Below are the artifacts and reports you need to create. Under each artifact I have also explained what you need to do. All the templates needed to create these reports/artifacts are attached to the email.
- Kick-Off Meeting Email: Update the sections highlighted in blue of the “Kick Off Meeting CRT” template with the correct information.
- Kick Off Meeting Agenda: Update the sections highlighted in blue of the “CRT Annual Assessment Kick-Off Agenda” template with the correct information.
- FIPS 199/ System Categorization report: Update the sections highlighted in blue of the “CRT System Security Categorization” template with the correct information. You also have to select the correct System Type and the Overall System Security Category.
- Privacy Threshold Analysis/ Privacy Impact Analysis: Update the sections highlighted in blue of the “CRT PTA PIA” template with the correct information. For the PTA-related questions, answer only questions 1 to 5 under section 2.1 Qualifying Questions of the document on page 7.
- System of Record Notice: Do we need a SORN? Explain why your response is Yes or No.
- E-Authentication: Update the sections highlighted in blue of the “CRT E-authentication” template with the correct information. You also have to fill in table 3.1 Potential Impacts for Assurance Levels on page 6 by selecting the correct Assurance Level Impact Profile for each of the Potential Impact Categories for Authentication Errors. Based on your responses in table 3.1 Potential Impacts for Assurance Levels, select the best E-Authentication Level in table 4.1 E-Authentication Level on page 6.
- Control Selection: Based on the categorization of CRT, select the appropriate controls from the CRT “Security control baseline template”. Only the AC, AT, AU, IA and CP families are considered for this assignment. Highlight the applicable controls in green. You also have to select the appropriate answer in the Inheritance and To Be Tested columns for each selected control.
- Security Assessment Plan: Update the sections highlighted in blue of the “CRT Security Assessment Plan” template with the correct information. You also have to fill in table 3 Assessment Plan with the correct information. You can use SP 800-53A or the document ST&E Guidance, which was prepared based on SP 800-53A (this document will help you greatly in filling the Control Number, Control Name, Procedure and Potential Validation columns). You are only required to do the following 17 controls: AC-1, AC-6, AC-7, AC-8, AC-10, AC-14, AT-1, AT-2, AT-4, IA-1, IA-6, IA-2, AU-1, AU-3, AU-6, CP-1 and CP-3. The ST&E Guidance document is attached to the email or on the USB.
- ST&E Report: Update the sections highlighted in blue of the “CRT Security Test and Evaluation” template with the correct information. Fill in table 3 Findings Matrix with the correct information based on the interview we had with the system owner in class and the evidence provided to you. Use the document ST&E Guidance for possible assessment results language (this is located on the USB or attached to the email).
- System Security Plan: Update the sections highlighted in blue of the “CRT System Security Plan” template with the correct information. You also have to update tables 3.1 Potential Impacts for Assurance Levels and 4.1 E-Authentication Level in the section e-Authentications on page 9 with the information you created in question d, Privacy Threshold Analysis/ Privacy Impact Analysis. In addition, fill out the table in section 3.0 Security Controls on page 12. You are only required to do the AC-1, AC-6, AC-7, AC-8, AC-10, AC-14, AT-1, AT-2, AT-4, IA-1, IA-6, IA-2, AU-1, AU-3, AU-6, CP-1 and CP-3 controls. Use the document ST&E Guidance attached to the email for possible compliance description language to fill in the table in section 3.0. You can also use some of the answers the system owner gave in class during the assessment to fill out the compliance description. In addition, you can use the General Policy Note document provided as part of the CRT evidence.
Hint: There is a difference between a compliance description and an assessment result. Assessment results must be validated by evidence; compliance descriptions are not. See the example below:
Compliance Description: AC-7: CRT application enforces a limit of 3 consecutive invalid access attempts by a user in a 15-minute period. The application automatically locks the account for one hour. The account must be released by an administrator to be unlocked before one hour.
Assessment Results: AC-7: Per interview and demonstration by the system owner CRT application enforces a limit of 3 consecutive invalid access attempts by a user in a 15-minute period. The application automatically locks the account for one hour. The account must be released by an administrator to be unlocked before one hour.
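To make the AC-7 statement above concrete, here is an added illustration (not part of the assignment or the CRT application) of what the described behaviour means as logic: three invalid attempts within a sliding 15-minute window lock the account for one hour, and only an administrator action releases it before the hour elapses. The class, function names and timestamps are constructed for this example.

```python
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                        # invalid attempts tolerated (assumed from AC-7 text)
ATTEMPT_WINDOW = timedelta(minutes=15)  # sliding window for counting attempts
LOCKOUT_DURATION = timedelta(hours=1)   # automatic lock length


class AccountLockout:
    """Per-user failed-login tracking that enforces the AC-7 rule described above."""

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent invalid attempts
        self.locked_until = {}  # user -> time the automatic one-hour lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Log an invalid attempt; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Sliding window: only failures within the last 15 minutes count.
        recent = [t for t in self.failures.get(user, []) if now - t < ATTEMPT_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = []
            return True
        return False

    def admin_unlock(self, user):
        """Only an administrator may release the lock before the hour elapses."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def simulate_ac7():
    """Constructed scenario; returns the observable outcomes for checking."""
    t0 = datetime(2024, 1, 1, 9, 0)
    lock = AccountLockout()
    # Three invalid attempts inside 15 minutes -> locked on the third.
    locked_on_third = [lock.record_failure("alice", t0 + timedelta(minutes=m))
                       for m in (0, 5, 10)]
    still_locked = lock.is_locked("alice", t0 + timedelta(minutes=40))
    lock.admin_unlock("alice")  # administrator releases the account early
    released_early = lock.is_locked("alice", t0 + timedelta(minutes=41))
    # Three attempts spread over more than 15 minutes -> no lock.
    spread = [lock.record_failure("bob", t0 + timedelta(minutes=m)) for m in (0, 10, 20)]
    return {"locked_on_third": locked_on_third, "still_locked": still_locked,
            "released_early": released_early, "spread_locked": any(spread)}
```

An assessor validating AC-7 would expect to see the same outcomes demonstrated by the system owner, which is what turns this compliance description into an assessment result.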
- Security Assessment Report: Update the sections highlighted in blue of the “CRT Security Assessment Report” template with the correct information. You also have to update table 4.0 Security Assessment Results on page 11. Remember, you only fill in this table if you identified any weaknesses during your assessment, as documented in the ST&E report in question i.
- Plan of Action and Milestones: Update all columns within the “CRT POAM” template with the appropriate information. Remember, you only create a POAM report if you have weaknesses.
- Authorization Letter: Update the sections highlighted in blue of the “CRT ATO Letter” template with the correct information.