NSTSSI Security Education Standards
10. MAINTENANCE OF THE SSAA

a. Life-Cycle Security Planning
   1) discuss, when consulted, proposed changes to the SSAA;
   2) propose, where required, a need for recertification and reaccreditation; and
   3) interpret, when consulted, changes that may affect the existing certification.

b. Documentation Policies
   1) appraise the documentation policies for continued applicability;
   2) identify the documentation policies for updates; and
   3) verify changes against the original documentation policies.

c. Configuration Control/Change Management
   1) appraise the configuration control for continued applicability;
   2) identify the configuration control in place versus that which has been specified in the current SSAA;
   3) list proposed changes to the previously approved system configuration and/or operating environment, to include system retirement;
   4) analyze the above changes to determine if an assessment of the impact is required;
   5) outline the process for an assessment of the impact of changes to the existing SSAA; and
   6) revise the SSAA in accordance with the configuration changes.

d. Maintenance of Configuration Documents
   1) appraise the maintenance of configuration documents; and
   2) compare the maintenance of configuration documents for conformance to the SSAA.

e. Periodic Review of System Life-cycle
   1) appraise the periodic review of the system/product life-cycle for conformance to the SSAA;
   2) initiate the periodic review of the system/product life-cycle for conformance to the SSAA; and
   3) report on the periodic review of the system/product life-cycle.

f. Communicate Results
   report the results of changes to the SSAA to the accreditor (DAA).

g. Convey Magnitude of Risk
   identify the inherent and residual risks and the potential corrective approaches to the accreditor (DAA).

h. Brief and Defend ST&E Results
   prepare and deliver the ST&E results to the accreditor (DAA).