Specifies "processes and controls" at two levels:
- Baseline/essential - minimum acceptable level of controls
- Good practice processes and controls
There is a single set of controls for info marked:
- "Official information"
- UNCLASSIFIED
- IN-CONFIDENCE
- SENSITIVE
- RESTRICTED
A further set of controls is specified for info marked:
- CONFIDENTIAL
- SECRET
- TOP SECRET
Some controls are marked "All classifications" so they apply to all of the above.
The use or non-use of good practice controls MUST be based on an agency’s assessment and determination of residual risk related to information security.
The "good practice" controls are supposed to be based on risk assessment for the app. The baseline controls
It seems to be a big set of categorised controls.
Sections relevant to us:
- 17
- 22
Accreditation and certification are not the same thing: first you do certification, then you get accreditation.
The agency CISO is the certification authority. The agency head (or a delegate) is the accreditation authority.
Possible deliverables
- architecture diagram of the system