DIACAP Team

February 2, 2008

DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS. At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives. (DoDI 8510.01, E2.25)

Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DoDI 8510.01, E2.19)

Program Manager or System Manager (PM or SM). For the purpose of this Instruction, the individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs. (DoDI 8510.01, E2.50)

Certifying Authority (CA). The senior official having the authority and responsibility for the certification of ISs governed by a DoD Component IA program. (DoDI 8510.01, E2.12)

Certifying Authority Representative. An official appointed by and acting on behalf of the CA (DoDI 8510.01, E2.13).

IA Manager (IAM). The individual responsible for the information assurance program of a DoD information system or organization. While the term IAM is favored within the Department of Defense, it may be used interchangeably with the IA title Information Systems Security Manager (ISSM). (DoDI 8500.2, E2.1.27). Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, US Citizen 8500.2 para: 5.8.3. must fit DoD 8570 applicable certifications.

IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). (DoDI 8500.2, E2.1.28)

Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, can be foreign with DAA approval 8500.2 E3.T1 must fit DoD 8570 applicable certifications.

Other Roles:

E2.54. Senior Information Assurance Officer (SIAO). The official responsible for directing an organization’s IA program on behalf of the organization’s chief information officer.

The entire DIACAP process has many player involved with give the system a high level of visibility and decentralized responsibility.

Air Force Roles:

The Air Force DAA is AFNETOPS/CC (Gen. Elders, cira 2008). AFCA/CC serves as the DAA Representative (AFPD 33-2, para 5.9.6). The Air Force uses the DAA as the PAA. AFCA/EVSS acts as the Certifying Authority for the Security discipline of the SISSU process. Ref: AF 33-2, AFI 33-210

Lt. Gen. Michael W. Peterson is USAF Chief of Warfighting Integration and Chief Information Officer

Navy Roles:

Commander Naval Network Warfare Command (COMNETWARCOM).

CO designates, in writing, an Information Assurance Manager (IAM) who serves as POC for all command IA issues and implements command’s IA program. CO also designates, in writing Information Assurance Officer(s) to implement and maintain command’s network security requirements

Ref: SECNAV M-5510.30, Chapter 2

SECNAV M-5510.36, Chapter 2, 6, and 12

SECNAV M-5239.1, DON Information Assurance Program

Army Roles:The Director, Enterprise Systems Technology Activity (ESTA) is the DAA.

Ref: AR 25-2

*These roles are different for guard and reserve units

Popularity: 9% [?]

Written by elamb.security · Filed Under Assurance/DIACAP, Assurance/DITSCAP

Comments

1038Commentshttp://elamb.org/diacap-team/DIACAP+Team2008-02-03+06%3A11%3A11elamb.security to “DIACAP Team”

DIACAP Activity #1 Initiate and Plan Certification & Accreditation : security blog on February 2nd, 2008 11:35 pm

[...] DIACAP Team [...]
elamb on February 8th, 2008 12:04 am

Here is a good question from someone who stumble upon the site:

I have the following questions about certain DIACAP team positions:

DAA – My DAA is a one star, Your telling me he’s supposed to sit in on the meetings?

PM/SM – This would be the system owner or system POC?

CA – ??? … how would this differ from the DAA?

CAR – ??? is this similar to the role of the ACA?

Answer:
The DAA usually delegates to a lower more tech savvy person. Or at least, that has been my experience. When I was in the AF, our commander (full bird) was the DAA which was pushed down from the Wing Commander. All packages were read and evaluated by an Ops officer (a Capt). If the Ops officer approved then the commander would usually sign off. These days the DAA has been pushed to an even higher level (in the Air Force anyway). This Capt could be seen as the Certifying Authority, because it should be someone who is knowledgeable enough to realize what risks to take and which ones are unacceptable. They will typically have a lot of say in whether the system is acceptable.

I don’t know about the other branches, but the USAF depends completely on the IA Component as the CA which is AFCA.

In the Air Force, the DAA is the AFNETOPS/CC. Stick with DoD 8510.10 and 8500.02.

more on the IA Components can be found here http://elamb.org/diacap-activity-1-initiate-and-plan-certification-accreditation/

The IA Component is a great guide for the entire process for the Army its Army NETCOM Information Assurance Office; Navy info can be found here: http://www.doncio.navy.mil

The PM or Program Management Office is critical because they manage the money and sustainment issues on a system. They will have to answer important sustainment questions as well as help coordinate how certain IA Controls will (or won’t – lol) be implemented. The PM works closely with the system owner (and I suppose it can sometime be the system owner). 8510 points out which roles can be one and the same and which ones can not.
Register the System with DoD IA Component : security blog on February 9th, 2008 11:43 pm

[...] the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” which is [...]
Fred Juarez on April 29th, 2008 11:31 am

I am a program manager for a manpower tool that does not receive or transmit data. It reads a file and the output is written to a file (much like Excel, Access operrates. Would that be categorized as a system? The tool is an application installed on an individual’s PC,,,
elamb.security on April 29th, 2008 6:44 pm

fred,

I don’t have a lot of experience with plain applications.

I would contact the AF Infostructure Technology Reference Model (i-TRM) to determine the appropriate action to take https://infostructure.hq.af.mil — I think that is the link. They are who you want to talk to for applications.

There is a STIG for applications, but I believe its only applies to servers.
http://iase.disa.mil/stigs/draft-stigs/index.html
Cedric on September 15th, 2008 1:22 pm

Who is responsible for certifying and accreditating Platform IT (systems-hardware/software)?
Daniel on December 16th, 2008 4:50 pm

I’d like to second Cedric’s question.
AL Hough on January 12th, 2010 1:42 am

What requirements apply when considering a DIACAP on a server that will host applications that are on the approved software listing? Does the system require a full DIACAP or can it have an executive package created? The system itself is not going to be an application server in the sense that it will be dedicated to hosting one application. Also, what requirements apply when the server will host user shares and organizational data? For file servers already within and enclave (our servers on on a domain we do not own) does the host hold an responsibility for providing our organization with info regarding Inherited IA Controls?
AL Hough on January 12th, 2010 1:44 am

I would like to know the answer to Cedric's question also.