Operations and Maintenance is the fourth phase of the SDLC. In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. The system is monitored for continued performance in accordance with security requirements and needed system modifications are incorporated. The operational system is periodically assessed to determine how the system can be made more effective, secure, and efficient. Operations continue as long as the system can be effectively adapted to respond to an organization’s needs while maintaining an agreed-upon risk level. When necessary modifications or changes are identified, the system may reenter a previous phase of the SDLC.
Key security activities for this phase include:
- Conduct an operational readiness review;
- Manage the configuration of the system ;
- Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls; and
- Perform reauthorization as required.
General types of control gates for this phase may include:
- Operational Readiness Review
- Change Control Board Review of Proposed Changes
- Review of POA&Ms
- Accreditation Decisions (Every three years or after a major system change).
Major Security Activities
Review Operational Readiness
Many times when a system transitions to a production environment, unplanned modifications to the system occur. If changes are significant, a modified test of security controls, such as configurations, may be needed to ensure the integrity of the security controls. This step is not always needed; however, it should be considered to help mitigate risk and efficiently address last-minute surprises.
Evaluation of security implications due to any system changes.
- System Administrator and ISSO confirmation to System Owner that system is operating normally and compliant with security requirements.
- Should a last minute change occur that fundamentally changes the level of risk to the system, the system owner should consider recertification – this is rare.
- An operational readiness review supplements the C&A process to ensure that changes are reviewed for risk potential.
- Any change to security controls should be updated in the security documentation.
- When an application is enhanced or changed, regression testing helps to ensure that additional vulnerabilities have not been introduced. For example, adding source code can often introduce errors in other areas and may negatively impact existing and stable functions.
- Changes that include additional data fields should be noted and analyzed to determine if the security posture of the system has degraded or introduced a need for additional controls.
- Ensure users are adequately trained on security awareness and practices for the new IT system prior to deploying the system in a production environment.
Perform Configuration Management and Control
An effective agency configuration management and control policy and associated procedures are essential to ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment.
Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently for controlling and maintaining an accurate inventory of any changes to the system. Changes to the hardware, software, or firmware of a system can have a significant security impact.
Documenting information system changes and assessing the potential impact on the security of the system on an ongoing basis is an essential aspect of maintaining the security accreditation.
These steps, when implemented effectively, provide vital input into the system’s continuous alter a system’s security posture and control effectiveness to ensure proper assessment and testing occurs.
Note: The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). Agency Configuration Management procedures should integrate this activity to ensure repeatability and consistency. This is an iterative process that requires periodic review of profile changes.
- Change Control Board (CCB) decisions
- Updated security documentation (System Security Plan, POA&M)
- Security evaluations of documented system changes
- System updates should be included into the system security documentation at least annually or with significant change.
- CM system documents should provide input into the Continuous Monitoring plan for the system.
- Security architecture should provide key details on component-level security service, which in turn provides a benchmark to evaluate the impact of the planned change. For example, if you are upgrading database software to a new version that has less auditing capability, the security architecture or security control documentation should provide insight into whether that component needs that level of auditing capability. Resulting analysis would identify whether further review is needed before implementing.
- Security significance is not always easy to identify when looking at CM artifacts. The reviewer should keep in mind any changes that would directly or indirectly impact confidentiality, integrity, and availability.
- Some system enhancements that add new data may require a review of impact to the system security categorization and associated security controls.
- Abbreviated CM processes that allow for unique emergency situations should be identified for emergency purposes. These situations should always be followed up with a full review when time permits.
Conduct Continuous Monitoring
The ultimate objective of continuous monitoring is to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates.
A well-designed and well-managed continuous monitoring process can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status information to appropriate organizational officials. This information can be used to take appropriate risk mitigation actions and make credible, risk-based authorization decisions regarding the continued operation of the information system and the explicit acceptance of risk that results from that decision.
The ongoing monitoring of security control effectiveness can be accomplished in a variety of ways, including security reviews, self-assessments, configuration management, antivirus management, patch management, security testing and evaluation, or audits. Automation should be leveraged where possible to reduce level of effort and ensure repeatability.
Included as a part of continuous monitoring is reaccreditation which occurs when there are significant changes to the information system affecting the security of the system or when a specified time period has elapsed in accordance with federal or agency policy.
- Documented results of continuous monitoring
- POA&M review
- Security reviews, metrics, measures, and trend analysis
- Updated security documentation and security reaccreditation decision, as necessary
Continuous monitoring should be adjusted as risk levels fluctuate significantly and security controls are modified, added, and discontinued.
Continuous monitoring provides system owners with an effective tool for producing ongoing updates to information system security plans, security assessment reports, and plans of action and milestones documents.
- Agencies should strive to implement a cost-effective continuous monitoring program. Where available, a continuous monitoring program should make use of common services for more frequent monitoring, as well as system-specific monitoring for critical security controls.
- Realizing that it is neither feasible nor cost-effective to monitor all of the security controls in any information system on a continuous basis, agencies should consider establishing a schedule for security control monitoring to ensure that all controls requiring more frequent monitoring are adequately covered and that all controls are covered at least once between each accreditation decision.
- Continuous monitoring processes should be evaluated periodically to review changes in threats and how this could affect the ability of controls to protect a system. These threat updates may result in updated risk decisions and changes to existing controls.
- Take credit for activities already underway that count for continuous monitoring. AV DAT file updates, routine maintenance, physical security fire drills, log reviews, etc., should all be identified and captured in the continuous monitoring phase.
- Prioritize continuous monitoring by importance of control to mitigating risk, validation of POA&M items that become closed, and single control points of failure.
- Look at a monitoring cycle that will coincide with the system certification life span and capture test procedures and results for reuse upon recertification.
- Continuous monitoring activities can provide useful data to support security performance plans and measures of security return on investment (ROI).
- Defining agency-specific criteria for triggering a reaccreditation helps to ensure decision makers are informed and all stakeholders have a common understanding. Some latitude should be given in criteria to allow for unique situations.