DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

Presentation transcript:

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011

Our Goal: Protecting DISA’s Networks At Sea and On Shore

What are we protecting?
DOD Information
  – Classified Info
  – Privacy Act Info
  – Sensitive but Unclassified/Nuclear Info
  – FOUO (For Official Use Only)
Systems
  – C4 (Command, Control, Communication & Computer) Systems
  – POR (Program of Record) Systems
Networks
  – NIPRNET (Unclassified)
  – SIPRNET (Classified)

What are we protecting from?
Insider Threat (often under-estimated)
  – Disgruntled personnel
  – Unintentional actions of user
  – Trusted insider ???
Hacker/Cracker
Malicious Code/Viruses/Worms
State Sponsored CNA (Computer Network Attack)
DOS (Denial of Service) Attacks
  – Self imposed
  – Deliberate actions of others

Defense-in-Depth: It’s more than just technology
People
  – Right people in the right job
  – Training, Training, Training
Operations
  – Tactics, Techniques, and Procedures
Technology
  – Hardened infrastructure
  – Layered Protection
  – Right DiD tool/technology in the right layer

Certification and Accreditation
DIACAP = DOD Information Assurance Certification and Accreditation Process
Designated Approval Authority (DAA)
  – Active Involvement
  – Risk Management
Program Manager (PM)
  – Ensures Security Design
Certification Authority/Agent (CA)
  – Reviews package/supports PM in design and verification
Risk Management Framework (RMF)

Phase Description
DIACAP melds into a “Lifecycle” support scheme very well
Re-assessment of security posture/compliance and ATO status no less than once per year

DIACAP Lifecycle Phases of an IT System (figure)
Source:

DIACAP Tools
DIACAP Packages are created with the help of:
  – Knowledge Service (KS): DoD-wide web-based database of C&A efforts
  – Enterprise Mission Assurance Support System (eMASS): automates management functions

DIACAP KS
Provides DIACAP process information
Implementation Guides
  – Central point for process data dissemination
  – C&A News
  – Updates to controls
  – Generic Forms/Templates

eMASS
Aids document production
  – Automates status reporting, workflows, artifact creation
Acts as storehouse for infrastructure documents
  – Tracks all enterprise systems
  – Links C&A efforts across organization

DIACAP Executive Package
Minimum information for accreditation decision:
  – System Identification Profile
  – Scorecard
  – Certification Determination
  – POA&M
  – Accreditation Decision

Comprehensive Package
System Identification Profile
DIACAP Strategy
Implementation Plan
Security Control Requirements
Relevant Artifacts, Validation Procedures, etc.
  – Scorecard
  – Certification Determination & Artifacts
  – POA&M
  – Accreditation Decision

System Identification Profile (SIP)
Initial product of the DIACAP
Describes Mission and System for Review
Specifies DIACAP Team Members
Formal System Registration
Determination of MAC (Mission Assurance Category) and CL (Confidentiality Level)

Implementation Plan
Relevant Security Controls
Lifecycle Analysis
Configuration Description
Once the Implementation Plan is set, its execution kicks off the Validation Process

Validation & POA&M
System Tests/Test Plan
Validation results
POA&M with discrepancies
Note that these are completed prior to the formal Scorecard creation

DIACAP Scorecard
The Scorecard shows the certification status of a system in a concise format
Displays:
  – Number of Controls Required
  – Number of Compliant/Non-compliant Areas
  – Assessed Risk Status of Each Non-compliant area

Certification & Accreditation Decisions
DIACAP Package + Risk Assessment presented to the Certification Authority (CA)
CA issues Certification Recommendation (Cert Rec)
DAA takes the CA recommendation and DIACAP Package to make the Accreditation Decision

Authority To Operate
Accreditation Decision takes the form of:
  – ATO – Authority to Operate (no provisions)
  – IATO – Interim ATO (provisions set forth in POA&M required)
  – IATT – Interim Authority To Test (inside given timeline only)
  – DATO – Denial of ATO (reassess Implementation Plan…)

ATO Maintenance
Monitor IA-relevant issues (vulnerabilities, exploits, policy changes, best practices, etc.)
Conduct Annual Reviews
Complete Re-Accreditation Process (every 3 years)

ATO Maintenance (cont.)
Correct newly discovered CAT I weakness within 30 days
Correct newly discovered CAT II weakness within 90 days
Continued ATO is contingent on the sustainment of an acceptable IA posture
Identify Decommission Point

C&A Timeline
days out from expiration date
  – Notification via IA Compliance Slides
30 days out
  – Cert Rec & DIACAP Package due
  – Time to work out any issues
5 days out
  – DAA review
Connection Approval Process (CAP)
  – Circuits
  – Requires 21 days to process
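Added example, not part of the presentation: a small Python tracker that applies the CAT I/CAT II remediation windows from the ATO Maintenance slides, condenses open POA&M entries into the counts a Scorecard reports, and counts the C&A Timeline milestones back from an ATO expiration date. The control ids, dates and the figure of 10 required controls are constructed sample values.

```python
from datetime import date, timedelta

# Remediation windows from the ATO Maintenance slide, in days from discovery.
CAT_WINDOW_DAYS = {"CAT I": 30, "CAT II": 90}

# Constructed sample POA&M entries: (control id, category, ISO date discovered, corrected?).
# The control ids are placeholders, not real DoD IA control names.
SAMPLE_POAM = [
    ("CTRL-A", "CAT I", "2011-07-01", False),
    ("CTRL-B", "CAT II", "2011-06-01", False),
    ("CTRL-C", "CAT II", "2011-08-10", False),
    ("CTRL-D", "CAT I", "2011-08-05", True),
]


def poam_deadline(category, discovered):
    """ISO date by which a newly discovered weakness of this category must be corrected."""
    due = date.fromisoformat(discovered) + timedelta(days=CAT_WINDOW_DAYS[category])
    return due.isoformat()


def scorecard(poam, controls_required, today):
    """Condense open POA&M entries into the counts a DIACAP Scorecard reports.

    Assumes one open entry per non-compliant control. 'overdue' lists entries
    whose remediation window has already closed; those threaten the acceptable
    IA posture that a continued ATO depends on. ISO dates compare as strings.
    """
    open_entries = [e for e in poam if not e[3]]
    overdue = [e[0] for e in open_entries if poam_deadline(e[1], e[2]) < today]
    return {
        "controls_required": controls_required,
        "non_compliant": len(open_entries),
        "compliant": controls_required - len(open_entries),
        "overdue": overdue,
    }


def ca_timeline(ato_expires):
    """Milestones counted back from ATO expiration, per the C&A Timeline slide."""
    exp = date.fromisoformat(ato_expires)
    return {
        "cert_rec_and_package_due": (exp - timedelta(days=30)).isoformat(),
        "daa_review": (exp - timedelta(days=5)).isoformat(),
        # CAP takes 21 days to process, so a circuit request must be in by this date.
        "cap_request_by": (exp - timedelta(days=21)).isoformat(),
    }


if __name__ == "__main__":
    print(scorecard(SAMPLE_POAM, 10, "2011-08-15"))
    print(ca_timeline("2011-09-30"))
```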

Questions? DIACAP Knowledge Service ( CIO-IA-Security Ref: DoDI