DIACAP Team

by Rob Elamb | 14 Comments

DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS.  At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives. (DoDI 8510.01, E2.25)

*update: DIACAP is DoD Risk Management Framework (2014)

Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DoDI 8510.01, E2.19) *DAA is Authorization Officer (2014)

 

Program Manager or System Manager (PM or SM). For the purpose of this Instruction, the individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs. (DoDI 8510.01, E2.50)

Certifying Authority (CA). The senior official having the authority and responsibility for the certification of ISs governed by a DoD Component IA program. (DoDI 8510.01, E2.12)

Certifying Authority Representative. An official appointed by and acting on behalf of the CA (DoDI 8510.01, E2.13).

IA Manager (IAM). The individual responsible for the information assurance program of a DoD information system or organization. While the term IAM is favored within the Department of Defense, it may be used interchangeably with the IA title Information Systems Security Manager (ISSM). (DoDI 8500.2, E2.1.27). Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, US Citizen 8500.2 para: 5.8.3. must fit DoD 8570 applicable certifications.

IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). (DoDI 8500.2, E2.1.28)

Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, can be foreign with DAA approval 8500.2 E3.T1 must fit DoD 8570 applicable certifications.

Other Roles:

E2.54. Senior Information Assurance Officer (SIAO). The official responsible for directing an organization’s IA program on behalf of the organization’s chief information officer.

The entire DIACAP process has many player involved with give the system a high level of visibility and decentralized responsibility.

Air Force Roles:

The Air Force DAA is AFNETOPS/CC (Gen. Elders, cira 2008). AFCA/CC serves as the DAA Representative (AFPD 33-2, para 5.9.6). The Air Force uses the DAA as the PAA. AFCA/EVSS acts as the Certifying Authority for the Security discipline of the SISSU process. Ref: AF 33-2, AFI 33-210

Lt. Gen. Michael W. Peterson is USAF Chief of Warfighting Integration and Chief Information Officer

Navy Roles:

Commander Naval Network Warfare Command (COMNETWARCOM).

CO designates, in writing, an Information Assurance Manager (IAM) who serves as POC for all command IA issues and implements command’s IA program. CO also designates, in writing Information Assurance Officer(s) to implement and maintain command’s network security requirements

Ref: SECNAV M-5510.30, Chapter 2

SECNAV M-5510.36, Chapter 2, 6, and 12

SECNAV M-5239.1, DON Information Assurance Program

Army Roles:The Director, Enterprise Systems Technology Activity (ESTA) is the DAA.

Ref: AR 25-2

*These roles are different for guard and reserve units

 

14 Comments on DIACAP Team

  1. elamb
    February 8, 2008 at 12:04 am (7 years ago)

    Here is a good question from someone who stumble upon the site:

    I have the following questions about certain DIACAP team positions:

    DAA – My DAA is a one star, Your telling me he’s supposed to sit in on the meetings?

    PM/SM – This would be the system owner or system POC?

    CA – ??? … how would this differ from the DAA?

    CAR – ??? is this similar to the role of the ACA?

    Answer:
    The DAA usually delegates to a lower more tech savvy person. Or at least, that has been my experience. When I was in the AF, our commander (full bird) was the DAA which was pushed down from the Wing Commander. All packages were read and evaluated by an Ops officer (a Capt). If the Ops officer approved then the commander would usually sign off. These days the DAA has been pushed to an even higher level (in the Air Force anyway). This Capt could be seen as the Certifying Authority, because it should be someone who is knowledgeable enough to realize what risks to take and which ones are unacceptable. They will typically have a lot of say in whether the system is acceptable.

    I don’t know about the other branches, but the USAF depends completely on the IA Component as the CA which is AFCA.

    In the Air Force, the DAA is the AFNETOPS/CC. Stick with DoD 8510.10 and 8500.02.

    more on the IA Components can be found here http://elamb.org/diacap-activity-1-initiate-and-plan-certification-accreditation/

    The IA Component is a great guide for the entire process for the Army its Army NETCOM Information Assurance Office; Navy info can be found here: http://www.doncio.navy.mil

    The PM or Program Management Office is critical because they manage the money and sustainment issues on a system. They will have to answer important sustainment questions as well as help coordinate how certain IA Controls will (or won’t – lol) be implemented. The PM works closely with the system owner (and I suppose it can sometime be the system owner). 8510 points out which roles can be one and the same and which ones can not.

    Reply
  2. Fred Juarez
    April 29, 2008 at 11:31 am (6 years ago)

    I am a program manager for a manpower tool that does not receive or transmit data. It reads a file and the output is written to a file (much like Excel, Access operrates. Would that be categorized as a system? The tool is an application installed on an individual’s PC,,,

    Reply
  3. elamb.security
    April 29, 2008 at 6:44 pm (6 years ago)

    fred,

    I don’t have a lot of experience with plain applications.

    I would contact the AF Infostructure Technology Reference Model (i-TRM) to determine the appropriate action to take https://infostructure.hq.af.mil — I think that is the link. They are who you want to talk to for applications.

    There is a STIG for applications, but I believe its only applies to servers.
    http://iase.disa.mil/stigs/draft-stigs/index.html

    Reply
  4. Cedric
    September 15, 2008 at 1:22 pm (6 years ago)

    Who is responsible for certifying and accreditating Platform IT (systems-hardware/software)?

    Reply
  5. Daniel
    December 16, 2008 at 4:50 pm (6 years ago)

    I’d like to second Cedric’s question.

    Reply
  6. AL Hough
    January 12, 2010 at 1:42 am (5 years ago)

    What requirements apply when considering a DIACAP on a server that will host applications that are on the approved software listing? Does the system require a full DIACAP or can it have an executive package created? The system itself is not going to be an application server in the sense that it will be dedicated to hosting one application. Also, what requirements apply when the server will host user shares and organizational data? For file servers already within and enclave (our servers on on a domain we do not own) does the host hold an responsibility for providing our organization with info regarding Inherited IA Controls?

    Reply
  7. AL Hough
    January 12, 2010 at 1:44 am (5 years ago)

    I would like to know the answer to Cedric's question also.

    Reply
  8. Brian O'Mara
    July 22, 2013 at 10:05 am (1 year ago)

    Is there a site or link that I can hit see if a particularly software (Tableau Reader) has DIACAP approval? Thanks

    Reply
  9. Internal Communication
    June 25, 2014 at 8:49 pm (4 months ago)

    I love what you guys tend too be up too. This kond of clever work and coverage!

    Keep up the awesome works guys I’ve addded you guys
    to our blogroll.

    Reply
  10. Andrew Bruce
    August 8, 2014 at 8:25 am (3 months ago)

    Hi Rob, thanks for all of your work. I’ve tuned in to your thoughts since 2009 – did you notice that RMF transformation was listed on the DIACAP KS all the way back in 2010?? I see from your http://diarmfs.com/ site that it looks like things are moving closer…

    If you know of any slides that are written from contractor / vendor view on DIACAP process, can you turn me on to them? I have a good project plan on tasks / planning from the vendor’s view to *integrate* with the Govt IA functions that I can share.

    On my site I have a lot of IA papers and thoughts…take a look when you have some time.

    Thanks,
    Andy

    Reply
    • Rob Elamb
      August 8, 2014 at 6:02 pm (2 months ago)

      Hey Andrew,

      I get so much spam that I don’t always go through the comments. Need to clean this up. I noticed now.. great blog btw

      Reply

2Pingbacks & Trackbacks on DIACAP Team

  1. [...] the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” which is [...]

Leave a Reply

Your email address will not be published. Required fields are marked *






Comment *