Page 1 A Guide to the Procurement of Trusted Systems: An ... - csirt

More documents

Recommendations

Info

the source language, although the function performed will be correctly done. Linkers (sometimes called "Linkage Editors") can also be a security concern, since access to unintended data areas can Occur through "external reference" directives. Finally, some languages incorporate what is known as "run-time packages," chiefly to perform input-output operations. Run-time packages must be included within the security-relevant boundary, especially at the higher TCB divisions/classes. 3.3.2 THE PROCESS Figure 3-2 illustrates the software development process in terms of documentation required. Different terms are used for some of the design documents, but the document requirements are similar, if not identical. For example, the terms Functional Description, "A" Specification, and System Specification, are usually used interchangeably. Note that the process is iterative, and flows from very general top-level policy and capabilities requirements statements, down to very precise implementation details. Security Policy * Security Policy Model * Functional Description ("A" Specifications Descriptive Top Level Specification (DTLS) Formal Top Level Specification (FTLS, A1 only)) * System/Subsystem Specifications ("B" Specification) * Unit Specifications ("C" Specification) Figure 3-2 Security Protection in the Software Development Process 3.3.3 MANAGING SOFTWARE DEVELOPMENT As noted above, the key to success with software is structure and discipline. Some of the specific success factors follow: 3.3.3.1 DESIGN DOCUMENTATION Documentation must start from the initial statement of requirements and continue through to the details of implementing, operating, and maintaining the system. The root is in the initial statement of requirements. 3.3.3.1.1 SECURITY POLICY An explicit statement of the security policy should be enforced by the AS. The policy should be documented in the specification (requirements) section of the RFP, and should clearly state the security enforcement rules by which the system will operate. 3.3.3.1.2 MODEL Page 42
Each TCB division/class requires a vendor or manufacturer (i.e., contractor) to provide a description of the security protection philosophy and how that philosophy is translated into the TCB. TCB Class B1 requires development of an informal or formal description of the security policy to be enforced by the TCB. TCB Class B2 and above require formal models of the security policy. As might be expected, these models (both informal and formal) require special expertise to develop and evaluate, since they will be written in special mathematical notation (e.g., algebraic specification or set theory). It should be ensured that the expertise needed to review and evaluate the contractor's submissions is available, either internally or from the NSA. 3.3.3.1.3 DESCRIPTIVE TOP-LEVEL SPECIFICATION The DTLS is equivalent to a Security Features Functional Description. This specification describes the security protection capabilities required by the AIS, and is required for TCB Classes B2, B3, and A1. Although written in English prose, this document will contain a good deal of technical language. The DTLS should address both hardware and software capabilities. 3.3.3.1.4 FORMAL TOP-LEVEL SPECIFICATION This document is required for TCB Class A1 only. It is written in a formal mathematical language to ensure that the design is consistent with the model of the security policy being enforced. The FTLS also addresses both hardware and software protection. This specification is accompanied by a separate formal verification of the specification. This verification proves that the design corresponds completely and accurately to the formal security policy model. Special expertise is also required to review and evaluate this document. 3.3.3.1.5 SYSTEM/SUBSYSTEM SPECIFICATION ("B" SPECIFICATION) AND UNIT SPECIFICATION ("C" SPECIFICATION) The design documentation, from this level down, begins to describe, in everincreasing detail, the "how-to" of the TCB build process. At this level of detail, care must be taken when reviewing the contractor's design approach. Concern should focus on thoroughness and completeness, not "how to." If the required capabilities, functions, and features are present, the contractor should have some freedom of choice. The contractor must also comply with the contract-specified standards and specifications. If a question arises as to what the document is saying, the program manager should ask for an informal briefing or chalk-board session. 3.3.3.2 PROGRAMMING Programming, or writing computer programs, is the "build" of the development process. The contractor should not begin to program until after approval of the specifications. This restriction will avoid restarts and changes as the acquisition progresses. 3.3.3.3 TESTING Both the contractor and the Government are heavily involved in testing. The Page 43
Page 1 and 2: A Guide to the Procurement of Trust
Page 3 and 4: 2.5.1.6 OBLIGATION AUTHORITIES 2.5.
Page 5 and 6: SPECIFICATION) 3.3.3.2 PROGRAMMING
Page 7 and 8: 5.3.2 OPERATIONAL TEST AND EVALUATI
Page 9 and 10: 7.4.1.1 LOW COST 7.4.1.1.1 HARDWARE
Page 11 and 12: NCSC-TG-024 Volume 1/4 Library No.
Page 13 and 14: LIST OF FIGURES Figure 1-1 How to U
Page 15 and 16: 1 GENERAL INFORMATION 1.1 INTRODUCT
Page 17 and 18: person. In either case, the princip
Page 19 and 20: 1.8.3.1 SCI REQUIREMENTS The SSO ca
Page 21 and 22: y the National Security Agency - Co
Page 23 and 24: called the PPBS. The PPBS is the of
Page 25 and 26: The safest way to communicate with
Page 27 and 28: PMD. The PMP specifically describes
Page 29 and 30: This documentation describes a full
Page 31 and 32: B C D E F G H I J K L M Supplies or
Page 33 and 34: f. DoD Instruction 7110.1, "DoD Bud
Page 35 and 36: 5200.28-STD. 3.2.1 SECURITY POLICY
Page 37 and 38: sites. 3.2.2.2 THE REQUIREMENTS Eac
Page 39 and 40: architecture must also separate eac
Page 41: Software matters require structure
Page 45 and 46: software must be protected at the h
Page 47 and 48: Dealing effectively with security-r
Page 49 and 50: Whenever possible, the hardware spe
Page 51 and 52: As soon as composition and interfac
Page 53 and 54: such as memory, tapes, disk(ette)s,
Page 55 and 56: The SSCONOPS is an architectural-le
Page 57 and 58: any stored information is to be tre
Page 59 and 60: maintain the system, and how the sy
Page 61 and 62: 4.6.2 PERFORMING A SUBJECTIVE ANALY
Page 63 and 64: g. NCSC-TG-011, "Trusted Network In
Page 65 and 66: 5.2.4 THE EVALUATION PROCESS The NS
Page 67 and 68: parent organization/agency. OT&E us
Page 69 and 70: FOT&E is operational testing conduc
Page 71 and 72: Procedures" - Part 8 of this instru
Page 73 and 74: Risk Analysis Cost/Benefit Analysis
Page 75 and 76: evaluation. Countermeasure(s) will
Page 77 and 78: Other Pertinent Documents (e.g., co
Page 79 and 80: important task in the basic evaluat
Page 81 and 82: 6.5.2.2 SUPPORTING DOCUMENTATION Th
Page 83 and 84: Here, permission to Operate might b
Page 85 and 86: (1) "Introduction to C&A Concepts"
Page 87 and 88: Program management is a necessary i
Page 89 and 90: The Program Manager is responsible
Page 91 and 92: have a separate System Security Con
Page 93 and 94:
This is a major support plan for mo
Page 95 and 96:
that combined set which best fits t
Page 97 and 98:
automated information system securi
Page 99 and 100:
concepts for documents developed to
Page 101 and 102:
APPENDIX A HISTORICAL BASIS A.1 INT
Page 103 and 104:
. National Security Decision Direct
Page 105 and 106:
Provides detailed tasking, outlines
Page 107 and 108:
A. Cover Sheet and Contract FOrm Ge
Page 109 and 110:
Supply Support Plan Specifies how c
Page 111 and 112:
SSR-30 Formal Top-Level Specificati
Page 113 and 114:
Certification Plan Chapter: 6,7, 03
Page 115 and 116:
Chapter: 3, 03 Reference: DoD 5200.
Page 117 and 118:
List of Documents, Exhibits, and Ot
Page 119 and 120:
Reference: DoD 5000.2-M Proposal Ev
Page 121 and 122:
Reference: DoDI 5000.2 (Sect 6D), D
Page 123 and 124:
Reference: DoD-STD-21 67A, DoD-STD-
Page 125 and 126:
DoD 5010.12-L, "Acquisition Managem
Page 127 and 128:
Gasser, M., Buildinq a Secure Compu
Page 129 and 130:
Trusted Systems," September 1, 1991
Page 131 and 132:
DoD Directive 5100.36," Defense Sci
show all

Page 1 A Guide to the Procurement of Trusted Systems: An ... - csirt

Create successful ePaper yourself

Delete template?

Save as template?