
Unclassified Slide 1 5/21/2015 2007 LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC DSN 332-7376 DIACAP Army Guidance.


1 Unclassified Slide 1 5/21/2015 2007 LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC Sally.dixon@us.army.mil, DSN 332-7376
DIACAP Army Guidance and Transition
Ms. Sally Dixon, Army Office of Information Assurance & Compliance
Track 1: Session 3, Information Assurance

2 Terminology
– DIACAP: Department of Defense Information Assurance Certification and Accreditation Process
– DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
– DODI: Department of Defense Information Issuance/Instruction

3 Terminology (cont)
– DAA: Designated Approving Authority
– CA: Contractor Agreements/Certification Authority
– ACA: Associate Contractor Agreements/Certification Authority
– SIP: System Identification Profile
– POA&M: Plan of Action & Milestones
– SATE: Security Awareness Training And Education

4 Track 1, Session 3: DIACAP Army Guidance and Transition
PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements
OBJECTIVES: By the end of this brief you will be able to:
– Identify the reason C&A needs to be completed
– Identify the why, when, and how concerning transition to the DIACAP
– Identify the tools provided by Army and DOD to help implement the C&A process
– Identify the Army C&A POCs


6 Congressional & DOD Requirements
Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
– Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
DoD Directive 8500.1, Information Assurance, 24 Oct 2002
– Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1

7 DoD Requirements (cont)
DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006
– DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
Interim DIACAP Guidance
– DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation

8 DoD Requirements (cont)
Interim DIACAP Guidance
– Net-centric: information belongs to the enterprise, shared risks
– Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
– Supersedes DITSCAP, DODI 5200.40
DITSCAP (DODI 5200.40), by contrast
– Platform-centric: information belongs to the system owner, system-specific risks
– Individual C/S/A-defined IA Controls
– DAA-appointed Certification Authority

9 Army Policy
Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP, 30 Nov 2006
– Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices (BBPs):
  – The Information Assurance (IA) Certification and Accreditation (C&A) BBP
  – The Designated Approving Authority (DAA) BBP
  – The Certification Authority (CA) BBP
  – The Agent of the Certification Authority (ACA) BBP

10 Army Policy (cont)
– The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination
  – In the chain of command of the system owner
  – Responsible for the impact of any risk that was accepted
  – Responsible for ensuring the POA&M (get-well plan) is executed
  – Will complete the Army-specific DAA Course
– Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)
– Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions of the 3rd-party independent validator

11 Army Policy (cont)
– A System Owner will be identified for all information systems used by or in support of the Army
– System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
– All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
– Annual revalidation IAW FISMA will be completed
– Information systems will be recertified and reaccredited every three years

12 Why Transition
– DITSCAP and Army C&A processes were written for stand-alone or stovepipe systems
– DITSCAP not cost effective: paper vice value
– DODI 8500.2 IA controls not considered
– DAA delegated to the lowest level limits "Big Picture" consideration
– Too many CAs limits consistent assessments
– No qualification requirements for ACAs
– IS deployed with no easily identifiable responsible government owner

13 C&A Terms (equivalent DITSCAP term → new DIACAP term)
– Application Manual → Knowledge Service
– IA Requirements → IA Controls
– CA Team Member (TM) / CA Representative (CAR) → Agents of the Certification Authority (ACA) / Validator
– Documents, MOAs, Waivers, etc. → Artifacts
– RTM & Acquisition Strategy & Test Plan, etc. → DIP
– Get-well plan → POA&M
– Test Results → Scorecard
– Phase 1 SSAA → SIP

14 The DIACAP
Focus on security posture via IA controls compliance
– Baseline IA Controls address enterprise-wide threats and vulnerabilities
– MAC & Confidentiality levels determine IA Controls
Applicability examples:
– IS under contract to DoD
– IS of Non-appropriated Fund Instruments
– Prototypes
– Advanced Concept Technology Demos (ACTD)
– Stand-Alone IS
– Mobile Computing devices, wired or wireless

15 The DIACAP (cont)
Allows for Inheritance of IA Controls
Severity code assigned to failed IA controls
– CA assessment of exploitation ease
Impact codes assigned to failed IA controls
– DOD's assessment of system-wide IA consequences
Severity and Impact codes
– Determine the risk level associated with the security weakness
– Determine the urgency with which corrective actions must take place

16 Key C&A Functions
– Certification Authority (CA): determines the exploitation ease of vulnerabilities
– Agent of the CA (ACA): performs validation against IA controls
– System Owner: responsible for IA of the system throughout its lifecycle
– Designated Approving Authority (DAA): balances the exploitation ease against the harm capability and operational need

17 DIACAP Activities

18 https://diacap.iaportal.navy.mil


20 DIACAP Packages
Comprehensive package
– Used for the CA recommendation
– Includes all the information resulting from the DIACAP process
Executive package
– Less than the Comprehensive package
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval

21 DIACAP Package Contents
Executive Package
– System Identification Profile (SIP)
– DIACAP Scorecard
– Certification Determination
– Accreditation Determination
– POA&M (if required)
Comprehensive DIACAP Package
– System Identification Profile (SIP)
– DIACAP Implementation Plan (DIP)
  – IA Controls, inherited and implemented
  – Implementation status
  – Responsible entities
  – Resources
  – Estimated completion date for each IA Control
– Supporting Documentation for Certification
  – Actual validation results
  – Artifacts associated with implementation of IA Controls (e.g., STIGs and other implementation guidance)
  – Other
– DIACAP Scorecard
– Certification Determination
– Accreditation Determination
– POA&M (if required)

22 System Identification Profile
1 System ID
2 System Component
3 Governing DoD Component IA Program
4 System Name
5 Acronym
6 System Version or Release Number
7 System Description
8 DIACAP Activity
9 System Life Cycle or Acquisition Phase
10 Information System Type
11 MAC
12 Confidentiality Level
13 Mission Criticality
14 Accreditation Vehicle
15 Additional Accreditation Vehicles
16 Certification Date
17 Approval Date
18 Accreditation Status
19 Accreditation Document
20 Accreditation Date
21 Authorization Termination Date
https://diacap.iaportal.navy.mil


31 Annual Validation
IA Controls validation required no less than annually
Three Information Papers
– IT System Contingency Plans
  – Must be tested annually
  – Table-top exercise
  – Functional exercise
– Security Control Test: requirement for FISMA compliance
  – 8 controls must be tested
  – Most control testing based on procedural review

32 Annual Validation (cont)
– Annual Security Review: requirement for FISMA compliance
  – All IA controls must be reviewed annually
  – Date testing completed in support of the accreditation decision is recorded in APMS
  – Status of existing accreditation reassessed:
    – Continue ATO, no change in ATD
    – Continue ATO, SO must implement precautionary IA improvements, no change in ATD
    – Downgrade ATO to IATO, SO must prepare & execute POA&M, ATD is reset to 180 days
    – Downgrade ATO to DATO, operations halted
IS will be re-certified & re-accredited every 3 years

33 Transition
Initiate / Transition to DIACAP
– Unaccredited new start or operational IS
– DITSCAP initiated, Phase 1 SSAA not signed
– IS authorization more than 3 years old

34 Transition (cont)
Accreditation current within 3 years
– RTM lists applicable 8500.2 controls
  – Within 180 days, establish strategy and schedule for:
    – Transitioning to DIACAP
    – Satisfying DIACAP Annual Reviews
    – Meeting FISMA reporting requirements
– RTM does not list applicable 8500.2 controls
  – Within 180 days, requirement same as above, plus:
    – Strategy and schedule for achieving compliance with the 8500.2 IA controls
    – Provide Army CA an assessment of compliance with 8500.2 IA controls

35 Transition (cont)
Continue DITSCAP
– Phase 1 signed, accreditation not received
– RTM lists applicable 8500.2 controls
  – Within 180 days, modify SSAA reaccreditation paragraph to include transition strategy and schedule
– RTM does not list applicable 8500.2 controls
  – Within 180 days:
    – Modify RTM to incorporate IA Controls
    – Develop implementation plan
    – Modify SSAA reaccreditation paragraph to include transition strategy
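The transition table on slides 33 through 35, together with the 3-year re-accreditation rule on slide 32, is a decision procedure over a handful of facts about each system (whether it is accredited and how old that accreditation is, whether the DITSCAP Phase 1 SSAA was signed, and whether the RTM lists the applicable 8500.2 controls). The following Python is an added illustration of that procedure written for this page; it is not code from the briefing or from any Army tool. The slides do not say from which date the 180-day windows are counted, so the start date is an explicit parameter (the sample run assumes the 30 Nov 2006 memo date), and the system names and dates in the sample inventory are constructed.

```python
"""Model of the DIACAP transition decision (slides 33-35) plus the 3-year
re-accreditation rule (slide 32).  Added illustration, not part of the briefing."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RECERT_YEARS = 3                          # slide 32: re-certify/re-accredit every 3 years
TRANSITION_WINDOW = timedelta(days=180)   # slides 34-35: the "180-days" actions


@dataclass
class SystemRecord:
    name: str
    accreditation_date: Optional[date]    # None -> accreditation not received
    phase1_ssaa_signed: bool              # DITSCAP Phase 1 SSAA signed?
    rtm_lists_8500_2_controls: bool       # RTM lists applicable DODI 8500.2 controls?


@dataclass
class TransitionDecision:
    path: str                             # "initiate_diacap" | "transition" | "continue_ditscap"
    reason: str
    actions: List[str] = field(default_factory=list)
    deadline: Optional[date] = None       # end of the 180-day window, when one applies
    authorization_expiry: Optional[date] = None


def authorization_expiry(accredited: date) -> date:
    """Date on which a 3-year accreditation lapses (a 29 Feb date rolls back to 28 Feb)."""
    try:
        return accredited.replace(year=accredited.year + RECERT_YEARS)
    except ValueError:
        return accredited.replace(year=accredited.year + RECERT_YEARS, day=28)


def decide_transition(rec: SystemRecord, as_of: date, window_start: date) -> TransitionDecision:
    """Map a system's C&A state onto the slide 33-35 transition table.

    as_of is the date on which the age of the accreditation is judged; window_start is
    the date the 180-day window is counted from (an assumption: the slides do not say)."""
    if rec.accreditation_date is not None:
        expiry = authorization_expiry(rec.accreditation_date)
        if as_of > expiry:                # slide 33: authorization more than 3 years old
            return TransitionDecision("initiate_diacap", "IS authorization more than 3 years old",
                                      authorization_expiry=expiry)
        # slide 34: accreditation current within 3 years
        actions = ["establish strategy and schedule for transitioning to DIACAP",
                   "satisfy DIACAP annual reviews",
                   "meet FISMA reporting requirements"]
        if not rec.rtm_lists_8500_2_controls:
            actions += ["strategy and schedule for achieving compliance with 8500.2 IA controls",
                        "provide Army CA an assessment of compliance with 8500.2 IA controls"]
        return TransitionDecision("transition", "accreditation current within 3 years",
                                  actions, window_start + TRANSITION_WINDOW, expiry)

    if not rec.phase1_ssaa_signed:        # slide 33: new start, or DITSCAP Phase 1 not signed
        return TransitionDecision("initiate_diacap", "unaccredited, Phase 1 SSAA not signed")

    # slide 35: Phase 1 signed, accreditation not received -> continue DITSCAP
    if rec.rtm_lists_8500_2_controls:
        actions = ["modify SSAA reaccreditation paragraph to include transition strategy and schedule"]
    else:
        actions = ["modify RTM to incorporate IA controls",
                   "develop implementation plan",
                   "modify SSAA reaccreditation paragraph to include transition strategy"]
    return TransitionDecision("continue_ditscap", "Phase 1 SSAA signed, accreditation not received",
                              actions, window_start + TRANSITION_WINDOW)


if __name__ == "__main__":
    # Constructed sample inventory: names and dates are made up for the illustration.
    memo_date = date(2006, 11, 30)        # assumed window start (Army CIO/G-6 memo date, slide 9)
    inventory = [
        SystemRecord("ALPHA-LOGISTICS", date(2006, 1, 15), True, True),
        SystemRecord("BRAVO-RANGE", date(2003, 6, 1), True, True),
        SystemRecord("CHARLIE-PORTAL", None, True, False),
        SystemRecord("DELTA-NEWSTART", None, False, False),
    ]
    for rec in inventory:
        d = decide_transition(rec, as_of=date(2007, 6, 1), window_start=memo_date)
        print(f"{rec.name}: {d.path} ({d.reason}); deadline={d.deadline}; expires={d.authorization_expiry}")
        for a in d.actions:
            print("   -", a)
```

The one choice worth noting is that the age test compares the as-of date against the computed expiry rather than against a raw day count, so the same helper can also drive the "Authorization Termination Date" field of the SIP on slide 22.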

36 Status
– 552 C&A package actions completed, 115 currently in process
– 309 other C&A actions completed, 58 currently in process
– Six ACA leads validated: ISEC, CE-LCMC SEC, S&TDC, SPAWARSYSCEN Charleston, ARL CISD, ARL/SLAD
– System owner identified and confirmed for all systems coming into the Certification Authority
– DAA Repository posted, updated regularly
– 41 DAAs appointed for 1071 named systems
– Army-specific DAA Course developed, completed by 32 appointed DAAs [https://iatraining.us.army.mil]


38 DAA Course https://iatraining.us.army.mil

39 Status (cont)
New C&A BBPs
– Installation Level DAA, published 6 Jun 07
– Terms for Connectivity to the Installation Service Provider/ICAN (in process); draft distributed for comment 18 June 2007
– Standardized C&A for Tactical Units (in process)
C&A status tracked in APMS for annual FISMA reporting
Army C&A Resource: iacora home page on the AKO stood up

40–43 https://www.us.army.mil/suite/page/146650


45 Contacts
Team Members
– Sally Dixon – 703.602.7376, sally.dixon@us.army.mil
– Bill Janosky – 703.602.7372, william.janosky@us.army.mil
– Bill Cathcart – 703.602.7369, william.cathcart@us.army.mil
– Jim Burgan – 703-602-7393, jim.burgan@us.army.mil
– Jennifer Sikes – 703-602-7377, jennifer.sikes@us.army.mil
Group email: iacora@us.army.mil
iacora home page on AKO at: https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)
iacora home page on AKO-S at: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for access)

