A Guide to the Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements - Volume 1 of 4
Table of Contents
FOREWORD
ACKNOWLEDGEMENTS
1 GENERAL INFORMATION
1.1 INTRODUCTION
1.2 DEFINITION OF TERMS
1.3 APPLICABILITY
1.4 PURPOSE
1.4.1 ASSUMPTIONS
1.4.2 ACQUISITION MANAGEMENT OFFICE
1.5 SCOPE
1.6 REGULATORY HIERARCHY
1.7 OVERVIEW OF THE GUIDELINE
1.8 HOW TO GET HELP
1.8.1 REFERENCE SOURCES
1.8.2 MAJOR AGENCY OR ORGANIZATION COUNTERPARTS
1.8.3 SENSITIVE COMPARTMENTED INFORMATION (SCI)
1.8.3.1 SCI REQUIREMENTS
1.8.3.2 THREAT SUMMARY
1.8.4 OTHER PROGRAM OFFICES
1.8.5 NSA
1.9 REQUIRED DOCUMENTS
2 THE ACQUISITION PROCESS
2.1 INTRODUCTION
2.2 ACQUISITION PARTICIPANTS
2.2.1 PLANNING, PROGRAMMING AND BUDGETING
2.2.2 REQUIREMENTS GENERATION
2.2.3 ACQUISITION MANAGEMENT
2.3 FINANCIAL MANAGEMENT
2.4 CONTRACTOR/GOVERNMENT INTERFACE
2.4.1 BEFORE CONTRACT AWARD
2.4.1.1 MAILING OR BIDDER'S LISTS
2.4.1.2 COMMERCE BUSINESS DAILY
2.4.1.3 SMALL BUSINESSES
2.4.2 DURING SOURCE SELECTION
2.4.3 AT CONTRACT AWARD
2.4.3.1 POST-AWARD DEBRIEFING
2.4.3.2 AWARD CONFERENCE
2.4.4 AFTER CONTRACT AWARD
2.4.4.1 OBLIGATING THE GOVERNMENT
2.4.4.2 CONTRACT SCOPE
2.4.4.3 TECHNICAL INTERCHANGE MEETING
2.4.4.4 CONTRACT CHANGES
2.4.4.5 INFORMAL CONTACT
2.5 DOCUMENT PREPARATION
2.5.1 PLANNING AND FINANCIAL MANAGEMENT DOCUMENTS
2.5.1.1 POLICY AND STRATEGY DOCUMENTS
2.5.1.2 THE PROGRAM OBJECTIVE MEMORANDUM (POM)
2.5.1.3 PROGRAM DECISION MEMORANDUM
2.5.1.4 BUDGETS
2.5.1.5 APPROPRIATIONS
2.5.1.6 OBLIGATION AUTHORITIES
2.5.1.7 PROGRAM DECISION PACKAGE
2.5.2 PROGRAM MANAGEMENT DOCUMENTS
2.5.2.1 PROGRAM MANAGEMENT DIRECTIVE (PMD)
2.5.2.2 PROGRAM MANAGEMENT PLAN (PMP)
2.5.2.3 CONFIGURATION MANAGEMENT PLAN (CMP)
2.5.2.4 SOURCE SELECTION PLAN (SSP)
2.5.2.5 PROPOSAL EVALUATION GUIDE (PEG)
2.5.2.6 ACQUISITION DECISION MEMORANDUM
2.5.2.7 ACQUISITION PROGRAM BASELINES
2.5.2.8 COMPUTER RESOURCES LIFE-CYCLE MANAGEMENT PLAN (CRLCMP)
2.5.2.9 TEST AND EVALUATION MASTER PLAN (TEMP)
2.5.2.10 INTEGRATED LOGISTICS SUPPORT PLAN (ILSP)
2.5.3 MISSION USER DOCUMENTS
2.5.3.1 MISSION NEED STATEMENT (MNS)
2.5.3.2 JUSTIFICATION FOR MAJOR SYSTEMS NEW START
2.5.3.3 SYSTEM THREAT ASSESSMENT REPORT (STAR)
2.5.3.4 OPERATIONAL REQUIREMENTS DOCUMENT (ORD)
2.5.3.5 SECURE AUTOMATED INFORMATION SYSTEM REQUIREMENTS DOCUMENT (AISRD)
2.5.3.6 FUNCTIONAL DESCRIPTION
2.5.3.7 SYSTEM/SUBSYSTEM SPECIFICATIONS
2.5.3.8 SOFTWARE UNIT SPECIFICATIONS
2.5.3.9 CONTRACTING DOCUMENTS
2.5.3.10 INFORMATION FOR BID
2.5.3.11 REQUEST FOR QUOTE (RFQ)
2.5.3.12 REQUEST FOR INFORMATION (RFI)
2.5.3.13 REQUEST FOR PROPOSAL
2.6 REFERENCES
2.6.1 GENERAL DOCUMENTS
2.6.2 PLANNING AND FINANCIAL MANAGEMENT DOCUMENTS
2.6.3 CONTRACTING DOCUMENTS
2.6.4 PROGRAM MANAGEMENT DOCUMENTS
2.6.5 MISSION USER DOCUMENTS
2.6.6 DOCUMENTS FOR BOTH PROGRAM MANAGEMENT AND MISSION USER
3 COMPUTER SECURITY
3.1 INTRODUCTION
3.2 COMPUTER SECURITY REQUIREMENTS
3.2.1 SECURITY POLICY
3.2.1.1 SECURITY PROTECTION OTHER THAN COMPUSEC
3.2.1.2 COMPUSEC PROTECTION
3.2.2 TRUSTED COMPUTING BASE
3.2.2.1 THE DIVISIONS/CLASSES
3.2.2.2 THE REQUIREMENTS
3.2.2.2.1 SECURITY POLICY
3.2.2.2.1.1 Discretionary Access Control (DAC) (all classes):
3.2.2.2.1.2 Object Reuse (Class C2 and above):
3.2.2.2.1.3 Labels (Class B1 and above):
3.2.2.2.1.4 Label Integrity (Class B1 and above):
3.2.2.2.1.5 Exchanging Labeled Information (Class B1 and above):
3.2.2.2.1.6 Labeling Human-Readable Output (Class B1 and above):
3.2.2.2.1.7 Mandatory Access Control (Class B1 and above):
3.2.2.2.1.8 Subject Sensitivity Labels (Class B2 and above):
3.2.2.2.1.9 Device Labels (Class B2 and above):
3.2.2.2.2 ACCOUNTABILITY
3.2.2.2.2.1 Identification and Authentication (all classes):
3.2.2.2.2.2 Audit (Class C2 and above):
3.2.2.2.2.3 Trusted Path (Class B2 and above):
3.2.2.2.3 ASSURANCE
3.2.2.2.3.1 System Architecture (all classes):
3.2.2.2.3.2 System Integrity (all classes):
3.2.2.2.3.3 Covert Channel Analysis (Class B2 and above):
3.2.2.2.3.4 Trusted Facility Management (Class B2 and above):
3.2.2.2.3.5 Security Testing (all classes):
3.2.2.2.3.6 Design Specification and Verification (Class B1 and above):
3.2.2.2.3.7 Configuration Management (Class B2 and above):
3.2.2.2.3.8 Trusted Recovery (Class B3 and above):
3.2.2.2.3.9 Trusted Distribution (Class A1):
3.2.2.2.4 DOCUMENTATION
3.2.2.2.4.1 Security Features User's Guide (all classes):
3.2.2.2.4.2 Trusted Facility Manual (all classes):
3.2.2.2.4.3 Test Documentation (all classes):
3.2.2.2.4.4 Design Documentation (all classes):
3.3 SOFTWARE
3.3.1 PRINCIPAL SOFTWARE FACTORS
3.3.1.1 STRUCTURE AND DISCIPLINE
3.3.1.2 COST ESTIMATING
3.3.1.3 PROGRAMMING LANGUAGE
3.3.1.4 DATABASE MANAGEMENT SYSTEMS (DBMSs)
3.3.1.5 UTILITIES
3.3.2 THE PROCESS
3.3.3 MANAGING SOFTWARE DEVELOPMENT
3.3.3.1 DESIGN DOCUMENTATION
3.3.3.1.1 SECURITY POLICY
3.3.3.1.2 MODEL
3.3.3.1.3 DESCRIPTIVE TOP-LEVEL SPECIFICATION
3.3.3.1.4 FORMAL TOP-LEVEL SPECIFICATION
3.3.3.1.5 SYSTEM/SUBSYSTEM SPECIFICATION ("B" SPECIFICATION) AND UNIT SPECIFICATION ("C" SPECIFICATION)
3.3.3.2 PROGRAMMING
3.3.3.3 TESTING
3.3.3.4 CONFIGURATION MANAGEMENT
3.3.3.5 AUDIT
3.3.3.6 PASSWORD GENERATION AND MANAGEMENT
3.3.3.7 TCB IMPLEMENTATION CORRESPONDENCE
3.3.4 CLASSIFIED SOFTWARE
3.3.5 ACQUISITION TASKS
3.4 HARDWARE
3.4.1 PRINCIPAL HARDWARE FACTORS
3.4.1.1 INITIAL PROGRAM LOAD (IPL)
3.4.1.2 PROCESSOR STATES
3.4.1.3 PROTECTION DOMAIN GRANULARITY
3.4.1.4 SENSITIVITY LABEL MAPPING TO PROTECTION DOMAIN
3.4.1.5 INTEGRITY CHECKING MECHANISMS
3.4.1.6 DIRECT MEMORY ACCESS (DMA) PROTECTION
3.4.1.7 ASYNCHRONOUS EVENT MECHANISMS
3.4.2 CAVEATS
3.4.3 MANAGING HARDWARE
3.4.3.1 IDENTIFY SECURITY PROTECTION FUNCTIONS
3.4.3.1.1 SECURITY PROTECTION CAPABILITIES
3.4.3.1.2 HARDWARE INFORMATION
3.4.3.1.3 SPECIFIC DETAILS ON THE HARDWARE FEATURES
3.4.3.2 CONFIGURATION MANAGEMENT, MAINTENANCE, AND
3.5 NETWORKS
3.6 COVERT CHANNELS
3.6.1 DETECTION
3.6.2 RATES
3.6.3 COVERT CHANNEL ANALYSIS
3.7 MAGNETIC REMANENCE
3.7.1 GUIDELINES
3.7.2 REQUIREMENTS
3.7.3 MAINTENANCE
3.7.4 DECLASSIFICATION AND DESTRUCTION
3.8 RATIONALE FOR SINGLE-ENTITY APPROACH
3.8.1 INTERPRETING THE ORANGE BOOK
3.8.2 PROCUREMENT CONSTRAINTS
3.8.3 MULTIPLE-ENTITY SYSTEMS
3.8.3.1 ENTITY PROTECTION
3.8.3.2 ENTITIES WITH THE SAME DIVISION/CLASS
3.8.4 RECOMMENDATIONS
3.8.5 WHAT TO DO IN THE MEANTIME
3.9 REFERENCES
4 THREAT RISK MANAGEMENT - ANALYSIS, DESIGN, AND IMPLEMENTATION
4.1 INTRODUCTION
4.2 SECURITY REQUIREMENTS
4.2.1 DOCUMENTING SECURITY REQUIREMENTS
4.2.2 SYSTEM SECURITY PLAN
4.2.3 SECURITY POLICY
4.2.3.1 REGULATORY
4.2.3.2 OPERATIONAL
4.2.4 SYSTEM SECURITY CONCEPT OF OPERATIONS (SSCONOPS)
4.2.5 ACQUISITION SYSTEM PROTECTION PROGRAM (ASPP)
4.3 RISK ASSESSMENT
4.3.1 RISK INDEX
4.3.1.1 DATA SENSITIVITY
4.3.1.2 USER CLEARANCE
4.3.1.3 REQUIRED TRUSTED COMPUTING BASE
4.3.2 SECURITY MODE OF OPERATION
4.3.2.1 DEDICATED SECURITY MODE
4.3.2.2 SYSTEM HIGH SECURITY MODE
4.3.2.3 PARTITIONED SECURITY MODE
4.3.2.4 MULTILEVEL SECURITY MODE
4.4 COST/BENEFIT ANALYSIS
4.4.1 PERFORMING THE ANALYSIS
4.4.2 SATISFYING SECURITY REQUIREMENTS
4.4.3 RELATION TO SYSTEM LEVEL ANALYSES
4.4.4 EXAMPLES OF TRADEOFFS
4.5 THREAT ASSESSMENT
4.5.1 THE SYSTEM THREAT ASSESSMENT REPORT (STAR)
4.5.2 FORWARDING THE INFORMATION
4.5.3 VALIDATION BY THE DIA
4.5.4 CLANDESTINE VULNERABILITY ANALYSIS
4.6 RISK ANALYSIS
4.6.1 DIFFICULTIES
4.6.2 PERFORMING A SUBJECTIVE ANALYSIS
4.6.3 FACTORS IN A RISK ANALYSIS METHODOLOGY
4.7 SAFEGUARD SELECTION AND IMPLEMENTATION
4.7.1 DEVELOPER RESPONSIBILITIES
4.7.2 THE DEVELOPMENT ENVIRONMENT
4.7.3 REGULATIONS THAT APPLY TO DEVELOPMENT
4.8 REFERENCES
5 SECURITY TEST AND EVALUATION
5.1 INTRODUCTION
5.2 SECURITY TEST AND EVALUATION
5.2.1 TERMS
5.2.1.1 EVALUATION
5.2.1.2 SECURITY TEST AND EVALUATION
5.2.1.3 ENDORSE
5.2.2 ST&E AND THE ACQUISITION PROCESS
5.2.3 USE OF EVALUATED PRODUCTS
5.2.4 THE EVALUATION PROCESS
5.2.4.1 THE EVALUATED PRODUCTS LIST
5.2.4.2 PRODUCT TYPES
5.2.5 TEST AND EVALUATION (T&E) AND THE LIFE-CYCLE PROCESS
5.2.5.1 DETERMINATION OF MISSION NEED
5.2.5.2 CONCEPT EXPLORATION AND DEFINITION
5.2.5.3 DEMONSTRATION AND VALIDATION
5.2.5.4 ENGINEERING AND MANUFACTURING DEVELOPMENT
5.2.5.5 PRODUCTION AND DEPLOYMENT
5.3 THE TESTING PROCESS
5.3.1 DEVELOPMENTAL TEST AND EVALUATION
5.3.1.1 QUALIFICATION TEST AND EVALUATION (QT&E)
5.3.1.2 PREPRODUCTION QUALIFICATION TEST (PPQT)
5.3.1.3 PRODUCTION QUALIFICATION TEST (PQT)
5.3.2 OPERATIONAL TEST AND EVALUATION
5.3.2.1 INITIAL OPERATIONAL TEST AND EVALUATION (IOT&E)
5.3.2.2 QUALIFICATION OPERATIONAL TEST AND EVALUATION (QOT&E)
5.3.2.3 FOLLOW-ON OPERATIONAL TEST AND EVALUATION (FOT&E)
5.4 PLANNING AND IMPLEMENTING THE ST&E
5.4.1 TEST AND EVALUATION MASTER PLAN (TEMP)
5.4.2 TEST PLANS
5.4.3 TEST REPORTS
5.5 REFERENCES
6 CERTIFICATION AND ACCREDITATION
6.1 INTRODUCTION
6.2 THE CONCEPT
6.2.1 TERMS
6.2.1.1 CERTIFICATION
6.2.1.2 ACCREDITATION
6.2.2 THE PROCESS
6.3 METHODOLOGY
6.3.1 TEAM APPROACH
6.3.2 GOVERNMENT OR CONTRACTOR PERSONNEL
6.3.3 ITERATIVE PROCESS
6.3.4 STRATEGY
6.4 CERTIFICATION
6.4.1 KEY ELEMENTS
6.4.1.1 ANALYSIS OF SECURITY FEATURES
6.4.1.2 SUPPORTING DOCUMENTATION
6.4.1.3 SUPPLEMENTARY DOCUMENTATION
6.4.2 GOVERNMENT-CONDUCTED CERTIFICATION ACTIVITIES
6.4.2.1 PLANNING
6.4.2.1.1 HIGH-LEVEL REVIEWS
6.4.2.1.2 PLACING BOUNDARIES ON THE EFFORT
6.4.2.1.3 PARTITIONING THE WORK AMONG AVAILABLE ANALYSTS
6.4.2.1.4 SCHEDULING AND PLANNING
6.4.2.1.5 IDENTIFYING AREAS TO EMPHASIZE
6.4.2.1.6 SKETCHING OUT THE DOCUMENTATION REQUIREMENTS
6.4.2.1.7 ASSUMPTIONS AND CONSTRAINTS
6.4.2.2 DATA COLLECTION
6.4.2.3 CERTIFICATION EVALUATION
6.4.2.3.1 SECURITY REQUIREMENTS EVALUATION
6.4.2.3.2 SECURITY PROTECTION FEATURE EVALUATION
6.4.2.3.3 SECURITY CONTROL IMPLEMENTATION
6.4.2.3.4 METHODOLOGY REVIEW
6.4.2.4 REPORT OF FINDINGS
6.4.2.5 CLASSIFICATION OF FINDINGS
6.5 ACCREDITATION
6.5.1 CONSIDERATIONS
6.5.1.1 THE MISSION
6.5.1.2 THE THREAT
6.5.1.3 THE COUNTERMEASURES
6.5.1.4 THE RISK
6.5.1.5 THE COST
6.5.2 KEY ELEMENTS
6.5.2.1 ASSESSMENT OF RISK
6.5.2.2 SUPPORTING DOCUMENTATION
6.5.3 CONTRACTOR-PROVIDED ACCREDITATION SUPPORT
6.5.3.1 STATEMENT OF WORK TASKS
6.5.3.1.1 ACCREDITATION PLAN
6.5.3.1.2 ACCREDITATION SUPPORT
6.5.3.2 GOVERNMENT REVIEW
6.5.3.2.1 ACCREDITATION PLAN
6.5.3.2.2 ACCREDITATION SUPPORT
6.5.3.3 BRIEFING
6.5.4 GOVERNMENT-CONDUCTED ACCREDITATION ACTIVITIES
6.5.5 MANAGING PROBLEMS
6.5.5.1 THE DECISION
6.5.5.1.1 GRANT FULL OPERATIONAL AUTHORITY
6.5.5.1.2 GRANT CONDITIONAL OPERATIONAL AUTHORITY
6.5.5.1.3 GRANT LIMITED OPERATIONAL AUTHORITY
6.5.5.2 CAVEATS
6.5.5.3 PROVIDING ADDITIONAL SECURITY PROTECTION FEATURES
6.5.5.3.1 ADDING CONTROLS
6.5.5.3.2 RESTRICTING PROCESSING
6.5.5.3.3 REMOVING VULNERABLE FUNCTIONS
6.5.5.3.4 RESTRICTING USERS
6.5.5.3.5 REMOVING REMOTE ACCESS
6.6 HANDLING RESTRICTIONS AND SENSITIVITY MARKINGS
6.7 REFERENCES
7 MANAGING THE ACQUISITION OF SECURE SYSTEMS
7.1 INTRODUCTION
7.2 MANAGEMENT POLICY AND OBJECTIVES
7.2.1 POLICY
7.2.2 OBJECTIVES
7.2.3 THE FUTURE
7.2.4 USER EDUCATION
7.3 PROGRAM MANAGEMENT ACTIVITIES
7.3.1 PLANNING
7.3.1.1 HOW THE PROGRAM MADE IT THIS FAR
7.3.1.2 INADEQUATE RESOURCES
7.3.1.3 HEADS-UP
7.3.2 MANAGEMENT
7.3.2.1 CONTROL MECHANISM
7.3.2.2 LIFE-CYCLE SUPPORT
7.3.3 COMMUNICATION
7.3.3.1 SECURITY MANAGEMENT
7.3.3.2 TECHNICAL REPRESENTATIVE FOR CONTRACTS
7.3.4 COORDINATION
7.3.4.1 STANDARD AUTOMATED INFORMATION SYSTEM ASSETS
7.3.4.1.1 LEAD-TIMES
7.3.4.1.2 INCREASE IN TRUSTED SYSTEMS
7.3.4.2 COORDINATION WITH NSA
7.4 PREPARING THE PROGRAM PLAN
7.4.1 ISSUES PRIOR TO PLAN PREPARATION
7.4.1.1 LOW COST
7.4.1.1.1 HARDWARE REUSE
7.4.1.1.2 SOFTWARE REUSE
7.4.1.1.3 OTHER SOURCES
7.4.1.2 PROGRAM FUNDING PROFILE
7.4.1.3 PROGRAM STATUS REPORTING
7.4.2 PROGRAM MANAGEMENT PLAN
7.4.2.1 PROGRAM MANAGEMENT STRUCTURE
7.4.2.2 "CALL-OUT" OF SUPPORT PLANS
7.5 CONCEPT DEVELOPMENT
7.5.1 CONCEPT OF OPERATIONS
7.5.2 CONCEPT OF ENGINEERING
7.5.3 CONCEPT OF MAINTENANCE
7.5.4 CONCEPT AND SUPPORT PLANS
7.6 SUPPORT PLANS
7.6.1 SUPPORT PLANS RELATED TO THE CONCEPT OF OPERATIONS
7.6.1.1 SURVIVABILITY SUPPORT PLAN
7.6.1.2 TRAINING SUPPORT PLAN
7.6.2 SUPPORT PLANS RELATED TO THE CONCEPT OF ENGINEERING
7.6.2.1 CONTRACTING AND ACQUISITION SUPPORT PLAN
7.6.2.2 SOURCE SELECTION PLAN
7.6.2.3 CONFIGURATION MANAGEMENT PLAN (CMP)
7.6.2.4 SOFTWARE DEVELOPMENT SUPPORT PLAN
7.6.2.5 HARDWARE AND SOFTWARE TURNOVER SUPPORT PLAN
7.6.2.6 TEST AND EVALUATION MASTER PLAN (TEMP)
7.6.2.7 QUALITY ASSURANCE SUPPORT PLAN
7.6.3 SUPPORT PLANS RELATED TO THE CONCEPT OF MAINTENANCE
7.6.3.1 MAINTENANCE PLANNING SUPPORT PLAN
7.6.3.2 SUPPLY SUPPORT PLAN
7.6.3.3 SUPPORT EQUIPMENT PLAN
7.6.3.4 TECHNICAL DATA SUPPORT PLAN
7.6.3.5 COMPUTER RESOURCES LIFE-CYCLE MANAGEMENT PLAN (CRLCMP)
7.6.3.6 PACKING, HANDLING, STORAGE, AND TRANSPORTATION
7.7 LIFE-CYCLE PHASES AND DATA DELIVERABLES
7.7.1 FINEST BREAKDOWN OF LIFE-CYCLE PHASES
7.7.2 GOVERNMENT/CONTRACTOR PERSONNEL MIX
7.7.3 DATA DELIVERABLES
7.7.3.1 CONCEPT AND DEFINITION PHASE
7.7.3.1.1 EARLY PLANNING DOCUMENTS
7.7.3.1.2 MORE SPECIFIC PLANS
7.7.3.1.3 EARLY WORK EFFORT
7.7.3.2 DESIGN, DEVELOPMENT, AND TEST PHASE
7.7.3.2.1 ENGINEERING SPECIFICATIONS
7.7.3.2.2 TEST DOCUMENTATION
7.7.3.2.3 OTHER TECHNICAL DOCUMENTS
7.7.3.3 OPERATION AND IMPLEMENTATION PHASE
7.7.3.3.1 USER DOCUMENTATION
7.7.3.3.2 ACCREDITATION SUPPORT
7.7.4 USE OF DOD 5010.12-L ACQUISITION MANAGEMENT SYSTEM AND DATA REQUIREMENTS CONTROL LIST (AMSDL)
7.7.4.1 AMSDL ORGANIZATION
7.7.4.2 WHAT THE AMSDL DOES NOT CONTAIN
7.7.5 DELIVERABLE MEDIA
7.8 FIELDING THE SYSTEM
7.8.1 PROGRAM MANAGEMENT RESPONSIBILITY TRANSFER
7.8.2 COMPLETION OF CERTIFICATION
7.8.3 THE FIELDED SYSTEM
7.9 REFERENCES
APPENDIX A HISTORICAL BASIS
A.1 INTRODUCTION
A.2 DISCUSSED IN THE ORANGE BOOK
A.3 SINCE THE ORANGE BOOK
APPENDIX B PLAN AND DELIVERABLE DOCUMENT SUMMARIES
B.1 DOCUMENTS RELATED TO FUNCTIONAL AREAS
B.1.1 PLANNING AND FINANCIAL MANAGEMENT DOCUMENTS
B.1.2 PROGRAM MANAGEMENT DOCUMENTS