Diacap Report Template by ajy78640

									              [Add appropriate classification markings]




                                                           TRICARE
                                                          Management
                                                             Activity



           [PROGRAM OFFICE NAME]

              [APPLICATION NAME]

 [RISK ASSESSMENT/ANNUAL REVIEW REPORT]


                IN SUPPORT OF THE

[HOSTING INFORMATION SYSTEM/ACCREDITATION]

                    [MONTH YEAR]
                       Version March 2009

           Note: Use Month/Year of DAA’s Signature




                         Prepared for:
            TRICARE Management Activity (TMA)
         Office of the Chief Information Officer (OCIO)
          Information Assurance (IA) Program Office



          [Add appropriate classification marking]
[Application/PO Name]                         Artifact 12 Risk Assessment/Annual Review Report
                                                                                 [Month Year]

                                    INSTRUCTIONS



INSTRUCTIONAL TEXT

This template contains instructional text which includes instructions, guidance, or notes
and is provided, in italic, for the writer and is used to describe what should be contained
in the document or section. The writer will read the instructional text, follow it, and
remove it from the document prior to submission to the TMA IA Team.

When the TMA IA Team reviews the Site’s/Program Office’s documentation, they are to
refer to the template/instructional text to ensure that the instructions were followed and
that the document contains the required information. With the documents that the TMA
IA Team develops, the QA Team will follow the same guidance.

Instructional Text example shown below:

This section should state:

• System name

• Type of document

• Relationship of document to other system-specific documentation (i.e., all other system
  documents flow from the Concept of Operations [CONOPS])

• Reason for document development (e.g., to support the Department of Defense (DoD)
  Information Assurance Certification and Accreditation Process [DIACAP])

• Authority by/under which the document is issued. This may be:

       o The organization that owns either the system or the data processed by the system
         (e.g., Defense Information Systems Agency [DISA]), or

       o An individual representing the organization (e.g., Program Manager [PM],
         Commanding Officer, or accreditation authority).

• Person(s) or organization responsible for administering (preparing and
  maintaining) the document (e.g., person: PM; organization: DISA)

  The administration of the document refers to the organization or individuals
  responsible for writing and maintaining the document.

EXAMPLE TEXT

Example text within this document is to be tailored to the Site/Government IS and/or
Government PO’s application (i.e. made site-specific). Again, the writer will tailor the
template with site-specific information such as their organization’s environment,



applicable policies, etc and remove “EXAMPLE” prior to submission to the TMA IA
Team.

REPLACEMENT TEXT

Replacement text is denoted in red, italicized, bold font inside brackets (e.g., [Site
Name]). Replacement text is provided as a guide to inform the writer that this item
requires site-specific information. The writer will replace this text with the
appropriate information, remove the brackets, and change the red, italic, bold font to
normal text.

STANDARD LANGUAGE

Standard language within this template is shown as STANDARD LANGUAGE (Do not
modify). Standard language is NOT to be modified by the Site/Program Office and/or
the TMA IA team member developing this document. However, the author is to remove
“STANDARD LANGUAGE (Do not modify)” from the document prior to submission.

Additional Information:
• Sites/Program Offices are not required to use the TMA IA templates.
       o If not used, the Site/Program Office documentation must contain, at a
         minimum, the same information contained in the TMA IA templates
         (document name and order are not required to be the same).
• Sections that do not apply are not removed; however, they must include a statement
  that the section is not applicable and explain why.
• Delete all instructions and questions prior to submission of this document.

NOTE: At a minimum, the Risk Assessment/Accreditation Report must address the
information that is identified in the questions below. The questions are provided to
elicit thought about the section(s) being written. They are intended to stimulate the
author's knowledge and understanding of the site-specific policies and processes that
govern the components and methodology within the certification and accreditation (C&A)
boundary.

The “EXAMPLE” text is provided to aid the author in developing site-specific information
for this document. After developing the site-specific information, the author is to delete the
EXAMPLE text, along with the italicized instructions and questions prior to submission of
this document.

The “STANDARD LANGUAGE” cannot be modified or deleted, but if the site has specific
information to add that will aid the reviewer/approver in better understanding the site-
specific policies and processes, then the author is encouraged to add that information
where it is applicable.

        Also, delete this Instructions Text Box prior to submission of this document.







                           EXECUTIVE SUMMARY
Note: Normally the Executive Summary should not exceed two pages. Be sure to include
details about the level of effort involved in the assessment (to include physical security
assessments and the number of locations), status of the site’s personnel background
checks, etc.

Note: Read this document in its entirety. This Risk Assessment/Annual Review Report
reflects a favorable recommendation by the TMA IA Team. However, if this is not the
case, please revise accordingly.


EXAMPLE TEXT: A risk assessment was conducted to analyze the threats to, and
vulnerabilities of, [Program Office (PO) Name] ([PO Name Abbreviation]) [Application
Name] [(Application Abbreviation)]. The risk assessment, as described in this [Risk
Assessment/Annual Review Report], satisfies the requirements for the Department of
Defense (DoD) Information Assurance Certification and Accreditation Process
(DIACAP). This certification identifies the security posture of the [Application
Abbreviation] as described in the [Application Abbreviation] security documentation
dated [Month Year].
The purpose of conducting this risk assessment was to ensure that the required security
safeguards were in place to protect DoD information contained within [PO
Abbreviation’s] [Application Abbreviation]. The risk assessment is consistent with
DIACAP requirements and the TRICARE Management Activity (TMA) Information
Assurance (IA) Program Office’s Certification and Accreditation (C&A) requirements.

The risk assessment was conducted using a combination of the following tools:
automated vulnerability assessment tools, manual testing, interviews, and physical
security assessments.

For standalone application assessments:

EXAMPLE TEXT: The scope of this Risk Assessment included [PO Abbreviation]
[Application Abbreviation] as a commercial off-the-shelf (COTS), client/server-based
application that is part of the [Application's Hosting] IS. The Hosting IS has its own
accreditation and is not part of this assessment; its accreditation can be
found in its DIACAP C&A Package. The [Application Abbreviation] Certification
Package will be appended to the C&A Package of the Hosting IS on which it resides.

For integrated application risk assessments:

EXAMPLE TEXT: The scope of this Risk Assessment covers the [PO Name
Abbreviation] [Application Abbreviation] application, which is considered an integrated
application. An integrated application includes the application's software, hardware, and
IS components as defined by the TMA IA Program Office. The Risk Assessment includes




all application components and locations. The assessment did not include the [Hosting
Information System Name] IS, as its risk assessment is covered under a separate effort.
Operation of the [Application Abbreviation] ensures the successful support of TMA
users while also providing the level of protection required for DoD information. Refer to
Section 2 of this document for specifics on the application's functionality and
capabilities.

During the evaluation [PO Abbreviation] showed evidence of appropriate security
safeguards and controls in place to prevent: unauthorized entry into the data processing
facilities; unauthorized access to data and data files; unauthorized software modifications;
and divulgence of sensitive processing procedures, techniques or related information.
The evaluation of compliance started in [Month Year] and ended in [Month Year].

The result of the evaluation is an overall total of [00] vulnerabilities, which breaks down
into [00] high risk items, [00] medium risk items, and [00] low risk items (included in
this total are [00] policy and procedure findings and [00] physical security findings).

[Hosting IS Abbreviation] was also found to be in compliance with the current
Information Assurance Vulnerability Management (IAVM) notices and personnel security
requirements, and does not have any ports, protocols, and/or services that traverse the
Internet to the Defense Information System Network (DISN), or vice versa.

[If Applicable] An analysis was performed on the ports, protocols and services in the
[Hosting IS Name Abbreviation] environment against the requirements outlined in
DoD Instruction 8551.1, “Ports, Protocols, and Services Management (PPSM),” dated
13 August 2004.

Summarize results of ports, protocols, and services analysis in one or two sentences.

The TMA IA Team concludes that the [PO Abbreviation] [Application Abbreviation]
application has satisfied the security requirements to support a [favorable Risk
Assessment Signature Letter], and that the overall security risk for the [Application
Abbreviation] application is [High, Medium, or Low].

Include justification for impact code; this may come from Section 3.2, Determination.







                                                TABLE OF CONTENTS
1 INTRODUCTION
   1.1      Purpose
   1.2      Scope
   1.3      Limitations
   1.4      Assumptions
   1.5      Responsibility Matrix
   1.6      Document Organization
   1.7      Previously Cited Findings

2 SYSTEM/APPLICATION DESCRIPTION AND OVERVIEW
   2.1      System/Application Description
   2.2      Major Functional Capabilities
   2.3      System Interfaces and External Connections
   2.4      [Application] System Architecture
   2.5      Certification Boundary
      2.5.1          Ports, Protocols, and Services
      2.5.2          Software
      2.5.3          Firmware
      2.5.4          Hardware
   2.6      Privacy Act
   2.7      Personnel Security Requirement Validation
      2.7.1          Automated Data Processing I – Critical-Sensitive Positions
      2.7.2          Automated Data Processing II – Non-critical-Sensitive Positions
      2.7.3          Automated Data Processing III – Non-Sensitive Positions

3 DETERMINATION
   3.1      Risk Assessment Summary
      3.1.1          Policy and Procedure Compliance Summary
   3.2      Determination (alter as applicable)
   3.3      Conclusions and Recommendations
   3.4      Certification Statement
   3.5      Risk Assessment Signature Letter

4 EVALUATION RESULTS
   4.1      Previously Identified Vulnerabilities
   4.2      New Vulnerabilities Discovered During this Certification Effort




1 INTRODUCTION

1.1    Purpose
EXAMPLE TEXT: The purpose of conducting this risk assessment was to ensure that
the required security safeguards were in place to protect Department of Defense (DoD)
information contained within the [Program Office (PO) Name] ([PO Name Abbreviation])
[Application Name] ([Application Abbreviation]) and/or to ensure that the proper security
safeguards are implemented to protect the IS from being exploited. The risk
assessment is consistent with DoD Information Assurance Certification and Accreditation
Process (DIACAP) requirements and the TRICARE Management Activity (TMA)
Information Assurance (IA) Program Office's Certification and Accreditation (C&A)
requirements to support a [favorable Risk Assessment].

(Of the three paragraphs below, select those that are applicable and modify as
appropriate)

Most cases: The [Application Abbreviation] application is considered [mission
critical/mission essential/mission support], and is [operational/received major
upgrades] and was previously assessed in accordance with DoD IA and TMA IA security
requirements.

New application never certified or accredited: [Application Abbreviation] is a new
application which has not completed a favorable risk assessment. If a full risk
assessment cannot be achieved, a Temporary Risk Assessment Letter may be issued for a
period not to exceed [00] days.

A Signature Letter is currently in place: [Application Abbreviation] is undergoing a
major system change which will affect the security posture. This will require
[Application Abbreviation] application to be assessed at a date determined by the
Certifying Authority (CA). A Temporary Risk Assessment Letter may be granted based
on the most recent results from the security test and findings, and is not to exceed 180
days.

1.2    Scope
EXAMPLE TEXT: A risk assessment was conducted on [Application Abbreviation]
application located at the [PO Abbreviation] [PO Address - (List only those locations
visited by the TMA IA Team.)] to support a Risk Assessment/Annual Review effort. The
risk assessment was conducted in [Month of Baseline Visit] and validated [Month of
Mitigation Visit] [Year]. The risk assessment is based on DoD and TMA IA security
requirements.





1.3       Limitations
EXAMPLE TEXT: The risk assessment was an evaluation of the [Application
Abbreviation] application to identify potential threats, vulnerabilities, and points of
failure that can affect the confidentiality, integrity, and availability, to include
authentication and non-repudiation. The activity considered major factors in risk
management, the value of the system or application, potential threats, vulnerabilities, and
the effectiveness of the safeguards that were in place.

General limitations under which the security test was conducted are as follows:
• The TMA IA Team did not disrupt mission operations on the [Application
  Abbreviation] located at [PO Abbreviation] facilities in [PO Location].
• Test activities were conducted during normal business hours without impact to
  the [Hosting IS Abbreviation] IS.
• Two days were required to perform the validation risk assessment.

1.4       Assumptions
EXAMPLE TEXT: The following assumptions were made during the risk assessment:
• The [Application Abbreviation] security test plan was documented in Artifact
  8, "Security Test Plan."
• Test [Application Abbreviation] user accounts were created in advance and used
  during the risk assessment.
• The hardware and software configuration remained unchanged between the
  baseline and mitigation testing, unless configuration changes were coordinated
  and approved by the TMA IA Program Office.
• The TMA IA Team had access to documented security procedures and operating
  instructions.
• The Designated Accrediting Authority (DAA), CA, the user representative, the
  hosting IS Information Assurance Manager (IAM), and Program Office
  determined the proposed solutions, schedule, security actions, milestones, and
  maximum length of time for the Risk Assessment activities.
• [PO Abbreviation] personnel complied with all applicable established DoD
  security policies, standards, and guidelines throughout the Risk Assessment
  activities.
• The [Application Abbreviation] application operated in a secure environment in
  accordance with the program office's operational and environmental procedures to
  ensure that risk to confidentiality, integrity, availability, authentication, and
  non-repudiation of the information and IS remains at an acceptable level.





1.5      Responsibility Matrix
STANDARD LANGUAGE (Do not modify):

                [Application Name] Risk Assessment Responsibility Matrix

Name                    Title                            Responsibility

[DAA]                   TMA Designated Accrediting       Official with the authority to formally
                        Authority (DAA)                  assume responsibility for operating a
                                                         system at an acceptable level of risk.

[Site/PO POC]           [Site/PO Name Abbreviation]      Individual with the responsibility for and
                                                         authority to accomplish program or
                        [Title]                          IS/application objectives for development,
                                                         production, and sustainment to meet the
                                                         user’s operational needs.

[Site/PO IAM]           Information Assurance            The individual responsible for the
                        Manager (IAM)                    implementation of the organization’s IA
                                                         program for the application.

[Site/PO IAO]           Information Assurance Officer    The individual responsible to the IAM for
                        (IAO)                            ensuring that the appropriate operational
                                                         IA posture is maintained for the
                                                         application.

[Infrastructure IAM]    [Hosting Information System      The individual responsible for the IA
                        Abbreviation] IAM                program of a DoD IS and applications
                                                         being hosted.

[Infrastructure IAO]    [Hosting Information System      An individual responsible to the hosting
                        Abbreviation] IAO                information system IAM for ensuring that
                                                         the appropriate operational IA posture is
                                                         maintained for a DoD IS and associated
                                                         applications.

[Site/PO Name           Data Owner                       Official with statutory or operational
Abbreviation Data                                        authority for specified information and
Owner]                                                   responsibility for establishing the controls
                                                         for its generation, collection, processing,
                                                         dissemination, and disposal.

[CA]                    TMA Certifying Authority         Official having the authority and
                        (CA)                             responsibility for the certification of TMA
                                                         ISs/application.





                [Application Name] Risk Assessment Responsibility Matrix

Name                     Title                           Responsibility

[TMA IA Team             TMA IA Team Lead,               Individuals responsible for performing
Member Names (list       TMA IA Engineer,                activities identified in this report, such as:
all)]                    TMA IA Security Analyst           • Security Testing
                                                           • Risk Analysis/Review
                                                           • Requirements Analysis
                                                           • Policy and Procedure Review

                      Table 1-1: [Risk Assessment] Responsibility Matrix


1.6       Document Organization
EXAMPLE TEXT: This report describes the risk assessment activities for the
[Application Abbreviation] application and is organized as follows:
• Section 1 provides the purpose and scope of the risk assessment. It also identifies
  the roles and responsibilities of key participants in the risk assessment process.
• Section 2 details the [IS/Application Abbreviation] architecture, including
  identification of the IS/application capabilities and technical components. It
  describes the certification boundary.
• Section 3 summarizes the residual risk and presents the overall risk determination
  and recommendation.
• Section 4 documents the remaining vulnerabilities and associated mitigation
  strategies, along with recommendations that resulted from the risk
  assessment/annual review.

1.7       Previously Cited Findings
EXAMPLE TEXT: During the [Month Year] [Certification or Annual Review effort],
[# of vulnerabilities] vulnerabilities were mitigated to an acceptable level of risk and
remained open for the [Application Abbreviation] application. Most of the vulnerabilities
were related to [describe]. The affected [describe devices] are still within the [Application
Abbreviation] certification boundary and were assessed and documented as part of that
previous effort. Of the [current remaining # of vulnerabilities] vulnerabilities that
currently remain, [# of vulnerabilities] previously cited vulnerabilities are included in the
totals reported in this [Risk Assessment/Annual Review Report]. Refer to Section 4,
Evaluation Results, for a listing of all current vulnerabilities. Vulnerabilities carried
over from the previous effort are listed in Section 4.1, Previously Identified
Vulnerabilities.






2 SYSTEM/APPLICATION DESCRIPTION AND OVERVIEW
EXAMPLE TEXT: Sections 2.1 through 2.5 are extracted from [Application Name]
([Application Abbreviation]) Artifact 1 “Concept of Operations (CONOPS).”

2.1     System/Application Description

2.2     Major Functional Capabilities

2.3     System Interfaces and External Connections

2.4     [Application] System Architecture

2.5     Certification Boundary
Must include diagram and description of all components within the certification
boundary. Ensure that the diagram is legible.

2.5.1 Ports, Protocols, and Services
Please note that if the program office does not have a direct connection to DoD, then a
statement must be written to that effect and the table must be deleted.

EXAMPLE TEXT: The Ports, Protocols, and Services (PPS), along with the
corresponding PPS configuration color code, are shown in Table [2-X]. A PPS
configuration color code of Red means the PPS finding has not been fixed. A color code
of Yellow means a Mitigation Strategy Report (MSR) has been provided for the finding.
A color code of Green means the PPS is compliant and is not reported with the findings.

                               Ports, Protocols, and Services
   Ports                    | Protocols/Service Used        | Inbound | Outbound | PPS Configuration Color Code
   -------------------------+-------------------------------+---------+----------+-----------------------------
   Include ports and        | List the protocols/services   | (Y/N)   | (Y/N)    | (Red, Yellow, Green)
   protocols that have been | that the corresponding ports  |         |          |
   opened                   | are utilizing                 |         |          |

                           Table [2-X]: Ports, Protocols, and Services
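The PPS table is only useful if it matches what is actually listening on the hosts inside the certification boundary. The script below is an added example, not part of the TMA template or any TMA tool: it reconciles a completed Table [2-X] against a socket listing in the shape of Linux `ss -lntu` output and reports listeners that are not documented (new PPS findings), documented inbound rows with no listener (stale table entries), and rows still coded Red or Yellow. The table rows, the `ss` output, and the service names are constructed sample data; the color-code semantics are the ones the template defines above.

```python
"""Cross-check a documented PPS table against observed listening sockets.

Added illustration, not part of the TMA template.  The PPS rows and the
socket listing below are constructed sample data; the column layout follows
Table 2-X of the template (port, protocol/service, inbound, outbound, color).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PpsEntry:
    port: int
    protocol: str      # "tcp" or "udp"
    service: str
    inbound: bool
    outbound: bool
    color: str         # "Red", "Yellow" or "Green", as defined in the template


# Constructed sample of a completed Table 2-X (hypothetical application).
DOCUMENTED_PPS = [
    PpsEntry(443, "tcp", "HTTPS (application front end)", True, False, "Green"),
    PpsEntry(1433, "tcp", "MS SQL (app server to database)", True, False, "Yellow"),
    PpsEntry(22, "tcp", "SSH (administration)", True, False, "Green"),
    PpsEntry(514, "udp", "Syslog to hosting IS", False, True, "Green"),
]

# Constructed sample in the shape of `ss -lntu` output on Linux.  In a real
# assessment this is captured from every host inside the certification boundary.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:1433      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Netid, State, Recv-Q, Send-Q, then "addr:port"; the port is the last ':'-field.
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_listening(ss_output: str) -> set:
    """Return {(protocol, port)} for every socket line in ss output."""
    found = set()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def reconcile(documented, ss_output):
    """Compare the documented PPS table with what is actually listening.

    Returns a dict with three lists:
      undocumented  - listening sockets absent from the table (new findings)
      not_observed  - inbound table rows with no matching listener (stale rows)
      open_findings - table rows still coded Red or Yellow
    Outbound-only rows (e.g. syslog to the hosting IS) never listen locally,
    so only inbound rows are compared against the socket listing.
    """
    observed = parse_listening(ss_output)
    inbound_doc = {(e.protocol, e.port) for e in documented if e.inbound}
    return {
        "undocumented": sorted(observed - inbound_doc),
        "not_observed": sorted(inbound_doc - observed),
        "open_findings": [e for e in documented if e.color in ("Red", "Yellow")],
    }


if __name__ == "__main__":
    result = reconcile(DOCUMENTED_PPS, SAMPLE_SS_OUTPUT)
    for proto, port in result["undocumented"]:
        print(f"FINDING: {proto}/{port} is listening but is not in Table 2-X")
    for proto, port in result["not_observed"]:
        print(f"STALE: {proto}/{port} is documented inbound but nothing is listening")
    for e in result["open_findings"]:
        print(f"OPEN ({e.color}): {e.protocol}/{e.port} {e.service}")
```

Every line in `undocumented` becomes either a new row in Table [2-X] with a Red or Yellow code, or a port that is closed before the mitigation visit; every line in `not_observed` is a table row to remove so the table stays an accurate statement of the boundary.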





2.5.2 Software
Include description from the CONOPS, but reference Tables from SDD and do not
include them in this document.

2.5.3 Firmware
Include description from the CONOPS but reference Tables from SDD and do not
include them in this document.

2.5.4 Hardware
Include description from the CONOPS but reference Tables from SDD and do not
include them in this document.

2.6       Privacy Act
EXAMPLE TEXT: Any system that contains Privacy Act data is required to comply
with Department of Defense (DoD) Directive 5400.11, Department of Defense Privacy
Program. [PO Abbreviation] maintains a system of records that contain Privacy Act data
and is therefore subject to comply with the Privacy Act Personnel Controls.

2.7       Personnel Security Requirement Validation
EXAMPLE TEXT: DoD 5200.2-R, Personnel Security Program,
establishes policies and procedures for personnel occupying Information Technology (IT)
positions designated as Automated Data Processing (ADP)/IT-I, ADP/IT-II, and ADP/IT-
III. DoD military and civilian personnel, consultants, and contractor personnel performing
on unclassified ISs may be assigned to one of three position sensitivity designations (in
accordance with Appendix 10 of DoD 5200.2-R) and investigated as follows:

• ADP/IT-I: Background Investigation (BI)

• ADP/IT-II: DoD National Agency Check with Inquiries/National Agency Check
  Plus Written Inquiries (DNACI/NACI)

• ADP/IT-III: National Agency Check/Entrance National Agency Check
  (NAC/ENTNAC)

2.7.1 Automated Data Processing I – Critical-Sensitive Positions
EXAMPLE TEXT: Those positions in which the incumbent is responsible for the
planning, direction, and implementation of a computer security program; has major
responsibility for the direction, planning, and design of a computer system, including the
hardware and software; or can access a system during operation or maintenance in
a way that carries a relatively high risk of causing grave damage or of realizing
significant personal gain.




2.7.2 Automated Data Processing II – Non-critical-Sensitive Positions
EXAMPLE TEXT: Those positions in which the incumbent is responsible for the
direction, planning, design, operation, or maintenance of a computer system, and whose
work is technically reviewed by a higher authority in the ADP-I category to ensure the
integrity of the system.

2.7.3 Automated Data Processing III – Non-Sensitive Positions
EXAMPLE TEXT: All other positions involved in computer activities. In establishing
the categories of positions, other factors may enter into the determination, permitting
placement in higher or lower categories based on the Agency's judgment as to the unique
characteristics of the system or the safeguards protecting the system.

The TMA IA Team must describe how the ADP/IT position designations and compliance
were validated, and must state the designation required of developers and users.






3 DETERMINATION

3.1       Risk Assessment Summary
EXAMPLE TEXT: A total of [NUMBER OF RISK ITEMS LISTED IN SECTION 4
THAT ARE NOT MET OR PARTIALLY MET] risk items are documented in this Risk
Assessment/Annual Review Report for the [Program Office (PO) Name] ([PO
Abbreviation]) [Application Name] ([Application Abbreviation]) application. The
following is a summary of the vulnerabilities identified during the assessment (list the
number of Highs, Mediums, and Lows for each):

      • Continuity – [X risks or exposures] remain at the completion of this risk
        assessment/annual review. (list # of Highs, Mediums, and Lows)

      • Security Design and Configuration – [X risks or exposures] remain at the
        completion of this risk assessment/annual review. (list # of Highs, Mediums, and
        Lows)

      • Enclave Boundary Defense – [X risks or exposures] remain at the completion of
        this risk assessment/annual review. (list # of Highs, Mediums, and Lows)

      • Enclave and Computing Environment – [X risks or exposures] remain at the
        completion of this risk assessment/annual review. (list # of Highs, Mediums, and
        Lows)

      • Identification and Authentication (I&A) – [X risks or exposures] remain at the
        completion of this risk assessment/annual review. (list # of Highs, Mediums, and
        Lows)

      • Physical and Environmental – [X risks or exposures] remain at the completion
        of this risk assessment/annual review. (list # of outstanding vulnerabilities)

      • Personnel – [X risks or exposures] remain at the completion of this risk
        assessment/annual review. (list # of Highs, Mediums, and Lows)

      • Vulnerability and Incident Management – [X risks or exposures] remain at the
        completion of this risk assessment/annual review. (list # of Highs, Mediums, and
        Lows)

      • Ports, Protocols, and Services – [X risks or exposures] remain at the completion
        of this risk assessment/annual review. (list # of Reds [High] or Yellows
        [Medium])

3.1.1 Policy and Procedure Compliance Summary
EXAMPLE TEXT: The required documented policies and procedures, and the current
compliance status of each, appear in Table 3-1.






                      Policy and Procedure Compliance Summary
 Source(s) of Evaluation                                                     Compliance Status *

 Artifact 1 Concept of Operations

 Artifact 2 Configuration Management Plan

 Artifact 3 Security Design Document

 Artifact 4 Contingency and Business Continuity Plan

 Artifact 5 Incident Response Plan

 Artifact 6 [Hosting Information System] Memorandum of Agreement

 Artifact 7 Privacy Impact Assessment (or PIA Form stating that it is not
 required)

 Artifact 8 Security Test Plan

 Artifact 9 Physical Security Assessment Report and/or Letter

 Artifact 10 Vulnerability Matrix

 Artifact 11 Mitigation Strategy Reports

 Artifact 12 Risk Assessment/Annual Review Report

 Artifact 13 Designated Accrediting Authority Brief/Database Compliance
 Report

 Artifact A Acronyms

 Artifact B Definitions

 Artifact C References

 * Full Compliance; Partial Compliance; Non-Compliant

                     Table 3-1: Policy and Procedure Compliance Summary






[APPLICATION ABBREVIATION] Vulnerability Summary SAND Chart

[Stacked area chart of open vulnerabilities by severity for each assessment period;
replace the sample values below with the application's actual counts.]

                    [Month YYYY]      [Month YYYY]      [Month YYYY]
      Low               300               150                75
      Medium            200               100                50
      High              100                50                25

        Figure 3-1: [Application Abbreviation] Vulnerability Summary SAND Chart


3.2    Determination (alter as applicable)
EXAMPLE TEXT: The TRICARE Management Activity (TMA) Information
Assurance (IA) Team states that the [Application Abbreviation] application has fully met
all technical, administrative, and security policy and procedure requirements and has
provided evidence of use. The [Application Abbreviation] application [partially met/has
not met] the security requirements for Continuity; Security Design and Configuration;
Enclave Boundary Defense; Enclave Computing Environment; Identification and
Authentication; Physical and Environmental; Personnel; Vulnerability and Incident
Management; and Ports, Protocols, and Services.

EXAMPLE TEXT: Considering the [Application Abbreviation] application is hosted
on an IS isolated from the Internet [explain how], the identified vulnerabilities pose a
[High, Medium, Low] risk to the [Application Abbreviation] application, [Hosting IS
Name (Hosting IS Abbreviation)] IS and the Department of Defense (DoD) information
residing on it. The complete isolation and configuration of this IS minimizes known risks
of unauthorized access by local users and ensures that there is no unauthorized remote
access into the IS.

EXAMPLE TEXT: [Application Abbreviation] application is [provide information].
In addition, the [Hosting IS Abbreviation] has undergone a separate Department of
Defense (DoD) Information Assurance Certification and Accreditation Process
(DIACAP) Authorization to Operate (ATO) and is required to meet all DoD and TMA
security requirements. Considering these factors, the identified vulnerabilities pose a
Low risk to the [Application Abbreviation] application and the data residing in it.





3.3    Conclusions and Recommendations
EXAMPLE TEXT: Based on the evidence of use of the documented policies and
procedures, security testing results, and interviews with [Application Abbreviation]
application developers, network administrators, and the Information Assurance Manager
(IAM), it was determined that adequate security controls were in place to justify approval
for the [Application Abbreviation] application to be hosted/remain on the [Hosting IS]
IS. This risk assessment concluded that the overall risk exposure to the [Application
Abbreviation] application is [High, Medium, Low].

EXAMPLE TEXT: The TMA IA Team recommends that the [PO Abbreviation]
[Application Abbreviation] application be granted a favorable Risk Assessment Signature
Letter, allowing it to continue to reside on the [Hosting IS Abbreviation] IS. The Risk
Assessment Signature Letter will be appended to the [Hosting IS Abbreviation]
Certification and Accreditation (C&A) package.

This section will go into the first slide of the DAA Presentation.






3.4    Certification Statement
Section 3.4, Certification Statement, and the attached Security Evaluation Residual Risk
Summary are included in this Risk Assessment/Annual Review Report only for integrated
application risk assessment efforts. Standalone efforts do not include Section 3.4
Certification Statement or the Security Evaluation Residual Risk Summary; delete both
for a standalone effort.

                                 Certification Statement

                                           for
                        [Program Office Name] [Application Name]

 Based on the security testing results and the Certifying Authority’s review of the
 Comprehensive Certification and Accreditation (C&A) documentation dated [Month
 Year], the Certifying Authority has determined that required security measures have not
 been taken to permit the issuance of a favorable Risk Assessment to [Application
 Abbreviation Name] application.

 A risk assessment will be conducted no less than annually to validate Department of
 Defense (DoD) Information Assurance Certification and Accreditation Process
 (DIACAP) compliance and the TRICARE Management Activity security requirements.




                                            [CA]


                                            _________________________
                                            Certifying Authority
                                            TRICARE Management Activity




                                            Date: ______________








                                     ATTACHMENT

                        Security Evaluation Residual Risk Summary



 Describe, in three to four sentences, a summary of all findings that provides a
 succinct “bottom-line” statement allowing a higher authority to understand the residual
 risk and the site’s security philosophy of protection, including the Defense-in-Depth
 employed at the site(s). Do not list each finding and its associated consequence.






3.5    Risk Assessment Signature Letter
If the program office has not completed the required documented policies and
procedures, replace the verbiage in this letter with the verbiage contained in the
Application Temporary Risk Assessment Signature Letter Template. Use the Risk
Assessment Signature Letter Template, on TMA letterhead, for the DAA’s signature.

MEMORANDUM FOR [PROGRAM OFFICE NAME]


THROUGH TRICARE MANAGEMENT ACTIVITY CERTIFYING AUTHORITY

SUBJECT: Addendum to the Accreditation of [Hosting Information System Name]

       The [Hosting Information System Name] ([Hosting Information System
Abbreviation]) has integrated the [Application Name] ([Application Abbreviation])
application into its current accreditation boundary and security architecture.

       A security risk assessment has been performed on the [Application Abbreviation]
application. Based on the security testing results and the Certifying Authority’s
review of the Comprehensive Certification and Accreditation (C&A) documentation, it
has been determined that there will not be a significant increase in risk to the security
posture of the [Hosting Information System Abbreviation] IS, as determined by the
review of the [Application Abbreviation] Risk Assessment documentation dated
[Month Year]. All must-fix items identified within the technical, physical, and
administrative controls have been satisfactorily fixed or mitigated. [Application
Abbreviation] deficiencies can be found in Section 3 of the attached Risk Assessment
Report.

        This letter will allow the [Application Abbreviation] application to operate as a
component of the [Hosting Information System Abbreviation] IS accreditation boundary
or security architecture and to process information classified at the sensitive information
level in Mission Assurance Category III mode as defined in Department of Defense
(DoD) Instruction 8500.2, “Information Assurance Implementation.”

Approve/Disapprove

                                                Clarissa Reberkenny, Director
                                                Information Assurance Program Office
                                                Designated Accrediting Authority
cc: Dorothy S. Williams
Certifying Authority
Information Assurance Program Office






4 EVALUATION RESULTS
EXAMPLE TEXT: Appended to this report are the residual results listed by
Information Assurance (IA) Control. Those vulnerabilities that existed during the
previous risk assessment effort are listed in Section 4.1 followed by the Mitigation
Strategy Reports (MSR) for the remaining vulnerabilities that are new to this effort.

4.1    Previously Identified Vulnerabilities
Include the signed (original) MSRs by IA Control in this order: Continuity; Security
Design and Configuration; Enclave Boundary Defense; Enclave Computing
Environment; Identification and Authentication; Physical and Environmental; Personnel;
Vulnerability and Incident Management; and Ports, Protocols, and Services.






4.2    New Vulnerabilities Discovered During this Certification Effort
Include the signed (original) MSRs by IA Control in this order: Continuity; Security
Design and Configuration; Enclave Boundary Defense; Enclave Computing
Environment; Identification and Authentication; Physical and Environmental; Personnel;
Vulnerability and Incident Management; and Ports, Protocols, and Services.



