| 1. The project management shall develop a conformance testing plan that includes the following information: |
· Type of conformance testing (e.g., vulnerability assessment, security test and evaluation [ST&E], internal and/or external penetration testing)
· Schedule of the testing either periodic (e.g., quarterly) or unannounced
· Resources required to perform individual testing
· Tools to be used for conformance testing (e.g., Internet Security Systems (ISS) Vulnerability Scanner, FSO Gold Disk, nmap, nessus, Retina)
· Current Information Assurance Vulnerability Alerts (IAVA), IAV Bulletins (IAVB), and IAV Technical Advisories (IAV-TA)
· Other vulnerability and patch information from vendors, Common Vulnerabilities& Exposures (CVE), etc.
2. The project management shall determine if the conformance testing will be performed using in-house resources or outsourced.
3. The project management shall establish a conformance test team (e.g., Test Engineer, Test Reviewer) with an adequate degree of independent review and validation.
4. The project management shall review and approve the Rules of Engagement developed by the test team.
5. The project management shall coordinate with personnel involved in the conformance testing for all activities associated with the periodic or unannounced conformance testing.
6. For penetration testing, the project management shall ensure to establish a “White Cell” to coordinate the penetration testing.
7. The test team shall install required testing resources on the workstations/laptops to be used for the testing and configure them properly.
8. The test teams shall perform the testing based on the approved rules (e.g., ST&E Plan, Rules of Engagement) and document the test results.
9. The project management shall review the results of the conformance testing and countermeasures to mitigate the identified potential risks.
10. The project management shall develop a Plan of Actions and Milestones (POAM).
11. The project management shall implement the recommended countermeasures based on the POAM to ensure that the system’s IA capabilities provide adequate assurance against constantly evolving threats and vulnerabilities.
12. The project management shall protect the Conformance Testing Reports at the level of information contained in the reports (e.g., Classified, For Official Use Only).