See NETCOM Operational Tactics, Techniques, and Procedures, "Stand-Alone Information System and Closed Restricted Network Assessment and Authorization," Version 1.0, 27 June 2016 on RMFKS US Army Component Workspace - Operations
page.
Highlights:
-
Authorizing Official (AO) authorizes Stand-Alone System (SIS) or Closed Restricted Network (CRN) through eMASS.
-
SCA-O performs the functions of SCA-V, SCA-R, and SCA-A. The SCA-O must be designated in writing and approved by the AO, and is usually the O-ISSM or P-ISSM.
-
4 types: I - IV (see below)
-
Type IV CRNs require MOA, SLA, or ISA that clearly defines all parties' security reponsibilities.
-
Register in APMS and eMASS. eMASS record has special formatting requirements ("CRN - T#").
-
Controls which are applicable per the categorization and/or overlay that are not intended to be implemented by the PM/ISO must be marked "Planned" in the Implementation Plan with comments that explain why implementing the control will cause unacceptable degradation of the mission or increase in project cost. The Estimated Completion date must be set to approximately one year from the date that the Implementation Plan is completed. Each "Planned to Not Implement" control must be reviewed during the annual security review required by FISMA.
-
DoD Public Key Enabling (PKE) not required.
-
For Type I and II, the following HBSS modules can be implemented without an HBSS server (e.g. ePO) but require manual updates. Contact the HBSS Program Office for assistance:
-
Antivirus/Antispyware
-
McAfee Agent
-
Asset Baseline Monitor
-
Device Control Module
-
Host Intrustion Prevention System
-
-
For Type III SiS and Type IV CRN, HBSS can be fully implemented (e.g. ePO) but with manual updates and no upstream reporting. All SIS or CRN that determine implementing HBSS in any fashion is infeasible and that the risks of doing so are acceptable must seek a waiver (how?).
-
HBSS components must be updated IAW the categorization of the system (high water mark) per Table 1 (30 days to 1 year).
-
SIS and CRN are not required to use Defense Enterprise Email (DEE).
-
Type I and II SIS cannot support implementing ACAS.
-
Type III SIS and Type IV CRN are capable of utilizing an instance of ACAS for vulnerability scanning. Instructions for implementing a stand-alone instance of ACAS can be found on the DoD Patch Repository: https://patches.csd.disa.mil) under ACAS>ACAS Software>ACAS Stand-alone Guidance.
-
Vulnerabilty scanning to determine compliance with STIGs, SRGs, and IAVMs must be performed IAW Table 1 depending on the high water mark of the information type(s) received, processed, stored, transmitted, or displayed on the system.
-
The NETCOM SCA-R will audit three SIS/CRN records per quarter IAW the checklist in Appendix B.
-
The SCA-O creates the Security Assessment Report (SAR) and an SCA-O recommendation memorandum IAW the NETCOM SCA-V TTP.
The following artifacts are required in the Artifacts section of the Security Plan Approval Package:
-
CONOPS (see TTP for details)
-
System Authorization Boundary Diagram
-
Hardware/Software/Firmware List
-
Rational for marking the system a SIS or CRN (can be part of CONOPS)
-
Any approvals for exceptions granted by HQDA CIO/G-6
Critical Controls per Appendix C: Critical Controls Table cannot be marked as "Planned to Not Implement" without further mitigations beyond physical or cryptographic isolation. These controls cannot be marked as risk acceptated unless exceptional compelling reasons are provided. Controls do not need to be added if they are not part of the baseline based on the system categorization.
Number of critical security controls by SIS or CRN type:
- Type I (Stand-Alone System - No Media): 108
- Type II (Stand-Alone System - with Media): 107
- Type III (Stand-Alone Network): 136
- Type IV (Closed Restricted Network): 143
- https://rmfks.osd.mil/rmf/collaboration/Component%20Workspaces/USArmyCW/USArmyOperations/Pages/default.aspx?RootFolder=%2frmf%2fcollaboration%2fComponent%20Workspaces%2fUSArmyCW%2fUSArmyOperations%2fRMF%20Operations%20Document%20Library%2fTTPs%2fStand%20Alone%20%2d%20Close%20Restricted%20Network&FolderCTID
- US Army NETCOM Stand-Alone System and Closed Restricted Network Assessment and Authorization Operational Tactics, Techniques, and Procedures, Version 1.0, 27 June 2016.
No comments:
Post a Comment