Okay, so the Common Criteria is the international answer to TCSEC. As I said, there was also an evaluation criteria out of Canada called the CTCPEC. All these different countries were kind of doing their own thing for evaluation. And then the International Organization for Standardization comes out with ISO 15408, the Common Criteria, and that's what's in use, at least currently, today. So there are several elements of the Common Criteria. We have a Protection Profile, a Target of Evaluation, a Security Target. There are also security packages and EAL ratings.

So ultimately, what happens with this is a customer has a need, right? So let's say I'm a government agency, and I realize that I need 1500 desktop computers for use in a particular environment, and I have a certain degree of security that needs to be on these systems. Okay, so I'm gonna write up those requirements in a document called the Protection Profile. The Protection Profile comes from the client.

All right, now, when I release a list of needs, vendors come out of the woodwork and say, "I can meet your needs," and what they do is vendors provide or design a system called the Target of Evaluation. So this is the actual system designed to meet the needs in the Protection Profile. Along with that, the vendor provides a document called the Security Target that details just exactly how their TOE meets the client's Protection Profile. They can also offer some additional security packages for different environments, kind of add-on features, if you will.

And then an auditor... basically, the system is sent off for evaluation and is assigned an EAL rating, an Evaluation Assurance Level rating, from 1 to 7. 7 is the best, meaning the testing has been to the highest degree, in a very stringent testing environment. That's the best rating, a seven.

What most companies and most systems are looking for is an EAL 4. Basically, that means that they've been methodically tested and designed and reviewed, so that we can get that reasonable assurance that it works. It costs a lot of money to get evaluated, and the higher the EAL rating you want, the more money and the more time it takes. So most government agencies just need the system to be evaluated at EAL 4.
So that's what most companies are looking for. Anything over that, there's no return on the cost.

Another system that can be used to evaluate an organization. Now, this isn't for systems specifically; this is a means of evaluating software development organizations, and this is the Capability Maturity Model Integration, the CMMI. And the CMMI is kind of based on the idea that if you show me a perfect process, you'll yield a very good product. Let's stay away from the word perfect, because we know perfection is very difficult to attain. So show me a strong process, you'll yield a strong product.

So what the CMMI does is it comes in and evaluates an organization's or division's project management maturity. The more mature your organization is in its approach to project management, then the idea is, the better the product it will produce. This comes to us from the folks at Carnegie Mellon, specifically the Software Engineering Institute, and they assign one of five levels to an organization in relation to their project management maturity. You might write down the phrase to remember these levels: "I really don't mind oranges." I really don't mind oranges, I R D M O, so Initial, Repeatable, Defined (I really don't), Managed, and Optimized. See, it'll help you remember. And with each level of increase, you get more assurance in the project management capabilities.

So nobody is shooting for a Level 1, right? Level 1 is kind of like the "thanks for coming in" sort of level. Basically, it's described as a chaotic environment that requires heroic efforts from staff to be successful. What that really means is you might produce a product on time and get it accepted by the customer, but your staff is working 18-hour days the last week before the product's due. I think we've probably all been in those environments.

Repeatable is a little better. We're getting into project management, because here we're really not managing a project, we're producing stuff, but when we get to Repeatable, we're starting to use project management terms. We have consideration for the triple constraint of time, scope and cost; we're tracking budget, we're tracking those elements, we have a schedule, those ideas. Where most organizations... again, usually organizations are not striving for the very utmost level. Most organizations are content with a Level 3, which is Defined. So we have well-defined processes put in place. We have consistency within our organization: whether you're managing a highway construction project and I'm managing a courseware development project, whatever that might be, we follow the same processes. So some of the activities, of course, will be different, but the documents that we use and the processes that we put in place from a project management perspective should be well defined throughout the organization.

Now, Managed and Optimized. This goes those next steps. You know, someone like NASA or divisions of Lockheed Martin or Boeing would go for Optimized, or perhaps even Managed. These are the best. Managed means we're really, really examining the process under the microscope, and we understand quantitatively how a change relates to the product. And then Level 5, Optimized. Sometimes you'll hear the word kaizen. It's a Japanese term, K-A-I-Z-E-N, that means continuous improvement. We can always make the process or the product or both better.

Okay, so that's CMMI.
Other certification and accreditation mechanisms: NIACAP, DIACAP, Risk Management Framework. If you work in the government, you're probably familiar with these. I would have a high-level understanding of them for the exam. So if we look at NIACAP, National Information Assurance Certification and Accreditation Process. When we talk about the term certification, we're looking to get a technical evaluation of the security components of a product in a particular environment. So this is the technical: does it provide the degree of security we want? And if that happens, then we would move to accreditation, which is management's acceptance of the product.

So NIACAP was to make sure that all national security systems meet certain standards for the C&A process. Now, I'll tell you the truth, these terms morph throughout the years. We'll talk about DIACAP; it used to be DITSCAP. Now everything's moving, supposedly, to RMF, and these things are becoming obscure, and that's all fine. But the bottom line is the concepts are the same. Build security into the component, design it to meet the needs, and make sure those needs include security as a requirement.

Now, with NIACAP, the primary document you're working with is called an SSAA, System Security Authorization Agreement. And this is a document that gets built and updated throughout the entire process. So this is where you define the requirements and you add to it the results of testing, you know, when we get to the penetration testing, vulnerability assessments. The main document here with NIACAP is the SSAA. So what you can see is there are four phases of NIACAP, where you define, verify, validate.

So Phase One, which is Definition. This is where we figure out our requirements, right? We determine the requirements, we document them, and we make sure that our requirements include security. And if the product isn't secure, then it doesn't work. Sometimes we talk about the formal functional baseline, and that formal functional baseline is all the requirements of what the product must do. The formal functional baseline must include security. No longer do we say, "Does it work? Is it secure?" The question is now, does it work securely, or does it not work at all? Where do we establish what that means? Here in Phase One, Definition. This is where the SSAA gets drafted.

Now we move to Phase Two, Verification. Verification and certification go very closely together. Verification: is the product correct? Did we meet the requirements? Does it do what it's supposed to do from a technical standpoint? And if it does, then ideally the product would become certified, right? This is the initial analysis for certification.

Then we move on to Validation, and validation is pretty closely akin to accreditation, because validation deals with: does it solve a real-world need? Do we want to implement it? So we talked about accreditation, that's management's acceptance of the product; that would be the ideal end to Phase Three, Validation. And then ultimately, after the product is accredited and out in the field, we go into operations and maintenance mode. So those are the four phases of NIACAP.

Now, as we move on to DIACAP, this is for the DoD systems for certification and accreditation.
We've got lots of documents used with DIACAP. The primary one really is the DIACAP Scorecard, where we rank this product, and we use a document called the Plan of Action and Milestones in order to indicate plans for improvement. You know, all right, we're gonna test this product; if it doesn't meet the goals, what are our plans of action in relation to that? So with DIACAP, we have five steps in the process.

So we start with the plan. Basically, we get the team together; we look at the very high-level implementation needs, the requirements. We move into the control phase, where we put the plan in place. We look at the certification and accreditation decisions, and that's based on vulnerability assessments and pen testing. We get the Authority to Operate, which means sign-off from an authorizing authority. And then ultimately the system's pulled out of use through decommissioning, and that has to, of course, be done securely as well. So same ideas.

Now, this is an example of a DIACAP Scorecard, where we would look at certain security mechanisms of a product, what the vulnerability is, and then any sort of plan of action. Okay. And I don't need you to know any of these elements that are part of the card, but you can see the fields that we have: you know, here's what we're doing, here is the control, here is the vulnerability, and then how we're gonna modify that. Plan of Action and Milestones, again, documentation to go with DIACAP, and again it will provide corrective actions.

What's replacing DIACAP, and ideally is gonna become sort of the new standard, is the Risk Management Framework, and there are rumors that there'll be Risk Management Framework, DIACAP, and all these different flavors.
But I think this is a very good idea, because all security is risk management. So NIST outlines the processes of the Risk Management Framework. Some documents, really the main document that's part of this, is called the System Security Plan. We start that and then we document; it's almost like the Scorecard or the documents with NIACAP as well.

So we have the steps, the security life cycle as documented through NIST: you categorize the system, figure out what security controls are appropriate, you implement the controls, you test the controls, the system gets authorized, and then monitored. For those of you that have done anything with quality planning, if you've ever studied the Plan-Do-Check-Act model, you'll see we're really going through Plan, Do, Check, Act, Plan, Do, Check, Act. And that's such an important idea, because we're never done with the system. Because it's secure today doesn't mean it'll be secure tomorrow, and that's the Risk Management Framework.

This is all at a very high level for a purpose. This exam is just an overview of some of these ideas. You do not need to go into any more depth, but just understand the flow of RMF.