Security Risk in Web 2.0 Application





                                         TRICARE Management Activity


 TRICARE MANAGEMENT ACTIVITY
        [APPLICATION NAME]
    INTEGRATED APPLICATION
        SECURITY TEST PLAN




            IN SUPPORT OF A
[ANNUAL REVIEW/RISK ASSESSMENT]
                [Month Year]
                 Version May 2009




                   Prepared For:
      TRICARE Management Activity (TMA)
   Office of the Chief Information Officer (OCIO)
    Information Assurance (IA) Program Office




    [Add appropriate classification marking]
[Application Name]                                                 Artifact 8 Security Test Plan
                                                                                  [Month Year]


                                     INSTRUCTIONS
INSTRUCTIONAL TEXT
This template contains instructional text (instructions, guidance, or notes), provided in
italic for the writer, that describes what should be contained in the document or section.
The writer will read the instructional text, follow it, and remove it from the document
prior to submission to the TMA IA Team.
When the TMA IA Team reviews the Site’s/Program Office’s documentation, they are to
refer to the template/instructional text to ensure that the instructions were followed and
that the document contains the required information. With the documents that the TMA
IA Team develops, the QA Team will follow the same guidance.
Instructional Text example shown below:
This section should state:
  - System name
  - Type of document
  - Relationship of document to other system-specific documentation (i.e., all other system
    documents flow from the Concept of Operations [CONOPS])
  - Reason for document development (e.g., to support Department of Defense (DoD)
    Information Assurance Certification and Accreditation Process [DIACAP])
  - Authority by/under which the document is issued. This may be:
      - The organization that owns either the system or the data processed by the system
        (e.g., Defense Information Systems Agency [DISA]), or
      - An individual representing the organization (e.g., Program Manager [PM],
        Commanding Officer, or accreditation authority).
  - Person(s) or organization responsible for administering – preparing and
    maintaining – the document (e.g., person – PM; organization – DISA).
    The administration of the document refers to the organization or individuals
    responsible for writing and maintaining the document.
EXAMPLE TEXT
Example text within this document is to be tailored to the Site/Government IS and/or
Government PO’s application (i.e., made site-specific). Again, the writer will tailor the
template with site-specific information such as their organization’s environment,
applicable policies, etc., and remove “EXAMPLE” prior to submission to the TMA IA
Team.
REPLACEMENT TEXT
Replacement text is denoted in red, italicized, bold font inside brackets (e.g., [Site
Name]). Replacement text is provided as a guide to inform the writer that this item
requires the appropriate information. The writer will replace this text with the
appropriate information, remove the brackets, and change the red, italic, bold text to
normal text.
STANDARD LANGUAGE
Standard language within this template is shown as STANDARD LANGUAGE (Do not
modify). Standard language is NOT to be modified by the Site/Program Office and/or
the TMA IA team member developing this document. However, the author is to remove
“STANDARD LANGUAGE (Do not modify)” from the document prior to submission.
Additional Information:
  - Sites/Program Offices are not required to use the TMA IA templates.
      - If not used, the Site/Program Office documentation must contain, at a
        minimum, the same information contained in the TMA IA templates
        (document name and order are not required to be the same).
  - Sections that do not apply are not removed; however, they must include a statement
    that they are not applicable and explain why.
  - Delete all instructions and questions prior to submission of this document.


NOTE: At a minimum, the Security Test Plan must address the information that is
identified in the questions below. The questions that are provided are to elicit thought into
the section(s) being written. The questions are to stimulate the author’s knowledge and
understanding of the site-specific policies and processes that govern the components and
methodology within the certification and accreditation (C&A) boundary.
The “EXAMPLE” text is provided to aid the author in developing site-specific information
for this document. After developing the site-specific information, the author is to delete the
EXAMPLE text, along with the italicized instructions and questions, prior to submission of
this document.
The “STANDARD LANGUAGE” cannot be modified or deleted, but if the site has specific
information to add that will aid the reviewer/approver in better understanding the site-
specific policies and processes, then the author is encouraged to add that information
where it is applicable.
Also, delete this Instructions Text Box prior to submission of this document.







                                                TABLE OF CONTENTS
1      INTRODUCTION                                                                    1
    1.1     Scope                                                                      1
    1.2     Application Description                                                    2
    1.3     Responsibility Matrix                                                      2
    1.4     TRICARE Management Activity [Application Name] Application Status          3

2      SECURITY TEST APPROACH                                                          4
    2.1     Security Assessment Approach                                               4
    2.2     Security Assessment Boundary                                               5
    2.3     Security Assessment Resources                                              5
       2.3.1  Security Assessment Documentation                                        6
       2.3.2  Application Resources                                                    6
       2.3.3  Security Assessment Personnel                                            7
    2.4     Available Information Assurance Security Assessment Tools                  9
       2.4.1  Defense Information Systems Agency Gold Disks                           10
    2.5     TRICARE Management Activity Semi-Automated Application Assessment
            Process Application Assessment Checklist Procedures                       11
       2.5.1  Automated Security Assessment Tools                                     11
       2.5.2  Testing Requirements                                                    12
    2.6     Testing Approach                                                          13
       2.6.1  Preparation for Deployment                                              14
       2.6.2  Application Assessment Checklist Procedures                             14
       2.6.3  Assessment Policy for Annual Review Efforts                             16
       2.6.4  Retina, AppDetective, and WebInspect Assessment Policy                  17
       2.6.5  Gold Disk, Security Readiness Review, and Manual Checklists
              Assessment Policy                                                       18
    2.7     Ports, Protocols, and Services Testing                                    18

3      LIMITATIONS                                                                    19

4      ASSUMPTIONS                                                                    20

5      SECURITY ASSESSMENT CONDUCT                                                    21

6      SECURITY ASSESSMENT REPORTING                                                  22
    6.1     DIACAP Severity Category                                                  22
       6.1.1  CATEGORY I Weaknesses                                                   22
       6.1.2  CATEGORY II Weaknesses                                                  22
       6.1.3  CATEGORY III Weaknesses                                                 23


    6.2     Vulnerability Impact Code Determination                                   23
    6.3     Vulnerability Risk Assessment Report                                      24
    6.4     Vulnerability Baseline/Validation Matrix                                  24

7      CERTIFICATION AND ACCREDITATION BOUNDARY DEVICE MATRIX                         25

8      DEPARTMENT OF DEFENSE INFORMATION ASSURANCE CONTROLS ADDITIONAL
       INFORMATION                                                                    26






1     INTRODUCTION
EXAMPLE TEXT: This Security Test Plan (STP) has been developed under the
authority of the TRICARE Management Activity (TMA) Certifying Authority (CA)
specifically for the [Application Name] [(Application Name Abbreviation)] application,
as a means of outlining the Department of Defense (DoD) Information Assurance
Certification and Accreditation Process (DIACAP) [Risk Assessment/Annual Review]
effort.
As part of the DIACAP, it is required that the [Application Name Abbreviation]
application undergo a security assessment to determine its compliance with the DoD
Information Assurance (IA) Controls. In order to be housed on the [Site Name]
Information System (IS), the [Application Name Abbreviation] application must meet
the criteria documented within the DoD Instruction 8500.2, “Information Assurance (IA)
Implementation,” IA Controls and the TMA IA requisite security requirements as
specified in the TMA Semi-automated Application Assessment Process (TSAAP).
This document has been created to define the security testing approach, objectives, and
procedures that will be utilized during the baseline and mitigation/validation activities of
the DIACAP security assessment for the [Application Name Abbreviation] application.
It serves as a program management tool for scheduling activities and resources, and as a
technical specification for the execution of the security assessment.
This security assessment will result in a TMA IA Program Office Risk Assessment
Report to inform the CA of identified vulnerabilities within the [Application Name
Abbreviation] application, the impact code of the vulnerability, and the TMA IA Team’s
recommendations for vulnerability resolution.
The STP identifies the TMA IA Team as the main point of contact for the [Application
Name Abbreviation] application security assessment. The TMA IA Team and [Program
Office (PO) Name] are responsible for planning and conducting the security assessment
in addition to documenting the results of the security assessment.

1.1   Scope
EXAMPLE TEXT: The security assessment will be conducted against the [Application
Name Abbreviation] application on the [development/production] server via a
[operating system] workstation and applicable interface, located at [Test Site Address].
If the security assessment is conducted in the development environment, the TMA IA
Team will return once the application is placed in the production environment.
Hardware and application software configurations will also be examined during the risk
assessment process, utilizing the methods depicted throughout this document. The
issuance of a favorable Risk Assessment Signature Letter relies on the risk factors
documented in the [Application Name Abbreviation] Risk Assessment Report, upon
successful completion of test objectives and results.
This STP addresses [Application Name Abbreviation] as a [Client/Server, Web-Based,
Standalone] application housed on the [Site Name] IS. The STP specifies security test
requirements for the application to ascertain the level of compliance with DoD
Instruction 8500.2 and TMA IA requisite security requirements.


1.2     Application Description
Insert description of application, type and function.
EXAMPLE TEXT: The [Application Name Abbreviation] application is a commercial-
off-the-shelf (COTS) software development tool developed by [Application Developer
Name]. [Application Name Abbreviation] has been selected as the portfolio
management application solution for the enterprise-wide portfolio of TMA. It has
numerous features, unique functionality, scalability, and configurability to manage just
about any kind of portfolio. The powerful security features and flexible user interface
assist in collaboration among all stakeholders in the organization.
[Application Name Abbreviation] provides everything from data entry forms for details
about a single investment, to scorecards for evaluating a set of investments in a portfolio,
to investor maps supporting what-if analysis across a portfolio of investments, or even
across a portfolio of portfolios. [Application Name Abbreviation] is built specifically for
proposing, planning, and controlling portfolios of investments in a collaborative way,
following an objective and transparent process. The result is gains in efficiency and
improvement in business performance.

1.3     Responsibility Matrix
STANDARD LANGUAGE (Do not modify): Table 1-1 lists key personnel of the
TMA DIACAP and their responsibilities:

                [Application Name] Risk Assessment Responsibility Matrix

Name                    Title                           Responsibility

[DAA]                   TMA Designated Accrediting      Official with the authority to formally
                        Authority (DAA)                 assume responsibility for operating a
                                                        system at an acceptable level of risk.

[Site/PO POC]           [Site/PO Name Abbreviation]     Individual with the responsibility for and
                        [Title]                         authority to accomplish program or
                                                        IS/application objectives for development,
                                                        production, and sustainment to meet the
                                                        user’s operational needs.

[Site/PO IAM]           Information Assurance           The individual responsible for the
                        Manager (IAM)                   implementation of the organization’s IA
                                                        program for the application.

[Site/PO IAO]           Information Assurance Officer   The individual responsible to the IAM for
                        (IAO)                           ensuring that the appropriate operational
                                                        IA posture is maintained for the
                                                        application.

[Infrastructure IAM]    [Hosting Information System     The individual responsible for the IA
                        Abbreviation] IAM               program of a DoD IS and applications
                                                        being hosted.

[Infrastructure IAO]    [Hosting Information System     An individual responsible to the hosting
                        Abbreviation] IAO               information system IAM for ensuring that
                                                        the appropriate operational IA posture is
                                                        maintained for a DoD IS and associated
                                                        applications.

[Site/PO Name           Data Owner                      Official with statutory or operational
Abbreviation Data                                       authority for specified information and
Owner]                                                  responsibility for establishing the controls
                                                        for its generation, collection, processing,
                                                        dissemination, and disposal.

[CA]                    TMA Certifying Authority        Official having the authority and
                        (CA)                            responsibility for the certification of TMA
                                                        ISs/applications.

[TMA IA Team            TMA IA Team Lead                Individuals responsible for performing
Member Names (list      TMA IA Engineer                 activities identified in this report, such as:
all)]                   TMA IA Security Analyst         - Security Testing
                                                        - Risk Analysis/Review
                                                        - Requirements Analysis
                                                        - Policy and Procedure Review

       Table 1-1: [Application Name Abbreviation] Risk Assessment Responsibility Matrix

1.4      TRICARE Management Activity [Application Name] Application Status
STANDARD LANGUAGE (Do not modify): The [Site Name] IS currently holds an
accreditation. [Application Name Abbreviation] is one of the applications [housed/to be
housed] on the [Site Name] IS. As such, [Application Name Abbreviation] must
complete the [Risk Assessment/Annual Review] effort and receive a Risk Assessment
Signature Letter which will be appended to the [Site Name] IS C&A Package.
[PO Abbreviation] and the Designated Accrediting Authority (DAA) must sign the Letter
of Agreement (LOA) prior to the beginning of any security testing.






2     SECURITY TEST APPROACH

2.1       Security Assessment Approach
EXAMPLE TEXT: In order to successfully perform the security assessment, as part of
the risk assessment, the TRICARE Management Activity (TMA) Information Assurance
(IA) Team will utilize the TMA Semi-automated Application Assessment Process
(TSAAP) to develop the test approach for compliance with Department of Defense
(DoD) IA Controls and TMA IA requisite security requirements. The specific tests will
focus on the [Application Name] [(Application Name Abbreviation)] application
boundary as described in Section 2.2, the [Application Name Abbreviation] application
Security Assessment Boundary, and will be discussed throughout the following sections.
The security assessments are a measure within TMA’s DoD Information Assurance
Certification and Accreditation Process (DIACAP) to ascertain the security threats and
vulnerabilities of the [Application Name Abbreviation] application. The [PO Name]
[(PO Abbreviation)] and TMA IA Team will work together to conduct the security
assessment, which typically entails a baseline and a mitigation/validation visit.
The baseline security assessment is a preliminary evaluation of the [Application Name
Abbreviation] application to uncover potential threats, vulnerabilities, and points of
failure that can affect the confidentiality, integrity, availability, authentication, and non-
repudiation of the application. Testing activities consider the major factors in risk
management: the value of the system or application, threats, vulnerabilities, and the
effectiveness of the proposed safeguards.
The mitigation security assessment is a follow-up evaluation of the [Application Name
Abbreviation] application to validate corrections to potential threats, vulnerabilities, and
points of failure that were discovered during the baseline security assessment.
[Application Name Abbreviation] application risk assessment activities will include:
  - Automated security assessment scans
  - Defense Information Systems Agency (DISA) Field Security Operations (FSO)
    Security Readiness Review (SRR) scripts and manual checklists for the Microsoft
    SQL database
  - DISA Gold Disk using the Platinum Policy Version [2.0.3.1, March 2007]
  - Technical review of the DISA checklists findings and discrepancies
  - Hands-on assessment and test criteria
  - Policies and Procedures review of DoD and Military Health System (MHS) IA
    Policy Guidance and associated Implementation Guides
The following process will be adhered to while performing the security testing of the
[Application Name Abbreviation] application:
  - All applicable testing tools that will be executed during the risk assessment can be
    found in TMA [Application Name Abbreviation] Integrated Application Security
    Test Plan Section 2.4, “Available Information Assurance Security Testing Tools.”


  - The [PO Abbreviation] will provide a tester to perform the actual testing.
  - The TMA IA Team will observe the [PO Abbreviation] tester performing the test
    procedures.
  - These tests are performed against the [Application Name Abbreviation]
    application as specified in TMA [Application Name Abbreviation] Integrated
    Application Security Test Plan Section 2.6, “Testing Approach.”

2.2       Security Assessment Boundary
EXAMPLE TEXT: TMA has defined the certification boundary as any system or
network that transmits, processes, stores, displays, or accesses DoD information and/or
connects to any DoD IS. Therefore, [Application Name Abbreviation] application and
network infrastructure components that meet this criterion must be protected by measures
appropriate for DoD information operations in accordance with DoD IA Controls.
Insert boundary description.
EXAMPLE TEXT: Although the [Application Name Abbreviation] application will be
housed on the [PO Abbreviation] IS, the scope of this security assessment will be limited
to the application environment depicted in the diagram and described below.
The [Application Name Abbreviation] application to be assessed and the boundary are
depicted in Figure 2-1 below.
Insert diagram and provide description.
          Figure 2-1: [Application Name Abbreviation] Application Certification Boundary

2.3       Security Assessment Resources
EXAMPLE TEXT: For successful completion of the risk assessment against the
[Application Name Abbreviation] application, both the [PO Abbreviation] and the TMA
IA Team will require the testing resources listed in Table 2-1.

                              Security Assessment Resources
 Required Element                              Provided By               Due Date/Status
 Hardware and Software Configurations          [PO Abbreviation]         [pull from TMA-
                                                                         Approved Timeline]
 Security Assessment Policies and Procedures   TMA IA Team               [pull from TMA-
                                                                         Approved Timeline]
 Certification and Accreditation (C&A)         [PO Abbreviation]         [pull from TMA-
 Documentation                                                           Approved Timeline]
 Personnel                                     [PO Abbreviation] and     [pull from TMA-
                                               TMA IA Team               Approved Timeline]
 Security Assessment Tools                     TMA IA Team               [pull from TMA-
                                                                         Approved Timeline]
                            Table 2-1: Security Assessment Resources




2.3.1 Security Assessment Documentation
EXAMPLE TEXT: To conduct the security risk assessment, the following activities
will need to occur prior to commencement of the security assessment:
  - The TMA IA Team and the [PO Abbreviation] will meet to review the internal
    design documentation and application development life cycle process.
  - The TMA IA Team and the [PO Abbreviation] will meet to review and discuss
    tools associated with the C&A process.
  - The [PO Abbreviation] will provide the TMA IA Team with the [Application
    Name Abbreviation] application Source Code Documentation, if applicable.

2.3.2 Application Resources

2.3.2.1 Application Documentation
EXAMPLE TEXT: The core application documentation utilized for successful
completion of the security testing against the [Application Name Abbreviation]
application includes:
  - DISA checklists
  - Hands-on assessments and test criteria
  - Policies and Procedures review of DoD and MHS IA Policy Guidance and
    associated Implementation Guides

2.3.2.2 Application Server Information
EXAMPLE TEXT: Table 2-2 contains a list of all application servers. Gold Disk
testing will be performed on the servers. Information regarding the application and
version installed on each server, along with the scan status, is also provided.

                 [Application Name] Application Server Information

 Host Name   IP Address/   Operating System   Reviewed?   Application Service     Reviewed?   Physical
             Mask          and Version                    Software and Version                Location

        Table 2-2: [Application Name Abbreviation] Application Server Information

2.3.2.3 Application Workstation Information
EXAMPLE TEXT: In order to adequately perform the security assessment of the
[Application Name Abbreviation] application, access to a workstation running the users’
typical OS will be required. The workstation must meet the requirements necessary to
fully execute all operations of the application, including network connectivity and
hardware components (e.g., printer, scanner, etc.).

2.3.3 Security Assessment Personnel
EXAMPLE TEXT: At a minimum, the personnel involved in the security testing can be
classified in the following functional categories:
      • [Application Name Abbreviation] Application Security Tester – Performs any
        required hands-on security testing.
      • TMA IA Team – Conducts the security assessment and records results.
      • [PO Abbreviation] System, Database and Network Administrators – Respond
        to security assessment questions and verify results.
      • [PO Abbreviation] Developer – Involved in the development of the [Application
        Name Abbreviation] application; on hand for questions about the application code
        and internal design documentation.
      • [PO Abbreviation] Documentation Subject Matter Expert (SME) – Answers
        questions about the DIACAP documentation, application requirements and
        system design documentation.
Not all of the security assessment personnel will need to be present for the onsite
assessment at all times. However, depending on the assessment parameters, the system
administrator, database administrator or network administrator may need to be available
to provide support in their area of responsibility. It is anticipated that the [Application
Name Abbreviation] Security Tester and Developer will be available for the entire onsite
assessment duration. Afterwards, the support administrators should be available for
consultation in person or via telephone.





2.3.3.1 Availability
EXAMPLE TEXT: The TMA IA Team Lead, via the TMA IA Program Office, has
coordinated with the Program Office of the [Application Name Abbreviation] application
to schedule the baseline and mitigation (if needed) assessment. Although every effort
will be made to complete the assessment in [# of Days] days, if extra time is needed, both
parties must agree to extend their visit and arrangements will need to be made to work
longer days or during the weekend until the assessment is complete.
The baseline security assessment is scheduled for [Day of Week], [Start Date (DD
Month YYYY)] through [Day of Week], [End Date] at the [PO Abbreviation] facilities in
[City, State]. The baseline security assessment will be conducted during normal business
hours to commence on [Day of Week] at [Start Time] and ending no later than [Day of
Week] at [End Time]. See Table 2-3 for high-level listing of activities. A detailed
agenda will be provided prior to the onsite visit.
Although a mitigation visit may not be required, keep the following paragraph in the
event a mitigation visit is required.
The mitigation security assessment is scheduled for [Day of Week], [Start Date] through
[Day of Week], [End Date] at the [PO Abbreviation] facilities in [City, State]. The
mitigation security assessment will be conducted during normal business hours to
commence on [Day of Week] at [Start Time] and ending no later than [Day of Week] at
[End Time].
The TMA IA Team Lead will be responsible for developing and maintaining the security
assessment schedule and will validate that the necessary measures are taken to meet all
milestones and completion dates with minimal disruption to the [PO Abbreviation]
operations.

        [Application Name] Application Security Assessment Schedule

 Location            | Activity                           | Dates / Start Time                                                   | Assigned
 [Test Site Address] | In-brief and baseline assessment   | [Start Date] to [End Date] at [Local Start Time] to [Local End Time] | Security Testing Personnel in Section 2.3.3
 [Test Site Address] | In-brief and mitigation assessment | [Start Date] to [End Date] at [Local Start Time] to [Local End Time] | Security Testing Personnel in Section 2.3.3

  Table 2-3: [Application Name Abbreviation] Application Security Assessment Schedule





2.4   Available Information Assurance Security Assessment Tools
STANDARD LANGUAGE (Do not modify): In order to complete the risk assessment
against the [Application Name Abbreviation] application, the TMA IA Team will utilize
the guidance provided in the TSAAP SRR Reviewer Procedure Manual.
DoD Directive 8500.01E establishes policy and assigns responsibilities to DISA to
develop and provide security configuration guidance for IA and IA-enabled information
technology (IT) products, in coordination with the National Security Agency (NSA).
Paragraph 4.18 of DoD Directive 8500.01E states, “All IA and IA-enabled IT products
incorporated into DoD information systems shall be configured in accordance with DoD-
approved security configuration guidelines.” DISA FSO develops the guidelines, which
are called Security Technical Implementation Guides (STIGs).
However, when guidance does not exist or lacks the checks to validate confidentiality,
integrity, availability, authentication, and non-repudiation, TMA IA Program Office adds
or augments the existing guidance based on the type of information being protected.
The TMA IA Team will utilize the Customer Site CD Version [Month Year of Customer
Site CD] and the following tools specifically for the [Application Name Abbreviation]
application’s security assessment to include the tools for the integrated application
components:
          • Gold Disk Version [2 (Platinum)] will be used on Microsoft Windows based
            servers version 2000 or higher within the certification boundary. The Gold
            Disk v2 tests security compliance for various components such as desktop
            applications, IIS web server, web browsers, and the operating system
            platform. Version [2.0.3.1, March 2007]
          • Retina Network Security Scanner will be used internally for security
            assessments for security policy compliance on all network servers within the
            certification boundary. Version [5.8.3.1680]
          • AppDetective will be used to conduct security assessments on all supported
            databases within the certification boundary for security compliance. Version
            [5.2.4]
          • WebInspect application security assessment tool will be used for vulnerability
            assessments of web application security and the security of critical
            information by identifying known and unknown vulnerabilities within the
            Web application layer. Web server security will be assessed by including
            checks that validate that the Web server is configured properly. Version [7.5]
          • TSAAP Reviewer Procedure Manual Version [2, June 2007]
The Index File lists and identifies the versions of the DISA Checklists, STIGs, SRRs, and
DIACAP Artifact templates the TMA IA Team anticipates using during this assessment.
(See attachment)
(Insert here the Index File Excel spreadsheet from the Customer Site CD used by the
TMA IA Team and add a column entitled “Anticipated” after the “Date” column on the
Checklists, STIGs, and SRR tabs of the Index File Excel spreadsheet. The TMA IA Team
is to mark the cells with “YES” or “NO” accordingly next to each manual tool listed.



Ensure that a hard copy of the Index File is printed and attached to the Security Test
Plan for review/approval by all reviewers/approvers.
To insert file icon, go to “Insert” in the toolbar, select “Object” , then choose “Create
from File” tab. Select the “Browse…” button, highlight the file, then click “Insert”
button. Check the “Display as icon” box, then click “OK”)
Note: The guides and checklists referenced in this section are current as of the creation
of this STP. Please be sure to check that you are using the most current versions of these
documents.
During the actual baseline and mitigation/validation assessment testing, the [Application
Name Abbreviation] application will remain frozen. The freeze is only in place during
the actual testing periods. Changes can be made between baseline testing and
mitigation/validation testing, as long as the changes are coordinated and approved by the
TMA IA Program Office in advance. If no more than 45 calendar days have passed
between the baseline and mitigation/validation assessment testing, the same testing tools
and policies will be used, with the exception of the current Information Assurance
Vulnerability Management (IAVMs) Notices to include Alerts (IAVAs), Bulletins
(IAVBs), and Technical Advisories (IAVTs) as well as any vulnerability identified that
would pose a significant risk to the DoD data.

2.4.1 Defense Information Systems Agency Gold Disks
STANDARD LANGUAGE (Do not modify): The Gold Disk is an automated script
that has been created with the intent of verifying NSA and DISA security policies.
In order to run the Gold Disk on Windows operating systems (OS), it must run locally on
the target system via a CD-ROM with specific administrative privileges using the
Platinum Policy. Once executed, the Gold Disk collects security-related information
from the OS scanned. It then reports how many vulnerabilities were checked, how many
errors occurred, and how many manual checks remain. This information is then
presented in a Graphical User Interface (GUI).
The reviewer must examine the results via this GUI by expanding all possible menus next
to each security check. Each check will have an icon next to it, indicating whether it was
a finding, not a finding, or must be checked manually. Once a finding has been fixed, the
status of the finding can be altered through the GUI. Finally, the information from
running the Gold Disk will be exported to a file on a portable medium. This file, along
with all files generated from Gold Disk run on similar systems, will then be imported into
an application that can produce various reports regarding the current security posture of
these systems.
Note: The TMA IA Program Office hereby informs the [PO Abbreviation] that the
following feature of the Gold Disk IS NOT TO BE USED:
     After running the Gold Disk on a device, there will be an option to “Remediate”
     vulnerabilities. It is believed that if this option is used, it may cause unknown
     changes to the device or system. The TMA IA Program Office highly recommends
     that the [PO Abbreviation] NOT USE this feature on their servers. The TMA IA
     Program Office hereby removes itself from responsibility for, and any liability and
      consequences resulting from, the use of this feature by the [PO Abbreviation] on
      their servers. Any use of this functionality on the [Application Name
      Abbreviation] servers against the TMA IA Program Office’s recommendation,
      stated herein, will be at the sole risk and responsibility of the [PO Abbreviation].

2.5   TRICARE Management Activity Semi-Automated Application
      Assessment Process Application Assessment Checklist Procedures
STANDARD LANGUAGE (Do not modify): The TMA IA Team will also utilize the
TSAAP SRR Reviewer Procedure Manual, Application Services Security Checklist, and
Application Security and Development Checklist for compliance with the DoD IA
Controls and the TMA IA requisite security requirements as specified in the application
STIGs for DISA Standard Application Security Requirements and DISA’s Application
Developer’s Guide. The specific tests will focus on the [Application Name
Abbreviation] application.
The TSAAP procedures will include hands-on assessment and test criteria as outlined in
Section 2.6, Testing Approach.

2.5.1 Automated Security Assessment Tools
STANDARD LANGUAGE (Do not modify): The TMA IA Team utilizes eEye
Digital’s Retina Network Security Scanner to scan all servers. AppDetective, made by
Application Security, Inc. (AppSec, Inc.) is used to scan various types of databases.
Additionally, SPI Dynamics WebInspect application security assessment tool will be
used to scan all web applications and web services within the C&A boundary.

2.5.1.1 Retina Overview
STANDARD LANGUAGE (Do not modify): Retina discovers networked devices
using wired and wireless connections to identify which operating systems, applications,
databases and wireless access points are present. Any unauthorized applications, such as
peer to peer (P2P), malware, or spyware, will be detected and identified. Retina is
capable of scanning all ports on every server to provide the basis for remediation. Retina
will quickly scan security threats on each server identifying all types of OS or custom
applications.
Retina’s interface provides flexibility in sorting and viewing discovery and vulnerability
data, and features complete technical and executive reports, in addition to customized
reports that can be tailored for specific data.
Retina’s advanced OS discovery utilizes Internet Control Message Protocol (ICMP),
registry, NetBIOS, and the Nmap signature database, as well as eEye’s proprietary OS
fingerprinting for more accurate and definitive OS identification. Additionally, Retina
has profiles for nearly 2,000 of the most commonly utilized ports, and allows for
scanning of all 65,536 ports on a network device. These scans use a series of security
checks that assess multiple security risks associated with the following audit categories:
          • Password Policy Configuration
          • Account Lockout Configuration
          • Kerberos Policy (Domain Controllers Only)
          • User Rights Policy Configuration
          • Security Options Configuration
          • Event Log Configuration
          • Service Object Permissions
          • Registry Key Permissions and Auditing
          • File and Directory Permissions

2.5.1.2 AppDetective Overview
STANDARD LANGUAGE (Do not modify): A network-based, vulnerability
assessment scanner, AppDetective discovers database applications within the
infrastructure and assesses their security strength. In contrast to other solutions,
AppDetective modules allow targeted assessment of devices across all three primary
application tiers through a single interface: Web front-end, application/middleware,
and back-end database.
Databases are accessed across the network and reviewed for a wide range of database-
specific vulnerabilities. These scans use a series of security checks that assess multiple
security risks associated with the following audit categories:
          • Access Control
          • Application Integrity
          • Identification/Password Control
          • OS Integrity

2.5.1.3    WebInspect Overview
STANDARD LANGUAGE (Do not modify): SPI Dynamics’ WebInspect application
security assessment tool ensures web security and the security of critical information by
identifying known and unknown vulnerabilities within the Web application layer.
WebInspect also helps ensure Web server security by including checks that validate that
the Web server is configured properly. It performs security assessments on Web
applications and Web services.
WebInspect combines all of the industry's known Web application vulnerabilities with
SPI Dynamics' AdaptiveAgent technology that crawls applications and manipulates
parameters to find specific vulnerabilities. WebInspect’s scanning capabilities are
designed to automatically keep up with changing applications and security problems.
Accordingly, it is updated with the latest known vulnerabilities and attack methods from
SPI Dynamics’ SPI Labs through SmartUpdate™.

2.5.2 Testing Requirements
STANDARD LANGUAGE (Do not modify): During the security testing, a
vulnerability identification scan will be performed internally using Retina. In order to
effectively conduct an objective assessment of the [Application Name Abbreviation]
application, the TMA IA Team will initiate and conduct all testing activities from their
laptop using the Retina, AppDetective and WebInspect tools. This will require the following:
         • [One] static Internet Protocol (IP) address(es) for the laptop
         • The ability to scan with [one] laptop
         • A connection to the test network at Falls Church, Virginia within the
           certification boundary
         • IP addresses for all systems being scanned
         • Uniform Resource Locators (URLs) of the Web applications being assessed

2.6   Testing Approach
STANDARD LANGUAGE (Do not modify): The processes and checklists described
in this section will be performed on all applications during the baseline application
assessment of [Application Name Abbreviation] application. The TMA IA Team will
test all devices within the certification boundary and will perform the following manual
checks and run the following automated tools against all applicable applications and
systems within the certification boundary:
          • TSAAP Reviewer Procedure Manual:
            o New Password after expiration
            o DAC Access levels
            o Encrypted cookies only for sensitive data
            o Audit of Schema Objects
          • DISA Application Services Security Checklist (Web):
            o For Applications running Apache Jakarta Tomcat and Sun Microsystems
              JVM, conduct the SRR in Sections 2A & 3A
            o For Applications running BEA Weblogic, conduct the SRR in Sections 2B
              & 3B
            o For Microsoft’s .NET and other application servers, refer to DISA’s
              Application Services STIG for further guidance
          • DISA Application Security and Development Checklist (Web and Non-Web):
            o IE Internet Options & Security Zone Settings Section 1.3
            o Generic Checks Section 3
            o Lab Environment Checks Section 3A
            o Production Environment Checks Section 3B
          • Retina Network Security Assessment Tool
          • AppDetective Security Assessment Tool
          • WebInspect Vulnerability Assessment Tool
          • DISA Gold Disk
          • Ports Protocols and Services (PPS) Interview
          • DoD 8500.2 IA Control Checklist
          • DISA Application Security and Development STIG
          • DISA Application Services STIG
During the actual baseline and mitigation security assessments, the [Application Name
Abbreviation] application Program Office will freeze any changes to the [Application
Name Abbreviation] application. Changes can be made between the baseline and
mitigation assessments as long as they are coordinated and approved by the TMA IA
Program Office in advance.

2.6.1 Preparation for Deployment
STANDARD LANGUAGE (Do not modify): This section verifies that the application
is correctly prepared for installation and deployment. The TMA IA Lead Engineer will
interview the [PO Abbreviation] Application POC to validate that the following action
items have been taken:
          • Remove Debugger Hooks and Other Developer Backdoors
          • Explicit Debugger Commands
          • Remove Data-Collecting Trapdoors
          • Protect Cookies at Rest and in Transit
          • Remove Hard-Coded Credentials
          • Remove Default Accounts
          • Replace Relative Pathnames
          • Remove Sensitive Comments
          • Remove Unnecessary Files, Pathnames, and URLs
          • Remove Unneeded Calls
          • Run-time Considerations
          • Secure Installation and Configuration
          • Application Level Auditing
          • Preparation for deployment to production
Note: This application will not be migrated to production, or may be removed from the
network, until the above deployment checks are completed.

2.6.2 Application Assessment Checklist Procedures
STANDARD LANGUAGE (Do not modify): Please perform the checks below in
addition to the DISA Application Security Checklists.

TMA Security Requirement Information
Requirement:                New password after expiration
Description:                The application must not authenticate a user whose password has expired
                            until the user changes the expired password.
CAT II
Test Objective:             Verify that the application forces a user whose password has expired to
                            select a new password before authenticating him/her.
Assumptions and Constraints:
                            The application performs user I&A based on UserID and static password.
Requirement/Test Exemption Criteria/Justification:
                            {Enter Justification for non-applicability of test and requirement}
Test Procedures
Step | Procedure                                              | Expected Results
1.   | Attempt to login as a user whose password has expired | User will be forced to change password before they are authenticated into the application.



TMA Security Requirement Information
Requirement:                DAC access levels
Description:                The application must provide the necessary APIs to an underlying OS and
                            Web server that implements DAC that can support, at a minimum, three
                            levels of access: (1) Open access (no I&A required); (2) Controlled access
                            (requires individual I&A); (3) Restricted access to specific community of
                            interest (requires need to know)
Test Objective:             Verify that the access controls used by the application support at least three
                            different access levels, and that the appropriate I&A is required before a user
                            is granted access to a particular level. Verify that the access controls used by
                            the application to separate and protect Restricted Access data prevent any
                            account set up to be outside of the community of interest (as defined by role
                            or user group) from accessing those data.
Assumptions and Constraints:
                            The application is a Web server application.
Requirement/Test Exemption Criteria/Justification:
                            {Enter Justification for non-applicability of test and requirement}
Test Procedures
Step | Procedure                                                                   | Expected Results
1.   | Refer to Section 1.1.1, Special Security Settings for Web-Based Applications | IE settings should reflect settings in Section 1.1.1



TMA Security Requirement Information
Requirement:                Encrypted cookies only for sensitive data
Description:                Only encrypted non-persistent (one-time) cookies may be used for
                            transmitting sensitive data. Unencrypted cookies and persistent cookies
                            (encrypted or not) must never be used to transmit sensitive data.
CAT II
Test Objective:             Verify that the application does not use persistent or unencrypted cookies to
                            store or transmit sensitive data.
Assumptions and Constraints:
                            The application is a Web application.
Requirement/Test Exemption Criteria/Justification:
                            {Enter Justification for non-applicability of test and requirement}
Test Procedures
Step | Procedure                                                                    | Expected Results
1.   | Refer to Section 1.1.1, Special Security Settings for Web-Based Applications. | IE settings should reflect settings in Section 1.1.1
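Added example, not part of the TMA template: a small Python check a tester can run over captured HTTP response headers to flag cookies that breach the requirement above. The reading of "persistent" (Expires in the future or Max-Age > 0) and "unencrypted" (no Secure flag, so the cookie may be sent over plain HTTP) is an assumption, and the header samples and list of sensitive cookie names are constructed.

```python
"""Check Set-Cookie headers against "encrypted cookies only for sensitive data".

Assumptions (not the template's wording):
  - persistent  = Expires in the future or Max-Age > 0
  - unencrypted = no Secure flag, so the cookie may travel over plain HTTP
  - a missing HttpOnly flag is reported as an extra hardening gap
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs: Dict[str, str], now: datetime) -> bool:
    """True if a browser would keep the cookie beyond the current session."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0  # Max-Age=0 deletes the cookie
        except ValueError:
            return True  # unparsable value: assume the worst
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return True  # unparsable or naive date: assume the worst
    return False  # session cookie


def check_cookie(header: str, sensitive: Iterable[str],
                 now: Optional[datetime] = None) -> CookieFinding:
    """Evaluate one Set-Cookie header; cookies not marked sensitive get no issues."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if name not in set(sensitive):
        return finding
    if is_persistent(attrs, now):
        finding.issues.append("persistent cookie carries sensitive data")
    if "secure" not in attrs:
        finding.issues.append("no Secure flag: may be sent unencrypted over HTTP")
    if "httponly" not in attrs:
        finding.issues.append("no HttpOnly flag: readable by page script")
    return finding


def review_headers(headers: Iterable[Tuple[str, str]], sensitive: Iterable[str],
                   now: Optional[datetime] = None) -> List[CookieFinding]:
    """Return a finding for every sensitive cookie that has at least one issue."""
    sensitive = set(sensitive)
    results: List[CookieFinding] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        finding = check_cookie(hvalue, sensitive, now)
        if finding.issues:
            results.append(finding)
    return results


# Constructed sample: response headers as a tester might capture them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=9f3c1a; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "patientRef=P-000001; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "authToken=7b2e; Path=/; HttpOnly"),
]
# Constructed list of cookie names the application uses for sensitive data.
SENSITIVE_COOKIES = {"SESSIONID", "patientRef", "authToken"}

if __name__ == "__main__":
    for f in review_headers(SAMPLE_HEADERS, SENSITIVE_COOKIES):
        print(f.name, "->", "; ".join(f.issues))
```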



TMA Security Requirement Information
Requirement:                Audit of schema objects
Description:                The application’s audit facility shall log all schema objects, allowing
                            auditing to be turned on or off on a per-object basis.
CAT II
Test Objective:             Verify that all schema objects are being audited (e.g., by querying the
                            DBA_OBJ_AUDIT_OPTS table in Oracle). Database scanner will be used
                            to verify this check.
Assumptions and Constraints:
                            The application is a database or directory application.
Requirement/Test Exemption Criteria/Justification:
                            {Enter Justification for non-applicability of test and requirement}
Test Procedures
Step | Procedure                  | Expected Results
1.   | Reference database scanner | See mitigation recommendation in ISS technician report.

2.6.3 Assessment Policy for Annual Review Efforts
Annual Review (AR) efforts will include full Gold Disk assessments on new or
significantly changed systems only. All systems will be scanned with Retina using the
Retina “IAVA” policy from the Customer Site CD Version [Month Year of Customer
Site CD] associated with the AR effort. Along with the Retina scans, the TMA IA Team
will perform Gold Disk assessments for servers and workstations. The AR effort will
also incorporate any new checklists or new checks added to existing checklists that are
applicable to the IS environment, in addition to any open findings from the checklists
identified during the previous effort.

2.6.4 Retina, AppDetective, and WebInspect Assessment Policy
STANDARD LANGUAGE (Do not modify): The TMA IA Team while onsite will
need to verify active devices provided in the C&A Boundary Device Matrix.
Retina, AppDetective, and WebInspect have the following requirements:
          • When using Retina, the TMA IA engineers will need a [Program Office] POC
            with domain administrator privileges available to assist for full interrogation
            of the targeted devices.
          • For AppDetective, the TMA IA engineers will need a [Program Office] POC
            with administrator rights available to assist with the server hosting the
            database instance, and database owner privileges for each database.
                o NOTE: For Microsoft SQL server and Oracle database platforms, only
                    the Database SRRs will be used to conduct the assessment while
                    AppDetective will be used to assess other database platforms.
          • When using WebInspect, if the Web Application being assessed requires
            authentication, then WebInspect must be configured to use the appropriate
            user credentials. These credentials may include public key infrastructure
            (PKI), domain, and application level authentication.
When scanning with WebInspect the TMA IA Engineer will:
          • Use the “MHS Web Policy” located in the “MHS-TMA IA Testing Tools
            Policies” folder of the Customer Site CD.
          • Exercise a three-phase approach:
                o Phase One – A crawl will be initiated to identify Web Applications,
                    Web Environment and components. The TMA IA Engineer will
                    review the results from that crawl with the appropriate subject matter
                    expert or application developer to identify which URLs are to be
                    excluded from the scan.
                o Phase Two – Scan sessions will be segmented and customized to
                    ensure minimal impact to the Web Application environment and to
                    ensure successful completion of the scan.
                o Phase Three – Initiate the scan.

                    NOTE: If possible, the TMA IA Engineer will leverage WebInspect’s
                    ability to simultaneously crawl and audit (SCA) a web application to
                    reduce the overall length of scanning time.
          • The Retina “IAVAs” policy will be used to perform the security assessment
            against the [Application Name Abbreviation] application to:
            o Perform the security assessment scans using Retina on servers.
The [PO Abbreviation] program office can always be confident that scan reports will
reflect the results from the most recent known checks against industry-wide
vulnerabilities. Web-based updates are performed on a frequent basis to validate that the
TMA IA Team is performing security assessments using the agreed upon/latest security
policy checks.

2.6.5 Gold Disk, Security Readiness Review, and Manual Checklists Assessment Policy
STANDARD LANGUAGE (Do not modify): The TMA IA Team uses a
comprehensive assessment approach that utilizes both DISA and third party automated
tools, as well as manual checklists. The general approach is to assess devices based on
their platform type using a formula. The formula validates that TMA IA engineers
review an accurate representation of devices within the certification boundary.

2.7    Ports, Protocols, and Services Testing
STANDARD LANGUAGE (Do not modify): As part of the certification boundary
definition and maintenance process, the [PO Abbreviation] must document all PPS and
associated applications that transmit to/from the certification boundary. In accordance
with DoD Instruction 8551.1, the assessment process will focus on PPS to identify any
Code Red or Code Yellow PPS configuration that represents a vulnerability and security
exposure to the network layer. Tables 2-4 and 2-5 provide documentation of that
information. The TMA IA Team will conduct the PPS Q&A/Interview with the [PO
Abbreviation] developer.
EXAMPLE TEXT: The [Application Name Abbreviation] Web server will
communicate with users through [Hypertext Transfer Protocol (HTTP)] using port [80],
and running [SSL] through port [443] using [Hypertext Transfer Protocol Secure
(HTTPS)]. The Web server communicates with its database through port [1443].

                        Applications in Use to/from the C&A Boundary

Application | Application Purpose | Ports | Protocols/Services Used | Inbound | Outbound
Application Name | Description of Application Usage | Include Ports and Protocols used by the Application | List the Protocols/Services that the corresponding ports are utilizing | (Y/N) | (Y/N)

                  Table 2-4: Applications in Use to/from the C&A Boundary



                         Active DoD Application Ports and Protocols

DoD Application | Application Purpose | Ports | Protocols/Service Used | Inbound | Outbound
Application Name | Description of Application Usage | Include Ports and Protocols used by the Application | List the Protocols/Services that the corresponding Ports are utilizing | (Y/N) | (Y/N)

                     Table 2-5: Active DoD Application Ports and Protocols
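The PPS documentation required above can be checked mechanically during the PPS Q&A/interview. The following is an added example, not part of the TMA template and not a TMA IA Team tool: it takes Table 2-4 style rows and a `netstat -tln` style listing and reports ports that are listening but undocumented, ports documented as inbound but not listening, listeners bound only to loopback, and documented entries whose service is an assumed cleartext protocol. All application names, hosts, and netstat lines are constructed; the cleartext-service set is an assumption for illustration, and the Code Red/Code Yellow determination itself comes from the DoD PPS category assignments, which this example does not reproduce.

```python
"""Reconcile a documented PPS inventory (Table 2-4 rows) with observed listeners.

Added example for the PPS testing section; not part of the TMA template.
All application names, hosts, and netstat-style lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PpsEntry:
    """One row of Table 2-4, 'Applications in Use to/from the C&A Boundary'."""
    application: str   # Application
    purpose: str       # Application Purpose
    port: int          # Ports
    protocol: str      # Protocols/Services Used, written as transport/service
    inbound: bool      # Inbound (Y/N)
    outbound: bool     # Outbound (Y/N)


# Constructed inventory following the Section 2.7 example text: HTTP on 80,
# HTTPS on 443, and the database port 1443 that the example text cites.
DOCUMENTED_PPS: List[PpsEntry] = [
    PpsEntry("Example Web", "User-facing web front end", 80, "tcp/http", True, False),
    PpsEntry("Example Web", "User-facing web front end (SSL)", 443, "tcp/https", True, False),
    PpsEntry("Example DB", "Application database", 1443, "tcp/sql", True, True),
]

# Constructed `netstat -tln`-style capture from a hypothetical web server.
# 8080 is listening but undocumented; 1443 is documented but not listening here;
# 25 is bound to loopback only; the ESTABLISHED row is not a listener at all.
OBSERVED_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51514          ESTABLISHED
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Assumed for illustration: services that carry credentials or data unencrypted.
CLEARTEXT_SERVICES = {"http", "telnet", "ftp"}

_SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?$"
)


def parse_listening_ports(netstat_text: str) -> Dict[int, str]:
    """Map each listening port to its bind address.

    TCP rows count only in LISTEN state; UDP rows carry no state and are taken
    as-is. If a port is bound on several addresses, a non-loopback address wins
    so that an externally reachable listener is never masked by a loopback one.
    """
    listeners: Dict[int, str] = {}
    for raw in netstat_text.splitlines():
        m = _SOCKET_RE.match(raw.strip())
        if m is None:
            continue  # header line or a row shape we do not recognise
        if m.group("proto").startswith("tcp") and m.group("state") != "LISTEN":
            continue  # established/closing sockets are not exposed services
        port, addr = int(m.group("port")), m.group("addr")
        if port not in listeners or listeners[port] in LOOPBACK:
            listeners[port] = addr
    return listeners


def reconcile(documented: List[PpsEntry], netstat_text: str) -> Dict[str, List[int]]:
    """Compare documented inbound PPS with observed listeners.

    Returns sorted port lists: 'undocumented' (listening, not in Table 2-4),
    'not_listening' (in Table 2-4 as inbound, not observed), 'confirmed', and
    'loopback_only' (listening only on loopback, so not reachable across the
    boundary; listed so the reviewer can confirm that assumption).
    """
    listeners = parse_listening_ports(netstat_text)
    documented_inbound = {e.port for e in documented if e.inbound}
    loopback_only = {p for p, a in listeners.items() if a in LOOPBACK}
    exposed = set(listeners) - loopback_only
    return {
        "undocumented": sorted(exposed - documented_inbound),
        "not_listening": sorted(documented_inbound - exposed),
        "confirmed": sorted(exposed & documented_inbound),
        "loopback_only": sorted(loopback_only),
    }


def cleartext_entries(documented: List[PpsEntry]) -> List[PpsEntry]:
    """Documented entries whose service is in the assumed cleartext set.

    These need the reviewer's attention during the PPS Q&A/interview; whether a
    given PPS is Code Red or Code Yellow is decided by the DoD PPS category
    assignments, which this example does not reproduce.
    """
    return [e for e in documented
            if e.protocol.split("/")[-1].lower() in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    for key, ports in reconcile(DOCUMENTED_PPS, OBSERVED_NETSTAT).items():
        print(f"{key:14s} {ports}")
    for e in cleartext_entries(DOCUMENTED_PPS):
        print(f"review cleartext: {e.application} port {e.port} ({e.protocol})")
```

Each discrepancy maps back to a Table 2-4 action: an undocumented listener needs a new row or a justification for removal, a documented-but-absent port suggests the table is stale, and a loopback-only listener should be confirmed as unreachable from outside the boundary rather than silently ignored.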





3   LIMITATIONS
STANDARD LANGUAGE (Do not modify): The security assessment is an evaluation
of the [Application Name] [(Application Name Abbreviation)] application to uncover
potential threats, vulnerabilities, and points of failure that can affect the confidentiality,
integrity, and availability of the application and potentially the Department of Defense
(DoD) Information System (IS). These activities consider major factors in risk
management, the value of the system or application, threats, vulnerabilities, and the
effectiveness of the proposed safeguards. This security assessment is a measure within
the TRICARE Management Activity (TMA) Information Assurance (IA) Certification
and Accreditation (C&A) process to ascertain the security threats and vulnerabilities of
the [Application Name Abbreviation] application as part of the [PO Name] IS
accreditation.
General limitations under which the security assessment will be conducted are as follows:
  •   The security assessment will be limited to the specific elements described
      throughout this document.
  •   The TMA IA Team will not disrupt mission operations on the production network
      located at [Test Site Address].
  •   The TMA IA Team will perform the security assessment during normal business
      hours or at otherwise mutually agreed upon times.
  •   A minimum of [# of Days] days is scheduled to perform the security assessment.
      This period does not account for any hardware, software, data, or test procedure
      problems encountered during the security testing. Requirements to extend the
      security assessment duration must be approved by each participant’s governing
      official.



4   ASSUMPTIONS
STANDARD LANGUAGE (Do not modify): The following assumptions are made
during the security testing:
  •   [Application Name] [(Application Name Abbreviation)] test user accounts will
      be created in advance and used during the security assessment and will be
      removed after the assessment.
  •   A [PO Name] [(PO Abbreviation)] point of contact with domain or root level
      administrator account access must be available to assist with the automated scans.
  •   During baseline and mitigation security assessment, the application remains
      frozen, unless configuration changes are coordinated and approved in advance by
      the TRICARE Management Activity (TMA) Information Assurance (IA) Program
      Office.
  •   The TMA IA Team will have access to documented security procedures or
      operating instructions, and source code.
  •   The Designated Accrediting Authority (DAA), Certifying Authority (CA), and
      Program Office will determine the proposed solutions, schedule, security actions,
      milestones, and maximum length of time for the validity of the Risk Assessment
      Signature Letter.
  •   During the mitigation visit of the Department of Defense (DoD) Information
      Assurance Certification and Accreditation Process (DIACAP), the TMA IA Team
      will review and validate all changes and fixes to the vulnerabilities identified
      during the baseline scan.
  •   [PO Abbreviation] personnel will comply with all applicable established DoD
      security policies, standards and guidelines throughout the application
      development life cycle.
  •   The [Application Name Abbreviation] application will be tested in a secured test
      environment that mirrors the production environment of the [Application Name
      Abbreviation] application in accordance with the Program Office’s operational
      and environmental procedures to validate that risk to confidentiality, integrity, and
      availability of the information and network remains acceptable.



5   SECURITY ASSESSMENT CONDUCT
STANDARD LANGUAGE (Do not modify): This section provides general steps taken
during the security assessment:
  •   Perform an in-brief. The TRICARE Management Activity (TMA)
      Information Assurance (IA) Team will provide a short in-brief to any
      participating personnel of the TMA [PO Name] [(PO Abbreviation)].
  •   Collect, compile and provide assessment data.
  •   Review assessment data. The TMA IA Team will analyze the assessment
      results.
  •   Annotate any assessment discrepancy. Explain any conditions that seemingly
      caused an error or assessment discrepancy to occur. Any assessment
      discrepancies should be annotated in the security assessment procedures, with
      a pass or fail rating to an executed assessment procedure. Any anomaly found
      to be certification-relevant must be included in the assessment report.
  •   Perform an exit brief. The TMA IA Team will provide an exit brief to the
      participating personnel of the TMA [PO Abbreviation]. The brief will
      include:
          o Preliminary results (raw data) of the security assessment and specific
            findings
          o Answers to any questions posed by the [PO Abbreviation] personnel
          o Preliminary conclusions [and recommendations] based on the preliminary
            assessment results
          o Review of the timeline and discussion of the next milestone(s)
          o An update on discrepancies noted during the interview and documentation
            review



6     SECURITY ASSESSMENT REPORTING
STANDARD LANGUAGE (Do not modify): The TRICARE Management Activity
(TMA) Information Assurance (IA) Team will create and provide a vulnerability matrix
(VM) to the TMA senior management. This VM will allow for measurement of the
overall progress associated with the baseline and mitigation/validation of vulnerabilities
on the [Application Name] [(Application Name Abbreviation)] application.
The VM is a TMA IA Program Office document used to inform the Certifying Authority
(CA) of identified vulnerabilities within an application, the impact code of the
vulnerability, and the recommendations for vulnerability resolution.
A customized, unique vulnerability executive summary report will be generated and
sorted by vulnerability impact code and then by Internet Protocol (IP) address. The report
will be sent to TMA senior management within [two weeks] of both the baseline
assessment and mitigation scans, for action and final approval prior to sending to the
[Program Office (PO) Name] [(PO Abbreviation)].

6.1       DIACAP Severity Category
STANDARD LANGUAGE (Do not modify): Upon completion of all security testing,
the TMA IA Team will identify vulnerabilities including Category I (CAT I), Category II
(CAT II), and Category III (CAT III) weaknesses as defined in the Department of
Defense (DoD) Instruction 8510.01, “DoD Information Assurance Certification and
Accreditation Process (DIACAP).”

6.1.1 CATEGORY I Weaknesses
STANDARD LANGUAGE (Do not modify):
  •   Shall be corrected or satisfactorily mitigated before an Authorization to Operate
      (ATO) is granted.
  •   Only the TMA Chief Information Officer (CIO) shall authorize operation of an IS
      through an Interim Authorization to Operate (IATO).
  •   If a CAT I (High) weakness is discovered within an IS and cannot be mitigated
      within 30 business days, the IS must revert to an IATO in accordance with the
      DIACAP requirement. Additionally, the TMA CIO must report and provide a
      signed copy of the authorization memorandum with supporting rationale to the
      DoD Senior Information Assurance Officer (SIAO).

6.1.2 CATEGORY II Weaknesses
STANDARD LANGUAGE (Do not modify):
  •   Shall be corrected or satisfactorily mitigated before an ATO is granted.
  •   If a CAT II (Medium) weakness is discovered on an IS operating with a current
      ATO and cannot be corrected or satisfactorily mitigated by the completion of the
      mitigation testing, the IS must revert to an IATO. Additionally, the IS Designated
      Accrediting Authority (DAA) must report and provide a signed copy of the
      authorization memorandum with supporting rationale to the TMA CIO.

6.1.3 CATEGORY III Weaknesses
STANDARD LANGUAGE (Do not modify):
  •   Shall be corrected or satisfactorily mitigated by the completion of the mitigation
      testing to support the continuation of an accreditation/current effort. (Select one
      as appropriate)

6.2       Vulnerability Impact Code Determination
STANDARD LANGUAGE (Do not modify): When all security-testing activities have
been completed, the TMA IA Team will identify vulnerabilities, which will be
categorized by IA controls and sorted by impact codes. An impact code indicates the
Department of Defense’s (DoD) assessment of the likelihood that a failed IA Control will
have system-wide IA consequences. It is also an indicator of the impact associated with
non-compliance or exploitation of the IA Control. The impact code may also indicate the
urgency with which corrective action should be taken. Impact codes are expressed as
High, Medium, or Low, where High is the indicator of greatest impact or urgency.
There are three impact codes for identified IA Control vulnerabilities:
  •   High Impact Code: The absence or incorrect implementation of this IA Control
      may result in the loss of information resources, unauthorized disclosure of
      information, or failure to maintain information integrity. Such an exploitation
      may severely disrupt or impede Global Information Grid (GIG) situational
      awareness, management, and control; system operations; or user access. Must be
      fixed within the specified time period mandated by the CA.
  •   Medium Impact Code: The absence or incorrect implementation of this IA
      Control may moderately disrupt or impede GIG situational awareness,
      management, and control; system operations; or user access. Must be fixed
      within the specified time period mandated by the CA.
  •   Low Impact Code: The absence or incorrect implementation of this IA Control
      may minimally disrupt or impede GIG situational awareness, management, and
      control; system operations; or user access. Must be fixed/mitigated within the
      specified period mandated by the CA.
If technical or programmatic constraints prohibit vulnerability resolution, the DAA
responsible for the application may elect to accept the risk posed by a vulnerability. This
risk acceptance must be documented using the Mitigation Strategy Forms and provided to
the CA for approval.
Impact code designation of vulnerabilities requires careful analysis and depends on the
following factors:
  •   Nature of the security vulnerability
  •   Relationship of the vulnerability to the overall business function
  •   Role of the vulnerability within the system’s baseline infrastructure
  •   Effect of the vulnerability on the system security posture
  •   Operational environment
  •   Risk factor
  •   Alternate mitigation strategies

6.3       Vulnerability Risk Assessment Report
STANDARD LANGUAGE (Do not modify): The TMA IA Team will create and
provide the Risk Assessment Report and VM to the CA. These management reports
contain the residual risk and will allow for measurement of the overall progress of
baseline and the mitigation/validation of vulnerabilities on the [Application Name
Abbreviation] application.
The Risk Assessment Report describes the residual results of the security assessment by
the TMA IA Team. It also contains technical evidence that the [PO Abbreviation] has
implemented the appropriate safeguards that allow the [Application Name Abbreviation]
application to process sensitive information (SI) with an acceptable level of risk as
required by DoD Directive 8500.01E. The Risk Assessment Report will also support the
CA’s recommendation to the DAA to issue or revoke an [Annual Review/Risk
Assessment Signature Letter].
The TMA IA Team will prepare the Risk Assessment Report and will include in it, at a
minimum:
  •   All devices that were tested in the certification boundary
  •   A complete description of the system configuration
  •   A summary of the security assessment results
  •   All vulnerabilities rated in accordance with Section 6.1, “Vulnerability Impact
      Code Determination”
  •   TMA IA Team recommendations for vulnerability resolution
  •   TMA IA Team overall risk assessment determinations
  •   Next-step activities within the risk assessment process
  •   Plan of Action & Milestones (POA&M) (if applicable)

6.4       Vulnerability Baseline/Validation Matrix
STANDARD LANGUAGE (Do not modify): The TMA IA baseline VM will be
provided to the [PO Abbreviation] by the date identified in the timeline. Once received,
the [PO Abbreviation] will fill in the VM with their mitigation strategy and completion
dates. Mitigation Strategy Reports (MSRs) will be created for vulnerabilities that the
[PO Abbreviation] are unable to fix/mitigate. Once approved, this report will be used
when returning for the mitigation visit to validate fixes.


7 CERTIFICATION AND ACCREDITATION BOUNDARY DEVICE MATRIX
STANDARD LANGUAGE (Do not modify): The Certification and Accreditation
(C&A) Boundary Device Matrix has been completed with site/target specific information
for all devices (including printers) included in the C&A boundary.
See the attached C&A Boundary Device Matrix Excel spreadsheet for detailed
information.
To view the C&A Boundary Device Matrix double click the embedded icon below.


(Insert C&A Boundary Device Matrix Excel spreadsheet icon here. Ensure that a hard
copy of the C&A Boundary Device Matrix is printed and attached to the Security Test
Plan for review/approval by all reviewers/approvers.
To insert file icon, go to “Insert” in the toolbar, select “Object” , then choose “Create
from File” tab. Select the “Browse…” button, highlight the file, then click “Insert”
button. Check the “Display as icon” box, then click “OK”)



8   DEPARTMENT OF DEFENSE INFORMATION ASSURANCE CONTROLS ADDITIONAL INFORMATION
STANDARD LANGUAGE (Do not modify): The following table provides additional
information, including the description for the Department of Defense (DoD) Information
Assurance (IA) Controls for Mission Assurance Category (MAC) III, Sensitive
Information Systems (IS) and applications.

                     DoD IA Controls for MAC III, Sensitive IS and Applications

Subject Area | Control No | Control Name | Control Description | IA Service | IA Impact Code
Continuity | COAS-1 | Alternate Site Designation | Alternate site exists that permits the partial restoration of mission or business essential functions. | Availability | Medium
Continuity | COBR-1 | Protection of Backup and Restoration Assets | Backup and restoration procedures are in place for hardware, software, and firmware. | Availability | Medium
Continuity | CODB-1 | Data Backup Procedures | Data backup is performed at least weekly. | Availability | Medium
Continuity | CODP-1 | Disaster and Recovery Planning | Disaster recovery procedures exist and provide partial resumption of mission- or business-essential functions within five days of activation. | Availability | Low
Continuity | COEB-1 | Enclave Boundary Defense | Alternate site boundary defense is equal to the security measures in place at the primary location. | Availability | Medium
Continuity | COED-1 | Scheduled Exercises and Drills | Continuity of operations exercises occur annually. | Availability | Medium
Continuity | COEF-1 | Identification of Essential Functions | Mission- and business-essential functions are identified for priority restoration planning. | Availability | Medium
Continuity | COMS-1 | Maintenance Support | Within 24 hours of failure, maintenance support for key IT assets is available. | Availability | Medium
Continuity | COPS-1 | Power Supply | Manually-activated power generators exist, in the event of loss of electrical power. | Availability | Low
Continuity | COSP-1 | Spares and Parts | Within 24 hours of failure, maintenance spares and spare parts for key IT assets can be obtained. | Availability | Medium


Continuity | COSW-1 | Backup Copies of Critical Software | Critical software is stored in a fire-rated container or separated with other operational software. | Availability | High
Continuity | COTR-1 | Trusted Recovery | Recovery procedures exist to ensure that recovery is done in a secure and verifiable manner. Any circumstances that inhibit a trusted recovery are documented, and appropriate mitigating procedures are in place. | Availability | High
Security Design and Configuration | DCAR-1 | Procedural Review | Annual IA reviews are conducted. | Availability | Medium
Security Design and Configuration | DCAS-1 | Acquisition Standards | All GOTS and COTS products are evaluated and validated. | Confidentiality | Medium
Security Design and Configuration | DCBP-1 | Best Security Practices | Incorporation of best security practices. | Integrity | Medium
Security Design and Configuration | DCCB-1 | Control Board | Chartered configuration control board exists and meets regularly. | Integrity | Medium
Security Design and Configuration | DCCS-1 | Configuration Specifications | Security configuration of IA-enabled IT products follows STIGs, security recommendation guides, or commercially-accepted best practices. | Integrity | Medium
Security Design and Configuration | DCCT-1 | Compliance Testing | A minimum of a baseline security assessment was conducted. A comprehensive set of procedures were implemented that tested upgrades and new applications prior to deployment. | Availability | Medium
Security Design and Configuration | DCDS-1 | Dedicated IA Services | Formal risk assessment includes any dedicated IA services/devices. | Integrity | Medium


Security Design and Configuration | DCFA-1 | Functional Architecture for Information System Applications | The following functional architecture components are identified, developed and maintained: external interfaces; user roles; unique security requirements; categories of sensitive information processed or stored; restoration priority of subsystems. | Integrity | Medium
Security Design and Configuration | DCHW-1 | Hardware Baseline | Artifact 1 - CONOPS contains inventory of all hardware, including: manufacturer; type; model; physical location; network topology. | Availability | Medium
Security Design and Configuration | DCID-1 | Interconnection Documentation | A list of all hosted information system applications and/or enclaves is maintained, along with connection rules and requirements. | Integrity | Medium
Security Design and Configuration | DCII-1 | IA Impact Assessment | All proposed changes are assessed for IA and accreditation impact prior to implementation. | Integrity | Medium
Security Design and Configuration | DCIT-1 | IA for IT Services | All outsourcing of IA services explicitly address IA roles, and responsibilities are specified. | Integrity | Medium
Security Design and Configuration | DCMC-1 | Mobile Code | Use of mobile code meets requirements. | Integrity | Medium
Security Design and Configuration | DCNR-1 | Non-Repudiation | NIST FIPS 140-2 validated cryptography is used for encryption, digital signatures, and hash. | Integrity | Medium


Security Design and Configuration | DCPD-1 | Public Domain Software Controls | All software packages in use are evaluated for IA impact and approved for use by the DAA. Use of shareware or freeware is prohibited unless no alternative IT solutions are available. | Availability | Medium
Security Design and Configuration | DCPP-1 | Ports, Protocols, and Services | All network ports, protocols, and services in use by information system applications are identified. | Availability | Medium
Security Design and Configuration | DCPR-1 | Configuration Management (CM) Process | A configuration management process is implemented and includes the following: formally documented CM roles, responsibilities, and procedures; configuration control board; testing process to verify proposed configuration changes; verification process to ensure CM process is working effectively. | Integrity | Medium
Security Design and Configuration | DCSD-1 | IA Documentation | IA documentation is complete and maintained to ensure accuracy. All appointments to IA roles are established in writing. | Availability | Medium
Security Design and Configuration | DCSL-1 | System Library Management Controls | Privileged programs are protected to prevent the introduction of unauthorized code. | Integrity | Medium
Security Design and Configuration | DCSQ-1 | Software Quality | Requirements and validation methods to minimize negative impacts on integrity or availability are specified during software development. | Integrity | Medium
                  DCSR-2    Specified           Sensitive information that is        Confidentiality     Medium
Security Design
and                         Robustness –        transmitted across public
Configuration               Medium              networks, or resides on systems
                                                accessible by individuals not
                                                authorized to information on the
                                                system, is protected by medium-
                                                robustness COTS IA and IA-
                                                enabled products.



DCSS-1  System State Changes
  Security Design and Configuration | Integrity | Medium
  System is configured to remain in a secure state during shutdown, process termination, and initialization.

DCSW-1  Software Baseline
  Security Design and Configuration | Availability | Medium
  A current inventory of all software is maintained and includes the following information:
  - Manufacturer
  - Type
  - Version
  - Installation Manuals and Procedures.

EBBD-2  Boundary Defense
  Enclave Boundary Defense | Confidentiality | Medium
  Firewalls and network IDS are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries and at key points in the network, as required. Internet access is proxied through Internet access points that are physically or logically separated from other DoD information systems.

EBCR-1  Connection Rules
  Enclave Boundary Defense | Availability | Medium
  DoD connection rules and approval processes are established and functional.

EBPW-1  Public WAN Connection
  Enclave Boundary Defense | Confidentiality | High
  A DMZ is required for connections between DoD enclaves and the Internet or other public or commercial wide area networks.

EBRP-1  Remote Access for Privileged Functions
  Enclave Boundary Defense | Confidentiality | Medium
  Remote access for privileged functions is permitted only for compelling operational needs, is strictly controlled, and is audited completely.

EBRU-1  Remote Access for User Functions
  Enclave Boundary Defense | Confidentiality | Medium
  All remote access always uses encryption and is mediated through a managed access control point. Session level encryption equals or exceeds the robustness specified in ECCT. Remote access mechanism information is also protected.

EBVC-1  VPN Controls
  Enclave Boundary Defense | Availability | Medium
  All VPN traffic is visible to intrusion detection systems (IDS).

ECAD-1  Affiliation Display
  Enclave and Computing Environment | Confidentiality | Medium
  Contractors and Foreign Nationals are identified as such in DoD email addresses, display names, and automated signature blocks.

ECAN-1  Access for Need-to-Know
  Enclave and Computing Environment | Confidentiality | Medium
  Access to all DoD information is determined by both its classification and user need-to-know.

ECAR-2  Audit Record Content
  Enclave and Computing Environment | Confidentiality | Medium
  Audit records include the following:
  - UserID
  - Successful and unsuccessful attempts to access security files
  - Date and time of events
  - Type of events
  - Success or failure of event
  - Successful and unsuccessful logons
  - Denial of access resulting from excessive number of logon attempts
  - Blocking or blacklisting a UserID, terminal or access port, and the reason for the action
  - Activities that might modify, bypass, or negate safeguards controlled by the system.

ECAT-1  Audit Trail Monitoring, Analysis and Reporting
  Enclave and Computing Environment | Integrity | Medium
  Auditing logs are reviewed regularly, and suspected violations are analyzed and reported in accordance with DoD information system IA procedures.

ECCD-1  Changes to Data
  Enclave and Computing Environment | Integrity | Medium
  Security mechanisms prevent unauthorized access and changes to data.




ECCR-1  Encryption for Confidentiality (Data at Rest)
  Enclave and Computing Environment | Confidentiality | Medium
  NIST-certified cryptography is used to encrypt stored sensitive information if required by the Data Owner.

ECCT-1  Encryption for Confidentiality (Data in Transit)
  Enclave and Computing Environment | Confidentiality | Medium
  Sensitive and unclassified data transmitted through a commercial or wireless network is encrypted using NIST-certified cryptography.

ECIC-1  Interconnections among DoD Systems and Enclaves
  Enclave and Computing Environment | Confidentiality | High
  DoD information systems operating at the same classification but with different need-to-know access rules can utilize discretionary access controls as an IA mechanism. DoD information systems operating at different classification levels require a controlled interface, which is addressed in separate guidance.

ECIM-1  Instant Messaging
  Enclave and Computing Environment | Integrity | Medium
  Independent end-user installation of instant messaging clients that interact with public service providers is prohibited.

ECLO-1  Logon
  Enclave and Computing Environment | Confidentiality | Medium
  Successive logon attempts are controlled using one or more of the following:
  - Access is denied after multiple unsuccessful logon attempts.
  - The number of access attempts in a given period is limited.
  - Time-delay control system is employed.
  - If a system allows multiple-logon sessions for each UserID, the system provides the capability to control the number of logon sessions.

ECLP-1  Least Privilege
  Enclave and Computing Environment | Confidentiality | Medium
  In addition to an appropriate security clearance and need-to-know authorization, access procedures enforce the principles of separation of duties and “least privilege.”
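When the test plan checks ECLO-1 (successive logon attempts) and ECAR-2 (audit record content), it helps to have a concrete reference for what a compliant mechanism and its records look like. The following Python is an added example for this template, not code from TMA or from any application under review. The policy thresholds (three failures within a five-minute window, a fifteen-minute lockout, two concurrent sessions per UserID, a back-off that doubles after each failure), the user names, the terminal identifiers and the in-memory credential store are all assumptions chosen for illustration.

```python
"""ECLO-1 logon-attempt controls with ECAR-2 audit records.

Added example, not code from the TMA template. Thresholds, user names and the
in-memory credential store are assumptions chosen for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_FAILURES = 3       # assumed policy: lock after 3 failures in the window
WINDOW_SECONDS = 300   # assumed policy: failures are counted over 5 minutes
LOCKOUT_SECONDS = 900  # assumed policy: 15-minute lockout
MAX_SESSIONS = 2       # assumed policy: concurrent sessions per UserID


def make_credential(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest; only salt and digest are stored, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failures: list[float] = field(default_factory=list)  # times of recent failed attempts
    locked_until: float = 0.0
    sessions: int = 0


class LogonGate:
    def __init__(self, credentials: dict[str, tuple[bytes, bytes]]):
        self._creds = credentials
        self._state: dict[str, AccountState] = {}
        self.audit: list[dict] = []  # ECAR-2 records; protect this store per ECTP-1

    def _record(self, now: float, user: str, event: str, success: bool,
                terminal: str, reason: str | None = None) -> None:
        # ECAR-2: UserID, date/time, event type, success or failure, and the
        # terminal plus reason whenever access is denied or a UserID is blocked.
        self.audit.append({
            "time": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
            "user_id": user, "event": event, "success": success,
            "terminal": terminal, "reason": reason,
        })

    def logon(self, user: str, password: str, terminal: str, now: float) -> tuple[bool, str]:
        """Returns (granted, reason). `now` is a POSIX timestamp so runs are deterministic."""
        st = self._state.setdefault(user, AccountState())
        # Attempts per period: only failures inside the window count.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        if now < st.locked_until:
            self._record(now, user, "logon", False, terminal, "account_locked")
            return False, "account_locked"
        # Time-delay control: the wait after a failure doubles with each failure.
        if st.failures and now < st.failures[-1] + 2 ** (len(st.failures) - 1):
            self._record(now, user, "logon", False, terminal, "retry_too_soon")
            return False, "retry_too_soon"
        salt, digest = self._creds.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user not in self._creds or not hmac.compare_digest(candidate, digest):
            st.failures.append(now)
            self._record(now, user, "logon", False, terminal, "bad_credentials")
            if len(st.failures) >= MAX_FAILURES:
                st.locked_until = now + LOCKOUT_SECONDS
                st.failures.clear()
                # Blocking a UserID, and the reason for it, is itself an auditable event.
                self._record(now, user, "block_user_id", True, terminal, "excessive_logon_attempts")
            return False, "bad_credentials"
        if st.sessions >= MAX_SESSIONS:
            self._record(now, user, "logon", False, terminal, "session_limit")
            return False, "session_limit"
        st.sessions += 1
        st.failures.clear()
        self._record(now, user, "logon", True, terminal, None)
        return True, "ok"

    def logoff(self, user: str, terminal: str, now: float) -> None:
        st = self._state.setdefault(user, AccountState())
        st.sessions = max(0, st.sessions - 1)
        self._record(now, user, "logoff", True, terminal, None)


def demo() -> list[dict]:
    """Constructed scenario: a guessing run against 'jdoe', then a valid logon after lockout."""
    gate = LogonGate({"jdoe": make_credential("correct horse battery staple")})
    t0 = 1_700_000_000.0
    gate.logon("jdoe", "guess1", "term-7", t0)            # failure 1
    gate.logon("jdoe", "guess2", "term-7", t0 + 0.5)      # refused: inside the 1 s back-off
    gate.logon("jdoe", "guess2", "term-7", t0 + 2)        # failure 2
    gate.logon("jdoe", "guess3", "term-7", t0 + 5)        # failure 3 -> UserID blocked
    gate.logon("jdoe", "correct horse battery staple", "term-7", t0 + 10)    # still locked
    gate.logon("jdoe", "correct horse battery staple", "term-7", t0 + 1000)  # granted
    return gate.audit
```

A tester walking ECLO-1 can drive each of the four listed mechanisms through `logon()` and confirm the outcome from the returned reason, and can walk ECAR-2 by checking that the `audit` list carries the UserID, timestamp, event type, success flag, the terminal, and the reason for every denial and for the `block_user_id` event. The credential handling is deliberately minimal; a real system would keep the store and the audit trail outside the process and under the file protection ECTP-1 requires.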



ECML-1  Marking and Labeling
  Enclave and Computing Environment | Confidentiality | Medium
  Information and DoD information systems that store, process, transmit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents, such as DoD Directive 5200.1-R.

ECMT-1  Conformance Monitoring and Testing
  Enclave and Computing Environment | Confidentiality | Medium
  Conformance testing is planned, scheduled, and conducted regularly to ensure the system’s IA capabilities continue to provide adequate assurance against evolving threats and vulnerabilities.

ECND-1  Network Device Controls
  Enclave and Computing Environment | Integrity | Medium
  A program exists for network device control and includes the following:
  - Instructions for re-start and recovery procedures
  - Restrictions on source code access
  - System utility access
  - System documentation
  - Protection from deletion of system and application files
  - Structured process for implementation of directed solutions (i.e., Information Assurance Vulnerability Alerts, or IAVAs).

ECNK-1  Encryption for Need-to-Know
  Enclave and Computing Environment | Confidentiality | Medium
  Information in transit that must be separated for need-to-know reasons is encrypted with NIST-certified cryptography.

ECPA-1  Privileged Account Control
  Enclave and Computing Environment | Integrity | Medium
  Information Assurance Manager (IAM) tracks privileged role assignments.

ECPC-1  Production Code Change Controls
  Enclave and Computing Environment | Integrity | Medium
  Ability to change production code and data is limited to privileged users, and access is periodically reviewed.


ECRC-1  Resource Control
  Enclave and Computing Environment | Confidentiality | Medium
  No residual data is available to any subject once the object has been released back to the system.

ECRG-1  Audit Reduction and Report Generation
  Enclave and Computing Environment | Integrity | Low
  Tools are available to allow the review and report generation of audit records.

ECRR-1  Audit Record Retention
  Enclave and Computing Environment | Integrity | Medium
  Audit records are retained for at least one year, unless the DoD information system contains sources and methods intelligence (SAMI), in which case records are retained for five years.

ECSC-1  Security Configuration Compliance
  Enclave and Computing Environment | Availability | High
  All DoD security configuration or implementation guides are applied to the enclave or information system application.

ECSD-1  Software Development Change Controls
  Enclave and Computing Environment | Integrity | Medium
  Software development change controls are in place to prevent unauthorized modifications.

ECTC-1  Tempest Controls
  Enclave and Computing Environment | Confidentiality | Medium
  Measures to protect against any compromising emanations are implemented according to DoD Directive S-5200.19.

ECTM-1  Transmission Integrity Controls
  Enclave and Computing Environment | Integrity | Medium
  Integrity checks are in place for COTS, GOTS, and custom-developed solutions.

ECTP-1  Audit Trail Protection
  Enclave and Computing Environment | Integrity | Medium
  Audit trails have file protection controls.

ECVI-1  Voice over IP (VOIP)
  Enclave and Computing Environment | Availability | Medium
  Unapproved personal use VOIP solutions are blocked in both directions at the enclave boundary.

ECVP-1  Virus Protection
  Enclave and Computing Environment | Availability | Medium
  Virus protection with the ability to receive automatic updates is in place on all servers, workstations, and mobile computing devices.




ECWM-1  Warning Message
  Enclave and Computing Environment | Confidentiality | Medium
  Appropriate privacy and security notices warn all users prior to entering a Government information system, and notify them that they are subject to monitoring, recording and auditing.

ECWN-1  Wireless Computing and Networking
  Enclave and Computing Environment | Availability | High
  Any wireless devices in use are operated according to DoD wireless policy and are not independently configured by end users. Unused wireless devices are disabled.

IAAC-1  Account Control
  Identification and Authentication | Confidentiality | Medium
  A comprehensive account management process is implemented and ensures only authorized users have access to workstations, applications, and networks.

IAGA-1  Group Identification and Authentication
  Identification and Authentication | Confidentiality | Medium
  Group authenticators for application or network access are used in conjunction with an individual authenticator. If the use of group authenticators is not based on the DoD PKI, they must be explicitly approved by the DAA.

IAIA-1  Individual Identification and Authentication
  Identification and Authentication | Confidentiality | High
  Individual identifiers are required for DoD information system access. Passwords meet the standards described in the STIGs.

IAKM-1  Key Management
  Identification and Authentication | Integrity | High
  Only approved key management technology and processes are used for symmetric keys. Asymmetric keys utilize DoD PKI Class 3 certificates or pre-placed keying material.

IATS-1  Token and Certificate Standards
  Identification and Authentication | Integrity | Medium
  DoD PKI Class 3 certificates and hardware security tokens are used for I&A.




PECF-1  Access to Computing Facilities
  Physical and Environmental | Confidentiality | Medium
  Only authorized personnel with a need-to-know are granted physical access to computing facilities that process sensitive or unclassified information that has not been cleared for release.

PECS-1  Clearing and Sanitizing
  Physical and Environmental | Confidentiality | High
  All documents, equipment, and machine-readable media containing sensitive data are cleared and sanitized according to DoD 5200.1 and ASD(C3I) Memorandum, dated June 4, 2001, subject: “Disposition of Unclassified DoD computer Hard Drives” before release.

PEDI-1  Data Interception
  Physical and Environmental | Confidentiality | Medium
  Devices that display or output sensitive information in human-readable form are positioned to deter unauthorized individuals from reading the information.

PEEL-1  Emergency Lighting
  Physical and Environmental | Availability | Medium
  Emergency exits at evacuation routes have automatic emergency lighting.

PEFD-1  Fire Detection
  Physical and Environmental | Availability | Low
  Smoke detectors are installed in the facility.

PEFI-1  Fire Inspection
  Physical and Environmental | Availability | Low
  Periodic fire marshal inspections take place, and deficiencies are promptly resolved.

PEFS-1  Fire Suppression System
  Physical and Environmental | Availability | Low
  Handheld fire extinguishers or fixed fire hoses are available.

PEHC-1  Humidity Controls
  Physical and Environmental | Availability | Low
  Humidity controls are installed and provide an alarm in case of fluctuations potentially harmful to personnel or equipment operation.

PEMS-1  Master Power Switch
  Physical and Environmental | Availability | Low
  Emergency cut-off switch to IT equipment is present, located near the main entrance of the IT area, labeled, and protected by a cover to prevent accidental shut-off.




PEPF-1  Physical Protection of Facilities
  Physical and Environmental | Confidentiality | Medium
  Physical access points to facilities that contain, process, or display sensitive or unclassified information that has not been cleared for release are controlled during working hours and guarded or locked during non-working hours.

PEPS-1  Physical Security Testing
  Physical and Environmental | Confidentiality | Low
  Periodic, unannounced attempts to penetrate key computing facilities occur as part of a facility penetration testing process.

PESL-1  Screen Lock
  Physical and Environmental | Integrity | Medium
  Screen locks on user workstations activate after a specified period of inactivity or when enabled explicitly by the user.

PESP-1  Workplace Security Procedures
  Physical and Environmental | Confidentiality | Medium
  Procedures are implemented to ensure the proper handling and storage of information.

PESS-1  Storage
  Physical and Environmental | Confidentiality | High
  Approved containers or facilities are used to store documents and equipment in accordance with DoD 5200.1-R.

PETC-1  Temperature
  Physical and Environmental | Availability | Low
  Temperature controls are
Physical and
Environmental               Controls           installed and provide an alarm
                                               when temperature fluctuations
                                               that are potentially harmful to
                                               personnel or equipment
                                               operation, are detected.
                 PETN-1     Environmental      Employees receive initial and          Availability        Low
Physical and
Environmental               Control            periodic training in the operation
                            Training           of environmental controls.
                 PEVC-1     Visitor Control    Current signed procedures exist        Confidentiality     Medium
Physical and
Environmental               to Computing       for controlling visitor access and
                            Facilities         maintaining a detailed log of all
                                               visitors to the computing
                                               facility.

                 PEVR-1     Voltage            Automatic voltage control is           Availability        Low
Physical and
Environmental               Regulators         implemented for key IT assets.
Personnel | PRAS-1 | Access to Information | DoD personnel security policies are followed when granting individuals access to sensitive information. | Confidentiality | Medium
Personnel | PRMP-1 | Maintenance Personnel | Only authorized personnel perform maintenance. The process for determining authorization is documented along with the list of authorized maintenance personnel. | Confidentiality | Medium
Personnel | PRNK-1 | Access to Need-to-Know Information | Only individuals with a valid need-to-know demonstrated by assigned official Government duties are granted access to sensitive information. These individuals must satisfy all personnel security criteria, with special protection measures or restricted distribution as established by the Data Owner. | Confidentiality | Medium
Personnel | PRRB-1 | Security Rules of Behavior or Acceptable Use Policy | Policy exists that describes the set of rules necessary for IA operations and clearly delineates IA responsibilities and expected behavior of all personnel. Consequences of non-compliance to the rules are also included. A signed acknowledgement of the rules is a condition of access. | Availability | Medium
Personnel | PRTN-1 | Information Assurance Training | A training program is implemented to ensure all personnel receive initial and periodic training to perform their assigned IA responsibilities. | Integrity | Medium
Vulnerability and Incident Management | VIIR-1 | Incident Response Planning | Incident Response Plan exists in accordance with DoD Instruction O-8530.2 and is exercised annually. | Availability | Medium
Vulnerability and Incident Management | VIVM-1 | Vulnerability Management | Process is in place for identification and mitigation of software and hardware vulnerabilities. | Availability | High

Table 8-1: DoD IA Controls for MAC III Systems and Applications Certification