DIACAP Activity #2 Implement and Validate Assigned IA Controls

by Rob Elamb | 29 Comments

**28 Sept 2011 – DIACAP is being changed to the DoD Risk Management Framework. 8510.01 is being changed to reflect the NIST SP 800-37, with security controls matching that of the NIST SP 800-53. This information is being released on the DIACAP Knowledge Service**

This activity is marked by actually putting the IA Controls into action. This means not only coordinating with software and/or system developers and engineers, but testing the IA Controls once they have been implemented.

Execute the DIACAP Implementation Plan

Executing the DIACAP Implementation Plan is the most critical part of the DIACAP process because it focuses almost exclusively on the assigned security controls. Your system may very well get an authorization to operate, but if it does not have the appropriate security controls it can be a detriment to the organization and to anything it is attached to: either an enormous vulnerability that is easily hacked or, more likely, a wasteful product that is very difficult to support in the long term. If anything, it is more important to get the IA Controls implemented than it is to get the system approved, although the process is designed so that you should not have one without the other.

IA Controls are not just about security; they include what the Air Force calls SISSU, which stands for security, interoperability, sustainability, supportability and usability. All of these features are checked annually under DIACAP (activity #4).

The time it takes to implement the system should factor in any additional time it might take to implement and test the IA Controls.

Resistance to the Implementation of IA Controls

Be prepared for panic and gnashing of teeth when you tell system owners and engineers what is needed. Implementing the security controls can be a challenge; the cost, time and energy it takes to accomplish all the IA Controls can be intimidating at first glance.

Some engineers, program managers and system owners will resist the implementation of IA Controls, particularly if it is a legacy system that has operated just fine for years without any security controls. When dealing with reluctant customers, the best thing you can do is come to meetings armed with the federal regulations, operating instructions and mandates that have been issued by the DoD and signed by generals. You should be familiar enough with them to fully inform the customer of the risks of being non-compliant. Make sure they are also informed about how visible the system is in the eMASS database. Many times system owners will completely ignore regulations until they are absolutely forced to comply, and by then they don’t have the funding or time to do so.

Methods of Implementing the IA Controls

The technicians and/or engineers who are actually developing the system and installing the IA Controls should know about the tools that will make their job much easier.

For Windows systems, those implementing the IA Controls should know about the Federal Standard Configuration operating systems, the DISA Gold Disk, and the STIGs and security guides covered below.

For Unix/Linux systems, they should know about the DISA UNIX Security Readiness Review (SRR) scripts, also covered below.

Implementing Windows IA Controls

The quickest way to implement IA Controls on Windows systems is to use automated methods first, to find and implement as many technical security features as possible, and then use STIGs and security guides for the remaining security controls. On a mission system, it is important to know that some security controls may break critical functions. Some security controls can be ignored, some can be mitigated, some can be waived, and others absolutely must be complied with in some way, shape or form.

Federal Standard Configuration Operating Systems (if applicable)
Windows-based systems with connections to the Global Information Grid (GIG) may need to use a Federal Standard Configuration OS. This disk goes by various names: the USAF calls it the Standard Desktop Configuration (SDC), or the Standard Server Configuration (SSC) for servers; some federal organizations have the Federal Desktop Common Configuration (FDCC); the Navy has NMCI systems; and the Army has Gold Master systems. These are locked-down versions of Windows XP or Vista (depending on the version) that are only supposed to be altered under specialized circumstances.

These standard configurations may pose a serious technical issue for mission systems that are not standard. Sustainment/supportability funding might also be an issue for mission systems, as SDC is mostly designed for systems with basic computing needs on base area networks that use tools like Microsoft System Management Service (SMS) to conduct automated pushes to all systems on the network. Mission systems usually have to be tested separately in order to make sure new upgrades and IAVAs don’t negatively affect the mission. Your system may be able to obtain a waiver for the standard configuration, and the configuration may not be needed for Windows systems not connected to the GIG.

DISA Gold Disk

DISA has a disk called the Gold Disk that can scan for Category 1, 2 and 3 vulnerabilities according to the applicable Mission Assurance Level. It can also automatically fix these vulnerabilities on Windows NT/XP and Vista. This scan should also be run on standard configuration systems; you’ll be surprised how many vulnerabilities show up even on standard configurations such as the USAF SDC.

The challenges with the Gold Disk include the following:

1) There may be false positives. For example, Gold Disk may tell you that the Guest account should be removed, but the Guest account is a built-in feature in Windows, so it can only be disabled.
2) Some Category 1s and 2s may not be fixable on mission systems (especially legacy systems), in which case they may have to be marked as non-compliant in the appropriate IA Controls.
3) Not all vulnerability Categories match up with the IA Controls, so some of the mapping will be up to your discretion. Also, the Cat 1, 2 or 3 results might not be applicable to your system. For example, you may have Internet Explorer vulnerabilities that pop up on a system that will not actually use port 80 or the web at all.

Gold Disk is automated, but it still needs a fairly technical, security-oriented person to interpret the results.

Implementing UNIX/LINUX IA Controls

Unlike Windows, there is no standard configuration for any UNIX environment, and currently there are no published plans to change this. UNIX does have an automated script called the Security Readiness Review (SRR). Running the script requires solid command-line skills. SRR picks up a lot of false positives, so the technician/engineer running the script really needs to know what is running on the system and what does not need to be running. UNIX knowledge is a must to use the SRR effectively.

The UNIX SRR Scripts are supported on the following platforms and versions:
Solaris 2.5.1 through Solaris 10; HP-UX 11.0, HP-UX 11.11; Red Hat Enterprise Linux 3 and 4; and AIX 4.3. – http://iase.disa.mil/stigs/SRR/index.html

STIGS and Security Guides

IA Control ECSC-1, Security Configuration Compliance, directs the use of security guides and STIGs. DISA and the National Security Agency have created many security guides for Windows and accompanying applications. Implementing these guides will satisfy many of the other IA Controls.

http://iase.disa.mil/stigs/stig/index.html

IA Controls

The IA Controls will likely be most of the work you do on any system. Even if you have a MAC III, Public system, there are a lot of them. They require everything from developing and/or checking documentation, installing security features and ensuring proper network configurations to checking personnel and physical security at each site. The DIACAP Knowledge Service has several templates detailing each group of IA Controls according to Mission Assurance Levels.

Continuity – COxx – IA Controls
The COxx series of IA Controls deals with the continuity of the system. Developing a comprehensive continuity, disaster recovery and emergency management plan for the system will satisfy many of the COxx IA Controls. Your division, squadron, flight or company will usually have some sort of emergency management plans and disaster recovery instructions you can use. The old DITSCAP System Security Authorization Agreement had Appendix L, Contingency Plan. Many of the requested documents and processes likely already exist, so it may be a matter of just finding them or re-packaging them.

Security Design and Configuration – DCxx – IA Controls
The DCxx series deals with designing and maintaining a secure baseline. Dealing with these IA Controls requires an intimate knowledge of the system’s software, hardware and network configuration. If you don’t know the configuration of the system, you should have a highly knowledgeable technician or engineer on hand who does. You will also need to know DoD policy to understand what is fully required or whether the control is even applicable. Network and computer security policies such as AFI 33-202 for the USAF will be a good help. Systems that have been developed outside of DoD and US service policies will have a real hard time with these IA Controls.

Enclave Computing Environment – ECxx – IA Controls
The Enclave Computing Environment IA Controls deal with security features within the local area network or enclave. It helps to have some understanding of network security because some of these IA Controls address things like VPNs and remote authentication.

Identification & Authentication – IAxx – IA Controls
The Identification & Authentication IA Controls address specific issues that deal with logon and passwords.

Physical & Environmental – PExx – IA Controls
The Physical & Environmental IA Controls deal with physical security of the sites, safety issues and environmental controls such as humidity systems.

Personnel – PRxx – IA Controls
These IA Controls deal with the training and access of each person who has direct contact with the system.

Vulnerability and Incident Management – VIxx – IA Controls
The issues in these few IA Controls may be addressed in the contingency plan. Elements of the DITSCAP System Security Authorization Agreement’s Appendix K, Incident Response, may also be used for these IA Controls.

POA&M: When Systems Cannot Be Fixed

Some legacy systems cannot comply with applicable IA Controls without spending millions of dollars that the program office and/or system owners don’t currently have. In these cases it’s important to have a “get well plan”. The document is called a Plan of Action & Milestones (POA&M). The POA&M details which IA Controls have not been met, when they will be met and how. The EITDR eMASS system can automatically create a POA&M document once all the IA Controls have been entered, validated and approved (other eMASS systems might be able to do this as well).

Conduct Validation Activities

Validation includes Certification Test & Evaluation (CT&E) and Security Test & Evaluation (ST&E). Certification Test & Evaluation is completed on a system to which the IA Controls have been applied in a test environment; the CT&E is conducted to make sure all the IA Controls have been applied on a functional system. Once the system has been proven to work in a test environment with all the applicable technical IA Controls applied, the ST&E can be completed on the system in an operational environment.

Techniques used in the CT&E and ST&E may include a Gold Disk scan, SRR (UNIX), penetration testing (black box, white box, gray box), network vulnerability scans, source code scans, web application scans, or simply a manual check of each of the security controls using the security guides. During an ST&E on site it is also helpful to make sure there are proper contingency plans and proper physical and operational security.

29 Comments on DIACAP Activity #2 Implement and Validate Assigned IA Controls

  1. Rob R.
    February 8, 2008 at 8:50 am (7 years ago)

    I’ve been watching your blog since your first mention of DIACAP. This post is very relevant to my job. I’m conducting C&As on two AF systems with very little guidance from anyone. It’s difficult to find people with any answers.

    Anyway, one of my many questions concerning the controls: Some controls mention using automated scripts to help determine compliance (ECSC-1 for example). Does the Gold Disk contain these scripts or where are they?

    Thanks,
    Rob

  2. elamb.security
    February 10, 2008 at 10:17 pm (7 years ago)

    Rob,

    Yes, the Gold Disk v2 has essentially two parts to it. 1) Scan Engine – allows you to scan your system according to a chosen mission assurance category; 2) Automatic fixes – allows system to load all appropriate patches, and security settings.

    There are few things you should know about the automatic fix feature, though. If you have specialized needs (such as the need to NOT have 3 attempt lock out or NOT have certain patches) it may affect some functionality of your mission system. So testing really is needed on mission systems before running the second part of the Gold Disk on an operation system (this is usually done in a lab with a CT&E). The Gold Disk Scan Engine shouldn’t hurt anything.

    But, yeah, Gold Disk will automatically handle passwords, logon rules, some auditing and permission issues that are addressed in the IA Controls. Even though it can find scores or hundreds of Category 1,2,3 vulnerabilities it actually only directly relates to a handful of IA Controls it touches on, because the COxx ones deal exclusively with contingency plans, the PExx deals with personnel, and PRxx deals with physical/environmental safety & security. Anyone doing the IA Controls has their work cut out for them. It’s not something you can knock out over a weekend if you have a good-sized, global system.

  3. Alex Dumont
    March 13, 2008 at 1:36 am (6 years ago)

    Looking at Unix SRR scripts (January 08 release) I’ve found some PDI’s (vulnerabilities) corresponding to IA control number “DSCQ-1”, which I cannot find in DoD Instructions 8500.2 Feb 6 2003 (nor does the DSxx Subject Area appear in table E4.T1.).

    Do you know what Subject Area corresponds to DSxx? And what IA control is DSCQ-1?

    I’ve googled for it and I can’t find anything either.

    If you answer, please would you mind answering also by email? Thanks in advance.

  4. elamb.security
    March 13, 2008 at 6:09 pm (6 years ago)

    Alex,

    I don’t think there is a DSCQ. In fact there is no DSXX series of IA Controls. I think that is a typo in the Unix SRR script. A Unix guru security co-worker of mine has found other minor typos in the script as well as tons of false positives.

    It looks like the script is actually referring to “DCSQ-1”. Looks like they swapped the “CS”.

    DCSQ-1 Software Quality

    Software quality requirements and validation methods
    that are focused on the minimization of flawed or malformed
    software that can negatively impact integrity or availability
    (e.g., buffer overruns) are specified for all software
    development initiatives.
    –DoD 8500.2

  5. Sam
    March 14, 2008 at 8:09 am (6 years ago)

    A very important item that I did not see in this implementation is the post-accreditation. Once a system is accredited, they must maintain the security posture.
    These items must be done frequently:
    - Maintain Security Posture
    - Review System Modifications
    - Review new Vulnerabilities/Threats and patches
    - Change management
    - Compliance validation

  6. keith yockey
    March 14, 2008 at 8:49 am (6 years ago)

    Recently the AF has declared that “Platform IT” is exempt from the DIACAP C&A process. What is the Platform IT and why is it exempt?

  7. Steph Wisner
    April 8, 2008 at 10:30 am (6 years ago)

    Keith,

    Platform IT is defined in DODI 8580.1 E2.1.5.4., an example would be the onboard guidance system for an infrared missile or the defibrillators at the hospital. R&D systems are generally custom built and run on non-traditional platforms, or are on legacy OS’s that are generally not authorized for use anymore but are still required to work with older weapon systems. Many of them also depend on high-performance computing environments, like clusters and grids, to crunch data and do not function properly without every user having admin rights (especially if they are compiling and executing code), timed screensavers applied, etc. Non-interconnected Platform IT was also exempt from DITSCAP – it is just not practical to apply, drives costs up and can potentially introduce vulnerability to those systems rather than reduce them.

  8. Jack Amick
    June 18, 2008 at 4:22 pm (6 years ago)

    Is there any documentation that maps IA Controls to a specific STIG??

  9. elamb.security
    June 18, 2008 at 7:51 pm (6 years ago)

    There is an Excel spread sheet on the DIACAP Knowledge service that breaks down each of the IA Controls, but STIGs are sort of system specific so they can’t really name a STIG per IA Control (for example some systems have Windows some have Unix so you’d have to use that particular STIG for that respective configuration).

  10. emillar
    July 31, 2008 at 11:23 am (6 years ago)

    If you have an application that has an ATO and it’s about to expire, do you have to prepare the entire DIACAP package over again?

  11. elamb.security
    August 2, 2008 at 9:40 pm (6 years ago)

    emillar,
    from my experience.. applications go through a different process. Air Force uses AFCA’s i-TRM process now. For some reason they don’t advertise this. But applications have to be added to the i-TRM database with an iCR. AF Infostructure Technology Reference Model (i-TRM) is located at https://infostructure.hq.af.mil

    If you have a SYSTEM (not just an application) then you have to update the DIACAP package annually (FISMA) and completely redo it every 3 years (when it expires). If your ATO is from the old DITSCAP, you’ll have to completely redo it in DIACAP. It’s actually not that hard if you already have the DITSCAP and nothing is going to really change.

  12. Christie
    August 13, 2008 at 1:08 pm (6 years ago)

    I’ve been working with the DCID 6/3 requirements and now must correlate the DIACAP requirements to those of the DCID… it’s a daunting job but your site is actually very helpful in getting a background of the DIACAP… Thanks ~ and I plan to check back often.

  13. elamb.security
    September 20, 2008 at 5:06 pm (6 years ago)

    I thought I read something about the DoD using the DIACAP method to do SCI systems.. I'll have to post something about that when I can get that data together.

  14. chuck
    September 24, 2008 at 8:57 am (6 years ago)

    Where is the specific guidance from the AF stating “…the AF has declared that “Platform IT” is exempt from the DIACAP C&A process?”

  15. Steve Pearce
    October 28, 2008 at 11:22 am (6 years ago)

    DoDI 8580.1 paragraph 6 is the reference.

  16. Mike
    November 10, 2008 at 8:18 pm (6 years ago)

    Anyone know the approximate number of IA controls (by MAC level) that should be validated via technical assessment (e.g. tools, scans)? I know several controls can be validated by document inspection or reviewing policies, procedures, etc.

  17. Grace
    March 16, 2009 at 10:26 am (5 years ago)

    I appreciate all the information on how a DIACAP implementation can be validated. I have a question about the DISA Gold Disk software that scans for vulnerabilities. How compatible is it with Windows Vista? I have heard from others that it should not be used with Vista. Was that perhaps just an earlier Gold Disk release?

  18. CandA Chick
    June 19, 2009 at 7:07 am (5 years ago)

    Great site for basic DIACAP information in easy to understand language. One point of clarification about the use of the phrase “EITDR eMASS system:” EITDR is specific to the Air Force implementation of DIACAP and is in fact mandated to be used for all AF C&A activities while eMASS is a tool developed to automate the DIACAP, but they are not even remotely similar in form, function or feel. Right now, hardly anybody is using eMASS since it’s proprietary and must be purchased. The DoD had encouraged components to use it, but refused to provide the funding for licensing. So right now there is no consistent process across components.

  19. elamb.security
    June 22, 2009 at 6:50 pm (5 years ago)

    Thanks for the correction CandA Chick. You are totally right. I need to correct that. I’ve been corrected several times about that. And every class I go to is very clear about the distinction between EITDR and eMass.

    I ask about eMass all the time, because I was certain it would be implemented DOD wide before they started really pushing the IT Profile Management Systems: EITDR, DITPR-DON, & APMS.

  20. Mike Hayden
    September 18, 2009 at 6:48 am (5 years ago)

    Where could one acquire a copy of the Gold Disk to do some in-house testing before accreditation?

    Thx,

    MH

  21. Mike
    October 27, 2009 at 4:14 pm (5 years ago)

    Would like to find out if anyone has successfully run remote implementation of the DISA Gold Disk in the Platinum Mode, for multiple workstations?

  22. Diane Melanson
    February 19, 2010 at 6:55 pm (5 years ago)

    Anyone have any insight as to how Changes or Updates to the Army Gold Disk are implemented? They must be handled by a specific branch of the Military or Gov't Agency.

  23. Jackie
    June 7, 2010 at 12:58 pm (4 years ago)

    Just wondering if anyone has a CT&E plan as a template? I am accrediting an AIS and one of the requirements to the Gov. is a CT&E Plan. Thank you

  24. NeedMoreIAExperts
    April 5, 2011 at 7:28 am (3 years ago)

    Anyone with questions about the Gold Disk or APL process and DIACAP should check out the DISA website.

    Use the search feature and many answers and resources will be found regarding many of these questions above.
    http://iase.disa.mil/

  25. @booboop
    September 28, 2011 at 8:02 am (3 years ago)

    This blog is very helpful. How do you categorize an IS as PIT?

  26. @booboop
    September 28, 2011 at 8:04 am (3 years ago)

    Looking for guidance on the recent "rumors" that the DIACAP will be transformed or merged simply replaced by DIARMF?

    Please give your thoughts?

  27. @booboop
    September 28, 2011 at 8:14 am (3 years ago)

    Thanks for this question, did you get an answer?

  28. millard
    August 9, 2012 at 5:31 pm (2 years ago)

    Once all Gold Disk Findings have been remediated and the status of my system is saved as a Gold Disk session. Should the Gold Disk session be considered classified?
