Presentation is loading. Please wait.

Presentation is loading. Please wait.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

Published byIrma Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011."— Presentation transcript:

1 DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011

2 Our Goal……Protecting DISA’s Networks At Sea and On Shore 2

3 What are we protecting? DOD Information –Classified Info –Privacy Act Info –Sensitive but Unclassified/Nuclear Info –FOUO (For Official Use Only) Systems –C4 (Command, Control, Communication & Computer) Systems –POR (Program of Record) Systems Networks –NIPRNET (Unclassified) –SIPRNET (Classified) 3

4 What are we protecting from? Insider Threat (Often under-estimated) –Disgruntled personnel –Unintentional actions of user –Trusted insider ??? Hacker/Cracker Malicious Code/Viruses/Worms State Sponsored CNA (Computer Network Attack) DOS (Denial of Service) Attacks –Self imposed –Deliberate actions of others 4

5 People Operations Technology Defense-in-Depth: It’s more than just technology 5 Right people in the right job Training, Training, Training Tactics, Techniques, and Procedures Hardened infrastructure Layered Protection Right DiD tool/technology in the right layer

6 Certification and Accreditation DIACAP = DOD Information Assurance Certification and Accreditation Process Designated Approval Authority (DAA) –Active Involvement –Risk Management Program Manager (PM) –Ensures Security Design Certification Authority/Agent (CA) –Reviews package/supports PM in design and verification Risk Management Framework (RMF) 6

7 Phase Description DIACAP melds into a “Lifecycle” support scheme very well Re-assessment of security posture/compliance and ATO status no less than once per year 7

8 DIACAP Lifecycle Phases of an IT System 8 Source: http://www.prim.osd.mil/cap/dhra-diacap.html?p=1.1.1.1http://www.prim.osd.mil/cap/dhra-diacap.html?p=1.1.1.1

9 DIACAP Tools DIACAP Packages are created with the help of: Knowledge Service (KS) – DoD-wide web based database of C&A efforts Enterprise Mission Assurance Support System (eMASS) – automates management functions 9

10 DIACAP KS Provides DIACAP process information Implementation Guides –Central point for process data dissemination –C&A News –Updates to controls –Generic Forms/Templates 10

11 eMASS Aids document production –Automates status reporting, workflows, artifact creation Acts as storehouse for infrastructure documents –Tracks all enterprise systems –Links C&A efforts across organization eMASS 11

12 DIACAP Executive Package Minimum information for accreditation decision –System Identification Profile –Scorecard –Certification Determination –POA&M –Accreditation Decision 12

13 Comprehensive Package System Identification Profile DIACAP Strategy Implementation Plan Security Control Requirements Relevant Artifacts, Validation Procedures, etc. –Scorecard –Certification Determination & Artifacts –POA&M –Accreditation Decision 13

14 System Identification Profile (SIP) Initial product of the DIACAP Describes Mission and System for Review Specifies DIACAP Team Members Formal System Registration Determination of MAC and CL 14

15 Implementation Plan Relevant Security Controls Lifecycle Analysis Configuration Description Once the Implementation Plan is set, its execution kicks off the Validation Process 15

16 Validation & POA&M System Tests/Test Plan Validation results POA&M with discrepancies Note that these are completed prior to the formal Scorecard creation 16

17 DIACAP Scorecard The Scorecard shows the certification status of a system in a concise format Displays: Number of Controls Required Number of Compliant/Non-compliant Areas Assessed Risk Status of Each Non-compliant area 17

18 Certification & Accreditation Decisions 18 DIACAP Package + Risk Assessment Presented to the Certification Authority (CA) CA issues Certification Recommendation (Cert Rec) DAA Takes the CA recommendation and DIACAP Package to Make Accreditation Decision

19 Authority To Operate Accreditation Decision takes the Form of: ATO – Authority to Operate (NO provisions) IATO – Interim ATO (provisions set forth in POA&M required) IATT – Interim Authority To Test (inside given timeline only) DATO – Denial of ATO (Reassess Implementation Plan…) 19

20 ATO Maintenance Monitor IA-Relevant Issues (vulnerabilities, exploits, policy changes, best practices, etc.) Conduct Annual Reviews Complete Re-Accreditation Process –(3 Years) 20

21 ATO Maintenance (cont) Correct newly discovered CAT I weakness within 30 days Correct newly discovered CAT II weakness within 90 days Continued ATO is contingent on the sustainment of an acceptable IA posture Identify Decommission Point 21

22 C&A Timeline 30-60 days out from expiration date –Notification via IA Compliance Slides 30 days out –Cert Rec & DIACAP Package due –Time to work out any issues 5 days out –DAA review Connection Approval Process (CAP) –Circuits –Requires 21 days to process C&A Timeline 22

23 Questions? DIACAP Knowledge Service (https://diacap.iaportal.navy.mil)https://diacap.iaportal.navy.mil CIO-IA-Security (cioiase@disa.mil)cioiase@disa.mil Ref: DoDI 8510.01 23

Download ppt "DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011."

Similar presentations

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
1 Office of the Designated Approving Authority (ODAA) April 2008.

1 Office of the Designated Approving Authority (ODAA) April 2008.
Navy and Marine Corps Intranet Certification and Accreditation Mr. Bob Turner, Booz Allen Hamilton Senior Consultant NMCI IA Lead NAVNETWARCOM Information.

Navy and Marine Corps Intranet Certification and Accreditation Mr. Bob Turner, Booz Allen Hamilton Senior Consultant NMCI IA Lead NAVNETWARCOM Information.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
DISN Video Services September 21, 2009 An Overview of the VTF DIACAP Process A Combat Support Agency Defense Information Systems Agency.

DISN Video Services September 21, 2009 An Overview of the VTF DIACAP Process A Combat Support Agency Defense Information Systems Agency.
Unclassified Slide 1 5/21/2015 2007 LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC DSN 332-7376 DIACAP Army Guidance.

Unclassified Slide 1 5/21/ LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC DSN DIACAP Army Guidance.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,

Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,
Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.

Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.

Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google