4-5.4 Activities

4-5.4.1 Develop Security Test and Evaluation Plan

4-5.4.1.1 General

An ST&E plan must be developed for all information resources.

The ST&E plan defines the security testing to be conducted to determine the extent to which the information resource meets the security requirements for its mission and operational environment. If the ST&E plan is part of an overall system test plan, highlight or flag the security section for ease of review. Sensitive-enhanced and sensitive test data should be protected throughout the entire testing cycle.

4-5.4.1.2 Build Security Test and Evaluation Plan

The development team should build the ST&E plan and include the stakeholders in the process. The Security Test and Evaluation template and instructions are available on the IT Web site. Select TSLC Templates; under System Integration Test, select Security Test and Evaluation Plan. The ST&E plan should do the following:

  1. Address all security controls and processes described in the security plan and the means by which those controls and processes will be tested.
    1. Include both the technical and nontechnical security controls.
    2. Include controls associated with hardware, operating system, networking and telecommunications, physical security, personnel security, computer operations, and manual processes.
  2. Define the security functionality (security control feature) to be tested for each security control implemented to satisfy the security requirement.
  3. Describe the actual testing to be performed for each control. For each control, include applicable test scripts, scenarios, performance thresholds, and an indication of what will constitute passing or failing.

4-5.4.2 Conduct Operational Security Training

Using the training materials developed in Phase 3, train users, system administrators, management, and other personnel on the correct use of the information resource and its security safeguards.

4-5.4.3 Complete Contingency Planning

Contingency planning documents are required for information resources designated as critical. Development of the contingency planning documents begins during Phase 4 in coordination with the DRS, and the documents are updated in this phase.

Exhibit 4-5, Phase 5, SIT