Block 1 Day 3
Change Management - Ensures continuity of operations as changes ae validated, approved, and implemented on AF networks
Work Order Management - Software that allows facilities managers to track/manage all work order information through a single dashboard….includes creating work orders, updating requests, and tracking work completion.
Incident and Change Requests - An incident is an unplanned interruptions
Remedy - Customer relationship tool which can be used to log/monitor the issues or problems faced by customers
Information Assurance Officer (IAO) Express - Developed to help address the most common requests made to the ESD. Through a web-based portal, CSL/CSS from every Air Force location can access IAO Express to submit
Assessment and Authorization Tools
Xacta - Helps meet the complex challenges of managing IT risk with continuous compliance monitoring, security assessment, and ongoing authorization.
Xacta enables you to:
• Establish a centralized cyber risk management platform for enterprise security intelligence.
• Streamline assessment and authorization (A&A) processes.
• Collect extensive IT asset inventory data.
• Inherit controls from IT systems on-premises, in the cloud, and hybrid.
• Dynamically map IT assets, vulnerabilities, and controls sets
• Detect, identify, and remediate threats to system security.
• Generate the reports and documentation needed for regulatory compliance.
So you can:
• Get IT systems to compliance faster.
• Conduct OS configurations, patch-level analysis, and other tests faster.
• Reduce time to research new vulnerabilities and generate regulatory documentation of your IT security procedures.
Enterprise Mission Assurance Support Service (eMASS) - eMASS is the automated Cyber Security Management tool designed to develop, collect and manage DoD Information Technology.
The eMASS automates the step-by-step activities for performing the DoD RMF process.
Upload and store all documentation and artifacts developed or required to support the assessment and authorization of an IS or PIT system.
eMASS produces the security authorization package and a variety of other reports to assist in managing IS or PIT systems.
Access to the eMASS is based on each user’s role in their associated registered system.
RMF Knowledge Service (KS) - Provides guidance and tools for implementing and executing the RMF.
• Is the authoritative source for RMF guidance and the repository for DoD RMF policy.
• Is available to all individuals with IT risk management responsibilities.
• Provides convenient access to security controls baselines, overlays, individual security controls and security control implementation guidance and assessment procedures.
• The KS hosts a library of tools, diagrams, process maps, documents, etc., to support and aid in the execution of the RMF. It is also a collaboration workspace for the RMF user community to develop, share, and post lessons learned, best practices, cybersecurity news and events, and other cybersecurity-related information resources.
Information Technology Investment Portfolio Suite (ITIPS) - ITIPS is designed to support the IT Budget submission requirements of the Air Force.
ITIPS is an automated project portfolio management tool.
ITIPS manages IT investments and provides decision support for IT Managers, Portfolio Managers, Program Managers and other applicable stakeholders.
Security Technical Implementation Guides (STIGs) - Developed by DISA to protect against cyberattacks and minimize the risk of exposure. are a compilation of DoD policies, security regulations and best practices for Securing an IA or IA-Enabled Device (operating system, network, application software, etc.).
The goals of STIGs are intrusion avoidance, intrusion detection, response and recovery, and security
implementation guidance.STIGs are available to cover areas of networks/perimeters, operating systems, applications, cross-domain solutions, and users.
Vulnerability Management Tools
Assured Compliance Assessment Solution (ACAS) - automatically identifies configuration
vulnerabilities threatening the security of the DoD's computer. The tool includes a scanning device, report generator, and hierarchical reporting capability to the Vulnerability Management System (VMS).
ACAS provides automated:
• Network vulnerability scanning
• Configuration assessment
• Application vulnerability scanning
• Device configuration assessment
• Network discovery
Vulnerability Management System (VMS) - A DoD information system used to record, track and disseminate critical vulnerability information throughout the DoD Enterprise network.
Security Content Automation Protocol (SCAP) - Method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance.
The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
The Security Content Automation Protocol (SCAP), pronounced "ess-cap", comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security.
Applications within SCAP conduct security monitoring using standards to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact.
Risk Management Framework (RMF) - Disciplined and structured process to perform AF IT security and risk management activities and to integrate those activities into the system development life cycle.
Changes the traditional focus of Certification and Accreditation (C&A) as a static, procedural activity to a more dynamic approach.
Incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation.
Encompasses life cycle risk management to determine and manage the residual cybersecurity risk created by vulnerabilities and threats associated with objectives in military, intelligence, and business operations.
DoD IT Types
Must complete RMF process before use
IT Products (Hardware, Software, Applications)
Will be configured in accordance with applicable STIGs under a cognizant ISSM and security control assessor SCA
IT Services (Software support, Cloud computing, Data storage, etc.).
Are outside the service user organization’s authorization boundary, and the service user’s organization has no direct control over the application or assessment of required security controls
DoD organizations that use IT services are typically not responsible for authorizing them (i.e., issue an authorization decision).
Internal IT services are delivered by DoD ISsDoD organizations that use external IT services provided by a non-DoD federal government agency must ensure the categorization of the IS delivering the service is appropriate.
DoD organizations that use external IT services provided by a commercial or other non-federal government entity must ensure the security protections of the IS delivering the service is appropriate
DoD organizations will assess the adequacy of security proposed by potential service providers, and
1. Accept the proposed approach
2. Negotiate changes to the approach to meet DoD needs, or
3. Reject the offer.
The accepted security approach must be documented in the resulting contract or order.
Platform Information Technology (Special purpose systems, Aircraft, Ships, even Airman in the field)
The specific cybersecurity needs of PIT must be assessed on a case-by-case basis and security controls applied as appropriate.
Air Force IT Category
Includes but is not limited to: information systems (IS) (major applications and enclaves), platform information technology (PIT), IT services (Internal & External), and IT products (software, hardware, and applications).
Security Objectives
The Federal Information System Modernization Act (FISMA) defines three security objectives for information and information systems:
Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”
Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”
Availability
“Ensuring timely and reliable access to and use of information…”Potential Impact on Orgs/Individuals
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
Low, Moderate, High.
Roles and Responsibilities
Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIOA6) - Appoint the Chief Information Security Officer (CISO).
Secretary of the Air Force for Acquisition (SAF/AQ) - Acquires all AF electronic systems through organic programs within the AF, commercial-off-the- shelf (COTS) systems, or non-developmental item (NDI) programs.
Deputy Chief of Staff, Intelligence, Surveillance, and Reconnaissance (AF/A2) - Maintains visibility of the cybersecurity posture of AF SCI and the DoD portion of the Intelligence Mission Area.
Chief Information Security Officer (CISO), SAF/CIO A6Z - Will develop, implement, maintain, and enforce the AF Cybersecurity Program and the RMF process, roles, and responsibilities.
Authorizing Official (AO) - Only person with authority to grant authorization decisions within their area of responsibility.
Air Force Enterprise Authorizing Official (AF Enterprise AO) - The AF Enterprise AO is the only authority permitted to grant an Approval to Connect (ATC) to the Air Force Information Networks (AFIN).
AO Designated Representative (AODR)- Perform responsibilities as assigned by the AO.
• The AODR may perform any and all duties of an AO except for accepting risk by issuing an authorization decision.
Security Control Assessor (SCA) - Periodically assess security controls employed within and inherited by the IT IAW the Information Security Continuous Monitoring strategy.
Security Controls Assessor Representative (SCAR) - This position may be an organic or contracted resource. The SCAR works with the PM, ISSM, ISSO, and RMF team to assess security controls for the SCA.
Agent of the Security Controls Assessor (ASCA) - The ASCA is a licensed 3rd-party agent assisting in assessment activities and provides an independent report for the SCA. Cannot make decisions on behalf of the government but can only provide advice and guidance.
Information System Owners (ISO)- Official responsible for the overall procurement, development, integration, modification, and operation and maintenance of AF IT.
Program Manager (PM) - Identify, implement, and ensure full integration of cybersecurity into all phases of the acquisition, upgrade, or modification programs, including initial design, development, testing, fielding, operation, and sustainment.
Communications Squadron Commander (CS/CC) - Serves as the PM or ISO for the base enclave.
Information System Security Manager (ISSM) - The ISSM is the primary cybersecurity technical advisor to the AO, PM, and ISO.
For base enclaves, the ISSM manages the installation cybersecurity program, typically as a function of the Wing Cybersecurity Office.
May also serve as the system ISSM for the enclave and reports to the CS/CC as the PM for the base enclave.
Information System Security Officer (ISSO) - The ISSO is responsible for ensuring the appropriate operational security posture is maintained for assigned IT.
ISSOs will:
• Ensure all users have the requisite security clearances and need-to-know, complete annual cybersecurity training, and are aware of their responsibilities before being granted access to the IT according to AFMAN 17-1301.
• Maintain all authorized user access control documentation IAW the applicable AF Records Information Management System (AFRIMS).
• Ensure software, hardware, and firmware complies with appropriate security configuration guidelines (e.g., Security Technical Implementation Guides (STIGs)/Security Requirement Guides (SRG)).
Information Systems Security Engineer (ISSE) - an individual, group, or organization responsible for conducting information system security engineering activities.
Information Owner (IO)/Steward - An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, classification, collection, processing, dissemination, and disposal.
MAJCOM Cybersecurity Office or Function - Develop, implement, oversee, and maintain a MAJCOM cybersecurity program that adheres to cybersecurity architecture, requirements, objectives, policies, processes, and procedures.
User Representative (UR) - Represents operational and functional requirements of the user community for a particular system during the RMF process.
RMF System Development Lifecycle
Each agency should have a documented and repeatable SDLC policy and guideline that
Change Management - Ensures continuity of operations as changes ae validated, approved, and implemented on AF networks
Work Order Management - Software that allows facilities managers to track/manage all work order information through a single dashboard….includes creating work orders, updating requests, and tracking work completion.
Incident and Change Requests - An incident is an unplanned interruptions
Remedy - Customer relationship tool which can be used to log/monitor the issues or problems faced by customers
Information Assurance Officer (IAO) Express - Developed to help address the most common requests made to the ESD. Through a web-based portal, CSL/CSS from every Air Force location can access IAO Express to submit
Assessment and Authorization Tools
Xacta - Helps meet the complex challenges of managing IT risk with continuous compliance monitoring, security assessment, and ongoing authorization.
Xacta enables you to:
• Establish a centralized cyber risk management platform for enterprise security intelligence.
• Streamline assessment and authorization (A&A) processes.
• Collect extensive IT asset inventory data.
• Inherit controls from IT systems on-premises, in the cloud, and hybrid.
• Dynamically map IT assets, vulnerabilities, and controls sets
• Detect, identify, and remediate threats to system security.
• Generate the reports and documentation needed for regulatory compliance.
So you can:
• Get IT systems to compliance faster.
• Conduct OS configurations, patch-level analysis, and other tests faster.
• Reduce time to research new vulnerabilities and generate regulatory documentation of your IT security procedures.
Enterprise Mission Assurance Support Service (eMASS) - eMASS is the automated Cyber Security Management tool designed to develop, collect and manage DoD Information Technology.
The eMASS automates the step-by-step activities for performing the DoD RMF process.
Upload and store all documentation and artifacts developed or required to support the assessment and authorization of an IS or PIT system.
eMASS produces the security authorization package and a variety of other reports to assist in managing IS or PIT systems.
Access to the eMASS is based on each user’s role in their associated registered system.
RMF Knowledge Service (KS) - Provides guidance and tools for implementing and executing the RMF.
• Is the authoritative source for RMF guidance and the repository for DoD RMF policy.
• Is available to all individuals with IT risk management responsibilities.
• Provides convenient access to security controls baselines, overlays, individual security controls and security control implementation guidance and assessment procedures.
• The KS hosts a library of tools, diagrams, process maps, documents, etc., to support and aid in the execution of the RMF. It is also a collaboration workspace for the RMF user community to develop, share, and post lessons learned, best practices, cybersecurity news and events, and other cybersecurity-related information resources.
Information Technology Investment Portfolio Suite (ITIPS) - ITIPS is designed to support the IT Budget submission requirements of the Air Force.
ITIPS is an automated project portfolio management tool.
ITIPS manages IT investments and provides decision support for IT Managers, Portfolio Managers, Program Managers and other applicable stakeholders.
Security Technical Implementation Guides (STIGs) - Developed by DISA to protect against cyberattacks and minimize the risk of exposure. are a compilation of DoD policies, security regulations and best practices for Securing an IA or IA-Enabled Device (operating system, network, application software, etc.).
The goals of STIGs are intrusion avoidance, intrusion detection, response and recovery, and security
implementation guidance.STIGs are available to cover areas of networks/perimeters, operating systems, applications, cross-domain solutions, and users.
Vulnerability Management Tools
Assured Compliance Assessment Solution (ACAS) - automatically identifies configuration
vulnerabilities threatening the security of the DoD's computer. The tool includes a scanning device, report generator, and hierarchical reporting capability to the Vulnerability Management System (VMS).
ACAS provides automated:
• Network vulnerability scanning
• Configuration assessment
• Application vulnerability scanning
• Device configuration assessment
• Network discovery
Vulnerability Management System (VMS) - A DoD information system used to record, track and disseminate critical vulnerability information throughout the DoD Enterprise network.
Security Content Automation Protocol (SCAP) - Method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance.
The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
The Security Content Automation Protocol (SCAP), pronounced "ess-cap", comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security.
Applications within SCAP conduct security monitoring using standards to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact.
Risk Management Framework (RMF) - Disciplined and structured process to perform AF IT security and risk management activities and to integrate those activities into the system development life cycle.
Changes the traditional focus of Certification and Accreditation (C&A) as a static, procedural activity to a more dynamic approach.
Incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation.
Encompasses life cycle risk management to determine and manage the residual cybersecurity risk created by vulnerabilities and threats associated with objectives in military, intelligence, and business operations.
DoD IT Types
Must complete RMF process before use
IT Products (Hardware, Software, Applications)
Will be configured in accordance with applicable STIGs under a cognizant ISSM and security control assessor SCA
IT Services (Software support, Cloud computing, Data storage, etc.).
Are outside the service user organization’s authorization boundary, and the service user’s organization has no direct control over the application or assessment of required security controls
DoD organizations that use IT services are typically not responsible for authorizing them (i.e., issue an authorization decision).
Internal IT services are delivered by DoD ISsDoD organizations that use external IT services provided by a non-DoD federal government agency must ensure the categorization of the IS delivering the service is appropriate.
DoD organizations that use external IT services provided by a commercial or other non-federal government entity must ensure the security protections of the IS delivering the service is appropriate
DoD organizations will assess the adequacy of security proposed by potential service providers, and
1. Accept the proposed approach
2. Negotiate changes to the approach to meet DoD needs, or
3. Reject the offer.
The accepted security approach must be documented in the resulting contract or order.
Platform Information Technology (Special purpose systems, Aircraft, Ships, even Airman in the field)
The specific cybersecurity needs of PIT must be assessed on a case-by-case basis and security controls applied as appropriate.
Air Force IT Category
Includes but is not limited to: information systems (IS) (major applications and enclaves), platform information technology (PIT), IT services (Internal & External), and IT products (software, hardware, and applications).
Security Objectives
The Federal Information System Modernization Act (FISMA) defines three security objectives for information and information systems:
Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”
Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”
Availability
“Ensuring timely and reliable access to and use of information…”Potential Impact on Orgs/Individuals
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
Low, Moderate, High.
Roles and Responsibilities
Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIOA6) - Appoint the Chief Information Security Officer (CISO).
Secretary of the Air Force for Acquisition (SAF/AQ) - Acquires all AF electronic systems through organic programs within the AF, commercial-off-the- shelf (COTS) systems, or non-developmental item (NDI) programs.
Deputy Chief of Staff, Intelligence, Surveillance, and Reconnaissance (AF/A2) - Maintains visibility of the cybersecurity posture of AF SCI and the DoD portion of the Intelligence Mission Area.
Chief Information Security Officer (CISO), SAF/CIO A6Z - Will develop, implement, maintain, and enforce the AF Cybersecurity Program and the RMF process, roles, and responsibilities.
Authorizing Official (AO) - Only person with authority to grant authorization decisions within their area of responsibility.
Air Force Enterprise Authorizing Official (AF Enterprise AO) - The AF Enterprise AO is the only authority permitted to grant an Approval to Connect (ATC) to the Air Force Information Networks (AFIN).
AO Designated Representative (AODR)- Perform responsibilities as assigned by the AO.
• The AODR may perform any and all duties of an AO except for accepting risk by issuing an authorization decision.
Security Control Assessor (SCA) - Periodically assess security controls employed within and inherited by the IT IAW the Information Security Continuous Monitoring strategy.
Security Controls Assessor Representative (SCAR) - This position may be an organic or contracted resource. The SCAR works with the PM, ISSM, ISSO, and RMF team to assess security controls for the SCA.
Agent of the Security Controls Assessor (ASCA) - The ASCA is a licensed 3rd-party agent assisting in assessment activities and provides an independent report for the SCA. Cannot make decisions on behalf of the government but can only provide advice and guidance.
Information System Owners (ISO)- Official responsible for the overall procurement, development, integration, modification, and operation and maintenance of AF IT.
Program Manager (PM) - Identify, implement, and ensure full integration of cybersecurity into all phases of the acquisition, upgrade, or modification programs, including initial design, development, testing, fielding, operation, and sustainment.
Communications Squadron Commander (CS/CC) - Serves as the PM or ISO for the base enclave.
Information System Security Manager (ISSM) - The ISSM is the primary cybersecurity technical advisor to the AO, PM, and ISO.
For base enclaves, the ISSM manages the installation cybersecurity program, typically as a function of the Wing Cybersecurity Office.
May also serve as the system ISSM for the enclave and reports to the CS/CC as the PM for the base enclave.
Information System Security Officer (ISSO) - The ISSO is responsible for ensuring the appropriate operational security posture is maintained for assigned IT.
ISSOs will:
• Ensure all users have the requisite security clearances and need-to-know, complete annual cybersecurity training, and are aware of their responsibilities before being granted access to the IT according to AFMAN 17-1301.
• Maintain all authorized user access control documentation IAW the applicable AF Records Information Management System (AFRIMS).
• Ensure software, hardware, and firmware complies with appropriate security configuration guidelines (e.g., Security Technical Implementation Guides (STIGs)/Security Requirement Guides (SRG)).
Information Systems Security Engineer (ISSE) - an individual, group, or organization responsible for conducting information system security engineering activities.
Information Owner (IO)/Steward - An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, classification, collection, processing, dissemination, and disposal.
MAJCOM Cybersecurity Office or Function - Develop, implement, oversee, and maintain a MAJCOM cybersecurity program that adheres to cybersecurity architecture, requirements, objectives, policies, processes, and procedures.
User Representative (UR) - Represents operational and functional requirements of the user community for a particular system during the RMF process.
RMF System Development Lifecycle
Each agency should have a documented and repeatable SDLC policy and guideline that
