DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5
July 2, 2009
Days 4 & 5 bring the DIACAP/AFCAP Essentials Class to a close. The biggest things I learned were: CNSSI 4009 is the official glossary of DOD IA; there is a big difference between theory, policy and practice; Agents of the Certifying Authority (ACA) are official validators; and there is a difference between acquisition Mission Criticality and IA MAC levels.
Stuff I learned from people in the class:
- AFCA is changing its name (to what?)
- DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)
- a lot of what I need in there is in NIST 800-53
- Marines use something called Exacta
- Site called securitycritics.org
- 33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)
- 800-30
- Feds call Certification & Accreditation (C&A) "Security authorization"
- NIST SP 800-37
Day 4:
- Validator Activities & Issue Accreditation Decision
- Prepare POA&M
- Validate Results/Scorecard
- Scorecard
- Make certification determination
- CA/DAA Package review
Day 5:
Validation procedures were discussed. On day five, we looked at how the validators look at a system.
I thought it was interesting. It should help me get through the EITDR/DIACAP process more easily.
- Maintain Situational Awareness
- Maintain IA Posture
- Conduct Review
- Re-Accreditation
- Retire system
Enterprise Mission Assurance Support Service (eMASS)
February 2, 2008
**8 April Update — I've had some people challenge me on my definition of the eMASS. I have been saying that the eMASS is the DOD IT Portfolio Management systems (EITDR, DITPR-DON et al), but from what I've been told this is not true. I've been told that eMASS still has not been released. If this is true then I guess it's fair to call it a huge failure. I'll keep you posted.**
The Enterprise Mission Assurance Support Service (eMASS) is a generic name for the specific automated databases that are used to manage the DIACAP and to keep track of and manage DoD IT systems. Each branch has a different automated database (Fig 1). The USAF has the EITDR, the Navy has the DITPR-DON, and the Army has the APMS. Each of these databases satisfies the DoD IT portfolio management, certification and IT reporting directives addressed in DoD Directive 8115.01, signed October 10, 2005.
USAF Enterprise Information Technology Data Repository (EITDR)
The EITDR is a database controlled and managed by AFCA/EV. It includes information on most UNCLASS USAF IT systems. The DIACAP package (along with many other documents, such as the Information Support Plan) is essentially uploaded into the EITDR. The Air Force has a process known as Security, Interoperability, Supportability, Sustainability and Usability (SISSU) that is worked in tandem with the DIACAP process to achieve an ATO/ATC.
Department of the Navy DADMS/DITPR-DON
The DON CIO provides guidance on registration requirements for the DON Application and Database Management System (DADMS) and DoD IT Portfolio Registry (DITPR)-DON, which replaced the DON IT Registry. DITPR-DON is the single, authoritative source for data regarding DON IT systems, including National Security Systems. Registration of mission-critical, mission-essential and mission-support systems in DITPR-DON is central to establishing an accurate and reliable enterprise-wide inventory. Additionally, DITPR-DON is used to satisfy statutory and management reporting requirements, including Federal Information Security Management Act reporting and the Business Management Modernization Program certification process.
– http://www.doncio.navy.mil/TagResults.aspx?ID=22
Army Portfolio Management Solution
The Army Portfolio Management Solution (APMS) is the Army's system. It has four major modules:
- IT Registration module
- Domain Certification module
- Capital Planning & Investment Management IT Prioritization module
- Capital Planning & Investment Control IT Budget Reporting module
All three databases do essentially the same thing. For the purposes of DIACAP, the IT registration and IA certification components are the most important.
References:
DoD Regulation 5200.1-R, "DoD Information Security Program," dated January 1997
DoDD 8115.01, "Information Technology Portfolio Management," dated October 10, 2005
DoDD 8500.01E, "Information Assurance (IA)," dated April 23, 2007
DoDI 8551.1, "Ports, Protocols, and Services Management (PPSM) Release 6.9," dated September 2007
DoD 8570.01-M, "Information Assurance Workforce Improvement Program," dated December 19, 2005
Federal Information Security Management Act (FISMA) (2002)
Information Assurance Support Environment (IASE)