Case Study – US Government
A US federal agency initiated a project to systematically automate the Certification and Accreditation (C&A) of secure IT systems, and incorporate various “best practices” from national and international C&A standards, including ISO/IEC 15408 Common Criteria methodology. Many of the design features of this custom solution have been used in Formark's Process-Driven Collaboration application.
Current C&A Process
The existing C&A process often requires the manual assembly of security plans with more than 800 pages of information – a feat that can take months to complete. After many more months of testing, a final system security document could be more than 1,500 pages long, and the entire C&A cycle may take 12-18 months from start to finish. It is not uncommon for systems to become effectively obsolete before they can be certified. The cost of this effort and the elapsed time required impact the ability to deploy needed systems. IT systems must also be re-certified every three years, which currently means just starting over again. The individual steps in the C&A process are simple – the complexity is in the sheer number of combinations that can exist among the security requirements, the hardware and software configurations, the tests to be performed and the tester skill sets.
Collaborative C&A
The Collaborative C&A solution protects users from the complexity by providing a gated workflow that leads security officers through each step in the process – information gathering, generation of the system security plan, tracking of the test results and the creation of the final version of the plan.
Agency Benefits
Although still at the early stages of deployment, the immediate productivity improvements and associated cost savings appear to be staggering – in side-by-side comparisons the Collaborative C&A solution required less than 10% of the time currently required. The savings may be even higher when the systems need to be re-certified, as the process can start with the configuration data already in place. A key strategic benefit is that over time the database will contain configuration data for all systems within a facility or across the agency, which will allow security officers to instantly determine which systems are affected by newly discovered threats or vulnerabilities and respond much faster than they can today.