8-5.6 Phase 6 — Customer Acceptance Testing

Phase 6 consists of activities described below that culminate in the certification, risk mitigation plan, accreditation, acceptance of residual risk, and approval to deploy an information resource. (See Handbook AS-805-A, Exhibit 4-6 for The Certification and Accreditation Input, Activities and Output.)

8-5.6.1 Conduct Security Test and Document Results

Security testing is conducted using the approved security test plan. If a modification to a control is required, the change must be reflected in the security plan and the security test plan before the test is executed.

The results of the testing must be documented and communicated in language that is understandable to business-process owners and the ISSO. (See Handbook AS-805-A, Section 4-6.4.2.1 for Conduct The Security Test and Evaluation.)

8-5.6.2 Conduct Security Code Review

To protect the infrastructure, a documented security code review may be required. (See Handbook AS-805-A for the criteria for conducting a code review.)

The security code review is based on the Postal Service Security Code Review Standards or an acceptable equivalent. This security code review is not required if an independent security code review is conducted.

8-5.6.3 Conduct Vulnerability Scan

A vulnerability scan is recommended for all information resources. A quarterly vulnerability scan is required for PCI applications and an annual vulnerability scan is required for externally facing applications. The scanning procedure must ensure adequate scan coverage and the updating of a list of vulnerabilities.

8-5.6.4 Conduct Risk Assessment

A risk assessment must be conducted for all information resources to identify security concerns (e.g., threats, vulnerabilities, and control weaknesses), risk ranking, additional countermeasures, and residual risk (see 4-3, Information Resource Risk Management). The risk assessment can be started in this phase but must be updated throughout the TSLC.

8-5.6.5 Conduct Independent Risk Assessment

An independent information security risk assessment may be required to evaluate the appropriateness and effectiveness of the security controls and identify residual risk. (See Handbook AS-805-A for the criteria for conducting an independent risk assessment.)

8-5.6.6 Conduct Independent Security Code Review

Information resources may be subject to an independent code review of the source code and documentation to verify compliance with software design documentation and programming standards and the absence of malicious code. The independent code review may also evaluate correctness and specific security issues. (See Handbook AS-805-A for the criteria for conducting an independent security code review.)

8-5.6.7 Conduct Independent Penetration Testing and Vulnerability Scans

Independent penetration testing evaluates the effectiveness of the implemented information resource configuration. Vulnerability scans evaluate information resources for vulnerabilities and compliance with Postal Service information security policies and standards. (See Handbook AS-805-A for the criteria for conducting independent penetration testing and vulnerability scans.)

8-5.6.8 Conduct Regular Vulnerability Scans

Vulnerability scans evaluate information resources for vulnerabilities and compliance with Postal Service information security policies and standards. (See Handbook AS-805-A for the criteria for conducting independent penetration testing and vulnerability scans.)

8-5.6.9 Perform Penetration Testing

Prior to the first production deployment, or “go live” date, all Postal applications should have penetration testing performed. Operational requirements for penetration testing include ensuring that the system is available for testing, and that penetration testers have access to the application and data nearly identical to a live environment. The objective of penetration testing is to ensure that the application is free of any findings prior to any customer interaction with the application. Postal leaders are responsible for ensuring that enough time is available for the application to be tested.

8-5.6.10 Conduct Independent Validation of Security Testing

The independent security test validation addresses the appropriateness and effectiveness of the security controls and corroborates the previously conducted security test results. The scope of the independent security test validation depends on the information resource, its environment, and the associated threats and vulnerabilities. The independent security test validation is usually carried out at the development or test site. (See Handbook AS-805-A for the criteria for conducting an independent security test validation.)

8-5.6.11 Project Manager and ISSO Develop C&A Documentation Package

Sensitive-enhanced, sensitive, and critical information resources require a C&A documentation package. The project manager and the ISSO develop the C&A package. The package is a consolidation of the designation of sensitivity and criticality and associated protection requirements (BIA); threats, vulnerabilities, additional controls, and residual risks (risk assessment); protection mechanisms (security plan and business continuity plans); and the security test and evaluation results.

8-5.6.12 Project Manager, Executive Sponsor, and ISSO Prepare Risk Mitigation Plan

The Project Manager, Executive Sponsor, and ISSO prepare a risk mitigation plan for any residual risks rated as medium or high, recommending how the risks will be mitigated, the organization or individual responsible, and the timetable for resolution.

8-5.6.13 ISSO Reviews C&A Documentation Package and Prepares Evaluation Report

The ISSO reviews the C&A documentation package and prepares a C&A evaluation report highlighting the findings and recommendations. The ISSO escalates security concerns or forwards the C&A evaluation report and supporting documentation to the certifier for review.

8-5.6.14 Certifier Escalates Security Concerns or Certifies Information Resource

The certifier (e.g., manager, C&A process) reviews the C&A evaluation report and the supporting C&A documentation package, escalates security concerns or prepares and signs a certification letter, and forwards the certification letter and C&A documentation package to the accreditor.

If the certifier decides not to certify the information resource, he or she will indicate the C&A phase to return to for rework.

8-5.6.15 Accreditor Escalates Security Concerns or Accredits Information Resource

The accreditor (i.e., manager, CISO) reviews the risk mitigation plan and the supporting C&A documentation. Based on this review, the accreditor either escalates security concerns or prepares and signs an accreditation letter, and forwards the accreditation letter and final C&A documentation package to the vice president of the functional business area (or the executive sponsor if this responsibility is delegated) and to the vice president of IT (or the Business Relationship Management portfolio manager if this responsibility is delegated).

If the accreditor decides not to accredit the information resource, he or she will indicate the C&A phase to return to for rework.