Praetorian Secure

System Development Life Cycle


System Development Life Cycle (SDLC)


 

All federal information systems, including operational systems, systems under development, and systems undergoing some form of modification or upgrade, are in some phase of what is commonly referred to as the system development life cycle.  There are many activities occurring during the life cycle of an information system dealing with the issues of cost, schedule, and performance. In addition to the functional requirements levied on an information system, security requirements must also be considered. When fully implemented, the information system must be able to meet its functional requirements and do so in a manner that is secure enough to protect organizational operations, assets, and individuals. 

 

Praetorian Secure is well versed in the SDLC approach and understands how to effectively map this process to a wide variety of C&A efforts. At Praetorian, we follow a standard phased approach to SDLC which has proved effective in getting our clients' solutions to a hardened state and efficient in meeting difficult compliance timelines.

 

Our SDLC Phased Approach

 

  • Phase I: Initiation Phase

  • Phase II: Acquisition / Development

  • Phase III: Implementation

  • Phase IV: Operations / Maintenance

  • Phase V: Disposition

 

 

Initiation Phase:

Initial Analysis – review solution specifications, architectural diagrams, and documentation;

Security Categorization – define security impact on organizations (a loss of confidentiality, integrity, or availability) and appropriate security controls;

Preliminary Risk Assessment – audit basic security needs of the system, define the threat environment in which the system will operate, and base the assessment on the compliance regulation and on applicable technical configuration guidelines;

Executive Summary & Presentation – based on findings of initial analysis and risk assessment, provide strategies for executing additional phases, cost, and schedule.

 

Acquisition/Development Phase:

Security Functional Requirements Analysis – analysis of system security environment (i.e., enterprise information security policy and enterprise security architecture) and security functional requirements;

Security Assurance Requirements Analysis – analysis of requirements that address the developmental activities required and assurance evidence needed to produce the desired level of confidence that the information security will work correctly and effectively;

Define the Boundary – define the accreditation and sensitivity level with the sponsoring branch or agency based on DIACAP and FISMA/NIST;

Risk Assessment – build on the initial risk assessment performed during the Initiation phase and formally analyze (more in-depth and specific) system protection requirements.

Implementation Phase:

Security Planning – ensure agreed-upon security controls, planned or in place, are fully documented: configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations/accreditations, and plan of action and milestones (DIACAP Implementation Plan (DIP), the DIACAP Test Plan, 8500.2 IA Control Implementation and Gap Assessment; POA&M); selection of the appropriate contract type, participation by all necessary functional groups within an organization, participation by the certifying and accrediting body.

Security Control Development & Integration – ensure security controls described in the respective security plans are designed, developed, and implemented; integrated at the operational site where the information system is to be deployed for operation; consider vendor best management practices.

Developmental Security Test and Evaluation – ensure that security controls developed for a new information system are working properly and are effective.

Inspection and Acceptance – ensure the organization validates and verifies that the functionality described in the specification is included in the deliverables.

Security Certification & Accreditation – ensure controls are effectively implemented through established verification techniques and procedures, and give organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information system; C&A authority provides the necessary security authorization of an information system to process, store, or transmit information that is required.

 

Operations and Maintenance Phase:

While Praetorian Secure can help with the planning, strategy, and management of ongoing operations and maintenance, these requirements will typically be managed by our clients' internal staff.

Configuration Management and Control – ensure that adequate consideration of the potential security impacts of specific changes to an information system or its surrounding environment continues after accreditation;

Continuous Monitoring – ensure controls continue to be effective in their application through periodic testing and evaluation. Security control monitoring and reporting the security status of the information system to appropriate agency officials is an essential activity of a comprehensive information security program.

 

Disposition Phase:

While Praetorian Secure can help with the planning, strategy, and management of decommissioning of a DIACAP and/or FISMA program, these requirements will typically be managed by our clients' internal staff.

Information Preservation – conform to current legal requirements;

Media Sanitization – ensure data is deleted, erased, and written over as necessary;

Hardware and Software Disposal – ensure hardware and software are disposed of as directed by the information system security officer.