Module 02 Course Project


FedRAMP Security Assessment Plan (SAP)

Third Party Assessment

Prepared by <Your Name>

for

Country Roads Space Systems

&

NASA

CRSS Information Systems. Administration and Classified Networks

Version #.#

<DATE>

MOCK Plan

CRSS Information Systems. Administration and Classified Networks | Version #.# Date

Controlled Unclassified Information Page | 10

System Assessment Plan

Prepared by

Identification of Organization that Prepared this Document

Student Name

Enter Your Name

Rasmussen Email Address

Enter Rasmussen Email Address

Class

Enter Class Name

Course and Semester

Enter Section Number and Semester

Prepared for

Identification of Cloud Service Provider

Organization Name

NASA

Street Address

300 E St. SW

Suite/Room/Building

IA Office Floor 2

City, State Zip

Washington DC 20546

Revision History

Date

Description

Version of SSP

Author

<Date> <Revision Description> <Version> <Author>
<Date> <Revision Description> <Version> <Author>

Table of Contents

1 Introduction 1

1.1 Laws, Regulations, Standards, and Guidance 1

1.2 Purpose 1

2 Scope 2

2.1 Information System Name/Title 2

2.2 Internet Protocol (IP) Addresses, Web Applications, and Databases Slated for Testing 2

2.3 Roles Slated for Testing 2

3 Assumptions 2

4 Methodology 3

5 Test Plan 4

5.1 Security Assessment Team 4

5.2 NASA /CRSS Provider Testing Points of Contact 5

5.3 Testing Performed Using Automated Tools 5

5.4 Testing Performed Through Manual Methods 6

6 Rules of Engagement 7

6.1 Security Testing 7

6.2 End of Testing 8

6.3 Communication of Test Results 8

6.4 Limitation of Liabilities 8

6.5 Signatures 10

7 Acronyms 10

Appendix A – Attachments 11

List of Tables

Table 2-1 Information System Name and Title 2

Table 2-6 Role Based Testing 2

Table 5-1 Security Testing Team 4

Table 5-2 NASA /CRSS Service Provider Points of Contact 5

Table 5-3 Tools Used for Security Testing 5

Table 5-4 Testing Performed through Manual Methods 6

Table 6-1 Individuals at NASA /CRSS Receiving Test Results 8

MOCK Plan – Academic Purposes Only

Introduction

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Country Roads Space Systems. Testing security controls is an integral part of the FedRAMP security authorization requirements. Providing a plan for security control testing ensures that the process runs smoothly.

The CRSS Information Systems. Administration and Classified Networks (CRSS ITS) will be assessed by an Independent Assessor (IA) <Your Name>. The use of an independent assessment team reduces the potential for conflicts of interest that could occur in verifying the implementation status and effectiveness of the security controls. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, Managing Information Security Risk states:

Assessor independence is an important factor in: (i) preserving the impartial and unbiased nature of the assessment process; (ii) determining the credibility of the security assessment results; and (iii) ensuring that the authorizing official receives the most objective information possible in order to make an informed, risk-based, authorization decision.

Laws, Regulations, Standards, and Guidance

A summary of the FedRAMP Laws and Regulations and the FedRAMP Standards and Guidance is included in the System Security Plan (SSP) Attachment 12 – FedRAMP Laws and Regulations.

SSP Section 12 Laws, Regulations, Standards, and Guidance contains the following two tables that are system specific:

Table 12-1 CRSS Information Systems. Administration and Classified Networks Laws and Regulations includes additional laws and regulations specific to CRSS Information Systems. Administration and Classified Networks.

Table 12-2 CRSS Information Systems. Administration and Classified Networks Standards and Guidance includes any additional standards and guidance specific to CRSS Information Systems. Administration and Classified Networks.

Purpose

This document consists of a test plan to test the security controls for CRSS ITS. It has been completed by <Your Name> for the benefit of Country Roads Space Systems. NIST SP 800-39, Managing Information Security Risk states:

The information system owner and common control provider rely on the security expertise and the technical judgment of the assessor to: (i) assess the security controls employed within and inherited by the information system using assessment procedures specified in the security assessment plan; and (ii) provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities.

Scope

Information System Name/Title

The CRSS ITS is undergoing testing as described in this Security Assessment Plan; the system is named in Table 2-1.

Table 2-1 Information System Name and Title

Unique Identifier | Information System Name | Information System Abbreviation
487-4587654 | CRSS Information Systems. Administration and Classified Networks | CRSS ITS

Internet Protocol (IP) Addresses, Web Applications, and Databases Slated for Testing

Instruction: If you plan to test any of the systems identified in the CRSS_Network.vsd Diagram, you will need to list them here, with a brief description of the system (extrapolate the function from the name based on other systems of the same type you find online) and list a priority for testing based on your view of the risk and vulnerability.

Delete this instruction from your final version of this document.

Please list all systems slated for testing.

System Name | Description | Priority for Testing

Roles Slated for Testing

Role testing will be performed to test the authorization restrictions for each role. <Your Name> will access the system while logged in as different user types and attempt to perform restricted functions as unprivileged users. Functions and roles that will be tested are noted in Table 2-6 Role Based Testing. Roles slated for testing correspond to those roles listed in the CRSS ITS SSP.

Table 2-6 Role Based Testing

Role Name | Test User ID | Associated Functions
Enter Role Name | Enter Test User ID | Enter Associated Functions
Enter Role Name | Enter Test User ID | Enter Associated Functions
Enter Role Name | Enter Test User ID | Enter Associated Functions

Assumptions

Instruction: The assumptions listed are default assumptions. The Auditor must edit these assumptions as necessary for each unique engagement.

Delete this instruction from your final version of this document.

The following assumptions were used when developing this SAP:

Country Roads Space Systems resources, including documentation and individuals with knowledge of the Country Roads Space Systems systems and infrastructure and their contact information, will be available to <Your Name> staff during the time necessary to complete assessments.

The Country Roads Space Systems will provide login account information/credentials necessary for <Your Name> to use its testing devices to perform authenticated scans of devices and applications.

The Country Roads Space Systems will permit <Your Name> to connect its testing laptops to the Country Roads Space Systems networks defined within the scope of this assessment.

The Country Roads Space Systems will permit communication from Third Party Assessment Organization testing appliances to an internet hosted vulnerability management service to permit the analysis of vulnerability data.

Security controls that have been identified as “Not Applicable” in the SSP will be verified as such, and further testing will not be performed on these security controls.

Significant upgrades or changes to the infrastructure and components of the system undergoing testing will not be performed during the security assessment period.

For onsite control assessment, Country Roads Space Systems personnel will be available should the <Your Name> staff determine that either after hours work, or weekend work, is necessary to support the security assessment.

<ADD MORE HERE>

Methodology

Instruction: FedRAMP provides a documented methodology to describe the process for testing the security controls. The IAs may edit this section to add additional information.

Delete this instruction from your final version of this document.

<Your Name> will perform an assessment of the CRSS ITS security controls using the methodology described in NIST SP 800-53A. <Your Name> will use FedRAMP test procedures to evaluate the security control(s). Outlined below, these test procedures contain the test objectives and associated test cases to determine whether a control is effectively implemented and operating as intended.

The data gathering activities of <Your Name> will consist of the following:

Request Country Roads Space Systems provide FedRAMP required documentation

Request any follow-up documentation, files, or information needed that is not provided in FedRAMP required documentation

Travel to the Country Roads Space Systems sites as necessary to inspect systems and meet with Country Roads Space Systems staff

Obtain information through the use of security testing tools

Security controls will be verified using one or more of the following assessment methods:

Examine: the IA will review, analyze, inspect, or observe one or more assessment artifacts as specified in the attached test cases

Interview: the IA will conduct discussions with individuals within the organization to facilitate assessor understanding, achieve clarification, or obtain evidence

Technical Tests: the IA will perform technical tests, including penetration testing, on system components using automated and manual methods

<Your Name> will use sampling when performing this assessment.

Control Name | Data Gathering Methodology | Verification Method | Details

Test Plan

Security Assessment Team

Instruction: List the members of the risk assessment team and the role each member will play. Include team members' contact information. Enter up to 3 other members after you on the first line. Fill in the role with skills you believe are needed to perform this assessment and fake contact information.

Delete this instruction from your final version of this document.

The security assessment team consists of the individuals listed below.

Security control assessors play a unique role in testing system security controls. NIST SP 800-39, Managing Information Security Risk states:

The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

The members of the IA security testing team are found in Table 5-1 Security Testing Team.

Table 5-1 Security Testing Team

Name | Role | Contact Information
Enter Test Team POC Name | Enter Test Team POC Role | Enter Test Team Contact Information
Enter Test Team POC Name | Enter Test Team POC Role | Enter Test Team Contact Information
Enter Test Team POC Name | Enter Test Team POC Role | Enter Test Team Contact Information

Country Roads Space Systems Provider Testing Points of Contact

Instruction: The IA must obtain at least three points of contact from the CSP to use for testing communications. One of the contacts must be available 24 x 7 and must include an operations center (e.g., NOC, SOC).

Delete this instruction from your final version of this document.

The Country Roads Space Systems points of contact that the testing team will use are found in Table 5-2 Country Roads Space Systems Service Provider Points of Contact (POCs).

Table 5-2 Country Roads Space Systems Service Provider Points of Contact

Name | Role | Contact Information
Enter CSP POC Name | Enter CSP POC Role | Enter CSP Contact Information
Enter CSP POC Name | Enter CSP POC Role | Enter CSP Contact Information
Enter CSP POC Name | Enter CSP POC Role | Enter CSP Contact Information

Testing Performed Using Automated Tools

Instruction: Describe what tools will be used for testing security controls. Include all product names and names of open source tools and include version numbers. If open source tools are used, name the organization (or individuals) who developed the tools. Additionally, describe the function and purpose of the tool (e.g., file integrity checking, web application scanning). For scanners, indicate what the scanner’s capability is, e.g., database scanning, web application scanning, infrastructure scanning, code scanning/analysis). For more information see the Guide to Understanding FedRAMP.

Delete this instruction from your final version of this document.

<Your Name> plans to use the tools noted in Table 5-3 Tools Used for Security Testing to perform testing of the CRSS ITS.

Table 5-3 Tools Used for Security Testing

Tool Name | Vendor/Organization Name & Version | Purpose of Tool
Enter Tool Name | Enter Vendor and Version | Enter Tool Purpose
Enter Tool Name | Enter Vendor and Version | Enter Tool Purpose
Enter Tool Name | Enter Vendor and Version | Enter Tool Purpose
Enter Tool Name | Enter Vendor and Version | Enter Tool Purpose

Testing Performed Through Manual Methods

Instruction: Describe what technical tests will be performed through manual methods without the use of automated tools. The results of all manual tests must be recorded in the Security Assessment Report (SAR). Examples are listed in the first four rows. Delete the examples, and put in the real tests. Add additional rows as necessary. Identifiers must be in the format MT-1, MT-2, which would indicate “Manual Test 1” and “Manual Test 2”, etc.

Example MT-1: Forceful Browsing. Example description: We will log in as a customer and try to see if we can gain access to the Network Administrator and Database Administrator privileges and authorizations by navigating to different views and manually forcing the browser to various URLs.

Example MT-2: Structured Query Language (SQL) Injection. Example description: We will perform some manual SQL injection attacks using fake names and 0 OR '1'='1' statements.

Example MT-3: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). Example description: We will test the CAPTCHA function on the web form manually.

Example MT-4: Online Certificate Status Protocol (OCSP). Example description: We will manually test to see if OCSP is validating certificates.

Penetration tests must be included in this section.

Delete these instructions from your final version of this document.

Table 5-4 Testing Performed through Manual Methods describes the technical tests that were performed through manual methods without automated tools.

Table 5-4 Testing Performed through Manual Methods

Test ID | Test Name | Description
Test ID | Test Name | Enter Test Description
Test ID | Test Name | Enter Test Description
Test ID | Test Name | Enter Test Description

Rules of Engagement

Security testing

Instruction: FedRAMP provides a Rules of Engagement template. The IAs must edit this RoE as necessary. The final version of the RoE must be signed by both the IA and CSP.

Delete this instruction from your final version of this document.

A Rules of Engagement (RoE) document is designed to describe proper notifications and disclosures between the owner of a tested system and an independent assessor. In particular, a RoE includes information about the targets of automated scans and the originating IP addresses of automated scans (and other testing tools). Together with the information provided in the preceding sections of this document, this document shall serve as a RoE once signed.

Disclosures

Instruction: Edit and modify the disclosures as necessary. If testing is to be conducted from an internal location, identify at least one network port with access to all subnets/segments to be tested. The purpose of identifying the IP addresses from where the security testing will be performed is so that when the IAs are performing scans, the CSP will understand that the rapid and high volume network traffic is not an attack and is part of the testing.

Edit the below lists as needed.

Delete this instruction from your final version of this document.

Any testing will be performed according to terms and conditions designed to minimize risk exposure that could occur during security testing. All scans will originate from the following IP address(es): 192.168.1.250

Security Testing May Include

Instruction: The IA must edit the bullets in this default list to make it consistent with each unique system tested.

Delete this instruction from your final version of this document.

Security testing may include the following activities:

Port scans and other network service interaction and queries

Network sniffing, traffic monitoring, traffic analysis, and host discovery

Attempted logins or other use of systems, with any account name/password

Attempted structured query language (SQL) injection and other forms of input parameter testing

Use of exploit code for leveraging discovered vulnerabilities

Password cracking via capture and scanning of authentication databases

Spoofing or deceiving servers regarding network traffic

Altering running system configuration except where denial of service would result

Adding user accounts

Security Testing Will Not Include

Instruction: The 3PAO must edit the bullets in this default list to make it consistent with each unique system tested.

Delete this instruction from your final version of this document.

Security testing will not include any of the following activities:

Changes to assigned user passwords

Modification of user files or system files

Telephone modem probes and scans (active and passive)

Intentional viewing of Country Roads Space Systems staff email, Internet caches, and/or personnel cookie files

Denial of service attacks

Exploits that will introduce new weaknesses to the system

Intentional introduction of malicious code (viruses, Trojans, worms, etc.)

End of Testing

<Your Name> will notify the CRSS Project Manager at Country Roads Space Systems when security testing has been completed.

Communication of Test Results

Email and reports on all security testing will be encrypted according to Country Roads Space Systems requirements. Security testing results will be sent and disclosed to the individuals at Country Roads Space Systems noted in Table 6-1 Individuals at Country Roads Space Systems Receiving Test Results within 60 days after security testing has been completed.

Table 6-1 Individuals at Country Roads Space Systems Receiving Test Results

Name | Role | Contact Information
Your Professor | Grading | Enter CSP Contact Information

Limitation of Liability

Instruction: Insert any Limitations of Liability associated with the security testing below. Edit the provided default Limitation of Liability as needed.

Delete this instruction from your final version of this document.

<Your Name>, and its stated partners, shall not be held liable to Country Roads Space Systems for any and all liabilities, claims, or damages arising out of or relating to the security vulnerability testing portion of this agreement, howsoever caused and regardless of the legal theory asserted, including breach of contract or warranty, tort, strict liability, statutory liability, or otherwise.

Country Roads Space Systems acknowledges that there are limitations inherent in the methodologies implemented, and the assessment of security and vulnerability relating to information technology is an uncertain process based on past experiences, currently available information, and the anticipation of reasonable threats at the time of the analysis. There is no assurance that an analysis of this nature will identify all vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate all exposure.

Signatures

The following individuals at the IA and Country Roads Space Systems have been identified as having the authority to agree to security testing of CRSS ITS.

ACCEPTANCE AND SIGNATURE

I have read the above Security Assessment Plan and Rules of Engagement and I acknowledge and agree to the tests and terms set forth in the plan.

<Your Name> Representative:

Enter 3PAO Representative Name.

(printed)

<Your Name> Representative:

(signature)

Click here to enter a date.

(date)

Country Roads Space Systems Representative:

CRSS Manager

(printed)

Country Roads Space Systems Representative:

NASA PM

(signature)

Click here to enter a date.

(date)


Acronyms

Please add any Acronyms you utilize in this area, in alphabetical order.

Delete this instruction from your final version of this document.

The master list of FedRAMP acronym and glossary definitions for all FedRAMP templates is available on the FedRAMP website Documents page under Program Overview Documents.

A&A – Assessment and Authorization

BCP – Business Continuity Plan

BIA – Business Impact Analysis

BPR – Business Process Reengineering Plan

CEO – Chief Executive Officer

COBIT – Control Objectives for Information and Related Technologies

CRSS – Country Roads Space Systems

DR – Disaster Recovery Plan

HOT – Hot review in auditing

ISO – International Standards Organization

IT – Information Technology

LAN – Local Area Network

NASA – National Aeronautical Space Agency

NIST – National Institute of Standards and Technology

POAM – Plan of Action and Milestones

RA – Risk Analysis Report

SAP – Security Assessment Plan

SAR – Security Assessment Report

WAN – Wide Area Network

Appendix A – Attachments

Instruction: If applicable, attachments must include penetration testing rules of engagement, penetration testing methodology, and the sampling methodology used in testing.

Delete this instruction from your final version of this document.

List of Attachments:

image1.png

image2.png

image3.png