Sunday 19 November 2006 8:23:00 am
As part of the DITSCAP (DoD Information Technology Security Certification and Accreditation Process), a Certifying Authority will conduct an interview of at least four hours to determine that all security assurance measures, planning, procedures and documentation are in place to support the system. The interview includes a line-by-line check of the SSAA (System Security Authorization Agreement) Requirements Traceability Matrix (RTM) and of the Minimum Security Activity Checklists.
The RTM is a traceability matrix that maps information assurance directives and security requirements (national directives, OMB circulars, DOD / Navy / Agency directives) to the specific security requirements derived from them for the system. The DASN (ACQ) One Source RTM was 35 pages long.
The Minimum Security Activity Checklists support the Certification Test and Evaluation Plan and Procedures. The Certifier uses these checklists to formally record the security activities and tasks associated with the system and to confirm that each was properly completed.
The Minimum Security Activity checklists are categorized into the following areas:
If Sensitive or Classified information resides on the system then the following checklists also apply:
The Certifier conducting the interview must determine whether the system complies with each RTM item. For each item the Certifier assigns one or more Material Review Categories based on the materials, responses and information shared during the interview: Observation (the Certifier observed it directly), Document Review (supporting documentation exists), Interview (responses given during the interview), or Testing Technique (the Certifier was able to test it). Any combination of these categories may be recorded against a single item.
For the Minimum Security Activity Checklists, the Certifier simply marks each item "Yes", "No" or "Not Applicable".
The Certifier uses the information gathered in the interview to decide whether or not you are prepared to continue to the next phase.
To help ensure a successful certification interview, it is strongly recommended that you conduct an internal review of the entire RTM and the Minimum Security Activity Checklists before the interview, together with the pertinent members of your system's project team.
The ATI team took the necessary time to review and evaluate / test each associated security requirement within the RTM and made a determination whether or not the system met the requirement. If we found any security requirements that our system did not meet, we made the changes that were needed to comply before the scheduled interview. In addition, for each item we made sure we had supporting proof of concurrence.
Wherever possible, ATI ensured that standard operating procedures, formal processes, documentation, system administration logs, forms, etc., were available to support the items. (See the list in the section "Level 1 Documentation" for examples.) The Certifier will want to see some form of proof of compliance.