US Department of Defense Information Assurance: Achieving Successful DITSCAP with eZ publish as a Platform

As part of the DITSCAP, a Certifying Authority will conduct at minimum a four-hour interview to determine that all security assurance measures, planning, procedures and documentation are available to support the system. This interview includes a line-by-line check of the SSAA's Requirements Traceability Matrix (RTM) and the Minimum Security Activity Checklists.

Requirements Traceability Matrix (RTM)

The RTM is a traceability matrix with information assurance directives and security requisites (national directives, OMB circulars, DOD / Navy / Agency directives) that are used to create a list of system security requirements. The DASN (ACQ) One Source RTM was 35 pages long.

Minimum Security Activity Checklists

The Minimum Security Activity Checklists are used for the Certification Test and Evaluation Plan and Procedures. The Certifier uses these checklists to formally record the security activities and tasks associated with the system to ensure proper completion.

The Minimum Security Activity checklists are categorized into the following areas:

• System Architecture Analysis
• Software, Hardware, Firmware design Analysis
• Network Connection Rule Compliance Analysis
• Integrity Analysis of Integrated Products
• Life Cycle Management Analysis
• Vulnerability Assessment
• Security Test and Evaluation
• Penetration Testing
• System Management Analysis
• Site Accreditation Survey
• Contingency Plan Evaluation
• Risk Management Review

If Sensitive or Classified information resides on the system then the following checklists also apply:

• TEMPEST and RED/BLACK Verification
• COMSEC Compliance Verification

Certifier interview

The Certifier conducting the interview will need to determine whether the system complies with each RTM item. The Certifier will designate a Material Review Category based on materials, responses and information shared during the interview process. The categories include Observation (Certifier observation), Document Review (existence of supporting documentation), Interview (responses during interview), or Testing Technique (Certifier was able to test). For each item the interview will designate any or all of the categories.

For the Minimal Security Activity checklists, the Certifier will simply check "Yes", "No" or "Not Applicable".

The Certifier will use the information gathered in the interview to make a decision on whether or not you are prepared to continue to the next phase.

How to ensure a successful certification interview

To help ensure a successful certification interview, it is strongly recommended that you conduct an internal review of the entire RTM and the Minimum Security Activity Checklists prior to the interview. Conduct the internal review with the pertinent members of your system's project team.

The ATI team took the necessary time to review and evaluate / test each associated security requirement within the RTM and made a determination whether or not the system met the requirement. If we found any security requirements that our system did not meet, we made the changes that were needed to comply before the scheduled interview. In addition, for each item we made sure we had supporting proof of concurrence.

Wherever possible, ATI ensured standard operating procedures, formal processes, documentation, system administration logs, forms, etc, were available to support the items. (See the list in the section "Level 1 Documenation" for examples.) The Certifier will want to see some form of proof for the compliance.