UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6197 APP2010 SV-6197r2_rule DCSD-1 Medium
Description
If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are not appointed in writing, there will be no way to ensure they understand the responsibilities of the position and the appointment criteria. The lack of a complete System Security Plan (SSP) could lead to ineffective secure operations and impede accreditation. A System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP) may be considered as sufficient proof of compliance as long as the documentation provides all of the information that is needed to meet the requirement.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-3061r1_chk )
The Program Manager will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria, such as training, security clearance, and IT designation. The IAO will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria such as training, security clearance, and IT designation.

Interview the application representative and validate that the required IA roles are established in writing. These roles are DAA and the IAM/IAO. This written notification must include assigned duties and appointment criteria such as training, security clearance, and IT-designation.

If a traditional review is conducted at the same time as the application review, this check is not applicable.

Also validate a SSP exists and describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).

1) If the SSP does not exist or is incomplete, it is a finding.

2) If the IA Roles and assigned duties and appointment criteria are not made in writing, it is a finding.

Ask site personnel which IAO or IAM for the systems/application is part of the application review.

3) If the IAO or IAM is unknown, or not assigned, this is a finding.
Fix Text (F-5232r1_fix)
Establish the required IA roles in writing. The directive must include assigned duties and appointment criteria such as training, security clearance, and IT-designation.
Prepare a SSP that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).