.

AIS Tester

SSP for Multi-User Stand-alone Systems

(ODAA Unique Identifier: 0EWC9-20061023-00007)

ISSM: Carolyn Shugart

Review Results:

We carefully reviewed the System Security Plan and found the following items were either not discussed or need clarification in the plan:

Regulatory Compliance Issues:

  • The submitted SSP does not contain a statement signed by the ISSM that the system has all required protection measures in place and validating they provide the protection intended.

Ref: NISPOM 8-201

  • The submitted SSP does not adequately provide for clearing of memory and media.

Ref: NISPOM 8-301a

  • The submitted SSP does not adequately provide for sanitization of memory and media.

Ref: NISPOM 8-301b

  • The submitted SSP does not ensure that security relevant software is adequately tested to ensure that security features function as specified.

Ref: NISPOM 8-302a&8-610a

  • The submitted SSP does not indicate all relevant objects to be audited.

Ref: NISPOM 8-602

  • The submitted SSP does not contain a signed statement by the ISSM certifying that the system complies with PL requirements and Levels of Concern.

Ref: NISPOM 8-610

  • The submitted SSP does not ensure that system recovery will occur in a controlled manner.

Ref: NISPOM 8-612a

ODAA Recommendations:

  • The submitted SSP references ISLs in section 1.1 of the General Procedures. The ODAA recommends removing these as they have been rescinded.
  • The submitted SSP states that the ISSM will self-certify new information systems. The ODAA recommends removing any reference to ‘new’ systems as self-certification only applies to additional like systems.
  • The submitted SSP states that media markings will conform to the requirements of the Standard Practice Procedures. The ODAA recommends adding that markings will also conform with NISPOM Chapter 4.
  • The submitted SSP states that self-certification is requested in the General Procedures but the Protection Profile states that self-certification is not requested. The ODAA recommends correcting the conflicting information.
  • The submitted SSP lists “power down” as a method of clearing and sanitizing a printer. The ODAA recommends amending this to read “remove power” and include printing one page of random text in order to be in compliance with the approved Clearing and Sanitization Matrix.
  • The submitted SSP states that software written by a foreign Government is used on the IS but does not have any procedures to perform a line by line code inspection to ensure the software performs as specified. The ODAA recommends including detailed procedures on how the software is examined to ensure it is free of malicious code.
  • The submitted SSP still contains instructional text from the FAISSR template. The ODAA recommends removing this text in order to avoid confusion.
  • The submitted SSP includes a certification text for SUSE Linux but does not identify this Operating System in the software baseline or the configuration diagram. The ODAA recommends amending the Protection Profile to reflect the actual configuration of the system.

Please update the SSP and resubmit the plan to ODAA. We appreciate your efforts to properly document this system and will expedite processing of your new submittal.

EFW, Inc.

AIS Tester

SSP for Multi-User Stand-alone Systems

(ODAA Unique Identifier: 0EWC9-20061023-00007)

ISSM: Carolyn Shugart

Review Results:

We carefully reviewed the System Security Plan and found the following items were either not discussed or need clarification in the plan:

Regulatory Compliance Issues:

  • The submitted SSP does not ensure that security relevant software is adequately tested to ensure that security features function as specified.

Ref: NISPOM 8-302a&8-610a

  • The submitted SSP does not indicate all relevant objects to be audited.

Ref: NISPOM 8-602

  • The submitted SSP does not ensure that system recovery will occur in a controlled manner.

Ref: NISPOM 8-612a

ODAA Recommendations:

  • The submitted SSP states that software written by a foreign Government is used on the IS but no procedures to perform a line by line code inspection to ensure the software performs as specified are provided in the SSP. Since NISPOM requires a line by line code review of software of this nature, DSS will work in coordination with the GCA and EFW, Inc. to determine the best course of action in this situation.
  • The submitted SSP does not indicate that the blocking or blacklisting of a user terminal or access port is audited. The ODAA recommends including this in the plan as NISPOM requires this object to be audited.
  • The submitted SSP does not ensure that, in the event that the system needs to be recovered, security relevant functions are returned to operational status and that only the ISSM or designee shall have control of the system if off-normal conditions arise.

Please update the SSP and resubmit the plan to ODAA. We appreciate your efforts to properly document this system and will expedite processing of your new submittal.

EFW Inc.

System Security Plan IS#2 for PL1 Small Internal LAN in a Closed Area

(ODAA Unique Identifier: 0WEC9-20040315-00002)

ISSM: Carolyn Shugart

Review Results:

We carefully reviewed the System Security Plan and found the following items were either not discussed or need clarification in the plan:

Regulatory Compliance Issues:

  • Section 3.4b identifies that retesting will occur prior to implementation of a new version of software. Retesting should occur after the loading of new software to verify that security features are still working properly.

REF: NISPOM 8-302a&8-610a

  • The submitted MSSP does not provide for on-going testing.

REF: NISPOM 8-610

ODAA Recommendations:

  • For ease of reference and consistency, please label the SSP and attached Protection Profile with the plan’s unique identifier. (0WEC9-20040315-00002)

Bell Helicopter Textron, Inc.

System Security Plan # Single User System Standalone IS4 in a Restricted Area

(ODAA Unique Identifier: 97499-20070131-00004)

ISSM: Harold Freeze

Review Results:

We carefully reviewed the System Security Plan and found the following items were either not discussed or need clarification in the plan:

Regulatory Compliance Issues:

  • The submitted SSP indicates that sanitization will be accomplished by “powering off” the device. The correct method to sanitize volatile memory is the removal of power, to include battery power. Please verify that the sanitization procedures listed in the hardware baseline are in accordance with the DSS Clearing and Sanitization Matrix.

REF: NISPOM 8-301a & 8-301b

  • Section 3.4b identifies that retesting will occur prior to implementation of a new version of software. Retesting should occur after the loading of new software to verify that security features are still working properly.

REF: NISPOM 8-302a&8-610a

  • It is unclear if the submitted SSP conforms to the NISPOM Chapter 4 with regard to the marking of media and the DoD Guide to Marking Classified Documents in Section 11, Classified Media Marking.

REF: NISPOM 8-306

  • The Protection Profile indicates that other NSA approved methods of destruction will be used. Please annotate the other approved NSA destruction method in use.

REF: NISPOM 8-610

  • The SSP indicates that media will be sent to NSA for destruction. Please be aware that NSA no longer accepts all media for destruction. Please check with your IS Rep to ensure that your facility is approved to send media to NSA for destruction.

REF: NISPOM 8-610

  • The submitted SSP does not provide for adequate audit logs, the protection of the audit logs, or the weekly review of any audit log data.

Ref: NISPOM 8-602

  • The submitted SSP does not provide for on-going testing.

Ref: NISPOM 8-610

  • The submitted SSP does not include all the required manual audit logs.

REF: ISL 01-1, 53

ODAA Recommendations:

  • For ease of reference and consistency, please label the SSP and attached Protection Profile with the plan’s unique identifier. (97499-20070131-00004)
  • Marking of media and hardware as described in the SSP appears to be in compliance with NISPOM. The SSP references the Contractor Security Manual as the marking guidance instruction. Recommend adding a statement that the Contractor Security Manual guidance is in accordance with NISPOM Chapter 4.
  • Recommend removing closed area verbiage for physical location in the plan since it is a restricted area.
  • The submitted SSP includes a Laptop that could have wireless technology. However, the SSP does not indicate whether or not the laptop contains wireless technology and what security procedures have been implemented to prevent the use of wireless in a classified area.
  • The submitted SSP listed the SEM 1666 shredder as an other method of destruction. Please be aware that this is not one of the NSA approved destruction devices. Please make a correction to this as soon as possible.

Bell Helicopter Textron

System Security Plan

(ODAA Unique ID: 97499-20060701-00050)

ISSM: Harold Freeze

Review Results:

We carefully reviewed the System Security Plan and found the following items were either not discussed or need clarification in the plan:

Regulatory Compliance Issues:

  • Section 3.4 (a) addresses security testing. Security testing should occur after implementation of any new software version to ensure verification of correct operation of security protection measures for the IS.

REF: NISPOM 8-614

  • Section 5.2.2. states that after 5 unsuccessful attempts to access the system, the user will be locked out for 5 minutes. The Protection Profile indicates that the user will be locked out for 30 minutes after 5 unsuccessful attempts to access the system. Please clarify.

REF: NISPOM 8-609 a

  • Section 5.4 (c) (2) recommends that virus signature files be updated every 30 days. Please include the actual schedule of virus signature updates.

REF: NISPOM 8-305

  • Section 5.6 does not adequately address system recovery. Please include the process that ensures security mechanisms are re-enabled during system recovery. Also, please include limited access until recovery.

REF: NISPOM 612 & 613

  • The DSS Form 147 for the Closed Area is not attached to the SSP.

REF: NISPOM 8-308

  • The Protection Profile indicates that periods processing is used on the system. There is no additional information on periods processing in the SSP. Please provide additional information on the use of periods processing on this system.

REF: NISPOM 8-502 & 8-610

  • The Protection Profile indicates there is a physical disconnection. There is no disconnection shown in the configuration diagram in Attachment 4. Please provide more information on the usage of this disconnection along with the security policies and procedures.

REF: NISPOM 8-610

  • The Protection Profile indicates the LAN is interconnected. The SSP does not include any security support structure or general network/transmission policies or procedures. Also, the network diagram provided in the SSP does not show any WAN connections. Please clarify.

REF: NISPOM 8-610

  • The Protection Profile indicates no encryption is used and that there is also a STU III connection. Please clarify.

REF: NISPOM 8-610

  • The Protection Profile indicates that trusted downloading is used on this IS. The document attached includes both DSS approved and unapproved DSS trusted downloading procedures. Are unapproved DSS procedures used on this IS?

REF: NISPOM 8-610

  • The Protection Profile does not include audit log management information.

REF: NISPOM 8-610

  • The hardware baseline contains several devices with non-volatile memory. The sanitization method listed for these devices is “Remove all Power Reset to Default.” Please provide more information about these procedures as they do not meet the approved DSS Clearing and Sanitization Matrix requirements for non-volatile memory.

REF: NISPOM 8-301

  • The network configuration diagram in Attachment 4 of the SSP does not show the STU III, WAN connection and disconnection or the closed area boundary.

REF: NISPOM 8-610

  • The mobile procedures are incomplete. There is no information on the length of stay, security controls at the destination (i.e., stored in GSA approved safe), example letter for transfer of cognizance or IS Rep notification.

REF: NISPOM 8-610

  • Attachment 9 of the SSP lists mobile locations for the IS. This attachment is referenced under special procedures for the STU III. Are there any remote connections to this IS? Are there connections to government systems? Is cognizance of the IS transferred? Are there any MOUs in place for this IS?

REF: NISPOM 8-610

ODAA Recommendations:

  • Recommend identifying ODAA or Clem Boyleston as the DAA within the protection profile.
  • Section 1.2 states that the confidentiality level will be Top Secret or Secret respectively. The Protection Profile lists the highest classification level of data as Secret. Recommend adding Top Secret in the Protection Profile.
  • Recommend changing “shall appoint” to “has appointed” in Section 2.1 (b) for the appointment of ISSM Harold Freeze.
  • The SSP indicates that hard drives are not overwritten, but sent to the NSA or an approved facility for destruction. Please be aware that the NSA no longer accepts all media for destruction. Please check with your IS Rep to ensure that your facility is approved to send media to the NSA for destruction.
  • Marking of media and hardware as described in Section 11 of the SSP appears to be in compliance with NISPOM. The SSP references Bell Helicopter Textron’s requirements as the marking guidance instruction. Recommend adding a statement that the Bell Helicopter Textron requirements are in accordance with NISPOM Chapter 4.

Please update the System Security Plan and resubmit the plan to ODAA. We appreciate your efforts to properly document this system and will expedite processing of your new submittal.
