DITSCAP appendix template

The SSAA is developed in Phase 1 and updated in each phase as system development progresses and new information becomes available. Optional appendixes may be added to meet specific needs. A Requirements Traceability Matrix (RTM) is used by project managers to manage user requirements for defining new systems. The RTM is used in a variety of ways throughout the systems development life cycle.

It is commonly part of the SSAA as an addendum. The manner in which these security protection features are considered with respect to the requirements is usually contained in the Security Test Plan and Procedures subset of the SSAA.

Figure: An RTM database tool.

For example, the database tool enables the certifier to compile security requirements derived from multiple sources e.

These tools are also a great help in establishing the relationship of interdependent standards to the system and its environment. Figure shows a page of the report output from the RTM database. An excellent example of a sample Traceability Matrix can be found at www.

Figure: RTM report example.

The goal of Phase 2 is to obtain a fully integrated system for certification testing and accreditation. Phase 2 occurs between the signing of the initial version of the SSAA and the formal accreditation of the system.

Phase 2 activities verify security requirements during system development or modification, by certification analysis and assessment of the certification results. As shown in Figure , Phase 2 process activities include:

At each stage of development or modification, details are added to the SSAA. Throughout Phase 2 the SSAA is reviewed and updated to include changes made during system development and the results of the certification analysis.

Any changes in the system that affect its security posture must be submitted to the DAA, certifier, program manager, and user representative for approval and inclusion in the revised SSAA. The specific activities will vary depending on the overall program strategy, the life cycle management process, and the position of the information system in the life cycle. The initial certification analysis determines whether the information system is ready to be evaluated and tested under Phase 3.

It verifies by analysis, investigation, and comparison methodologies that the IS design implements the SSAA requirements and that the IS components critical to security function properly. This verifies that the development, modification, and integration efforts will result in a higher probability of success for an accreditable IS before Phase 3 begins. When the Phase 2 initial certification analysis is completed, the system should have a documented security specification, comprehensive test procedures, and written assurance that all network and other interconnection requirements have been implemented.

At the conclusion of each development or integration milestone, the certification analysis results are reviewed for SSAA compliance. If the risk exceeds the maximum acceptable risk, the system must return to Phase 1 for reconsideration of the IS business functions, operating environment, and IS architecture.

During Phases 2, 3, and 4, these four key individuals return to Phase 1 negotiation and subsequent revision of the SSAA if the system is changed or any of the agreements delineated in the SSAA are modified. The specific subtasks relating to the certification tasks are:

At the end of the Certification Phase, and before proceeding to the Accreditation Phase, two important questions need to be answered. To what extent are the security controls in the information system implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system? What specific actions have been taken or are planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system?

Phase 1, Definition, is focused on understanding the IS business case, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. Answer a describes the objectives of Phase 2.

Answer b describes the objectives of Phase 3. Answer d describes the objectives of Phase 4. Initial Certification Analysis is a Phase 2 activity. The other three are the Phase 1 activities.

The template includes: a title page; a sample assignment page; and a references list in APA format. The Word document sample paper template may display incorrect margins. Please double check to ensure 1" margins on all sides.

Headings: If your instructor requires you to use APA style headings and sub-headings, this document will show you how they work.

Appendix: If you are adding an appendix to your paper there are a few rules to follow that comply with APA guidelines. The Appendix appears after the References list. If you have more than one appendix you would name the first appendix Appendix A, the second Appendix B, etc. The appendices should appear in the order that the information is mentioned in your essay. Each appendix begins on a new page.

These facilities must meet the eligibility criteria for a qualified facility and have no individual aboveground oil storage containers greater than 5, gallons.

Note: Some states do not allow self-certification. A list of State PE licensing board contacts is available.


