Move over DITSCAP… The DIACAP is here!

Presentation transcript:

Move over DITSCAP… The DIACAP is here!
By: Brigette Wilson
5/11 Bwilson/UCCS CS591-Boeing Mentored DIACAP

Agenda
- DoD security background information
- How does the DoD ensure their systems are secure?
- The history of accreditation
- DIACAP information
- Information assurance (IA) controls
- DIACAP process
- How does the DIACAP differ from the DITSCAP?
- Transitioning from the DITSCAP to the DIACAP
- Current problems with the DIACAP
- Conclusion
- References

DoD Security Background Information
All DoD owned or controlled information systems that receive, process, store, display, or transmit DoD information (regardless of classification or sensitivity) must be accredited by the DoD in order to operate. Once a system passes DoD accreditation, it is awarded an authorization to operate (ATO), which is valid for up to three years. Toward the end of the ATO period the system must start the accreditation process over again to gain a new ATO. A DoD system cannot operate if it does not have a current ATO or interim ATO (IATO) on file.

How does the DoD ensure their systems are secure?
The creators/maintainers of an information system have to document a number of different things relating to the security of their system. Once the documentation has been submitted, a DoD representative runs attacks against the system to try to gain access and identify any vulnerabilities that have not been addressed or mitigated. These attacks are tailored based on the classification of the system.

The history of accreditation
On December 30, 1997 the DoD introduced a life-cycle approach to security accreditation called the DITSCAP. On July 6, 2006 the Interim Department of Defense (DoD) Certification and Accreditation (C&A) Process Guidance was released. This document officially retired the DITSCAP process and introduced the DIACAP process.

DIACAP Information
DIACAP stands for DoD Information Assurance Certification and Accreditation Process. The DIACAP process focuses on:
- Identifying, implementing, and validating standardized IA controls.
- Authorizing the operation of DoD information systems.
- Managing the IA status across the information system life cycle.
The need for the DIACAP was driven by two issues:
- The Global Information Grid (GIG), which is the DoD's vision of network-centric operations to foster an agile, robust, interoperable and collaborative DoD. This is where warfighters, business and intelligence users all share knowledge on a secure, dependable and global network.
- The need to meet section 3541 of the "Federal Information Security Management Act of 2002" (FISMA).
Interim DIACAP guidance stated that any system operating with an ATO or IATO must modify its DITSCAP package to include all information assurance (IA) controls within 180 days. As of May 1, 2007 no final DIACAP guidance has been released.

Information Assurance Controls
The theme of the DIACAP revolves around how a program currently implements (or plans to implement) the IA controls applicable to that system. The IA controls for a system are determined by the system's Mission Assurance Category (MAC) and classification level (CL). The baseline IA controls that systems need to meet are found in DoD 8500.2 (Information Assurance Implementation), Enclosure 4.

DIACAP Process
Like the DITSCAP process, the DIACAP is a very documentation-heavy activity. To start the process the system must register a System Identification Profile (SIP) in eMASS. eMASS is the new DoD web-based tool to help with the implementation and management of C&A based on the DIACAP.
Next the DIACAP Implementation Plan package must be created. Doing this includes the following steps:
- Determine the IA controls the system must meet.
- Evaluate each control to see if it is currently implemented.
- If implemented, document how it is implemented.
- If not implemented, create a plan and schedule to implement the control (called a Plan of Action and Milestones, POA&M).
The next step is for a Designated Approving Authority (DAA) to look over all the artifacts created in the above steps to determine whether the package is complete enough to sign off on implementation of the assigned IA controls. If it is complete, the DAA runs attacks against the system to try to gain access and identify any vulnerabilities that have not already been addressed or mitigated (this is basically testing out each of the IA controls).

DIACAP Process Continued
Once the IA artifacts and validation testing are done, the DAA fills out the DIACAP scorecard, which helps determine the certification decision. Each system has to earn a required minimum number of points in the IA categories of Confidentiality, Availability, and Integrity in order to be considered for accreditation. The accreditation decision is based on the DIACAP scorecard along with the artifacts and documentation submitted.

How does the DIACAP differ from the DITSCAP?

Transitioning from the DITSCAP to the DIACAP
It's quite a project for a system to transition from the DITSCAP to the DIACAP. The system gets no credit for having an ATO granted under the DITSCAP process. The only help available is a guide that maps some of the IA controls and IA artifacts to sections of the SSAA (System Security Authorization Agreement).

Current problems with the DIACAP
- There are currently only a few IA controls that have specific artifacts listed to document that control.
- No final guidance has been issued on the whole process.
- The DIACAP Knowledge Service is only accessible to those individuals who have a DoD PKI certificate.

Conclusion
The DIACAP process is set up to handle the DoD's move to a net-centric operating environment and to set a standard that all programs must meet. Once completely in place, this will make the whole security process much easier. Unfortunately, with final guidance still not released, most programs that are currently operating under a DITSCAP ATO are at a standstill, and programs with ATOs expiring are being issued IATOs in 6-month increments.

References
- DoD 8500.2 (Information Assurance Implementation)
- DIACAP Knowledge Service
- The Federal Information Security Management Act (FISMA)
- DoD Directive 8500.1 (Information Assurance)
- DoD Directive 8100.1 (Global Information Grid Overarching Policy)