
Block 1 Day 2

Identity, Credential and Access Management (ICAM)

Enable the right individual to access the right resource at the right time for the right reason.

Tools, policies, and systems that allow an org to manage, monitor, and secure access to protected resources.

Authentication is proving you are who you claim to be; authorization determines what access you get on the network.

Identity Life Cycle

Credential Life Cycle

Access

Access Management is the set of practices and services for ensuring only those with proper permissions can interact with a given resource.

Access Control policies at all levels govern requirements for access.

Authentication verifies that a claimed identity is genuine based on valid credentials.

Authorization is the decision to grant or deny access to a resource based on policy.

Validating Identity

Three Authentication Factors

Something you know (e.g., password, PIN)

Something you have (e.g., ID badge)

Something you are (e.g., fingerprint)

Access Decision

Access control policies define who/what may act upon a resource.

The authorization service validates identity attributes to ensure the claimant is allowed to access a resource.

COMPUSEC: includes all measures to safeguard ISs and information against sabotage, tampering, denial of service, espionage, fraud, misappropriation, misuse, or release to unauthorized persons.

Requires adequate training and proper application of cybersecurity/IA resources.

End Point Security

General Protection

Authorized users should protect networked/standalone ISs against tampering, theft, and loss.

Identify and authenticate users before they gain access to any government IS.

ISSM/ISSO provide protection from threats by ensuring proper configuration of technical security mechanisms.

Protect devices at the applicable security classification of the information stored in the device.

Protect display devices to prevent inadvertent viewing of classified and controlled or sensitive information by unauthorized users (e.g., away from windows, doorways, public areas).

Control viewing of US-Only ISs and equipment by Foreign Nationals (FN)/Local Nationals (LN) IAW CJCSI 6510.01.

Ensure the transmission of sensitive/classified information is encrypted.

Ensure ISs meet TEMPEST requirements where classified is processed.

Appropriately mark and label IT devices with the highest level of classification.

Monitors, projectors, and televisions are required to be either physically marked or technically configured to display the classification banner.

Mark and label all KVM switches (regardless of classification environment) to identify the switch position and the associated classification of the connected systems IAW the DISA Keyboard, Video, Mouse Switch Security STIG.

Contact the org security manager for devices involved in data spillage/security incidents.

Software Security

The ISSM ensures all software is included in the IS security authorization package.

Prohibit use of trial/demo software due to its unreliability and potential source-code flaws.

Malicious Logic Protection

Protect ISs from malicious logic attacks by applying a mix of human and technological preventative measures.

Implement antivirus software with current signature files.

Use only security patches and antivirus tools/signature files/data files obtained from the Defense Asset Distribution Systems (DADS) hosted at the DoD Patch Repository.

Configure virus scanning frequency and real-time protection IAW the applicable DISA STIG.

Report malicious logic intrusions or any other deviation and misconfiguration.

Data Spillage/Classified Message Incidents (CMIs)

Data spillage incidents occur when a higher classification level of data is placed on a lower classification level system/device.

The individual discovering the incident initiates security incident procedures.

COMPUSEC Assessments

Assist with implementing and maintaining a cybersecurity program.

A “find and fix” program review that augments the Air Force Inspection System (AFIS) and strengthens the AF cybersecurity program.

Assessment Process

WCO will perform annual assessments of all units utilizing IT under the control of the base communications unit, including IT of tenant units.

For Joint bases, the AF is responsible for all AF-owned IT and infrastructure.

Annual period is defined as the 12-month timeframe since either the last WCO Assessment or Major Command (MAJCOM) Inspector General (IG) Inspection.

Assessments consist of an interview and site visit with the applicable ISSO/ISSM/Commander Support Staff (CSS).

The WCO reviews responses annotated on the COMPUSEC MICT SAC.

WCO may assess org compliance with any COMPUSEC criteria.

Sample assessment items may be found on the IACE.

For GSUs, remote interviews (i.e., over the phone) are acceptable in lieu of a site visit when travel costs are a concern.

In-brief, out-brief, and other formalization of assessment processes are at the discretion of the WCO and the assessed unit.

Assessments are not graded, but should instead give org CCs an accurate indication of their COMPUSEC posture by itemizing deficient COMPUSEC items and summarizing additional observations, recommendations, and best practices.

Reports

COMPUSEC Assessment Reports provide a narrative description of the deficiencies and significant trends identified during the annual COMPUSEC Assessment.

Consists of detailed unit reports, follow-up reports, and annual executive summaries.
