SOW Annex D - Ministerio de Defensa

More documents

Recommendations

Info

1.4 Contractor responsibilitiesNATO UNCLASSIFIEDAMD-7 TO IFB-CO-12546-POL GAG - SOW Annex D1.4.1 It is the overall responsibility of the Contractor to develop an appropriate GAG systemdesign and provide all necessary statements and documents to ensure security accreditationapproval (including ATO-System and ATO-Site) before the Provisional Site Acceptance(PSA) of the respective GAG sites and CE sites.1.4.2 Obtaining the ‘Approval To Operate’ (ATO) will depend on the successful approval of theSecurity Accreditation Support package. The approval of the Security Accreditation Supportpackage will depend on the maturity of the respective documents that are comprising thispackage, and which are described in section 1.5 below.1.4.3 In support of producing those deliverables the Contractor shall also closely engage directlywith representatives of the Host Nation in order to discuss particular security-relatedrequirements but also to clarify and/or enhance the documentation to be provided as part ofthe Security Accreditation Support package. This process may be organised in the form ofone or several meetings or workshops, which will be attended by the Contractor and byrepresentatives of the Host Nation. Location of the meetings and workshops shall be definedby the Host Nation and shall typically take place at a facility located in the Host Nation.1.4.4 The Security Accreditation Support package in its Final Draft shall be presented by theContractor to the Host Nation and its Security Accreditation Authority, including but notlimited to a formal presentation. The location of this presentation shall be defined by theHost Nation and shall typically take place at a facility located in the Host Nation.1.4.5 The Contractor shall recognise the NATO security demands as well as particular Nationalrules of the Host Nation, in order to take into account all related requirements in theresulting GAG system design and installation thereof.1.4.6 Complementary to the information provided in the Security Accreditation Support package,and as part of the Site Installation Data Package (SIDP), the Contractor shall providedetailed installation plans that provide sufficient information about equipment, cabling andpower provisions.1.4.7 The delivery of all hardware, software and workmanship necessary to address the varioussecurity requirements shall be within scope of the contractual activities.1.5 Security Accreditation Support package1.5.1 Security Accreditation Plan (SAP)a. The Security Accreditation Plan (SAP) shall be the first document to be prepared by theContractor and shall describe the Contractor’s plans on how to develop and implementthe content of the Security Accreditation Support package.b. The SAP shall be sufficiently detailed to ensure the Purchaser is able to assess theContractor’s plans and capability to develop the content of the Security AccreditationSupport package.c. If necessary, and since the respective situation per individual GAG and CE site maydiffer substantially, any of the documents included in the Security AccreditationNATO UNCLASSIFIEDPage 4 of 14
NATO UNCLASSIFIEDAMD-7 TO IFB-CO-12546-POL GAG - SOW Annex DSupport package may be composed of several sub-sections or Appendices, addressingrespectively the individual sites. The Contractor is invited to describe his intent in theSAP.d. As a minimum, the SAP shall address in detail all elements as described in the templateof the NATO Security Accreditation Plan which is attached as Appendix 1 to Annex Dof the SoW.e. A Final Draft and Final version of the SAP shall be delivered as a standalone documentby the Contractor according to section 13 of the SOW.1.5.2 Security Risk Assessment (SRA)a. The Contractor shall produce a Security Risk Assessment (SRA), identifying the threatsand vulnerabilities to the system, determining their magnitude and identifying areasneeding safeguards or countermeasures.b. Objective of the SRA is to define the security objectives of confidentiality, availabilityand integrity/authenticity of the designed GAG system according to the particularservices to be provided by the resulting GAG system, the values of the traffic andinformation stored and transported over the GAG system, and the nature and levels ofthe particular threats being identified.c. The SRA may be composed as a standalone document, but may instead be included inthe SSRS and SISRS documents (ref. 1.5.3 and 1.5.4 below). If composed as astandalone document, the Contractor shall insert appropriate cross references from theSSRS and SISRS documents to the applicable sections in the SRA.d. This Risk assessment shall be developed in accordance with the guidelines contained inabove Reference B.1.5.3 System Specific Security Requirement Statement (SSRS)a. The Contractor shall develop a System Specific Security Requirement Statement(SSRS) describing the entire GAG system architecture, including all its assets and therelated security requirements, the security environment, security measures and securityadministration that have to be implemented in support of the system.b. This SSRS shall be developed in accordance with the guidelines contained in aboveReference C.1.5.4 System Interconnection Security Requirement Statement (SISRS)a. The Contractor shall develop a separate SISRS for each CE site and GAG site.b. In terms of interconnections between various networks or systems, for elements of theGAG system connected to or providing connectivity via the NDN or any other HostNation’s network or system, the particular National security requirements of the HostNation shall be taken into account.NATO UNCLASSIFIEDPage 5 of 14
Page 3: NATO UNCLASSIFIEDAMD-7 TO IFB-CO-12
Page 7 and 8: NATO UNCLASSIFIEDIFB-CO-12546-GAG -

SOW Annex D - Ministerio de Defensa

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?