System Environment

CE IASAE.

Knowledge

Applies knowledge of IA policy, procedures, and structure to design, develop, and implement CE system(s), system components, or system architectures.

Supervision

• For IA issues, typically reports to an IASAE Level II, IAM, or DAA.

• May report to other management for other CE operational requirements.

Other

Actions are usually authorized and controlled by policies and established procedures.

IA Certification

Within 6 months of assignment to position.

IASAE-I.1. Identify information protection needs for CE system(s) and network(s).

IASAE-I.2. Define CE security requirements in accordance with applicable IA requirements (e.g, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and Director Central Intelligence Directive 6/3 organizational security policies).

IASAE-I.3. Provide system related input on IA security requirements to be included in statements of work and other appropriate procurement documents.

IASAE-I.4. Design security architectures for CE system(s) and network(s).

IASAE-I.5. Design and develop IA or IA-enabled products for use within a CE.

IASAE-I.6. Integrate and/or implement Cross Domain Solutions (CDS) for use within a CE.

IASAE-I.7. Design, develop, and implement security designs for new or existing CE system(s). Ensure that the design of hardware, operating systems, and software applications adequately address IA security requirements for the CE.

IASAE-I.8. Design, develop, and implement system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.

IASAE-I.9. Develop and implement specific IA countermeasures for the CE.

IASAE-I.10. Develop interface specifications for CE system(s).

IASAE-I.11. Develop approaches to mitigate CE vulnerabilities, recommend changes to system or system components as needed.

IASAE-I.12. Ensure that system designs support the incorporation of DoD-directed IA vulnerability solutions, e.g., IAVAs.

IASAE-I.13. Develop IA architectures and designs for DoD IS with basic integrity and availability requirements, to include MAC III systems as defined in DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002; systems with a Basic Level-of-Concern for availability or integrity in accordance with Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999; and other DAA designated systems.

IASAE-I.14. Develop IA architectures and designs for systems processing Sensitive Compartmented Information (SCI) that will operate at Protection Level 1 or 2 as defined in Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999.

IASAE-I.15. Assess threats to and vulnerabilities of CE system(s).

IASAE-I.16. Identify, assess, and recommend IA or IA-enabled products for use within a CE; ensure recommended products are in compliance with the DoD evaluation and validation requirements of References (b) and (f).

IASAE-I.17. Ensure that the implementation of security designs properly mitigate identified threats.

IASAE-I.18. Assess the effectiveness of information protection measures utilized by CE system(s).

IASAE-I.19. Ensure security deficiencies identified during security/certification testing have been mitigated, corrected, or a risk acceptance has been obtained by the appropriate DAA or authorized representative.

IASAE-I.20. Provide input to IA C&A process activities and related documentation (system life-cycle support plans, concept of operations, operational procedures and maintenance training materials, etc.).

IASAE-I.21. Participate in an IS risk assessment during the C&A process and design security countermeasures to mitigate identified risks.

IASAE-I.22. Provide engineering support to security/certification test and evaluation activities.

IASAE-I.23. Document system security design features and provide input to implementation plans and standard operating procedures.

IASAE-I.24. Recognize a possible security violation and take appropriate action to report the incident.

IASAE-I.25. Implement and/or integrate security measures for use in CE system(s) and ensure that system designs incorporate security configuration guidelines.

IASAE-I.26. Ensure the implementation of CE IA policies into system architectures.

IASAE-I.27. Obtain and maintain IA certification appropriate to position.

System Environment

CE IASAE.

Knowledge

Applies knowledge of IA policy, procedures, and structure to design, develop, and implement CE system(s), system components, or system architectures.

Supervision

• For IA issues, typically reports to an IASAE Level II, IAM, or DAA.

• May report to other management for other CE operational requirements.

Other

Actions are usually authorized and controlled by policies and established procedures.

IA Certification

Within 6 months of assignment to position.

IASAE-I.1. Identify information protection needs for CE system(s) and network(s).

IASAE-I.2. Define CE security requirements in accordance with applicable IA requirements (e.g, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and Director Central Intelligence Directive 6/3 organizational security policies).

IASAE-I.3. Provide system related input on IA security requirements to be included in statements of work and other appropriate procurement documents.

IASAE-I.4. Design security architectures for CE system(s) and network(s).

IASAE-I.5. Design and develop IA or IA-enabled products for use within a CE.

IASAE-I.6. Integrate and/or implement Cross Domain Solutions (CDS) for use within a CE.

IASAE-I.7. Design, develop, and implement security designs for new or existing CE system(s). Ensure that the design of hardware, operating systems, and software applications adequately address IA security requirements for the CE.

IASAE-I.8. Design, develop, and implement system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.

IASAE-I.9. Develop and implement specific IA countermeasures for the CE.

IASAE-I.10. Develop interface specifications for CE system(s).

IASAE-I.11. Develop approaches to mitigate CE vulnerabilities, recommend changes to system or system components as needed.

IASAE-I.12. Ensure that system designs support the incorporation of DoD-directed IA vulnerability solutions, e.g., IAVAs.

IASAE-I.13. Develop IA architectures and designs for DoD IS with basic integrity and availability requirements, to include MAC III systems as defined in DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002; systems with a Basic Level-of-Concern for availability or integrity in accordance with Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999; and other DAA designated systems.

IASAE-I.14. Develop IA architectures and designs for systems processing Sensitive Compartmented Information (SCI) that will operate at Protection Level 1 or 2 as defined in Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999.

IASAE-I.15. Assess threats to and vulnerabilities of CE system(s).

IASAE-I.16. Identify, assess, and recommend IA or IA-enabled products for use within a CE; ensure recommended products are in compliance with the DoD evaluation and validation requirements of References (b) and (f).

IASAE-I.17. Ensure that the implementation of security designs properly mitigate identified threats.

IASAE-I.18. Assess the effectiveness of information protection measures utilized by CE system(s).

IASAE-I.19. Ensure security deficiencies identified during security/certification testing have been mitigated, corrected, or a risk acceptance has been obtained by the appropriate DAA or authorized representative.

IASAE-I.20. Provide input to IA C&A process activities and related documentation (system life-cycle support plans, concept of operations, operational procedures and maintenance training materials, etc.).

IASAE-I.21. Participate in an IS risk assessment during the C&A process and design security countermeasures to mitigate identified risks.

IASAE-I.22. Provide engineering support to security/certification test and evaluation activities.

IASAE-I.23. Document system security design features and provide input to implementation plans and standard operating procedures.

IASAE-I.24. Recognize a possible security violation and take appropriate action to report the incident.

IASAE-I.25. Implement and/or integrate security measures for use in CE system(s) and ensure that system designs incorporate security configuration guidelines.

IASAE-I.26. Ensure the implementation of CE IA policies into system architectures.

IASAE-I.27. Obtain and maintain IA certification appropriate to position.