Comments on: DIACAP Team http://elamb.org/diacap-team/ don't be sheeple Fri, 30 Jul 2010 09:41:50 -0700 http://wordpress.org/?v=2.8.3 hourly 1 By: AL Hough http://elamb.org/diacap-team/comment-page-1/#comment-195650 AL Hough Tue, 12 Jan 2010 01:44:09 +0000 http://elamb.org/diacap-team/#comment-195650 I would like to know the answer to Cedric's question also. I would like to know the answer to Cedric's question also.

]]> By: AL Hough http://elamb.org/diacap-team/comment-page-1/#comment-195649 AL Hough Tue, 12 Jan 2010 01:42:31 +0000 http://elamb.org/diacap-team/#comment-195649 What requirements apply when considering a DIACAP on a server that will host applications that are on the approved software listing? Does the system require a full DIACAP or can it have an executive package created? The system itself is not going to be an application server in the sense that it will be dedicated to hosting one application. Also, what requirements apply when the server will host user shares and organizational data? For file servers already within and enclave (our servers on on a domain we do not own) does the host hold an responsibility for providing our organization with info regarding Inherited IA Controls? What requirements apply when considering a DIACAP on a server that will host applications that are on the approved software listing? Does the system require a full DIACAP or can it have an executive package created? The system itself is not going to be an application server in the sense that it will be dedicated to hosting one application. Also, what requirements apply when the server will host user shares and organizational data? For file servers already within and enclave (our servers on on a domain we do not own) does the host hold an responsibility for providing our organization with info regarding Inherited IA Controls?

]]> By: Daniel http://elamb.org/diacap-team/comment-page-1/#comment-151881 Daniel Tue, 16 Dec 2008 23:50:37 +0000 http://elamb.org/diacap-team/#comment-151881 I'd like to second Cedric's question. I’d like to second Cedric’s question.

]]> By: Cedric http://elamb.org/diacap-team/comment-page-1/#comment-130622 Cedric Mon, 15 Sep 2008 20:22:15 +0000 http://elamb.org/diacap-team/#comment-130622 Who is responsible for certifying and accreditating Platform IT (systems-hardware/software)? Who is responsible for certifying and accreditating Platform IT (systems-hardware/software)?

]]> By: elamb.security http://elamb.org/diacap-team/comment-page-1/#comment-93779 elamb.security Wed, 30 Apr 2008 01:44:59 +0000 http://elamb.org/diacap-team/#comment-93779 fred, I don't have a lot of experience with plain applications. I would contact the AF Infostructure Technology Reference Model (i-TRM) to determine the appropriate action to take https://infostructure.hq.af.mil -- I think that is the link. They are who you want to talk to for applications. There is a STIG for applications, but I believe its only applies to servers. http://iase.disa.mil/stigs/draft-stigs/index.html fred,

I don’t have a lot of experience with plain applications.

I would contact the AF Infostructure Technology Reference Model (i-TRM) to determine the appropriate action to take https://infostructure.hq.af.mil — I think that is the link. They are who you want to talk to for applications.

There is a STIG for applications, but I believe its only applies to servers.
http://iase.disa.mil/stigs/draft-stigs/index.html

]]> By: Fred Juarez http://elamb.org/diacap-team/comment-page-1/#comment-93697 Fred Juarez Tue, 29 Apr 2008 18:31:39 +0000 http://elamb.org/diacap-team/#comment-93697 I am a program manager for a manpower tool that does not receive or transmit data. It reads a file and the output is written to a file (much like Excel, Access operrates. Would that be categorized as a system? The tool is an application installed on an individual's PC,,, I am a program manager for a manpower tool that does not receive or transmit data. It reads a file and the output is written to a file (much like Excel, Access operrates. Would that be categorized as a system? The tool is an application installed on an individual’s PC,,,

]]> By: Register the System with DoD IA Component : security blog http://elamb.org/diacap-team/comment-page-1/#comment-66081 Register the System with DoD IA Component : security blog Sun, 10 Feb 2008 06:43:15 +0000 http://elamb.org/diacap-team/#comment-66081 [...] the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” which is [...] [...] the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” which is [...]

]]> By: elamb http://elamb.org/diacap-team/comment-page-1/#comment-65597 elamb Fri, 08 Feb 2008 07:04:11 +0000 http://elamb.org/diacap-team/#comment-65597 Here is a good question from someone who stumble upon the site: I have the following questions about certain DIACAP team positions: DAA - My DAA is a one star, Your telling me he's supposed to sit in on the meetings? PM/SM - This would be the system owner or system POC? CA - ??? ... how would this differ from the DAA? CAR - ??? is this similar to the role of the ACA? <strong>Answer:</strong> The DAA usually delegates to a lower more tech savvy person. Or at least, that has been my experience. When I was in the AF, our commander (full bird) was the DAA which was pushed down from the Wing Commander. All packages were read and evaluated by an Ops officer (a Capt). If the Ops officer approved then the commander would usually sign off. These days the DAA has been pushed to an even higher level (in the Air Force anyway). This Capt could be seen as the Certifying Authority, because it should be someone who is knowledgeable enough to realize what risks to take and which ones are unacceptable. They will typically have a lot of say in whether the system is acceptable. I don't know about the other branches, but the USAF depends completely on the IA Component as the CA which is AFCA. In the Air Force, the DAA is the AFNETOPS/CC. Stick with DoD 8510.10 and 8500.02. more on the IA Components can be found here http://elamb.org/diacap-activity-1-initiate-and-plan-certification-accreditation/ The IA Component is a great guide for the entire process for the Army its Army NETCOM Information Assurance Office; Navy info can be found here: http://www.doncio.navy.mil The PM or Program Management Office is critical because they manage the money and sustainment issues on a system. They will have to answer important sustainment questions as well as help coordinate how certain IA Controls will (or won't - lol) be implemented. The PM works closely with the system owner (and I suppose it can sometime be the system owner). 8510 points out which roles can be one and the same and which ones can not. Here is a good question from someone who stumble upon the site:

I have the following questions about certain DIACAP team positions:

DAA – My DAA is a one star, Your telling me he’s supposed to sit in on the meetings?

PM/SM – This would be the system owner or system POC?

CA – ??? … how would this differ from the DAA?

CAR – ??? is this similar to the role of the ACA?

Answer:
The DAA usually delegates to a lower more tech savvy person. Or at least, that has been my experience. When I was in the AF, our commander (full bird) was the DAA which was pushed down from the Wing Commander. All packages were read and evaluated by an Ops officer (a Capt). If the Ops officer approved then the commander would usually sign off. These days the DAA has been pushed to an even higher level (in the Air Force anyway). This Capt could be seen as the Certifying Authority, because it should be someone who is knowledgeable enough to realize what risks to take and which ones are unacceptable. They will typically have a lot of say in whether the system is acceptable.

I don’t know about the other branches, but the USAF depends completely on the IA Component as the CA which is AFCA.

In the Air Force, the DAA is the AFNETOPS/CC. Stick with DoD 8510.10 and 8500.02.

more on the IA Components can be found here http://elamb.org/diacap-activity-1-initiate-and-plan-certification-accreditation/

The IA Component is a great guide for the entire process for the Army its Army NETCOM Information Assurance Office; Navy info can be found here: http://www.doncio.navy.mil

The PM or Program Management Office is critical because they manage the money and sustainment issues on a system. They will have to answer important sustainment questions as well as help coordinate how certain IA Controls will (or won’t – lol) be implemented. The PM works closely with the system owner (and I suppose it can sometime be the system owner). 8510 points out which roles can be one and the same and which ones can not.

]]> By: DIACAP Activity #1 Initiate and Plan Certification & Accreditation : security blog http://elamb.org/diacap-team/comment-page-1/#comment-62947 DIACAP Activity #1 Initiate and Plan Certification & Accreditation : security blog Sun, 03 Feb 2008 06:35:40 +0000 http://elamb.org/diacap-team/#comment-62947 [...] DIACAP Team [...] [...] DIACAP Team [...]

]]>