An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)


Solutions Built On Security
Prepared for The IT Security Community and our Customers
Prepared by Lunarline, Inc., 1875 I ST, NW, Suite 500, Washington, DC 20006, www.lunarline.com
1 March 2006
By Mike Bendel

Table of Contents

1. Purpose
2. DIACAP Defined
3. The Net-Centric Data Strategy
4. Global Information Grid (GIG)
5. DIACAP and GIG
6. Mission Assurance Categories (MACs)
7. Confidentiality Levels (CLs)
8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)
9. MAC, CL, & Information Assurance (IA) Controls
10. IA Control Examples
11. The DIACAP Knowledge Service (KS)
12. Enterprise Mission Assurance Support services (emass)
13. DIACAP Roles & Responsibilities
14. The DIACAP Enterprise Governance Structure
15. The DIACAP Process Stages & Phase One
16. The DIACAP Process: Phase Two
17. The DIACAP ScoreCard
18. The DIACAP Process: Phase Three
19. The DIACAP Process: Phase Four
20. The DIACAP Process: Phase Five
21. The DIACAP Process: Summarized
22. Transition to DIACAP
23. Transition Timeline and Instructions
24. DITSCAP & DIACAP Compared
APPENDIX A: REFERENCES

List of Tables

Table 1: MAC Levels
Table 2: CL Levels
Table 3: IA Control Subject Areas
Table 4: Minimum Required Baseline Scores
Table 5: DIACAP Phase Review
Table 6: Phases: DIACAP vs. DITSCAP
Table 7: DIACAP & DITSCAP Compared

Table of Figures

Figure 1: The emass Welcome Page
Figure 2: Register the IA Program
Figure 3: The emass System Page
Figure 4: The DIACAP ScoreCard

1. Purpose

The purpose of this article is to give an overview of the new Department of Defense IA Certification and Accreditation Process (DIACAP) and two associated Web-based services: the DIACAP Knowledge Service (KS) and the Enterprise Mission Assurance Support Service (emass).

2. DIACAP Defined

DIACAP, based on DoDI 8510.bb, is a new process for the Certification and Accreditation (C&A) of all Department of Defense (DoD) information systems (IS) and for determining whether these systems should be authorized to operate. It cancels DoDI 5200.40 and DoD 8510.1-M and replaces DITSCAP. DIACAP is the latest method for identifying, implementing, and validating information assurance controls and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA). DIACAP is also a guide for compliance with the Global Information Grid (GIG).

DIACAP is a dynamic process in which IA posture is reviewed not less than annually. It has a DoD enterprise C&A decision structure and implements enterprise-level baseline IA Controls based on the IS Mission Assurance Category (MAC) and Confidentiality Level (CL). IA Controls may be augmented at the DoD Component level and at the IS level. DIACAP places the responsibility for establishing DIACAP objectives, context, and decision structure on the DoD Senior Information Assurance Official (SIAO) and the Principal Approving Authority (PAA) representatives. Compliance with assigned IA Controls and the IS C&A decision status are conveyed by the DIACAP Scorecard. DIACAP assigns, implements, and validates DoDI 8500.2 standardized IA Controls and manages IA posture across DoD information systems consistent with DoD regulatory policy (the IA 8500 series) and legislative policy (FISMA). It provides for the availability of the C&A status of DoD information systems across the GIG and supports transition to GIG standards, e.g., from fixed system boundaries to a net-centric environment.

3. The Net-Centric Data Strategy

The Net-Centric Data Strategy (May 9, 2003*) is a key enabler of the DoD's transformation. This Strategy provides the foundation for managing the Department's data in a net-centric environment, ensuring several things:
1) Data are visible, accessible, and understandable when needed and where needed to accelerate decision making.
2) Tagging of all data (intelligence, non-intelligence, raw, and processed) with metadata enables discovery by known and unanticipated users in the DoD.

3) All data is posted to shared spaces for users to access except when limited by security, policy, or regulations.
4) Organizing around Communities of Interest (COIs) that are supported by Warfighter, Business, and Intelligence Domains.

4. Global Information Grid (GIG)

What is the Global Information Grid (GIG)? The GIG comprises a seamless and secure end-to-end IA Architecture requiring shared enterprise services with streamlined management capabilities. The concept of individual systems will no longer exist. It encompasses DoD, the Intelligence Community (IC), Federal, industry, and international partnership communities. The network-centric objectives of the GIG are based on an information-sharing environment that empowers the user with the ability to securely access all relevant information and recognizes the individual user as an information source. Access privileges will be required in order to ensure information is available to those who need it and protected from those without appropriate privileges.

The GIG supports all Department of Defense, National Security, and related Intelligence Community missions and functions in war and in peace. It encompasses the globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, disseminating, distributing, and managing information on demand by warfighters, policy makers, and support personnel. The GIG enables the formation of dynamic communities of interest (COIs). In some circumstances, these COIs will be formed on short notice and may exist for a relatively short timeframe.

The GIG requires greatly enhanced IA solutions to support the paradigm shift from "need to know" to "need to share". Information sharing will require user access that crosses traditional system and classification boundaries. The GIG will permit provisional access to data for users not normally possessing access privileges, but who may need access in certain mission-critical situations. It will require that users, and perhaps even automated processes, have the ability to override data owner and originator security settings in support of operational need.

5. DIACAP and GIG

How is DIACAP related to the GIG? The DIACAP is a central component of the GIG IA C&A Strategy. DIACAP satisfies the need for a dynamic C&A process for the GIG and net-centric applications, a need which cannot be met with the current C&A methodology.

The DIACAP supports Information Systems transitioning to net-centric environments and GIG Standards by:
1. Ensuring uniformity of approach
2. Managing and disseminating Information Assurance design, implementation, validation, sustainment, and approach
3. Being able to handle differing systems
4. Facilitating a dynamic environment

Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD Component level in accordance with FISMA. The DIACAP will support the ongoing validation needed to maintain the Information Assurance posture of an Information System. DoD Component IA Programs are the primary method of supporting the DoD Information Assurance Program. The status of all systems in the DIACAP program will be available to all who have authorized access.

6. Mission Assurance Categories (MACs)

The Mission Assurance Category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, especially concerning the Warfighter's combat mission. MACs are primarily used to determine the requirements for availability and integrity. The DoD has three defined mission assurance categories:

MAC I: Information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness.
MAC II: Information that is important to the support of deployed and contingency forces.
MAC III: Information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term.

Table 1 shows the required levels of integrity and availability for each MAC level.

Table 1: MAC Levels

MAC       Integrity Level   Availability Level
MAC I     High              High
MAC II    High              Medium
MAC III   Basic             Basic

7. Confidentiality Levels (CLs)

The Confidentiality Level (CL) measures a system's confidentiality requirements based on whether the system processes classified, sensitive, or public information. Table 2 maps each CL to its required level of confidentiality.

Table 2: CL Levels

CL          Definition                                   Level Required
Classified  Systems processing classified information   High
Sensitive   Systems processing sensitive information    Medium
Public      Systems processing public information       Basic

Since the CL measures the need for confidentiality, it is used to determine acceptable access factors, such as requirements for individual security clearances or background investigations, access approvals, and need-to-know determinations. Interconnection controls and approvals, and the acceptable methods by which users may access the system, are also determined by the CL of a system.

8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)

MACs and CLs are independent; that is, a MAC I system may process public information and a MAC III system may process classified information. The nine combinations of mission assurance category and confidentiality level establish nine baseline IA levels that may coexist within the Global Information Grid (GIG):

MAC I, Classified
MAC I, Sensitive
MAC I, Public

MAC II, Classified
MAC II, Sensitive
MAC II, Public
MAC III, Classified
MAC III, Sensitive
MAC III, Public

9. MAC, CL, & Information Assurance (IA) Controls

A MAC and a CL are assigned to each DoD information system. Which IA Controls are appropriate for a system is determined by the assigned MAC and CL. IA Controls are the baseline requirements for IA C&A and help ensure that the levels of confidentiality, integrity, and availability meet system security requirements. The MAC IA Controls focus on integrity and availability, while the CL IA Controls focus on confidentiality and integrity. Table 3 shows the IA Control subject areas.

Table 3: IA Control Subject Areas

Control  Subject Area Name                    # of Controls
DC       Security Design & Configuration      31
IA       Identification & Authentication      9
EC       Enclave & Computing Environment      48
EB       Enclave Boundary Defense             8
PE       Physical & Environmental             27
PR       Personnel                            7
CO       Continuity                           24
VI       Vulnerability & Incident Management  3

10. IA Control Examples

Examples of Confidentiality IA Controls

Identification and Authentication: IAGA-1 Group Identification and Authentication (NIST SP 800-53, IA-2)
Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the DAA.

Security Design and Configuration: DCAS-1 Acquisition Standards (NIST SP 800-53, SA-2)
The acquisition of all IA and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources: the International Common Criteria (CC), the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product, or a security target with the appropriate assurance requirements for a product to be submitted for evaluation.

Examples of Integrity IA Controls

Identification and Authentication: IAKM-2 Key Management (NIST SP 800-53, IA-2, IA-4, IA-5)
Symmetric keys are produced, controlled, and distributed using NSA-approved key management technology and processes. Asymmetric keys are produced, controlled, and distributed using DoD PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

Identification and Authentication: IATS-2 Token and Certificate Standards (NIST SP 800-53, IA-2)
Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.

Examples of Availability IA Controls

Security Design and Configuration: DCAR-1 Procedural Review (NIST SP 800-53, CA-2)
An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.

Security Design and Configuration: DCSD-1 IA Documentation (NIST SP 800-53, PS-2, PL-2)
All appointments to required IA roles are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT designation. A System Security Plan is established that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives.

11. The DIACAP Knowledge Service (KS)

What is the DIACAP Knowledge Service (KS)? The KS is a Web-based, DoD PKI-enabled knowledge resource for DIACAP. It provides a wealth of tools, such as GIG IA C&A guidelines, diagrams, process maps, and documents, to support and aid in DIACAP execution. The KS is a collaboration workspace for the DIACAP user community to develop, share, and post lessons learned and best practices. It is also a source for IA news and events and other IA-related information resources. With the DIACAP KS, you can find the most current GIG IA C&A guidelines and determine which enterprise-level IA Controls apply to a given information system. The KS has implementation guidance, validation procedures, and expected results for each DoDI 8500.2 IA Control. You can also hear about real-world experiences implementing DIACAP, get access to forms and templates, and find out about the latest IA news. The DIACAP KS is available on-line without charge.

12. Enterprise Mission Assurance Support services (emass)

What is Enterprise Mission Assurance Support services (emass)? emass is a Web-based suite of integrated services for select core IA program management processes, the first of which is the implementation and management of C&A based on the requirements of the DIACAP. It is an OASD(NII) Research & Development Initiative designed to support the DoD 8500-series policy framework. It will support DCID 6/3 (Intelligence Community) and NIST SP 800-37/53 (Civil) in future iterations. It is considered a DoD Core Enterprise Services (CES) candidate for IA program management. It is an IATAC endeavor that is government owned, not proprietary. The benefits of emass are automation, accountability, extensibility, and flexibility. emass creates a C&A package for the management of each registered information system. DoD PKI and auditing features enable monitoring of each transaction. emass is scalable to any enterprise, regardless of size and mission. It was designed to support multiple IA requirement types. emass will be available without charge for licensing or development upgrades; however, organizational investment is required for hardware, COTS software licenses, and training.

The following three figures give an introduction to the emass interface.

Figure 1: The emass Welcome Page
Figure 2: Register the IA Program

Figure 3: The emass System Page

13. DIACAP Roles & Responsibilities

There are various roles and responsibilities within the DIACAP. The Designated Approval Authority (DAA) has the authority and ability to evaluate the mission, business cases, and budgetary needs for the system in view of the security risks. The DAA determines the acceptable level of residual risk and makes the authorization decision. The Information Assurance Manager (IAM)/Certification Authority (CA) is the one who manages the certification process. The IAM/CA performs a comprehensive evaluation of the technical and non-technical aspects of the certification effort, reports the status of the certification, and recommends to the DAA whether to authorize the system. The Program Manager/System Manager (PM/SM) represents the interests of the system throughout its life cycle. The User Representative (UR) is concerned with system availability, integrity, and confidentiality as they relate to the system's mission. The Validation Tester tests the system against the IA Controls to ensure the system is compliant.

14. The DIACAP Enterprise Governance Structure

The DIACAP Enterprise Governance Structure is intended to synchronize and integrate DIACAP activities across all levels. The Governance Structure is comprised of three major elements: the accreditation structure, the configuration control and management (CCM) structure, and the C&A process administration and certification structure. The accreditation structure is aligned to GIG Mission Areas and addresses cross-cutting issues. In the configuration control and management structure, the DIACAP Technical Advisory Group (TAG) supports the KS content, including the IA Controls. In the C&A process administration and certification structure, the authority and responsibility for certification are vested in the DoD Component Senior IA Officials (SIAOs). SIAOs serve as the Certifying Authority (CA), and the CIO is responsible for administration of the overall C&A process.

15. The DIACAP Process Stages & Phase One

There are five phases that summarize DIACAP activities:
1. Initiate and Plan IA C&A
2. Implement and Validate Assigned IA Controls
3. Make Certification Determination & Accreditation Decisions
4. Maintain Authority to Operate and Conduct Reviews
5. Decommission

The five steps taken during the first phase are:
1. Register the System with the DoD Component IA Program
2. Assign IA Controls
3. Assemble a DIACAP Team
4. Review DIACAP intent
5. Initiate IA Implementation Plan

16. The DIACAP Process: Phase Two

The second DIACAP phase is Implement and Validate. The three steps in this phase are:
1. Execute and Update IA Implementation Plan
2. Conduct Validation Activities
3. Compile Validation Results

The following two Identification & Authentication controls are useful in the second and third steps of this phase:

Validating IA Controls (IAKM-2 Key Management): Production, Control, and Distribution of Asymmetric Keys (NIST SP 800-53, IA-5)
Validation Test: Review system documentation. Ensure that asymmetric keys, if utilized, are produced, controlled, and distributed using appropriate DoD PKI assurance-level certificates and hardware security tokens that protect the user's private key (i.e., CAC). Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of asymmetric keys.
Expected Results: Asymmetric keys utilize appropriate DoD PKI assurance-level certificates and hardware security tokens.

Validating IA Controls (IAKM-2 Key Management): Symmetric Keys (NIST SP 800-53, IA-5)
Test Script: Review system documentation. Ensure that symmetric keys, if utilized, are produced, controlled, and distributed using NSA-approved key management technology and processes. Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of symmetric keys.
Expected Results: Symmetric keys are produced, controlled, and distributed using NSA-approved key management technology and processes.

The DIACAP Scorecard is an important tool for this stage of the DIACAP process because it shows the implemented and validated controls.

17. The DIACAP ScoreCard

The DIACAP ScoreCard is a summary report that shows the certified or accredited implementation status of a DoD information system's assigned IA Controls and supports or conveys the accreditation decision. The DIACAP ScoreCard is intended to convey information about the IA posture of the evaluated system in a format that can be easily understood by managers and can be easily exchanged electronically.

The I-Assure implementation of the DIACAP ScoreCard is an automated client-side application that enables the assessor to evaluate the effectiveness of the controls in place for an IT system through a series of questions and answers.

Figure 4: The DIACAP ScoreCard

Also in the Implement and Validate DIACAP phase, it is important to compare the system's MAC and CL controls against standard minimum baseline requirements. This helps to measure the effectiveness of these controls in terms of confidentiality, integrity, and availability. The following table shows these minimum baseline scores. The Confidentiality column is the required minimum baseline score for the CL; the Integrity and Availability columns are the required minimum baseline scores for the MAC.

Table 4: Minimum Required Baseline Scores

CL          MAC      Confidentiality  Integrity  Availability  Total Required Minimum Baseline Score
Classified  MAC I    45               32         38            115
Sensitive   MAC I    37               32         38            107
Public      MAC I    11               32         38            81
Classified  MAC II   45               32         38            115
Sensitive   MAC II   37               32         38            107
Public      MAC II   11               32         38            81
Classified  MAC III  45               27         37            109
Sensitive   MAC III  37               27         37            101
Public      MAC III  11               27         37            75

18. The DIACAP Process: Phase Three

C&A decisions are made during the third DIACAP phase. The three steps in this stage are:
1. Analyze Residual Risk
2. Issue Certification Determination
3. Make Accreditation Decisions

The Analyze Residual Risk step is performed by the IAM or the CA. They assess residual risk to the DoD Component information environment, to the information exposed to the DoD information system, and to the mission being supported by the DoD information system. The DAA makes an accreditation decision based on a review of the materials in the DIACAP package and recommendations from the IAM/CA.

Example contents of a DIACAP Package:
System Identification Profile
DIACAP Strategy
IA Implementation Plan
DIACAP Scorecard
Certification Determination
DIACAP Plan of Actions and Milestones (POA&M), as required
Accreditation Decision
Artifacts and Evidence of Compliance

There are four possible accreditation decisions:
1. Approval to Operate (ATO)
2. Interim Approval to Operate (IATO)
3. Interim Approval to Test (IATT)
4. Denial of Approval to Operate (DATO)

An ATO, granted by a DAA, authorizes a DoD information system to process, store, or transmit information. Authorization is based on an acceptable IA design and implementation of assigned IA Controls. An IATO is a temporary approval granted by a DAA to operate, based on an assessment of the implementation status of the assigned IA Controls. An IATT is a temporary approval granted by a DAA to conduct system testing, based on an assessment of the implementation status of the assigned IA Controls. A DATO is a DAA determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA Controls.

19. The DIACAP Process: Phase Four

The fourth DIACAP stage is Maintain ATO/Reviews. The four steps in this phase are:
1. Initiate and Update Lifecycle Implementation
2. Plan for IA Controls
3. Maintain Situational Awareness
4. Maintain IA Posture

Types of Phase 4 activities:
1. Exercise configuration management of the IA Controls Implementation Plan for the operational system, which permits IT component swaps and minor software releases.
2. Incorporate any new or modified IA Controls into the IA Implementation Plan, or any corrections of other identified security vulnerabilities.
3. Update the DIACAP Package and IA Controls Scorecard.
4. Conduct monitoring as specified in the IA Implementation Plan.
5. Conduct vulnerability scans and penetration tests.
6. Re-verify identified IA Controls.
7. Validate continued compliance with necessary IA Controls and the IA Controls Scorecard.

20. The DIACAP Process: Phase Five

The fifth and final DIACAP process stage, the Decommission Stage, has one important step: disposition of the DIACAP registration information and system-related data. In the Decommission Stage, the DIACAP registration information and system-related data or objects in the GIG supporting IA infrastructure and core enterprise services are securely disposed of.

21. The DIACAP Process: Summarized

The following table summarizes the DIACAP phases and the steps in each phase:

Table 5: DIACAP Phase Review

Phase                 Steps
Initiate & Plan       Register the System with DoD Component IA Program; Assign IA Controls; Assemble a DIACAP Team; Review DIACAP intent; Initiate IA Implementation Plan
Implement & Validate  Execute and Update IA Implementation Plan; Conduct Validation Activities; Compile Validation Results
Make C&A Decisions    Analyze Residual Risk; Issue Certification Determination; Make Accreditation Decisions
Maintain ATO/Reviews  Initiate and Update Lifecycle Implementation Plan for IA Controls; Maintain Situational Awareness; Maintain IA Posture
Decommission          Disposition of DIACAP Registration Information & System-Related Data

22. Transition to DIACAP

Why is the DoD changing from DITSCAP to DIACAP at this time? The DoD is transforming its information security posture in response to changes in Information Technology (IT) and in Federal requirements and guidelines. There have been many changes in the way the DoD acquires, uses, and operates IT. Also, Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires Federal departments and agencies to develop, document, and implement an organization-wide program to provide information assurance. DIACAP ensures DoD C&A is consistent with FISMA, DoDD 8500.1, and DoDI 8500.2.

23. Transition Timeline and Instructions

The current draft of DoDI 8510.bb provides a timeline and instructions for the transition from DITSCAP to DIACAP. DIACAP should be initiated immediately for unaccredited new-start or operational information systems. Transition actions and timelines for a system that is currently under DITSCAP vary depending on the DITSCAP phase, the status of the SSAA, the DITSCAP Accreditation Decision, and the degree to which the 8500 IA controls have been incorporated. Under specific circumstances, a system may continue under DITSCAP and be granted an Accreditation Decision under DITSCAP, but a DIACAP transition plan and schedule must still be developed. If a system has a DITSCAP ATO more than three years old, DIACAP should be initiated.

24. DIACAP & DITSCAP Compared

Table 6 shows how the DIACAP phases differ from the DITSCAP phases.

Table 6: Phases: DIACAP vs. DITSCAP

1. DIACAP: Initiate & Plan IA C&A
   DITSCAP: Definition
2. DIACAP: Implement & Validate IA Controls
   DITSCAP: Verification
3. DIACAP: Make Certification Determination & Accreditation Decision
   DITSCAP: Validation
4. DIACAP: IATO/ATO
   DITSCAP: IATO/ATO
5. DIACAP: Maintain ATO
   DITSCAP: Post-Accreditation

Table 7 shows some of the differences between DIACAP and DITSCAP.

Table 7: DIACAP & DITSCAP Compared

1. DIACAP: All systems inherit enterprise standards and requirements.
   DITSCAP: Security requirements and standards uniquely determined by each system.
2. DIACAP: Certification Authority is a qualified, resourced, and permanent member of CIO staff.
   DITSCAP: DAA and Certifier selected by/for each system.
3. DIACAP: No pre-defined phases. Each system works to a plan that aligns to the system life cycle.
   DITSCAP: Policy advocated tailoring, but process was hard-coded to phases.
4. DIACAP: Accreditation status communicated by assigned IA Controls compliance ratings and by letter and status code (ATO, IATO, IATT, DATO) in the DIACAP Scorecard.
   DITSCAP: Accreditation status communicated via letter and status code (ATO, IATO) in the SSAA.
5. DIACAP: Automated tools, enterprise-managed KS, requirements tied to architecture.
   DITSCAP: No process improvement.
6. DIACAP: ATO means security risk is at an acceptable level to support the mission and live data.
   DITSCAP: Inaccurate association of ATO with perfect and unchanging security.
7. DIACAP: Continuous, asynchronous monitoring; reviewed not less than annually; FISMA reporting.
   DITSCAP: Fire-and-forget accreditation; 3-year white glove inspection reaccreditation.

APPENDIX A: REFERENCES

DIACAP KB: DIACAP Knowledge Base Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March 2005.

DoDI 8510.bb: Defense Information Assurance Certification and Accreditation Process (DIACAP). DoD Instruction 8510.bb. Washington, DC: U.S. Department of Defense, draft 2005.

DoD 8510.b-M: Defense Information Assurance Certification and Accreditation Process (DIACAP) Manual, Draft Annotated Outline. DoD 8510.b-M. Washington, DC: U.S. Department of Defense, draft 2005.

emass: emass Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March 2005.

GIG IA, 2004: GIG IA Strategy (Draft). Fort Meade, MD: National Security Agency (NSA) Information Assurance Directorate, June 2004.

44 USC 3542: Public Printing and Documents, Chapter 35, Coordination of Federal Information Policy, Subchapter III, Information Security. U.S. Code 44, Section 3502. Washington, DC: U.S. Congress, 2005.

NIST SP 800-53: National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Gaithersburg, MD: U.S. National Institute of Standards and Technology, February 2005.

FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. Washington, DC: U.S. National Institute of Standards and Technology, 2003.

FIPS 201: Personal Identity Verification for Federal Employees and Contractors. Federal Information Processing Standards Publication 201. Washington, DC: U.S. National Institute of Standards and Technology, February 2005.

OMB A-130, Appendix III: Management of Federal Information Resources. Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4. Washington, DC: Office of Management and Budget, November 2000.

FISMA, 2002: Federal Information Security Management Act (FISMA). Washington, DC: U.S. Congress, 2002.

DoD Acquisition Guidebook: DoD Acquisition Guidebook. Washington, DC: U.S. Department of Defense, 2004.

DoDI 5000.2: Operation of the Defense Acquisition System. DoD Instruction 5000.2. Washington, DC: U.S. Department of Defense, 2003.

DoD 5220.22-M: National Industrial Security Program Operating Manual (NISPOM). DoD 5220.22-M. Washington, DC: U.S. Department of Defense, 1995.

DoDD 8500.1: Information Assurance. DoD Directive 8500.1. Washington, DC: U.S. Department of Defense, 2002.

DoDI 8500.2: Information Assurance Implementation. DoD Instruction 8500.2. Washington, DC: U.S. Department of Defense, 2003.