DIACAP Activity #4 Maintain Authorization to Operate and Conduct Review
February 21, 2008
Maintain Situational AwarenessIncluded in the IA controls assigned to all DoD ISs are IA controls related to configuration and vulnerability management, performance monitoring, and periodic independent evaluations (e.g., penetration testing). The IAM continuously monitors the system or information environment for security-relevant events and configuration changes that negatively impact IA posture and periodically assesses the quality of IA controls implementation against performance indicators such as security incidents, feedback from external inspection agencies (e.g., IG DoD, Government Accountability Office (GAO)), exercises, and operational evaluations. In addition the IAM may, independently or at the direction of the CA or DAA, schedule a revalidation of any or all IA controls at any time. Reference (a) requires revalidation of a select number of IA controls at least annually. (DoD 8510.01, 6.3.4.1)
Knowing what is going on with the system is the job of the Information Assurance Manager (IAM). This can be delegated to the Information Assurance Officer (IAO) or the IAM and IAO may be the same person, but keep in mind that these permission require training, a technical and security certification (IAW DoD 8570).
Maintain IA Posture
Ensuring that there are no changes to the IA posture falls on the shoulders of the IAM. This includes making sure that the establish baseline of the system has no signifigant changes. Most patches (even involving security) will have a minimal impact on the system. Applicable patches should always be tested before being put on a system. Major patches are usually service packs that may actually change the IA posture. The DIACAP Team should be involved with any major changes to the IA posture. They will also decide which modifications, upgrades and additions should be considered changes to the IA posture of the system. As a minimum, the Program Manager, IAM, subject matter experts (software/system security engineers) and information system owner/user representative should be appart of that decision.
What will likely be considered a change to the IA Posture:
Adding IA products (firewalls, intrusion detection systems, ect)
Some internetworking devices such as Routers and Switches
New operating systems
Major upgrades to software or operating systems (not including support applications)
Newly discover major vulnerabilities
*Basically any major changes that will affect the security, supportability, usability, and interoperability of the system. It is important to have who, what when and where of sustainability, new risks, and usability requirements in writing. Information Assurance includes all these things, not just security.
What are usually not changes to the IA Posture:
Most NOTAM/IAVAS/TCNOs (such as Office patches, browser upgrades, ect)
Re-positioning equipment within the office (as long as the IAM has readable documentation on the data connections)
Adding passive periferal devices such as stand-alone printers, scanners and new monitors (devices with connectivity to external sources such as faxes, share external network printers should go before the DIACAP Team)
Devices such as DVD, CD and hard drives with more capacity may not affect the IA Posture but it is best to have some formalized method of tracking upgrades to hardware especially on mission systems as some changes could have some unpredictable affects
Annual FISMA Reviews
DIACAP includes the task of performing reviews annually on the system. This is one of the key features of the Federal Information System Management Act of 2002. What ever command or branch of the DoD you reside, your system has the potential of being audited annually to make sure it is in compliance with federal regulations. The eMASS IT Portfolio management systems (EITDR, DITPR-DON, APMS) also has this feature intergrated into its key functions. All data on each systems IA posture is collect annually. This is done by the IAMs and/or the DIACAP Team.
Additionally, each system must be re-accredited every three years:
6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS. DoD 8510.01, 6.3.4.4
From DoD 8510.01, DIACAP:
6.3.4.1.1. DoD ISs with a current ATO that are found to be operating in an unacceptable IA posture through GAO audits, IG DoD audits, or other reviews or events such as an annual security review or compliance validation shall have the newly identified weakness added to an existing or newly created IT Security POA&M.
6.3.4.1.2. If a newly discovered CAT I weakness on a DoD IS operating with an ATO cannot be corrected within 30 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.1.2.
6.3.4.1.3. If a newly discovered CAT II weakness on a DoD IS operating with a current ATO cannot be corrected or satisfactorily mitigated within 90 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.2.5.
6.3.4.2. Maintain IA Posture. The IAM may recommend changes or improvement to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.
6.3.4.3. Perform Reviews. The IAM shall annually provide a written or DoD PKI-certified digitally signed statement to the DAA and the CA that indicates the results of the security review of all IA controls and the testing of selected IA controls as required by Reference (a). The review will either confirm the effectiveness of assigned IA controls and their implementation, or it will recommend: changes such as those described in subparagraph 6.3.4.2.; a change in accreditation status (e.g., accreditation status is downgraded to IATO or DATO); or development of an IT Security POA&M. The CA and DAA shall review the IAM statement in light of mission and information environment indicators and determine a course of action that will be provided to the concerned CIO or SIAO for reporting requirements described in Reference (a). The date of the annual security review will be recorded in the SIP. A DAA may downgrade or revoke an accreditation decision at any time if risk conditions or concerns so warrant.
6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.
Popularity: 6% [?]
Register the System with DoD IA Component
February 9, 2008
Register the System with DoD IA Component
Each branch of the military has an IA component. Each of the US Armed Services have a division under their respective chief information officer’s responsible for all computers, communications and networks in a given military branch. These communications divisions will house the Information Assurance component responsible for the DIACAP tasks.
Table 1. DoD IA Components
| DoD Branch |
Branch Communication & Information Service |
|
| US Air Force |
Air Force Communication Agency (AFCA) |
AFCA/EV |
| US Army |
*Army NETCOM 9th Signal Corps |
Army NETCOM Information Assurance Office |
| Department of the Navy |
DON CIO |
DON SIAO |
*more on Army NETCOM
Its important to get registered as soon as possible, because the DIACAP process (as with any certification & accreditation process) can take well over from six months to accomplish.
Role of the IA Component
Within the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” which is responsible for the final validation of security controls. This role is powerful in that it will determine whether or not the system is certified. The designated accreditation authority (DAA) listens the the recommendation of the CA. If the CA validates, the DAA will accredit. Also, the DAA can actually be within the IA Component, depending on the Mission Assurance Category (MAC) level (ref: USAF IT Lean/SISSU guidelines, this may differ within Army & DON).
IA Component’s IT Portfolio
DoD IT portfolio management (DoDD 8115.01) requires that each of the branches report to the DoD the status of IT systems. Each branches IA Component has a Enterprise Mission Assurance Support Service (eMASS). You will likely be tasked with entering your system into that database. This is what is essentially meant by register the system with the DoD IA Component.
More on DoD IT portfolio management & eMASS
Popularity: 5% [?]
Security, Interoperability, Supportability, Sustainability and Usability (SISSU)
February 5, 2008
The Security, Interoperability, Supportability, Sustainability and Usability (SISSU) is considered a part of the USAF IT LEAN process. SISSU is a comprehensive database of security controls (IA Controls) addressed in DoDI 8500.02 needed to complete the DIACAP process.
The SISSU questions includes everything from documentation of the system to physical security, to network security. To access the SISSU process in the EITDR one need an account and “stakeholders list” approval via AFCA/EV.
Security, Interoperability, Supportability, Sustainability and Usability are each considered disciplines. Each discipline is assigned a set of roles: producer, reviewer, validator, and approver. Once all of these roles have done their part on each of their applicable questions in a given discipline they can move on to the next phase. The phases are Define Need, Design, Build & Test, and Release.
Popularity: 5% [?]
USAF Enterprise Information Technology Data Repository (EITDR)
February 3, 2008
The EITDR is a database controlled and managed by AFCA/EV. It includes information on most UNCLASS USAF IT systems. All data is uploaded from the EITDR into the Department of Defense Information Technology Profile Registry (DITPR) to meet Federal Information System Management Act requirements.
The DIACAP process is only a small part of what the data collected in the EITDR. The system is used to keep track of new acquisitions, new major DoD mandate compliance, program management and system engineering documentation.
EITDR maintains the Security, Interoperability, Supportability, Sustainability and Usability (SISSU) of all applicable systems. This process lists all DIACAP IA Controls. Stakeholder’s in the DIACAP Process (DIACAP Team) must be selected in order to access the SISSU process.
In the EITDR SISSU Phases are broken into Define Need, Design, Build and Test and Sustain And Release. The questions are put into the following disciplines: Security, Interoperability, Supportability/Sustainability and Usability. The IA Component (AFCA/EVSS) is responsible for validating & approving the Security phase. All the other disciplines Validators and Approvers are chosen by the agency registering the system.
Popularity: 5% [?]
Enterprise Mission Assurance Support Service (eMASS)
February 2, 2008
**8 April Update — I’ve had some people challenge me on my definition of the eMASS. I am saying that the eMASS is with the DOD IT Portfolios Management systems (EITDR, DITPR DON et al), but from what I’ve been told this not true. I’ve been told that eMASS is still has not been released. If this is true than I guess its fair to call it a huge failure. I’ll keep you posted.**
The Enterprise Mission Assurance Support Service (eMASS) is a generic name for specific automated databases that are used to manage the DIACAP, keep track and manage DoD IT systems. Each branch has a different automated database (Fig 1). The USAF has the EITDR, The Navy has the DITPR-DON, and the Army has the APMS. Each of these databases satisfies Dodd IT portfolio management, certification and IT reporting directives addressed in DoD Directive 8115.01, signed October 10, 2005.
USAF Enterprise Information Technology Data Repository (EITDR)
The EITDR is a database controlled and managed by AFCA/EV. It includes information on most UNCLASS USAF IT systems. The DIACAP (along with many other documents – such as the Information Support Plan) is essentially uploaded into the EITDR. The Air Force has a process known as the Security, Interoperability, Supportability, Sustainability and Usability (SISSU) that is worked in tandem with the DIACAP process for achievement of the an ATO/ATC.
Department of NAVY DADMS/DITPR-DON
The DON CIO provides guidance on registration requirements for the DON Application and Database Management System (DADMS) and DoD IT Portfolio Registry (DITPR)-DON, which replaced the DON IT Registry. DITPR-DON is the single, authoritative source for data regarding DON IT systems, including National Security Systems. Registration of mission-critical, mission-essential and mission-support systems in DITPR-DON is central to establishing an accurate and reliable enterprise-wide inventory. Additionally, DITPR-DON is used to satisfy statutory and management reporting requirements, including Federal Information Security Management Act reporting and the Business Management Modernization Program certification process.
– http://www.doncio.navy.mil/TagResults.aspx?ID=22
Army Portfolio Management Solution
The The Army Portfolio Management Solution (APMS) is the Army’s system has four major modules: IT registration module, Domain Certification module, Capital Planning & Investment Mgt IT Prioritization Module and Capital Planning Investment Control IT Budget Reporting Module
All the databases do essentially the same thing. For the purpose of DIACAP, the Information Technology registration and IA certification components are the most important.
References:
DoD Regulation 5200.1-R , “DoD Information Security Program,” January 1997
DoDD 8115.01, “Information Technology Portfolio Management”, dated October 10, 2005
DoDD 8500.01E, “Information Assurance (IA),” dated April 23, 2007
DoDI 8551.1, “Ports, Protocols, and Services Management (PPSM) Release 6.9,” dated September, 2007
DoDI 8570.1-M “Information Assurance Workforce Improvement Program,” dated December 19, 2005
Federal Information Security Management Act (FISMA) (2002)
Information Assurance Support Environment (IASE)
Popularity: 5% [?]
