Category: Assurance/DIACAP

  • DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

    DIACAP/AFCAP Day 1.
    This is the second installment of the DIACAP Essentials journal.

    On the first day of class we took a high-level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and the Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

    Since I’ve gone through the entire process (with a legacy system) more than once, through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though, and quite frankly, I need the CPEs for my CISSP :).

    There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
    The Navy (as weird as their dumb ass rank system.. yep, I said it.. it’s dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS; the Marines have something called Exacta; and the Army has APMS (Army Profile Management System). Also learned cool off-topic stuff like the history of eMASS.

    I must admit I’m looking forward to day two.
    Pros of day 1: good solid start on the basics, GREAT for beginners. SecureInfo gets mad props for having a great instructor, John M. (don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

    Cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in-depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo cannot touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they go to this class without knowing the EITDR they will know why but not how, and if they go to the EITDR class without knowing the DIACAP they will know how but not why.

  • DIACAP Essentials + IA Control Validation Training (part 1)

    UPDATE: 2014 – Risk Management Framework for DOD IT released.

    I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPEs to maintain my CISSP.

    Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

    DIACAP Essentials
    The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Essentials course blends lecture and hands-on exercises to introduce students to DIACAP policy (to include FISMA requirements of a comprehensive, repeatable, and auditable Information Security process).

    IA Control Validation In-Depth – 3 Days
    The IA Control Validation In-Depth course takes the students’ DIACAP education and turns the view from an implementor to a Validator perspective and involves the students in the validation process for the IA Controls (DoDI 8500.2).

    What I am hoping to get from the course is a better handle on the FISMA process.
    I don’t feel like I really have a handle on what is supposed to happen with it.

  • New Certification & Accreditation Process (Rumor)

    One C&A package to rule them all?

    The federal government has a bunch of Certification & Accreditation processes. There is the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) for the DOD, there’s Director of Central Intelligence Directive (DCID) 6/3 for certain classified systems, and there is National Information Assurance Certification & Accreditation (NIACAP) for National Security Systems. Under each of these, the processes differ according to the branch, leadership, organization and/or mission. Each process, organization, branch and mission has a different set of resources that they pull from. DIACAP pertains to military branches and pulls from the DoD 8500 series; many other federal agencies use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.

    Each agency, organization and/or branch uses their own methods and everyone is happy. The only problem is when a system gets exploited. When it happens there is mass panic and they realize that there are massive holes in the process.

    Rumors and Trends

    There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37 (C&A of Federal Information Systems) and DOD 8510 (DIACAP), for example. Both have an initial phase where data is gathered on the system and all parties involved with the system are pulled together (see Table 1 for more similarities).

    Table 1. Federal C&A Process

    Federal C&A Process | Phases                                            | Activities
    SP 800-37           | Initiation Phase                                  | Gather data, get agreement of all stakeholders
    DIACAP              | Initiate & Plan IA C&A                            |
    SP 800-37           | Security Certification Phase                      | IA Control Assessment and agreement
    DIACAP              | Implement & Validate Assigned IA Controls         |
    SP 800-37           | Security Accreditation Phase                      | Security implementation and assessment
    DIACAP              | Make Cert. Determination & Accreditation Decision |
    SP 800-37           | Continuous Monitoring Phase                       | Configuration management; FISMA reporting; sustainment
    DIACAP              | Maintain Authorization to Operate                 |
    DIACAP              | Decommission                                      | Retire System


  • Certification & Accreditation Change

    Standard-issue security
    Certification and accreditation process for national security systems to extend to the rest of government.

    A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

    The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

    At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

    “We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

    CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

    A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

    It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

    C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

    “In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

    FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

    “Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network-centric systems and information sharing, but it lacked enterprise visibility.

    That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

    Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

    The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

    “The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

  • IA Control Typo: DCSQ-1 Unix SRR script

    Alex of Le Blog d’Alex had a good question:

    Looking at the Unix SRR scripts (January 08 release) I’ve found some PDIs (vulnerabilities) corresponding to IA control number “DSCQ-1”, which I cannot find in DoD Instruction 8500.2 of Feb 6 2003 (nor does the DSxx Subject Area appear in table E4.T1.).

    Do you know what Subject Area corresponds to DSxx? And what IA control is DSCQ-1?

    I’ve googled for it and I can’t find anything either.

    If you answer, would you mind answering also by email? Thanks in advance.

    I don’t think there is a DSCQ. In fact there is no DSxx series of IA Controls. I think that is a typo in the Unix SRR script. A Unix guru security co-worker of mine has found other minor typos in the script as well as tons of false positives.

    It looks like the script is actually referring to “DCSQ-1”. Looks like they swapped the “CS”.

    DCSQ-1 Software Quality

    Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives. (DoD 8500.2)

    If this is not the case, then I really don’t know what DCSQ could be.

  • DIACAP Activity #4 Maintain Authorization to Operate and Conduct Review

    Maintain Situational Awareness

    Included in the IA controls assigned to all DoD ISs are IA controls related to configuration and vulnerability management, performance monitoring, and periodic independent evaluations (e.g., penetration testing). The IAM continuously monitors the system or information environment for security-relevant events and configuration changes that negatively impact IA posture and periodically assesses the quality of IA controls implementation against performance indicators such as security incidents, feedback from external inspection agencies (e.g., IG DoD, Government Accountability Office (GAO)), exercises, and operational evaluations. In addition the IAM may, independently or at the direction of the CA or DAA, schedule a revalidation of any or all IA controls at any time. Reference (a) requires revalidation of a select number of IA controls at least annually. (DoD 8510.01, 6.3.4.1)

    Knowing what is going on with the system is the job of the Information Assurance Manager (IAM). This can be delegated to the Information Assurance Officer (IAO), or the IAM and IAO may be the same person, but keep in mind that these positions require training and a technical and security certification (IAW DoD 8570).

    Maintain IA Posture

    Ensuring that there are no changes to the IA posture falls on the shoulders of the IAM. This includes making sure that the established baseline of the system has no significant changes. Most patches (even those involving security) will have a minimal impact on the system. Applicable patches should always be tested before being put on a system. Major patches are usually service packs that may actually change the IA posture. The DIACAP Team should be involved with any major changes to the IA posture. They will also decide which modifications, upgrades and additions should be considered changes to the IA posture of the system. At a minimum, the Program Manager, IAM, subject matter experts (software/system security engineers) and information system owner/user representative should be a part of that decision.

    What will likely be considered a change to the IA Posture:

    Adding IA products (firewalls, intrusion detection systems, etc.)

    Some internetworking devices such as routers and switches

    New operating systems

    Major upgrades to software or operating systems (not including support applications)

    Newly discovered major vulnerabilities

    *Basically any major change that will affect the security, supportability, usability, and interoperability of the system. It is important to have the who, what, when and where of sustainability, new risks, and usability requirements in writing. Information Assurance includes all these things, not just security.

    What are usually not changes to the IA Posture: 

    Most NOTAMs/IAVAs/TCNOs (such as Office patches, browser upgrades, etc.)

    Re-positioning equipment within the office (as long as the IAM has readable documentation on the data connections)

    Adding passive peripheral devices such as stand-alone printers, scanners and new monitors (devices with connectivity to external sources, such as faxes and shared external network printers, should go before the DIACAP Team)

    Devices such as DVD and CD drives and hard drives with more capacity may not affect the IA Posture, but it is best to have some formalized method of tracking upgrades to hardware, especially on mission systems, as some changes could have unpredictable effects

    Annual FISMA Reviews

    DIACAP includes the task of performing reviews annually on the system. This is one of the key features of the Federal Information Security Management Act of 2002. Whatever command or branch of the DoD you reside in, your system has the potential of being audited annually to make sure it is in compliance with federal regulations. The eMASS IT portfolio management systems (EITDR, DITPR-DON, APMS) also have this feature integrated into their key functions. All data on each system’s IA posture is collected annually. This is done by the IAMs and/or the DIACAP Team.

    Additionally, each system must be re-accredited every three years:

    6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.  DoD 8510.01, 6.3.4.4

    From DoD 8510.01, DIACAP: 

    6.3.4.1.1. DoD ISs with a current ATO that are found to be operating in an unacceptable IA posture through GAO audits, IG DoD audits, or other reviews or events such as an annual security review or compliance validation shall have the newly identified weakness added to an existing or newly created IT Security POA&M.

    6.3.4.1.2. If a newly discovered CAT I weakness on a DoD IS operating with an ATO cannot be corrected within 30 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.1.2.

    6.3.4.1.3. If a newly discovered CAT II weakness on a DoD IS operating with a current ATO cannot be corrected or satisfactorily mitigated within 90 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.2.5.

    6.3.4.2. Maintain IA Posture. The IAM may recommend changes or improvement to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.

    6.3.4.3. Perform Reviews. The IAM shall annually provide a written or DoD PKI-certified digitally signed statement to the DAA and the CA that indicates the results of the security review of all IA controls and the testing of selected IA controls as required by Reference (a). The review will either confirm the effectiveness of assigned IA controls and their implementation, or it will recommend: changes such as those described in subparagraph 6.3.4.2.; a change in accreditation status (e.g., accreditation status is downgraded to IATO or DATO); or development of an IT Security POA&M. The CA and DAA shall review the IAM statement in light of mission and information environment indicators and determine a course of action that will be provided to the concerned CIO or SIAO for reporting requirements described in Reference (a). The date of the annual security review will be recorded in the SIP. A DAA may downgrade or revoke an accreditation decision at any time if risk conditions or concerns so warrant.

    6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.

  • ATO and ATC

    Difference between DITSCAP and DIACAP ATO:

    Although the acronym “ATO” was used in DITSCAP and is now being used in the DIACAP process, the DIACAP ATO is “Authority to Operate” and replaces the DITSCAP “Approval to Operate”. The essential meaning is the same. An ATO is still a statement that marks a formal Accreditation Decision issued by the DAA.

    E2.2. Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. (DOD 8510.01)

    E2.8. Authorization to Operate (ATO). Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years. (DOD 8510.01)

    E2.19. Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DOD 8510.01)

    Connection to the NIPRNet/GIG:

    To connect to the Global Information Grid (which includes the NIPRNet/SIPRNet), an Authority to Connect (ATC) is needed.

    Authority to Connect (ATC). The ATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management and reflects the completion of a successful network vulnerability assessment by the DISA SCAO. CJCSI 6211.02B 31 July 2003

    Interim Approval to Connect (IATC). The IATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management. CJCSI 6211.02B 31 July 2003

  • Register the System with DoD IA Component

    Register the System with DoD IA Component

    Each branch of the military has an IA component. Each of the US Armed Services has a division under its respective chief information officer that is responsible for all computers, communications and networks in that military branch. These communications divisions house the Information Assurance component responsible for the DIACAP tasks.

    Table 1. DoD IA Components

    DoD Branch             | Branch Communication & Information Service                                                             | Branch IA Component
    US Air Force           | Air Force Communication Agency (AFCA), http://public.afca.af.mil/                                      | AFCA/EV Assessment and Validators, http://public.afca.af.mil/library/
    US Army                | *Army NETCOM 9th Signal Corps, http://www.netcom.army.mil/                                             | Army NETCOM Information Assurance Office
    Department of the Navy | DON CIO, DON Information Management and Information Technology (IM/IT), http://www.doncio.navy.mil   | DON SIAO, http://www.doncio.navy.mil/Main.aspx

    *more on Army NETCOM

    It’s important to get registered as soon as possible, because the DIACAP process (as with any certification & accreditation process) can take well over six months to accomplish.

    Role of the IA Component

    Within the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” (CA), which is responsible for the final validation of security controls. This role is powerful in that it will determine whether or not the system is certified. The designated accrediting authority (DAA) listens to the recommendation of the CA. If the CA validates, the DAA will accredit. Also, the DAA can actually be within the IA Component, depending on the Mission Assurance Category (MAC) level (ref: USAF IT Lean/SISSU guidelines; this may differ within Army & DON).

    IA Component’s IT Portfolio

    DoD IT portfolio management (DoDD 8115.01) requires that each of the branches report to the DoD the status of IT systems. Each branch’s IA Component has an Enterprise Mission Assurance Support Service (eMASS). You will likely be tasked with entering your system into that database. This is what is essentially meant by registering the system with the DoD IA Component.

    More on DoD IT portfolio management & eMASS

  • Security, Interoperability, Supportability, Sustainability and Usability (SISSU)


    The Security, Interoperability, Supportability, Sustainability and Usability (SISSU) is considered a part of the USAF IT LEAN process.  SISSU is a comprehensive database of security controls (IA Controls) addressed in DoDI 8500.02 needed to complete the DIACAP process. 


    The SISSU questions include everything from documentation of the system to physical security to network security. To access the SISSU process in the EITDR one needs an account and “stakeholders list” approval via AFCA/EV.


    Security, Interoperability, Supportability, Sustainability and Usability are each considered disciplines.  Each discipline is assigned a set of roles: producer, reviewer, validator, and approver.  Once all of these roles have done their part on each of their applicable questions in a given discipline they can move on to the next phase.  The phases are Define Need, Design, Build & Test, and Release.

  • DIACAP Activity #3 Make Certification Determination and Accreditation Decision

    Make Certification Determination

    Once all of the validations have been completed, it’s time for the IA Component to make a certification determination. They examine the system and may call for additional documentation to verify certain IA features. Waivers, memorandums and other documentation may be required for completion of the certification. The IA Component may need additional scan results. This can sometimes make the process much longer than it should be.

    Issue Accreditation Decision

    Once all the documentation and scans for the certification have been completed, it is out of your hands. The IA Component will push the package forward for final accreditation approval. The DAA usually takes the recommendations of the IA Component, so it’s best to have complied with all of their wishes.

    The DAA will issue an ATO, IATO, ATC or IATC.


    E2.2. Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. (DOD 8510.01)

    More on ATOs & ATC’s