DIACAP Essentials + IA Control Validation Training (part 3): DIACAP/AFCAP Day2

UPDATE: 2014 – Risk Management Framework for DoD IT released.

Day 1 & 2 have been all about the very basics of DIACAP. We were introduced to the terminology and the key players of the C&A process, and basically given the big picture. Like I said, GREAT for beginners, but just lots of theory and refresher if you’ve been doing C&A since DITSCAP.

Day 1 & 2:

Getting the Big Picture

DIACAP/AFCAP Policy & Terminology

Roles and Responsibilities for the C&A process

Accreditation & Approval to Connect

Homework: review terminology

In between longer breaks, during lunch and just before class we sneak in an episode of The IT Crowd. It’s the first time I’ve watched it, so it’s a real treat for me. Hilarious show.

Enterprise Mission Assurance Support Service (eMASS)

**15 March 14 Update – eMASS will match the process/procedure and IA Controls of the new RMF for DoD IT that is replacing the DIACAP.**

Discussed here a little: http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2012-10/ispab_oct2012_dcussatt_dod-rmf-transition-brief.pdf

**30 Aug 11 Update to eMASS info. Previous information mixed eMASS with IT Portfolio Management systems. There was a lot of confusion about eMASS due to its very late release following the official publication of DoDI 8510, DIACAP.**

eMASS is a DoD-managed database created to store, track and manage the activities of the Certification & Accreditation process (and/or risk management framework steps). The database is managed on the NIPR & SIPR. For more information refer to the Information Assurance Support Environment (IASE).

eMASS vs. IT Portfolio Management Systems

eMASS should not be confused with the IT Portfolio Management systems addressed in DoDD 8115.01, “Information Technology Portfolio Management”:

USAF Enterprise Information Technology Data Repository (EITDR)

Department of NAVY DADMS/DITPR-DON

The DON CIO provides guidance on registration requirements for the DON Application and Database Management System (DADMS) and DoD IT Portfolio Registry (DITPR)-DON, which replaced the DON IT Registry. DITPR-DON is the single, authoritative source for data regarding DON IT systems, including National Security Systems. Registration of mission-critical, mission-essential and mission-support systems in DITPR-DON is central to establishing an accurate and reliable enterprise-wide inventory. Additionally, DITPR-DON is used to satisfy statutory and management reporting requirements, including Federal Information Security Management Act reporting and the Business Management Modernization Program certification process.

http://www.doncio.navy.mil/TagResults.aspx?ID=22

Army Portfolio Management Solution

The Army Portfolio Management Solution (APMS) is the Army’s system. It has four major modules: the IT Registration module, the Domain Certification module, the Capital Planning & Investment Mgt IT Prioritization module and the Capital Planning Investment Control IT Budget Reporting module.

All the databases do essentially the same thing. For the purpose of DIACAP, the Information Technology registration and IA certification components are the most important.

References:

DoD Regulation 5200.1-R, “DoD Information Security Program,” January 1997

DoDD 8115.01, “Information Technology Portfolio Management”, dated October 10, 2005

DoDD 8500.01E, “Information Assurance (IA),” dated April 23, 2007

DoD 8510.1-M, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Document”, dated July 31, 2000

DoDI 8551.1, “Ports, Protocols, and Services Management (PPSM) Release 6.9,” dated September, 2007

DoDD 8570.1, “Information Assurance Training, Certification, and Workforce Management,” dated August 15, 2004

DoDI 8570.1-M, “Information Assurance Workforce Improvement Program,” dated December 19, 2005

Deputy Secretary of Defense Memorandum, “Information Technology Portfolio Management,” March 22, 2004

Federal Information Security Management Act (FISMA) (2002)

Information Assurance Support Environment (IASE)