The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6197	APP2010	SV-6197r2_rule	DCSD-1	Medium

Description
If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are not appointed in writing, there will be no way to ensure they understand the responsibilities of the position and the appointment criteria. The lack of a complete System Security Plan (SSP) could lead to ineffective secure operations and impede accreditation. A System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP) may be considered as sufficient proof of compliance as long as the documentation provides all of the information that is needed to meet the requirement.

Description

If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are not appointed in writing, there will be no way to ensure they understand the responsibilities of the position and the appointment criteria. The lack of a complete System Security Plan (SSP) could lead to ineffective secure operations and impede accreditation. A System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP) may be considered as sufficient proof of compliance as long as the documentation provides all of the information that is needed to meet the requirement.

STIG	Date
Application Security and Development Checklist	2014-01-07

Details

Check Text ( C-3061r1_chk )
The Program Manager will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria, such as training, security clearance, and IT designation. The IAO will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria such as training, security clearance, and IT designation. Interview the application representative and validate that the required IA roles are established in writing. These roles are DAA and the IAM/IAO. This written notification must include assigned duties and appointment criteria such as training, security clearance, and IT-designation. If a traditional review is conducted at the same time as the application review, this check is not applicable. Also validate a SSP exists and describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response). 1) If the SSP does not exist or is incomplete, it is a finding. 2) If the IA Roles and assigned duties and appointment criteria are not made in writing, it is a finding. Ask site personnel which IAO or IAM for the systems/application is part of the application review. 3) If the IAO or IAM is unknown, or not assigned, this is a finding.

Check Text ( C-3061r1_chk )

The Program Manager will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria, such as training, security clearance, and IT designation. The IAO will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria such as training, security clearance, and IT designation.

Interview the application representative and validate that the required IA roles are established in writing. These roles are DAA and the IAM/IAO. This written notification must include assigned duties and appointment criteria such as training, security clearance, and IT-designation.

If a traditional review is conducted at the same time as the application review, this check is not applicable.

Also validate a SSP exists and describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).

1) If the SSP does not exist or is incomplete, it is a finding.

2) If the IA Roles and assigned duties and appointment criteria are not made in writing, it is a finding.

Ask site personnel which IAO or IAM for the systems/application is part of the application review.

3) If the IAO or IAM is unknown, or not assigned, this is a finding.

Fix Text (F-5232r1_fix)
Establish the required IA roles in writing. The directive must include assigned duties and appointment criteria such as training, security clearance, and IT-designation. Prepare a SSP that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).

Fix Text (F-5232r1_fix)

Establish the required IA roles in writing. The directive must include assigned duties and appointment criteria such as training, security clearance, and IT-designation.
Prepare a SSP that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).