FOR OFFICIAL USE ONLY




TRICARE Management Activity


TRICARE MANAGEMENT ACTIVITY SEMI-AUTOMATED
   APPLICATION ASSESSMENT PROCESS FOR
 STAND-ALONE AND INTEGRATED APPLICATIONS


         REVIEWER’S PROCEDURE MANUAL




                           VERSION 2.1
                           October 2007




                            Prepared by:
   Military Health System (MHS)/TRICARE Management Activity (TMA)
               Office of the Chief Information Officer (OCIO)
                 Information Assurance (IA) Program Office




TSAAP Reviewer Procedure Manual                                    June 2007




                                                       TABLE OF CONTENTS
1       INTRODUCTION ..............................................................................................................................................1
    1.1          Authority ...................................................................................................................................................1
    1.2          Applicability and Scope............................................................................................................................2
    1.3          Available Information Assurance Security Assessment Tools ..............................................................2
    1.4          Organization of TSAAP ...........................................................................................................................3
    1.5          References .................................................................................................................................................3

2       TRICARE MANAGEMENT ACTIVITY SEMI-AUTOMATED APPLICATION ASSESSMENT PROCESS ...........5
    2.1          Generic Checks .........................................................................................................................................7
        2.1.1         Identification and Authentication ......................................................................................................8
        2.1.2         User Account Management .................................................................................................................8
        2.1.3         Data Protection ....................................................................................................................................8
        2.1.4         Audit .....................................................................................................................................................8
        2.1.5         Application Operation .........................................................................................................................8
        2.1.6         Production Application Configuration ..............................................................................................8
        2.1.7         Enclave Impact .....................................................................................................................................9
        2.1.8         Application Configuration and Authorization ..................................................................................9
        2.1.9         Mobile Code .........................................................................................................................................9
        2.1.10            Code Based Elements ......................................................................................................................9
        2.1.11            MHS/TMA Required Checks .........................................................................................................9
    2.2          Lab Checks ................................................................................................................................................9
        2.2.1         Application Configuration and Authorization ................................................................................ 10
        2.2.2         Code Based Elements......................................................................................................................... 10
    2.3          Production Checks .................................................................................................................................. 10
        2.3.1         User Account Management ............................................................................................................... 10
        2.3.2         Application Operation ....................................................................................................................... 10
        2.3.3         Production Application Configuration ............................................................................................ 10
        2.3.4         Enclave Impact ................................................................................................................................... 10
        2.3.5         Application Configuration and Authorization ................................................................................ 10
    2.4          Application Security Domain Requirements ........................................................................................ 10
        2.4.1         Application Interaction with Underlying Host ................................................................................ 10
        2.4.2         General Use of Cryptography ........................................................................................................... 11
        2.4.3         Design and Coding ............................................................................................................................. 11
        2.4.4         Identification and Authentication .................................................................................................... 11



         2.4.5       Authorization and Session Control .................................................................................................. 11
         2.4.6       Access Control .................................................................................................................................... 11
         2.4.7       Confidentiality.................................................................................................................................... 11
         2.4.8       Integrity .............................................................................................................................................. 11
         2.4.9       Availability ......................................................................................................................................... 11
         2.4.10           Accountability ............................................................................................................................... 11
         2.4.11           Non-Repudiation ........................................................................................................................... 11
         2.4.12           Preparation for Deployment ........................................................................................................ 11

3        APPLICATION PRE-ASSESSMENT PROCESS ........................................................................................ 12
    3.1          Military Health System/TRICARE Management Activity Application Assessment Checklist Process ...... 12
    3.2          Certification Methodology ..................................................................................................................... 14
         3.2.1       Pre-Kickoff Activities ........................................................................................................................ 14
         3.2.2       Kickoff Activities ............................................................................................................................... 15

4        APPLICATION ASSESSMENT TESTING PROCEDURES ..................................................................... 17
    4.1          Pre-Baseline Application Assessment Process...................................................................................... 19
    4.2          Onsite Application Assessment Baseline Process ................................................................................. 19
    4.3          Post Baseline Application Assessment Process..................................................................................... 20
    4.4          Pre-Site Mitigation Application Assessment Process .......................................................................... 21
    4.5          Onsite Application Assessment Mitigation Process ............................................................................. 21
    4.6          Post Mitigation Application Assessment Process ................................................................................. 22
    4.7          Server Overview ..................................................................................................................................... 23
    4.8          Oracle Database Information ................................................................................................................ 24
    4.9          SQL Database Information .................................................................................................................... 24
    4.10         DB2 Database Information .................................................................................................................... 24
    4.11         Sybase Database Information ................................................................................................................ 25

5        ACRONYMS .................................................................................................................................................... 26







1 INTRODUCTION
The TRICARE Management Activity (TMA) Semi-automated Application Assessment Process
(TSAAP) Reviewer Procedure Manual provides an overview of the TSAAP as a tool for
conducting application risk assessments. The Military Health System (MHS)/TMA Information
Assurance (IA) Team and the Application Program Office are the intended audience for this
manual. The TSAAP Reviewer Procedure Manual is intended to establish the framework and
provide an overview of the tools necessary to conduct an application risk assessment to achieve
compliance with the Department of Defense (DoD) IA Certification and Accreditation Process
(DIACAP) and MHS/TMA’s requisite security requirements.
DIACAP will be used to ensure the visibility and control of the implementation of IA
capabilities and services for the MHS/TMA IA Program Office application risk assessment
process. TSAAP will be used to test for the implementation of IA capabilities, services, and
accreditation decisions authorizing the operation of the application to include web services-
enabled software systems and associated devices. The use of TSAAP will validate compliance
with Federal, DoD and MHS/TMA IA Program Office requirements.
The TSAAP describes security requirements to be applied to the application, application server,
databases, hosted web applications, and services used in the DoD environments. The TSAAP
provides both general and product-specific security guidance across all application security
domains. Vendor and open source implementation of application server functions varies as most
open source and commercial products provide only subsets of the available security-related
options and configurations.
The TSAAP assigns responsibilities to the engaged personnel, including the Application Owner,
Data Owner, Application Server Administrator, and the MHS/TMA IA Team. The Application
Server Administrator is assigned the privileges, access, and responsibility to configure and
maintain the security and operation of the evaluated application, application server, databases
and network devices.
TSAAP is designed to reduce the risk associated with the application to a “Low Risk” and to
establish a security posture that meets the Federal, DoD and MHS/TMA IA Program Office
security requirements for all applications. For integrated application assessments, application
servers are evaluated separately using the DISA Production Gold Disk (PGD) and MHS/TMA
IA automated scanning tools.
1.1   Authority
DoD Directive 8500.1 requires that “all Information Assurance (IA) and IA-enabled Information
Technology (IT) products incorporated into DoD information systems shall be configured in
accordance with DoD-approved security configuration guidelines” and tasks DISA to “develop
and provide security configuration guidance for IA and IA-enabled IT products in coordination
with the Director of National Security Agency (NSA).” This document is provided under the
authority of DoD Directive 8500.1 and DoD Instruction 8500.2. The use of the processes and
guidelines outlined in the TSAAP will provide an environment that meets or exceeds the security
requirements of DoD systems operating at the Mission Assurance Category (MAC) II and III and
the Confidentiality level, Sensitive or Public.





1.2       Applicability and Scope
The types of applications covered in the TSAAP include web and non-web applications and risk
assessments for stand-alone and integrated applications. A stand-alone application risk
assessment is an assessment of the software only; the hardware and network components are
assessed as part of a separate risk assessment effort. An integrated application risk assessment
includes the software, hardware, and network components.
The TSAAP encompasses components of an application, including, but not necessarily limited to,
the following items supporting the application:
- Application code
- Web server(s)
- Database server(s)
- Directory and authentication device(s) (e.g., Windows domain controllers, RADIUS, etc.)
- Firewall(s)
- Network and enclave configuration required to support the application
- Operating System (OS) platforms for any of the above
- Documentation review
Stand-alone application risk assessments involve the use of manual checks to assess the
application’s security posture. For an integrated application risk assessment, an SRR is
performed on each of the components listed above. For example, if the application infrastructure
consisted of a front-end web server running on a Windows domain controller and a backend
database running on UNIX, then the assessment would consist of SRRs for the web server,
database, Windows domain controller, and UNIX OS in addition to the application risk
assessment. Automated scans will also be performed as part of the assessment on each of the
individual components as applicable.
1.3       Available Information Assurance Security Assessment Tools
DoD Directive 8500.1 establishes policy and assigns responsibilities to DISA to develop and
provide security configuration guidance for IA and IA-enabled Information Technology (IT)
products, in coordination with the National Security Agency (NSA). Accordingly, the DISA
Field Security Operations (FSO) develops the guidelines.
To complete the application risk assessment, the MHS/TMA IA Team will utilize DISA STIGs
and Checklists, SRRs, and automated security assessment tools as well as conduct any Physical
Security Assessments (PSAs) if required and perform a documentation review.
The MHS/TMA IA Team will utilize the following tools specifically for the stand-alone
application risk assessment:
- TSAAP Reviewer Procedure Manual
- DISA Application Manual Checklists:
    a. DISA Application Services Security Checklist Version
    b. DISA Application Security Checklist
    c. DISA Checklist for applicable databases, OS and network devices
- MHS/TMA IA Program Office Security Test Plan



In addition to the above manual checklists, for an integrated application risk assessment,
compliance with the security requirements for the application’s components will be measured
using the following tools:
- eEye Digital’s Retina Network Security Scanner will be used for vulnerability
  assessments for security policy compliance on workstations, servers, and printers if
  applicable.
- DISA SRR Scripts and Manual Checklists, to include but not limited to, applications,
  Windows NT OSs; UNIX and UNIX variants; databases, web servers, and non-standard
  OS/DBMS.
- DISA PGD (Platinum) will be used on Windows 2000/2003 servers (domain
  controllers/member servers) and Windows 2000/XP Professional workstations.
- Application Security Inc.’s AppDetective will be used to conduct security assessments on
  the following elements for security compliance: Microsoft SQL; Oracle; IBM
  DB2/UDB; mainframe and mid-range platforms; Sybase; MySQL; Oracle Application
  Server; and Lotus Notes/Domino databases.
As noted above, the TSAAP is intended for use in conjunction with other DISA STIGs. The OS
STIGs provide crucial guidance for securing the platforms and associated databases on which
application servers run. The Database STIG and Web Server STIG provide the security
requirements for Database Management Systems (DBMS) and web servers utilized by
application servers. Desktop application security requirements are tested with the DISA PGD.
Together these checklists will validate that application servers are properly secured. The TSAAP
provides guidance on how to utilize the DISA STIG, checklists, SRRs, PGD, and the use of
automated scans for a successful risk assessment.

1.4       Organization of TSAAP
This reviewer’s guide is organized in the following manner:
- Section 1 contains the introduction, authority, applicability and scope, assessment tools,
  and references.
- Section 2 describes the TSAAP and the functional assessment areas, security domains,
  and applicable checks that will be used during the risk assessment.
- Section 3 provides the application risk assessment methodology and pre-assessment
  activities of the application assessment.
- Section 4 provides a step-by-step guide of the application risk assessment and required
  forms to be completed.
- Section 5 contains a list of acronyms used in this document.
1.5       References
The following Federal and DoD policy references were employed to support the MHS/TMA IA
application risk assessment:
- “Interim DoD Certification and Accreditation Process Guidance,” 6 July 2006
- DoD Directive 8500.1, “Information Assurance (IA),” 24 October 2002
- DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” 6 February 2003
- DoD Directive 8100.1, “Global Information Grid (GIG) Overarching Policy,” 19 September 2002
- DoD Directive 8115.01, “Information Technology Portfolio Management,” 10 October 2005
- DoD Public Key Infrastructure (PKI), 12 August 2000
- DISA Application Services Security Checklist Version 1, Release 1.1, dated 31 July 2006 (Web)
- DISA Application Security Checklist Version 2 Release 1.9, dated 24 November 2006
  (Web and Non-Web)
- DISA Application Security Technical Implementation Guides (STIGs)
- Information Assurance Technology Framework Forum (IATFF) version 3.1, September 2002
- “Military Health System (MHS) Information Assurance (IA) Policy Guidance,”
  27 March 2007 and associated implementation guides







2 TRICARE MANAGEMENT ACTIVITY SEMI-AUTOMATED APPLICATION ASSESSMENT PROCESS
During the security testing, a security assessment checklist and identification scan will be
performed on the application and the associated components. To conduct an objective
assessment of the application, the Military Health System (MHS)/TRICARE Management
Activity (TMA) Information Assurance (IA) Team will initiate and conduct all testing activities
using the TMA Semi-automated Application Assessment Process (TSAAP) and the automated
assessment tools when required.
The process described in this section will be adhered to while performing an assessment of an
application and its associated components. The MHS/TMA IA Team will test the application
and the components within the certification boundary and will utilize the TSAAP to evaluate the
following functional assessment areas as outlined in the Defense Information Systems Agency
(DISA) Application Checklist:
- Identification and Authentication (I&A)
- User Account Management
- Data Protection
- Auditing
- Application Operation
- Production Application Configuration
- Enclave Impact
- Mobile Code
- Code Based Checks
These functional assessment areas, shown in Table 2-1, map to the Application Security
Domains as well as the DoD IA Controls.




Functional Application Assessment Area   Application Security Domain                        DoD IA Controls Category
---------------------------------------  -------------------------------------------------  -------------------------------------
I&A                                      Cryptography and I&A                               I&A
User Account Management                  I&A                                                Enclave Boundary Defense
Data Protection                          Cryptography                                       Enclave and Computing Environment
Auditing                                 Integrity; Confidentiality                         Continuity
Application Operation                    Design and Coding; Authorization and Session       Security Design and Configuration
                                         Control; Availability; Application Operation
                                         with Underlying Host
Production Application Configuration     Design and Coding                                  Vulnerability and Incident Management
Enclave Impact                           Design and Coding                                  Security Design and Configuration
Mobile Code                              Design and Coding                                  Enclave and Computing Environment
Code Based Checks                        Design and Coding; Confidentiality; Integrity;     Enclave and Computing Environment
                                         Availability

Table 2-1: Application Checklist Mapping to Application Security Domain and DoD IA Controls

The functional application assessment area checks used by DISA in the application checklist
are further organized into categories relative to the type of environment the application
resides in at the time the risk assessment is conducted. The categories are as follows:
- Generic
- Lab
- Production
Generic Checks
The Generic checks are conducted on all applications regardless of their current or future
operating environment. Additionally, the Generic checks are technology independent.
Lab Checks
The Lab checks are applied to systems that are specifically in a lab environment and to
systems that have not undergone a prior assessment by an MHS/TMA IA Team. A lab
environment includes a development, acceptance, test, or pilot system and is defined as a
pre-production environment in which resources, source code, and configuration are in a
state of change.





Production Checks
The Production checks are applied to deployment environments that are considered the
application’s final location, where the resources have been allocated and assigned, the
configuration has been thoroughly documented and proven stable, and formal reviews are
performed before changes or upgrades are implemented.
The following table illustrates how each of the procedures in the categories listed above
applies to the types of applications undergoing a risk assessment.



Environment/Application Type                    Generic    Lab    Production
----------------------------------------------  -------    ---    ----------
Production Stand-Alone Web Applications            X                  X
Production Stand-Alone Non-Web Applications        X                  X
Production Integrated Web Application              X                  X
Production Integrated Non-Web Application          X                  X
Applications - First time being Risk Assessed      X        X         X
Lab-Based Applications (All types)                 X        X

Table 2-2: TMA Checklist Matrix
For web applications, complete the DISA Application Security Checklist and all checks in
the DISA Application Services Security Checklist. The DISA Application Services Security
Checklist covers securing the following web components:
- Apache Jakarta Tomcat
- Sun's Java JRE
- Sun's Java JVM
- BEA WebLogic
For Microsoft’s .NET and other application servers, refer to DISA’s Application Services
STIG for further guidance.
Refer to the DISA Application Security Checklist for the actual checks to be performed in
the areas described in the subsections below.
2.1 Generic Checks
Generic Checks apply to all environments (e.g., lab, staging, test, production) and are used
regardless of the technology employed (i.e., programming language, operating system [OS],
and hardware).






2.1.1 Identification and Authentication
The Identification and Authentication (I&A) checks in this section are used to evaluate how
users and processes authenticate to the system.
The MHS/TMA IA Engineer will need a point of contact (POC) with administrator privileges
on the hosting information system available to conduct testing.
Prior to beginning the risk assessment, identify all areas of the application that require I&A
and apply these checks to each of those areas.
2.1.2 User Account Management
Checks in this section examine the existing user accounts to determine if any weaknesses
exist.
The MHS/TMA IA Engineer will need to identify where the application access credentials
are stored. If the user accounts are only OS or database accounts, these checks should already
have been examined as part of a separate automated scanning procedure; validate that this
was done.
2.1.3 Data Protection
Data protection relates to the use of permissions and cryptography to protect data while at
rest and in transit. The checks in this section pertain to the protection of sensitive data.
Department of Defense (DoD) Directive 8500.1 Section E2.1.41 defines sensitive data as:
    Information which the loss, misuse, or unauthorized access to or modification of
    could adversely affect the national interest or the conduct of Federal programs, or the
    privacy to which individuals are entitled under Section 552a of Title 5, United States
    Code, "The Privacy Act" but which has not been specifically authorized under criteria
    established by Executive Order or an Act of Congress to be kept secret in the interest
    of national defense or foreign policy (Section 278g-3 of Title 15, United States Code,
    "The Computer Security Act of 1987").
This includes information in routine DoD payroll, finance, logistics, and personnel
management systems. Sensitive data sub-categories include, but are not limited to, the
information classified as “For Official Use Only (FOUO)” and various Privacy Data.
2.1.4 Audit
These checks validate that the correct transactions and system events are audited correctly.
They also ensure that the log files are protected from unauthorized deletion, modification, or
disclosure.
2.1.5 Application Operation
These checks validate that the operation of the application is secure by confirming various
application process checks, for example, role-based access control, authorization
compliance prior to execution, and appropriately set privileges for the application’s
processing/operation.
2.1.6 Production Application Configuration
These checks confirm that the application is configured properly before it is released into the
production environment.



   1.6.7 Enclave Impact
   These checks assess the impact that the application may have on the enclave by validating
   that resources are protected, access control lists (ACLs) are correct, and that ports, protocols,
   and services (PPS) are verified.
   1.6.8 Application Configuration and Authorization
   These checks ensure that the application’s configuration and the authorization of its
   transactions are correct. Examples of checks found in this section include the Warning
   Banner at user logon, confirming that the application does not store user credentials on
   client computers, and confirming that ordinary users cannot perform privileged functions.
   1.6.9 Mobile Code
   These checks validate that the DoD mobile code policy is being correctly enforced. Mobile
   Code is divided into three categories – Category 1 (ActiveX, shell and batch scripts when
   used as mobile code), Category 2 (Java Applets, VBA), and Category 3 (JavaScript,
   VBScript, PDF, and Shockwave/Flash).
   1.6.10 Code Based Elements
   These checks examine the application’s error messages and validate that they do not
   disclose information (such as stack traces, internal paths, or database details) that could
   be used by an attacker.
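   An error handler that returns internal detail to the caller is the usual way this check
   fails. The Python example below is added for illustration and is not taken from this manual
   or from any MHS/TMA application: it contrasts a handler that returns the raw traceback with
   one that logs the detail server-side and returns only a generic message and a reference ID.
   The record store, the error text and the list of disclosure markers are constructed.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

# Constructed stand-in for a data-access layer; not a real database.
_RECORDS = {"1001": {"owner": "jsmith", "status": "active"}}


def lookup_record(record_id: str) -> dict:
    # Validate input before processing: only short, all-digit identifiers are accepted.
    if not (record_id.isdigit() and len(record_id) <= 8):
        raise ValueError(f"invalid record id {record_id!r}")
    try:
        return _RECORDS[record_id]
    except KeyError:
        # Mimics the kind of detail a real data-access error carries (query, host, path).
        raise RuntimeError(
            f"SELECT * FROM records WHERE id='{record_id}' returned no rows "
            "(host=db01.internal, file=/opt/app/dao.py)"
        ) from None


def handle_verbose(record_id: str) -> tuple:
    """Fails the check: the raw traceback, including query text and paths, reaches the client."""
    try:
        return 200, str(lookup_record(record_id))
    except Exception:
        return 500, traceback.format_exc()


def handle_sanitized(record_id: str) -> tuple:
    """Passes the check: detail goes to the server log; the client gets a generic message
    and an opaque reference that support staff can correlate with the log entry."""
    try:
        return 200, str(lookup_record(record_id))
    except ValueError:
        return 400, "The request was not valid."
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {ref}"


# Substrings a reviewer can grep for in captured error responses during this check.
DISCLOSURE_MARKERS = ("Traceback", "SELECT ", "host=", "/opt/", ".py")


def discloses_internals(body: str) -> bool:
    """True if an error body contains any marker of internal detail."""
    return any(marker in body for marker in DISCLOSURE_MARKERS)
```

   During the check the reviewer provokes errors with malformed and non-existent identifiers
   and inspects the full response body, not just the status code; a 500 with a bare reference ID
   is the expected result.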
   1.6.11 MHS/TMA Required Checks
   For the following checks, refer to the DISA MHS/TMA IA Security Test Plan for the
   procedures used to validate that the application meets or exceeds the requirements as
   listed.

                                      MHS/TMA Required Checks
                       New Password After Expiration
                       DAC Access Levels
                       Encrypted Cookies Only For Sensitive Data
                       Audit of Schema Objects


   1.7 Lab Checks
   The checks in this section apply to lab environments and application risk assessments. A lab
   environment is defined as any state that is pre-deployment/pre-production. Pre-production is
   usually a period in which many configuration changes may take place prior to release into the
   production environment.

   1.7.1 Application Configuration and Authorization
   The checks in this section validate that the configuration and authorization of the
   application’s transactions maintain the appropriate level of security and include checks for
   hard-coded credentials and invalid references to network resources.
   1.7.2 Code Based Elements
   These checks ensure that the code behaves securely by checking for residual objects left in
   memory after termination, confirming that user input is validated prior to processing, and
   ensuring that buffer overflows are prevented.
   1.8 Production Checks
   These checks apply to the production (final) configuration and to new application reviews.
   Production checks must be performed in the production environment because it may differ
   from any other environment. Production environments are expected to be well documented and
   static, with formal reviews performed before any change or upgrade takes place.
   1.8.1 User Account Management
   This check examines existing user accounts for possible security weaknesses.
   1.8.2 Application Operation
   This check covers the operational environment of the application and ensures that the
   application operates at the appropriate classification level and within its approved scope.
   1.8.3 Production Application Configuration
   This check validates that the configuration of the application slated for release into the
   production environment keeps the application separate from its data (not collocated on the
   same host) and that unnecessary services are disabled.
   1.8.4 Enclave Impact
   This check validates that the risk to existing applications is minimized when the new
   application is added to the enclave. Risk to both the existing and the new applications is
   minimized, and the availability of the new application ensured, through a disaster recovery
   plan, backup procedures, and maintenance of log files.
   1.8.5 Application Configuration and Authorization
   This check ensures that the configuration of the application and authorization of transactions
   are configured correctly for the production environment.
   1.9 Application Security Domain Requirements
   The Generic, Lab, and Production checks also correspond to the following security domains.
   1.9.1 Application Interaction with Underlying Host
   Verifies how the application should securely interact with its underlying host environment.

   1.9.2 General Use of Cryptography
   These checks verify how the application should use cryptography in general (vs.
   cryptography to implement a particular security service).
   1.9.3 Design and Coding
   Validates requirements for the application’s design and coding to ensure its security.
   1.9.4 Identification and Authentication
   Verifies how the application should implement I&A for users and processes.
   1.9.5 Authorization and Session Control
   These checks verify how the application should implement authorization and session control
   for users and processes.
   1.9.6 Access Control
   Verifies how the application will implement access control on its resources.
   1.9.7 Confidentiality
   Verifies that the application will ensure the confidentiality of the data it handles and uses.
   1.9.8 Integrity
   These checks verify how the application will ensure the integrity of the data it handles, and
   of its own operation and data.
   1.9.9 Availability
   Verifies how the application will ensure the availability of the data it handles, and of its
   own resources and operation.
   1.9.10 Accountability
   Verifies how the application will ensure the accountability of its users.
   1.9.11 Non-Repudiation
   Confirms how the application will ensure non-repudiation of actions performed by its users.
   1.9.12 Preparation for Deployment
   This section verifies that the application is correctly prepared for installation and
   deployment. The MHS/TMA IA Lead Engineer will interview the Application POC to
   ensure that the following action items have been completed:
          Remove Debugger Hooks and Other Developer Backdoors
          Explicit Debugger Commands
          Remove Data-Collecting Trapdoors
          Protect Cookies at Rest and in Transit
          Remove Hard-Coded Credentials
          Remove Default Accounts
          Replace Relative Pathnames
          Remove Sensitive Comments
          Remove Unnecessary Files, Pathnames, and URLs.
          Remove Unneeded Calls
          Run-time Considerations
          Secure Installation and Configuration
          Application Level Auditing
          Preparation for deployment to production
Note: The application will not be migrated to production, and may be removed from the network,
until the above deployment checks are completed.
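   Several of the items above (hard-coded credentials, sensitive comments, debugger hooks) and
   the hard-coded credential check in Section 1.7.1 can be screened with a source scan before
   the interview with the Application POC. The Python scanner below is an added example, not
   part of this manual or of any MHS/TMA tool; its patterns and the sample settings file are
   constructed and illustrative, not a complete ruleset, and every hit still needs manual
   confirmation.

```python
import re

# Each rule: (finding label, compiled pattern). Patterns are illustrative, not exhaustive.
RULES = [
    ("hard-coded credential",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["'][^"']{4,}["']""")),
    ("hard-coded connection string",
     re.compile(r"""(?i)(user(name)?|uid)=[^;'"\s]+;\s*(password|pwd)=[^;'"\s]+""")),
    ("sensitive comment",
     re.compile(r"""(?i)(#|//|/\*|<!--|--)\s*.*\b(todo|fixme|hack|backdoor|bypass|temp(orary)? (password|login))\b""")),
    ("debug hook",
     re.compile(r"""(?i)\b(debug\s*=\s*(true|1)|pdb\.set_trace\(|System\.Diagnostics\.Debugger\.Launch)""")),
]


def scan_source(text: str, filename: str = "<input>") -> list:
    """Return [(filename, line_no, label, stripped line)] for every line that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((filename, line_no, label, line.strip()))
                break  # one label per line keeps the report readable
    return findings


# Constructed settings file with one acceptable line (credential read from the environment).
SAMPLE = '''\
import os
DB_PASSWORD = "Tr1care!2007"          # should come from the vault, not source
conn = "Server=db01;Database=mhs;uid=appsvc;pwd=Summer07;"
# TODO: remove backdoor login before prod
DEBUG = True
api_key = os.environ["APP_API_KEY"]    # acceptable: read from environment
'''


def scan_sample() -> list:
    """Run the scanner over the constructed sample file."""
    return scan_source(SAMPLE, "settings.py")
```

   The scanner flags lines 2 through 5 of the sample and leaves line 6 alone, because the
   credential there is read from the environment rather than written into the source. In a real
   review the same rules would be run over the entire deployment tree, including configuration
   files and build scripts, and each hit confirmed with the Application POC.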

   APPLICATION PRE-ASSESSMENT PROCESS
   The application assessment process depicted below identifies the functional activities for
   conducting an application risk assessment on stand-alone and integrated applications,
   whether web or non-web based.
   1.10 Military Health System/TRICARE Management Activity Application Assessment
   Checklist Process
   Figure 3-1 depicts an overview of the MHS/TMA Application Assessment Process.

   [Figure 3-1 is a flowchart; its boxes are rendered here as a sequence.]

   Swimlanes: Application Owner | TMA Customer Site CD | TMA IA Team

   Inputs: DISA Recommended Standard Application Security Requirements, DISA Application
   STIGs, TMA Requirements, DISA Application Checklists
     -> TMA IA Application Engineers and Application Owner conduct assessment on applications
        (Stand-Alone/Integrated and Web/Non-Web)
     -> Application results: High, Medium and Low findings
     -> Submit findings to RSG; RSG creates Vulnerability Matrix (VM)
     -> TMA IA Engineer reviews/updates VM and verifies new/existing MSRs
     -> TMA CA approves VM and MSRs
     -> VM submitted to Application Owner
     -> Application Owner interfaces with TMA IA Engineer to coordinate discrepancies and
        create new and applicable MSRs
     -> Terminate processing

               Figure 3-1: Overview of the MHS/TMA Application Assessment Process

   1.11       Certification Methodology
   Once the MHS/TMA IA Program Office directs or approves that an application and
   associated components undergo the C&A process, information regarding that decision is
   immediately provided to the MHS/TMA IA Team Program Manager (PM). The MHS/TMA
   IA PM assigns a MHS/TMA IA Team, consisting of at least three members: Team Lead,
   Lead Engineer, and a Security Analyst. For more complex environments, additional
   engineers will be assigned to accommodate the workload. It should be noted that in some
   cases, the team lead will also function as the lead engineer. This section identifies duties
   specifically assigned to the function/role of the team lead and engineer(s).
   1.11.1 Pre-Kickoff Activities
   The following steps should be taken in preparation for the TRICARE Management Activity
   Semi-automated Application Assessment Process (TSAAP) kickoff visit/teleconference:
   1. The MHS/TMA IA Team Lead initiates contact with the Application Program Office
      POC and begins coordinating a mutually agreeable time and/or location for the kickoff
      meeting
   2. The MHS/TMA IA Team Lead contacts the MHS/TMA IA Program Office to ensure that the
      application’s Program Office Budget Analyst is invited to the kickoff. Contact your
      MHS/TMA Representative for the contact information of the Program Office’s
      Contracting Officer (if applicable).
   3. If this is an annual review, follow-up with the Security Posture Questionnaire and
      updated network diagrams.
   4. If application has undergone a previous C&A effort, be sure to obtain the C&A
      documentation and review for an understanding of the application’s capabilities, security
      posture, and operating environment.
          a. If the previous effort was not conducted by the MHS/TMA IA Program Office
             using MAAP/TSAAP, the team must complete a map and gap of the previous risk
             assessment and discuss the deltas with the MHS/TMA IA Program Office
   5. If this is a non-government C&A effort and an NDA has not already been obtained, request
      a Non-Disclosure Agreement (NDA) from the Program Office and provide it to the team’s
      Project Manager for review and approval prior to signing.
   6. The MHS/TMA IA Team Lead prepares the DIACAP notification and coordinates the
      development of a draft certification timeline
   7. The MHS/TMA IA Team Lead prepares a DIACAP information package, which includes
      the following:
          a. Kickoff agenda
                  i. NOTE: As with all meetings, ensure that the TMA and Application
                     Program Office’s Budget Analyst are invited
          b. Draft timeline
                  i. NOTE: Although pre-approved by TMA, this timeline is considered to be
                     “DRAFT” since the Site has not yet had input
          c. Overview of manual checks and automated assessment scanning tool(s)
          d. Letter of Agreement (LOA) for discussion
          e. Site CD containing the TSAAP Reviewer’s Guide, Security Technical
             Implementation Guidelines (STIGs), SRR scripts, Retina/AppDetective/PGD
             Policies, the DISA Application Checklists and references, and C&A
             documentation templates to include the Privacy Impact Assessment (PIA) form.
          f. Application Network/Server Matrix (to be completed by the Program Office)
          g. DIACAP In Brief for Applications
   1.11.2 Kickoff Activities
   The following activities are performed during the kickoff meeting:
   1. MHS/TMA IA Program Office Representative conducts the in brief.
   2. The MHS/TMA IA Program Office Representative works with the Application Program
      Office to identify funding and personnel to assist the MHS/TMA IA Team with the
      TSAAP.
   3. During the kickoff meeting, it should be determined whether the application will be
      assessed as a stand-alone or as an integrated application and as a web or non-web
      application.
   4. If it is determined that the application will introduce new hardware for the servers and
      databases, the MHS/TMA IA Lead Engineer will prepare to perform automated scans of
      the operating system (OS) and databases, where applicable, in addition to the PGD and
      SRRs.
   5. Identify, define, and document the certification boundary applicable to the application
      and/or associate components, such as servers, workstations, databases, etc.
   6. Identify the Data Owner and obtain the Point of Contact (POC) information.
   7. Request a network diagram depicting the certification boundary to include external
      interfaces.
   8. If it is determined that the application will use existing servers and databases, the
      MHS/TMA IA Team Lead will interface with the appropriate IS Team Lead and
      MHS/TMA IA Team Lead for the hosting information system to obtain copies of the
      most current finding and mitigation actions for the applicable servers and databases.
   9. The MHS/TMA IA Team Lead will schedule a technical meeting to:
           a. Provide the Application Program Office with a copy of the Customer Site CD
           b. Review the applicable folders and subfolders on the Customer Site CD with the
                Application POC.
           c. Review the DISA Checklists with the Application POC to determine appropriate
                checks and ensure understanding of how the checks will be performed.
           d. Review the Reviewer’s Procedure Guide to ensure that the Application Owner
              fully understands the application risk assessment process
           e. Complete the requested information and the Server/Network and Database (if
              applicable) matrices identified in Sections 4.7 through 4.11
   10. Submit Letter of Agreement (LOA) to the Application POC for review and to identify the
       signature authority
   11. Obtain and begin reviewing the application C&A documentation.
   12. Obtain a matrix of user types and associated functions within the application which may
       be found in the system application documentation.
   13. Obtain dataflow diagram which may be found in the system application documentation.
   14. Work with Application Program Office to coordinate the use of a client machine to be
       used for testing

APPLICATION ASSESSMENT TESTING PROCEDURES
The following subsections define the activities that will take place during onsite application risk
assessment visits. The processes described in this section will be followed while performing
the baseline and mitigation assessment of applications and associated components. The Military
Health System (MHS)/TRICARE Management Activity (TMA) Information Assurance (IA)
Team will test the application and associated components within the certification boundary using
the following assessment tools:
      Retina Network Vulnerability Assessment Tool
      AppDetective Vulnerability Assessment Tool
      Defense Information Systems Agency (DISA) Security Readiness Review (SRR)
      DISA Production Gold Disk (PGD) – Platinum Policy
      DISA Application Manual Checklists:
       o Application Services Security Checklist Version 1 Release 1.1, 31 July 2006
       o Application Security Checklist Version 2 Release 1.9, 24 November 2006
      DISA Checklist for applicable databases, Operating System (OS) and network devices
      MHS/TMA IA Required Checks
       For the following checks, reference and follow the Security Test Plan for specific
       procedures to ensure that the application meets or exceeds the requirements as applicable.

                                         MHS/TMA Checks
                        New Password After Expiration
                        DAC Access Levels
                        Encrypted Cookies Only For Sensitive Data
                        Audit of Schema Objects

Figure 4-1 depicts an overview of the implementation of the application assessment procedures.

   [Figure 4-1 is a flowchart; its boxes are rendered here as a sequence.]

   Swimlanes: Application Owner/Program Office | TSAAP | TMA IA Engineers

   Conduct assessment on application using the most current versions of the DISA Checklists
   and STIGs
     -> Decision: will the application use existing servers, databases and network devices on
        the TRICARE network?
          No:  perform automated scans of the OS, network devices and databases in addition to
               the PGD and SRRs.
          Yes: interface with the appropriate TMA IA Team Lead and Engineers to obtain copies
               of the most current findings and mitigation actions for the applicable servers,
               databases and network devices.
     -> TMA IA Team and RSG create/update and QA the Vulnerability Matrix (VM) and MSRs
     -> Submit VM and MSRs for approval by the Certifying Authority
     -> Approved VM and MSRs submitted to the Application Owner/Program Office
     -> Decision: post baseline?
          No:  Application Owner/Program Office performs the mitigation process and starts the
               post-mitigation process (the assessment is repeated).
          Yes: TMA IA Team develops and QAs a Risk Assessment Report
               -> Risk Assessment Report and C&A Package are revised and signed by the
                  Certifying Authority
               -> Migrate applications to production if new servers, and conduct any residual
                  production verifications
               -> Terminate processing

               Figure 4-1: Application Assessment Implementation Procedure Overview

1.12 Pre-Baseline Application Assessment Process
   1. Prepare for onsite baseline application risk assessment testing activities.
   2. Verify that the Server/Network and Database (if applicable) matrices are completed.
   3. Complete the C&A Boundary MOA and obtain a copy of the network diagram depicting
      the certification boundary, and submit them to the TMA Regional Support Group (RSG)
      along with the Server/Network and Database Matrices and the C&A Boundary MOA
      Routing Slip (and the Security Posture Questionnaire if this is an annual review).
   4. Verify traceability between the certification boundary, network diagram, and the
      Server/Network and Database Matrices.
   5. Develop and obtain approval for the Security Test Plan.
   6. The MHS/TMA IA Team Lead obtains signatures authorizing the MHS/TMA IA Team
      to conduct an onsite risk assessment of the application and associated components.
   7. The MHS/TMA IA Team prepares for onsite visit for the baseline risk assessment of
      application(s)/components.
   8. If this is an annual review or re-assessment and no changes or upgrades have occurred,
      review the previously approved Mitigation Strategy Reports (MSRs) and submit to the
      RSG for pre-approval.
   9. The MHS/TMA IA Lead Engineer will print a hardcopy of the DISA Applications
      Checklists from the version of the Customer Site CD that was provided to the Program
      Office during the kickoff.
   10. The MHS/TMA IA Lead Engineer will review all manual checks and procedures in the
       checklist and will ensure that all processes and procedures are fully understood.
   11. MHS/TMA IA Engineers will ensure that scanning laptops have been requested from the
       TMA RSG in the specified timeframe allotted in the Standard Operating Procedure
       (SOP), if applicable.
   12. MHS/TMA IA Engineers will ensure that they are using the correct version of the
       scanning policies given to the Program Office during the kickoff meeting.
   13. MHS/TMA IA Engineers will ensure that they have hardcopies of all the necessary DISA
       supporting documents.
   14. MHS/TMA IA Team conducts Test Readiness Review (TRR) and confirms onsite
       application testing timeframes and availability with Application POC based on the
       Security Test Plan.

1.13 Onsite Application Assessment Baseline Process
   1. Go onsite to conduct baseline risk assessment of application/components.
   2. The MHS/TMA IA Team conducts in brief with Application POC.
   3. The MHS/TMA IA Team and Application POC conduct application risk assessment
      using the applicable assessment tools identified in the Security Test Plan.
   4. If approved by the CA, the MHS/TMA IA Lead Engineer will allow the Application POC
      to conduct mitigation activities if this is an accelerated application risk assessment.
   5. The MHS/TMA IA Team completes the application risk assessment activities with the
      Application POC.
   6. The MHS/TMA IA Team Lead provides the Application POC with a copy of the
      assessment results (MHS/TMA IA Lead Engineer will maintain the original).
   7. The MHS/TMA IA Team Lead will instruct the Application POC to begin mitigating
      application vulnerabilities.
   8. The MHS/TMA IA Lead Engineer will work with the Application POC to complete the
      required MSRs.
   9. The MHS/TMA IA Security Analyst will review the documentation and discuss any
      Physical Security Assessment (PSA) findings (if applicable) with the Application Program
      Office Subject Matter Expert (SME).
   10. The MHS/TMA IA Team will conduct an out brief and review test results with the
       Application POC.
1.14 Post Baseline Application Assessment Process
   1. The MHS/TMA IA Team Lead and Lead Engineer will conduct an analysis of the manual
      checks and automated test results.
   2. The MHS/TMA IA Lead Engineer will submit the checklist and automated scan results,
      if applicable, to the TMA RSG to be included in the development of the Vulnerability
      Matrix (VM).
   3. The MHS/TMA IA Team Lead will submit the completed MSRs to the TMA RSG for
      review and pre-approval.
   4. The MHS/TMA IA Team Lead will submit the pre-approved MSRs and the appropriate
      routing slip to MHS/TMA IA Program Office for final approval.
   5. The TMA RSG will develop the VM from the applicable application checklist and
      automated scan findings.
   6. The MHS/TMA IA Lead Engineer will perform minor VM modifications if needed.
   7. The MHS/TMA IA Team Lead will ensure that the VM undergoes a proper Quality
      Assurance (QA) process prior to submitting the VM to the CA for approval.
   8. The MHS/TMA IA Team Lead will submit the VM to MHS/TMA CA for
      review/approval.
   9. The MHS/TMA IA Team Lead will submit the approved VM to the application Program
      Office for review and for their mitigation strategies.
   10. The MHS/TMA IA Lead Engineer and the Application POC will reconcile vulnerabilities
       during the weekly meetings.

1.15 Pre-Site Mitigation Application Assessment Process
   1. Follow up with TMA on the MSRs that were submitted. Note: All known MSRs should
      be completed/approved prior to departure for the mitigation visit.
   2. The MHS/TMA IA Team Lead obtains an updated VM depicting the Application Program
      Office’s mitigation strategies.
   3. The MHS/TMA IA Lead Engineer will update the Security Test Plan and resubmit for
      QA and TMA approval.
   4. MHS/TMA IA Engineers will request scanning laptops from the TMA RSG within the
      timeframe specified in the SOP (for integrated application risk assessments).
   5. MHS/TMA IA Engineers will ensure that they scan with the same scanning policies used
      during the baseline assessment, provided no more than 45 calendar days have elapsed
      since the baseline.
   6. MHS/TMA IA Engineers will ensure that they have the application checklists used
      during the baseline assessment and hardcopies of all the necessary DISA supporting
      documents (e.g., STIGs, applicable reference documents).
   7. Security Analyst reviews the application’s C&A documentation with the Application
      Program Office’s SME.
   8. The MHS/TMA IA Team and Application Program Office conduct a TRR and confirm the
      onsite application testing timeframes and the availability of the Application POC, based
      on the Security Test Plan.

1.16 Onsite Application Assessment Mitigation Process
   1. The MHS/TMA IA Team goes onsite to conduct the application mitigation risk
      assessment.
   2. The MHS/TMA IA Team conducts an in brief with the Application POC.
   3. The MHS/TMA IA Team Lead and Lead Engineer review the VM with Application POC
      and obtain a status of the application mitigation activities.
   4. The MHS/TMA IA Team Lead, Lead Engineer, and Application POC conduct
      application risk assessment using a hardcopy of the checklists used during the baseline
      visit and conduct automated scans if applicable.
   5. The MHS/TMA IA Lead Engineer allows the Application POC to conduct mitigation
      activities and perform rescans and validate manual checks when applicable.
   6. The MHS/TMA IA Team completes application assessment activities with the
      Application POC.
   7. The MHS/TMA IA Team Lead provides the Application POC with a copy of the risk
      assessment test results (the MHS/TMA IA Lead Engineer will maintain the original).
   8. The MHS/TMA IA Security Analyst and Application Program Office Documentation
      SME will finalize the documentation and conduct the validation of any PSA findings (if
      applicable).
   9. The MHS/TMA IA Team will conduct an application assessment out-brief and review the
      test results with the Application POC.

1.17 Post Mitigation Application Assessment Process
   1. The MHS/TMA IA Team Lead and Lead Engineer will conduct a review of the risk
      assessment results.
   2. The MHS/TMA IA Lead Engineer will submit the checklist and automated scan results
      (if applicable) to the TMA RSG to be included in the VM.
   3. The TMA RSG will develop the VM from the applicable application checklists and
      automated scan findings.
   4. The MHS/TMA IA Lead Engineer will perform minor VM modifications if needed.
   5. The MHS/TMA IA Team Lead will ensure that the VM undergoes the proper QA process
      and submission procedures consistent with the SOP.
   6. The MHS/TMA IA Team Lead will submit any new MSRs to the TMA RSG for review
      and pre-approval.
   7. The MHS/TMA IA Team Lead will submit the TMA RSG’s pre-approved MSRs and the
      appropriate routing slip to MHS/TMA IA Program Office for final approval.
   8. The MHS/TMA IA Team Lead will submit the VM (and the MSRs, as applicable) to the
      MHS/TMA CA for review/approval.
   9. The MHS/TMA IA Team Lead will submit the final/approved VM to the Application
      Program Office.
   10. The MHS/TMA IA Team will prepare the final C&A Package for a Risk Assessment.
   11. The MHS/TMA IA Team Lead will submit the final C&A Package for QA, which includes
       review/approval by the QA Analyst and the MHS/TMA IA Project Manager prior to
       submission to the MHS/TMA CA and Designated Accrediting Authority (DAA).
   12. The MHS/TMA IA Team will provide the final C&A Package, including the Risk
       Assessment Letters, to the CA and DAA for signature.
   13. The MHS/TMA IA Team will provide the final C&A Package, including the signed Risk
       Assessment Letters, to the Application Program Office.
   14. The MHS/TMA IA Team Lead will ensure that all information pertaining to the
       application risk assessment is archived on HA/TMA's network shared drive.

   1.18 Server Overview
   List all of the application servers, regardless of whether they are reviewed or not. If an OS SRR
   has been or will be performed on that server, place a “Y” in the “Reviewed?” column to the right
   of the “Operating System and Version” column. Otherwise, enter an “N.” For each server, note
   what application software and version is installed (e.g., web, database, LDAP, etc.) and whether
   or not SRRs have been or will be performed on those components.

   Host Name | IP Address / Subnet Mask | Operating System and Version | Reviewed? | Application Service Software and Version | Reviewed? | Physical Location

1.19 Oracle Database Information

    Network IP Address | Database Name | Database Type | SYSID if ORACLE | Data Owner Contact Info.

1

2

3

4

5



1.20 SQL Database Information

    Network IP Address | Database Name | Database Type | SYSID if SQL | Data Owner Contact Info.

1

2

3

4

5



1.21 DB2 Database Information

    Network IP Address | Database Name | Database Type | SYSID if DB2 | Data Owner Contact Info.

1

2

3

4

5

1.22 Sybase Database Information

    Network IP Address | Database Name | Database Type | SYSID if Sybase | Data Owner Contact Info.

1

2

3

4

5

ACRONYMS

Acronym                       Definition

ACL                           Access Control List

ATO                           Authorization to Operate

C&A                           Certification and Accreditation

CA                            Certification Authority

CD                            Compact Disk

DIACAP                        Department of Defense Information Assurance Certification and
                              Accreditation Process

DAA                           Designated Accrediting Authority

DAC                           Discretionary Access Control

DBMS                          Database Management System

DID                           Defense-in-Depth

DII                           Defense Information Infrastructure

DISA                          Defense Information Systems Agency

FOUO                          For Official Use Only

FSO                           Field Security Operation

GIG                           Global Information Grid

I&A                           Identification and Authentication

IA                            Information Assurance

IATO                          Interim Authorization to Operate

IAVA                          Information Assurance Vulnerability Alert

IS                            Information System

IT                            Information Technology

IATFF                         Information Assurance Technology Framework Forum

JRE                           Java Runtime Environment

JVM                           Java Virtual Machine

LOA                           Letter of Agreement

MAAP                          Military Health System Application Assessment Process

MAC                           Mission Assurance Category

MHS                           Military Health System

MOA                           Memorandum of Agreement

MSR                           Mitigation Strategy Report

NIAP                          National Information Assurance Partnership

NSA                           National Security Agency

OS                            Operating System

PGD                           Production Gold Disk

PIA                           Privacy Impact Assessment

PKI                           Public Key Infrastructure

POC                           Point of Contact

PPS                           Ports, Protocols, and Services

QA                            Quality Assurance

RSG                           Regional Support Group

SME                           Subject Matter Expert

SOP                           Standard Operating Procedures

SRR                           Security Readiness Review

STIG                          Security Technical Implementation Guide

TMA                           TRICARE Management Activity

TRR                           Test Readiness Review

TSAAP                         TMA Semi-automated Application Assessment Process

VM                            Vulnerability Matrix
