12.07.2015 Views

SOW Annex D - Ministerio de Defensa


NATO UNCLASSIFIED
AMD-7 TO IFB-CO-12546-POL GAG - SOW Annex D

• System Interconnection Security Requirement Statement (SISRS)
• Security Operating Procedures (SECOPS)
• Security Test and Evaluation Plan (ST&E)
• Key Management Plan (KMP)

1.1.8 The deliverables of the Security Accreditation Support package shall be composed in accordance with the NATO Security policies and guidelines, as well as taking into account the National security rules of the Host Nation. Further on, those deliverables shall be developed specifically for the GAG system and any of its interfaces to National assets (e.g. to the NDN or other National networks or systems).

1.2 Schedule

1.2.1 A Draft-1, Draft-2, Final Draft [1] and Final version of the Security Accreditation Support package shall be delivered by the Contractor according to the Schedule of Supplies and Services (SSS) and according to section 13 of the SOW.

1.3 References

1.3.1 The following references shall apply:

A. AC/35-D/2005-REV1: INFOSEC Management directive for communication and information systems (19 October 2006).
B. AC/35-D/1017-Rev2: Guidelines for the Security Risk assessment and risk management of communication and information system (26 February 2003).
C. AC/35-D/1015-Rev 2: Guidelines for the development of Security Requirement Statements (SRSs) (29 April 2004).
D. AC/35-D/1014 Rev 1: Guidelines for the structure and content of security operating procedures (Sec Ops) for communication and information systems (24 January 2000).
E. AC/322-D/0047-REV2: INFOSEC Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms (9 April 2009).

1.3.2 The security accreditation process is described in Reference A above.

[1] The term “Final Draft” is defined in section 1.2.1 of the SOW.


1.4 Contractor responsibilities

1.4.1 It is the overall responsibility of the Contractor to develop an appropriate GAG system design and provide all necessary statements and documents to ensure security accreditation approval (including ATO-System and ATO-Site) before the Provisional Site Acceptance (PSA) of the respective GAG sites and CE sites.

1.4.2 Obtaining the ‘Approval To Operate’ (ATO) will depend on the successful approval of the Security Accreditation Support package. The approval of the Security Accreditation Support package will depend on the maturity of the respective documents that are comprising this package, and which are described in section 1.5 below.

1.4.3 In support of producing those deliverables the Contractor shall also closely engage directly with representatives of the Host Nation in order to discuss particular security-related requirements but also to clarify and/or enhance the documentation to be provided as part of the Security Accreditation Support package. This process may be organised in the form of one or several meetings or workshops, which will be attended by the Contractor and by representatives of the Host Nation. Location of the meetings and workshops shall be defined by the Host Nation and shall typically take place at a facility located in the Host Nation.

1.4.4 The Security Accreditation Support package in its Final Draft shall be presented by the Contractor to the Host Nation and its Security Accreditation Authority, including but not limited to a formal presentation. The location of this presentation shall be defined by the Host Nation and shall typically take place at a facility located in the Host Nation.

1.4.5 The Contractor shall recognise the NATO security demands as well as particular National rules of the Host Nation, in order to take into account all related requirements in the resulting GAG system design and installation thereof.

1.4.6 Complementary to the information provided in the Security Accreditation Support package, and as part of the Site Installation Data Package (SIDP), the Contractor shall provide detailed installation plans that provide sufficient information about equipment, cabling and power provisions.

1.4.7 The delivery of all hardware, software and workmanship necessary to address the various security requirements shall be within scope of the contractual activities.

1.5 Security Accreditation Support package

1.5.1 Security Accreditation Plan (SAP)

a. The Security Accreditation Plan (SAP) shall be the first document to be prepared by the Contractor and shall describe the Contractor’s plans on how to develop and implement the content of the Security Accreditation Support package.

b. The SAP shall be sufficiently detailed to ensure the Purchaser is able to assess the Contractor’s plans and capability to develop the content of the Security Accreditation Support package.

c. If necessary, and since the respective situation per individual GAG and CE site may differ substantially, any of the documents included in the Security Accreditation Support package may be composed of several sub-sections or Appendices, addressing respectively the individual sites. The Contractor is invited to describe his intent in the SAP.

d. As a minimum, the SAP shall address in detail all elements as described in the template of the NATO Security Accreditation Plan which is attached as Appendix 1 to Annex D of the SoW.

e. A Final Draft and Final version of the SAP shall be delivered as a standalone document by the Contractor according to section 13 of the SOW.

1.5.2 Security Risk Assessment (SRA)

a. The Contractor shall produce a Security Risk Assessment (SRA), identifying the threats and vulnerabilities to the system, determining their magnitude and identifying areas needing safeguards or countermeasures.

b. Objective of the SRA is to define the security objectives of confidentiality, availability and integrity/authenticity of the designed GAG system according to the particular services to be provided by the resulting GAG system, the values of the traffic and information stored and transported over the GAG system, and the nature and levels of the particular threats being identified.

c. The SRA may be composed as a standalone document, but may instead be included in the SSRS and SISRS documents (ref. 1.5.3 and 1.5.4 below). If composed as a standalone document, the Contractor shall insert appropriate cross references from the SSRS and SISRS documents to the applicable sections in the SRA.

d. This Risk assessment shall be developed in accordance with the guidelines contained in above Reference B.

1.5.3 System Specific Security Requirement Statement (SSRS)

a. The Contractor shall develop a System Specific Security Requirement Statement (SSRS) describing the entire GAG system architecture, including all its assets and the related security requirements, the security environment, security measures and security administration that have to be implemented in support of the system.

b. This SSRS shall be developed in accordance with the guidelines contained in above Reference C.

1.5.4 System Interconnection Security Requirement Statement (SISRS)

a. The Contractor shall develop a separate SISRS for each CE site and GAG site.

b. In terms of interconnections between various networks or systems, for elements of the GAG system connected to or providing connectivity via the NDN or any other Host Nation’s network or system, the particular National security requirements of the Host Nation shall be taken into account.


1.5.5 Security Operating Procedures (SECOPS)

a. The Contractor shall develop Security Operating Procedures (SECOPS) for each site of the GAG system (CE sites and GAG sites) describing the implementation of procedural security requirements. This SECOPS shall follow the guidelines provided in above Reference D.

b. In terms of operational procedures, for elements of the GAG system connected to or providing connectivity via the NDN or any other Host Nation’s network or system, the particular national security requirements of the Host Nation shall be taken into account.

1.5.6 Security Test and Evaluation Plan (ST&E)

a. The Contractor shall develop a Security Test and Evaluation Plan (ST&E) describing the testing activities for the security functions per each CE site and GAG site.

b. The CE site-specific and GAG site-specific technical, administrative and security safeguards will be evaluated based on administrative and technical documentation reviews, a physical configuration management audit, equipment and/or system diagnostics, discrete security function testing, and total system testing to the extent possible in the test environment.

1.5.7 Key Management Plan (KMP)

a. The KMP shall include the provisions for key exchange or key fill requirements in support of the crypto equipment that will be integrated with the GAG system, e.g. VINSON or IP crypto devices (regardless whether those will be provided as PFE), but also shall describe the process of exchanging of Word of Day (WOD) and other relevant information with the radio equipment.


NATO UNCLASSIFIED
IFB-CO-12546-GAG - SOW Annex D
Appendix 1

NATO SECURITY ACCREDITATION PLAN
FOR
Version X.XX


DOCUMENT CONTROL PAGE

APPROVAL BLOCK

DOCUMENT APPROVED BY:
SIGNATURE:
TITLE: CHAIRMAN NATO CIS SECURITY ACCREDITATION BOARD
DATE:

VERSION HISTORY

Version | Author | Date | Reason for Change | Superseded Document
0.1 | LTC Hilbig | 20/11/08 | 1st draft |
0.2 | LTC Hilbig | 04/05/09 | Amendments from Jan 09 NSAB | 0.1
1.0 | LTC Hilbig | 25/06/09 | Incorporation of comments from NOS, SHAPE J6 and SECAN | 0.2


TABLE OF CONTENTS

1. Introduction
2. Description of the System
   a. General
   b. Categorizing Connections
   c. Technical Solution
   d. Security Classification and Mode of Operation
3. Security Accreditation Authorities (SAA)
4. CIS Operating Authorities (CISOA)
5. CIS Planning and Implementation Authority (CISPIA)
6. User
7. Target of Accreditation
8. Accreditation Documentation
9. Approved Software
10. Process of Accreditation
11. Accreditation Decision
12. Schedule of Accreditation

ANNEXES

A. Complete as required

REFERENCES

A. AC/35-D/1021 – Guidelines for the Security Approval or Security Accreditation of CIS
B. C-M(2002)49 – Security Within the North Atlantic Treaty Organization
C. AC/35-D/2004 / AC/322-D/0052 – Primary Directive on INFOSEC
D. AC/35-D/2005 – INFOSEC Management Directive for CIS
E. AC/322-D/0030 – INFOSEC Technical & Implementation Directive for the Interconnection of Communication and Information Systems (CIS)


1. Introduction

This Security Accreditation Plan (SAP) describes the steps to be taken to achieve security accreditation for the to be installed at It follows the guidelines on security accreditation published by the NATO Security Committee (Reference A) and complies with NATO Security Policy (Reference B), the Primary Directive on INFOSEC (Reference C), the INFOSEC Management Directive (Reference D) and directive for the Interconnection of CIS (Reference E).

2. Description of the System

a. General

b. Categorizing Connections

Figure 1 – Architectural Drawing


c. Technical Solution

Figure 2 - Conceptual Depiction of Information Flows

d. Security Classification and Mode of Operation

The shall be accredited to exchange information classified up to and including in the mode of operation.

3. Security Accreditation Authorities (SAA)

The Security Accreditation Authority of the is the NATO CIS Security Accreditation Board (NSAB) / SHAPE J2 / ACT Office of Security / NATO Office of Security (NOS). The accreditation request for the connection to the NS WAN will be sponsored by SHAPE J2 / ACT Office of Security / NATO Office of Security (NOS).

4. CIS Operating Authorities (CISOA)

The CIS Operating Authority for the is the NATO CIS Service Agency (NCSA). The will be handed over from the Host Nation (e.g. NC3A) to the CIS Operating Authority after the System Implementation phase has been completed including the achievement of, at least, the initial security approval or accreditation.

5. CIS Planning and Implementation Authority (CISPIA)

The CIS Planning and Implementation Authority for the is SHAPE J6/ACT C4I/…. However, Host Nation on behalf of the CISPIA is.

6. User

Define who uses the system and their different roles like normal users, power users, administrators etc.


7. Target of Accreditation

The primary objective of security approval or accreditation is to ensure that the implemented CIS conforms with NATO Security Policy and supporting directives (and, where appropriate, National equivalent(s)), and the CIS-specific security-related documentation (e.g. CSRS). Security approval and accreditation is the authorisation granted to a CIS to store, process or transmit information up to the determined security classification in its operational environment.

8. Accreditation Documentation

In order to grant security approval or accreditation for a CIS, the Security Approval or Accreditation Authority should be satisfied that the applicable security requirements will be met by proper enforcement of the SRS(s), with particular emphasis on the SSRS, and the SecOPs. The SRS(s) form the basis for an understanding and agreement between the security approval or accreditation authority and the CIS Operating Authority that the CIS will be operated in a secure manner.

9. Approved Software

Software used on the system shall be approved by the appropriate SAA. This approval is automatically applied if the software is listed in the Approved Fielded Product List (AFPL) maintained by NCSA.

10. Process of Accreditation

a. A security risk assessment of the shall be conducted by the Host Nation (HN) e.g. NATO C3 Agency (NC3A) in conjunction with the SAA and project staffs.

b. HN shall produce SRS(s) for the as required. The SRS(s) shall:

   (1) Include (generic) Security Operating Procedures (SecOPs).
   (2) Describe the minimum levels of security deemed necessary to counter risk identified in a risk assessment of the .
   (3) Define the security testing requirements and include a security test and evaluation (ST&E) plan.
   (4) Include a Statement of Compliance, including an interconnection statement, as Annex to the SRS(s)

c. The SRS(s) shall be presented to the SAA for approval in due time to permit timely reviews and resolution of outstanding issues prior to being required operationally.


d. Each site shall produce:

   (1) Its own SecOPs.
   (2) ST&E plan based on the generic version included in the SRS(s).

e. The SecOPs and the ST&E plan shall be approved by the local SAA.

f. Each node shall securely implement the local against the SRS(s) and SecOPs.

g. Security testing of the site shall be conducted by the appropriate CIS Operating Authority in coordination with NITC/SECAN.

h. Accreditation of each local site shall only be granted by the local SAA after security testing has been successfully completed.

i. Once local accreditation has been completed, the CIS Operating Authority shall sign and forward a Statement of Compliance (SoC) to the appropriate Security Accreditation Authority (SAA).

j. Upon receipt of a signed Statement of Compliance, the SAA shall arrange a security inspection of the NATO site to verify compliance with the SRS(s) prior to granting accreditation. The inspection of the NATO site shall be arranged by the SAA on a case-by-case basis.

11. Accreditation Decision for Connections

The SAA can only grant security accreditation to connections after statements of compliance have been received from the local SAAs of the connecting sites. As an exceptional measure, the SAA may grant temporary security approval to a connecting site by granting Interim Approval to Operate (IATO). These IATOs shall only be granted for limited time periods (maximum of 12 months) after which, if the nodes have not been accredited and certified compliant, the SAA may recommend their disconnection from the NGCS PTC to the appropriate risk owner and declare that the network is being operated without security accreditation or authority.


12. Schedule of Accreditation

The schedule for accreditation of the is listed below. It is compiled in accordance with the Project / System Development Plan.

ACTION | Responsibility | DATE | Status
Conduct a Risk Assessment (RA) | NC3A | |
Develop CSRS | NC3A | |
NSAB approves RA and CSRS | SAA | |
Produce local SecOPs and ST & E Plan | CISOA | |
Approve SecOPs and ST & E Plan | Local SAA | |
System implementation | CISOA | |
Security Testing | CISOA/NITC/SECAN | |
Transfer of CIS Operating Authority (e.g. NC3A to NCSA) | Host Nation | |
Local Accreditation | Local SAA | |
Complete and forward SoC | CISOA/Local SAA | |
Conduct Security Inspection | SAA | |
Grant (interim) Accreditation | SAA | |
