SISSU: USAF digesting the DIACAP

by Bruce Brown | 6 Comments

I’m still learning but it looks like the Air Force is going to implement the DIACAP with its IT Lean/SISSU implementation.

IT Lean is an initiative that is supposed to streamline the system acquisition process (more on IT Lean) by eventually getting rid of the Certificate to Operate (CTO)/Certificate of Networthiness (CON) process. SISSU stands for the Security, Interoperability, Supportability, Sustainability and Usability process. All of this will possibly be automated with something I am slowly beginning to HATE called EITDR – Enterprise Information Technology Data Repository. The reason it rubs me the wrong way is the level of the questions I have had to answer. Some of the questions are so high level I have no clue what they are even remotely talking about. And then when I ask the people who run the system to give me some hints on how to answer the questions, they know even less than I do about it. So I ask, “can you give me the POC that put the question in the system?” They give me some contacts and lo and behold the contacts have no idea what the fuck I’m talking about.

Just frustrating, that’s all. Some of the questions are Zen-like in that they have no answer and seemingly no questioner. They just ARE.

*** 20 April 2009 Update ***
The actual DIACAP portion of the EITDR isn’t that bad. There are hundreds of questions in the EITDR, but only some of those are necessary for a system when it starts the SISSU/IT Lean/DIACAP process.

We used to answer ALL 500 questions in the EITDR, most of which were very, very high level. Now the system is pretty specific and walks you through the DIACAP process.

6 Comments on SISSU: USAF digesting the DIACAP

  1. guisar
    September 28, 2007 at 8:07 am (12 years ago)

    So what do you think- has the situation improved any in the last year?

  2. Patrick Webb
    February 6, 2008 at 2:31 pm (11 years ago)

    The EITDR is much easier than you might think. Judging by your discussion topic you are likely to be coming from a security background. Security is just one aspect of EITDR. You probably don’t understand the rest because it doesn’t apply to what you do.

  3. Brian
    December 13, 2008 at 5:27 pm (10 years ago)

    Thank you Patrick. Resourcefulness is key sometimes too. 😉

  4. Joe
    April 18, 2009 at 1:11 pm (10 years ago)

    Each IA control has an implementation tab, explaining guidance.
    It also has testing suggestions (more for the test authority than for me, but it helps to know “how you’re being graded” 🙂

    Questions like:
    “Do you have non-repudiation” (and it explains what it’s looking for)
    “Do you have host-based IDS” (and it explains it)
    … should not stumble up too many people.

    The implementation guidance often includes very specific points that they look to be addressed. So, address them.

    Always remember a human is at the other side — else THAT will trip you up.
    Do not answer:
    “N/A” with no explanation
    “My system doesn’t have to do this requirement because x, y, z”
    “See attached 8 docs for the answer”
    … with any expectation of getting zipped through with an A+ approval.

    — joe

  5. Bill Sweger
    July 1, 2009 at 6:05 am (10 years ago)

    It was interesting to see some of the comments on EITDR from back in 2006. The EITDR process is still confusing and asks what seems like a non-ending volume of questions. While they do provide some additional details on what the questions are, an example(s) would speak a thousand words. It may even let the reader understand what you are looking for!

    In some cases, depending on the program level or MAC level, give users a pull-down option based on their program/security requirements. I know they want us to think about it before we fill it in, but I still find limited help to answer questions users have. So the process is still very frustrating and takes an inordinate amount of work no matter what level program you have. While it may have gotten better over the past 2-3 years, it’s still overwhelming for many of us…bottom line.

    As Joe mentioned, there’s a human on the other end. Finding that human who can answer the question is a little harder. None of us expect someone else to answer questions for us; just making it a little simpler and adding more capability to ask pertinent questions depending on your program would be helpful. While there’s a requirement for EITDR, the process is still lacking to get there…my opinion (after working in the comm/comp field for over 25 years). Good luck!

  6. elamb.security
    July 1, 2009 at 9:13 pm (10 years ago)

    Bill,
    There is a DIACAP Implementers Guide out there. It is VERY helpful. There is also a DIACAP Validators Guide. I don’t think they are on the DIACAP Knowledge Service, but they are definitely on one of the community of practice sites. If you have a .mil account I may be able to help you.
