Friday, September 14, 2007


I have a requirement to say whether the application being accredited contains SAMI data. What the heck is that? I did a google search and found it's an acronym for Sources and Methods Intelligence. That doesn't help me very much. However, if your app. processes SAMI data, you need to retain audit records for 5 years instead of 1. That must mean SAMI is important stuff. I'm still searching and it's taken the better part of half an hour so far.

I just found a defintion inside the definitions section of a DoD manual:
Any classified non-SCI information that has been determined by the Data or Information Owner to need the protection afforded by DCID 6/5 and bears a SAMI marking.

Because the information my app. process is not classified, I can safely say my app. does not process SAMI data. But what does SCI information mean? I'll find that next.

Sensitive Compartmented Information, Classified
information concerning or derived from intelligence
sources, methods, or analytical processes, that is required
to be handled within formal access control systems established
by the Director of Central Intelligence (DCI).
Of course, I'm inserting these definitions in my list of acronyms and glossary.

Friday, September 07, 2007

FISMA Security Controls

Our company is working on a strategy to offer our SSDLC (secure software development life cycle) and they're looking to me for help understanding when and how to include security controls in the process.

The only security controls I've worked with so far are DoD controls. Because we want this process to apply to non-DoD customers, I'm looking into other controls such as NIST. I just started reading publication 800-53, "Recommended Security Controls for Federal Information Systems"

I'm not sure if that's the right publication, but it will certainly lead me to the answer.

Wednesday, September 05, 2007


I'm going to give a presentation today about C&A efforts to our company's sales staff. I thought I'd start with a description of what a C&A is.

These are my definitions based on other standard definitions like NIST and others. What do you think of them?


Certification: A formal evaluation, in support of an accreditation, of a computer system's safeguards to determine whether it meets a specific set of security requirements.

Accreditation: A formal decision by an approving authority that a computer system is approved to operate at an acceptable level of risk based on a set of specific requirements.

C&A: A process that ensures a system meets a formal set of security requirements.