Introduction to the NSA Infosec Assessment Methodology (IAM)
Mitchell Rowton
02/17/2004
On May 22, 1998 President Clinton signed Presidential Decision Directive 63 (PDD 63). This directive outlined the civilian
and governmental responsibility for protecting the US Critical Infrastructure and established the framework for the National
Infrastructure Assurance Plan. One portion of the National Infrastructure Assurance Plan mandates that the National Security
Agency (NSA) will perform information security assessments of US Government systems. This assessment became known as the
NSA's Infosec Assessment Methodology (IAM).
Because PDD 63 encompasses such a large number of organizations, the NSA could not adequately perform the IAM for all of them.
For this reason the NSA developed the Infosec Assessment Training and Rating Program (IATRP). The IATRP consists of two parts:
the first is a course designed to train Infosec professionals in the IAM; the second is a "train the trainer"
course the NSA conducts to appraise the Infosec Assessment Capability Maturity Model (IA-CMM).
The NSA Infosec Assessment is conducted by a team of individuals who review the information system security posture of an
organization to identify potential vulnerabilities and recommend steps for eliminating or mitigating those
vulnerabilities.
The IAM consists of 18 core subjects; however, these may be modified to ensure the assessment addresses any organization-specific
elements. The initial 18 core subjects are:
- Documentation
- Roles & Responsibilities
- Identification & Authentication
- Account Management
- Session Controls
- External Connectivity
- Telecommunications
- Auditing
- Virus Protection
- Contingency Planning
- Maintenance
- Configuration Management
- Back-ups
- Labeling
- Media Sanitization/Disposal
- Physical Environment
- Personnel Security
- Training & Awareness
The assessment consists of three phases: the pre-assessment phase, the on-site visit, and the post-assessment phase.
The pre-assessment phase lasts for one or two days. This is the time to get an understanding of a customer's mission and
organization, and to introduce the team to the key points of contact at the site. Also during this phase the team performing
the IAM determines the customer's needs, begins a criticality matrix of the customer's information, identifies the system to
be assessed, coordinates logistics with the customer, and devises an assessment plan.
From this visit the assessment team determines information criticality, systems criticality, and any special considerations.
The team establishes the scope of the assessment and requests necessary system documentation from the customer.
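The article names the criticality matrix and the two results derived from it, information criticality and system criticality, without showing how one leads to the other. The following Python is an added example, not part of the original article or of any NSA IAM material. It assumes the roll-up rule commonly attributed to the IAM: each information type is rated High, Medium or Low for confidentiality, integrity and availability, and a system inherits the highest rating of every information type it handles, with the team recording which information type drove each rating so the final report can justify it. The information types and systems are constructed sample data.

```python
from dataclasses import dataclass

# Ordered impact levels; index in this tuple gives the ordering used for roll-up.
LEVELS = ("Low", "Medium", "High")
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One row of the Organizational Information Criticality Matrix (OICM)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, attribute: str) -> str:
        value = getattr(self, attribute)
        if value not in LEVELS:
            raise ValueError(f"{self.name}: invalid {attribute} rating {value!r}")
        return value


def build_oicm(info_types):
    """OICM as a dict: information type name -> {attribute: level}."""
    return {t.name: {a: t.rating(a) for a in ATTRIBUTES} for t in info_types}


def roll_up(oicm, handled):
    """Assumed IAM rule: a system takes the highest rating among the information
    types it handles, per attribute. Returns {attribute: (level, driving type)}."""
    result = {}
    for attr in ATTRIBUTES:
        # max() returns the first maximal element, so ties resolve to the
        # first information type listed for the system.
        driver = max(handled, key=lambda n: LEVELS.index(oicm[n][attr]))
        result[attr] = (oicm[driver][attr], driver)
    return result


def build_scm(oicm, systems):
    """System Criticality Matrix: system name -> {attribute: (level, driving type)}.
    Refuses unknown information types and systems with nothing mapped to them,
    both of which usually mean the OICM is incomplete."""
    scm = {}
    for system, handled in systems.items():
        unknown = sorted(set(handled) - set(oicm))
        if unknown:
            raise KeyError(f"{system}: information types not in OICM: {unknown}")
        if not handled:
            raise ValueError(f"{system}: handles no information types; cannot be rated")
        scm[system] = roll_up(oicm, handled)
    return scm


def prioritise(scm):
    """Order systems for assessment scoping: highest of the three ratings first,
    then alphabetically so the ordering is stable."""
    def top(system):
        return max(LEVELS.index(level) for level, _ in scm[system].values())
    return sorted(scm, key=lambda s: (-top(s), s))


# Constructed sample data, not from any real assessment.
SAMPLE_INFO_TYPES = [
    InfoType("Payroll records", "High", "High", "Medium"),
    InfoType("Public web content", "Low", "Medium", "Medium"),
    InfoType("Incident reports", "High", "Medium", "Low"),
]
SAMPLE_SYSTEMS = {
    "HR server": ["Payroll records"],
    "Public web farm": ["Public web content"],
    "Ticketing system": ["Incident reports", "Public web content"],
}

if __name__ == "__main__":
    scm = build_scm(build_oicm(SAMPLE_INFO_TYPES), SAMPLE_SYSTEMS)
    for system in prioritise(scm):
        cells = ", ".join(f"{a[0].upper()}={lvl} ({why})" for a, (lvl, why) in scm[system].items())
        print(f"{system}: {cells}")
```

The driving information type recorded beside each rating is what the team carries into the Assessment Plan Outline: it explains why a system that mostly serves low-impact content, such as the ticketing system above, is nonetheless rated High for confidentiality.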
After the initial visit, there is a two to four week period in which the assessment team reviews documentation, conducts a
preliminary analysis of the system, establishes the activities to be conducted during the on-site phase of the
assessment, and formalizes the written Assessment Plan Outline, which documents:
- Important Points of Contact
- Organizational Mission
- Organizational Information Criticality
- System(s) Information Criticality
- Customer Concerns
- System Configuration
- Individuals and Positions to be Interviewed
- Documents Reviewed
- Timeline of Events
The on-site activities phase usually lasts one or two weeks and allows the team to explore and confirm the information
received during the pre-assessment phase, perform validation through interviews with personnel, review the organization's
documentation, view various demonstrations, and provide initial analysis and feedback to the customer.
The post-assessment phase may last five or six weeks, and allows the team to review any additional documentation, perform
further analysis based on information gathered during the on-site visit, and finalize its analysis. At the conclusion of this
stage the assessment team prepares the final report and presents it to the customer.