Category: Assurance/DIACAP

  • DIACAP is READY

    What is scary is that my blogs are on Google above some of the most informative pages about DIACAP. For this reason, the government should have secured blogs and/or forums (.mil/.gov only) to allow faster access to this kind of extremely important information. C&A, security engineering and IA officers get information much faster than the Gov't can publish it. A security forum or secure blogs would allow some of the email that we get on the latest news on IA issues to be posted immediately without fear of giving out unauthorized data over the Internet. Just one man's opinion.

    DoDI 8510.bb is signed and will supersede DoDI 5200.40 and DoD 8510.1-M.

    The DIACAP Knowledge Service site is up and ready to go:

    https://diacap.iaportal.navy.mil (.gov, .mil only)

    More information on the DIACAP – http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief ISSA_10-28-05.ppt

    What I don’t get is how to get to eMASS. 

    Unless I have read wrong, the "Enterprise Mission Assurance Support System" (eMASS) is supposed to be the main feature for automating and streamlining the Certification and Accreditation process. It seems that you have to get some sort of software to get access to eMASS. Not sure; I'm researching this while reading up on the new DIACAP documents.

    Here is some contact information on how to get on eMASS – https://diacap.iaportal.navy.mil/ks/links2/emass.aspx


  • DIACAP Guide

    This slide will tell you everything you need to know for now:

    http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief ISSA_10-28-05.ppt

    According to rumors about the DIACAP, the document (8510.bb) is waiting to be signed (or is signed). DoDI 8510.bb will be the DIACAP instruction. DoDI 8510.bb, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), will replace DoDI 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), and DoD 8510.1-M, Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual.



  • DIACAP

    <sarcasm>

    Do you want to know ALL about DIACAP? Are you anxiously awaiting the DIACAP to come out so you can do amazing things with it?? ME... NEITHER.

    But just in case you are an Information Assurance/Security policy person, check out this bit about the DIACAP; it will change your life FOREVER.

    Laugh if you want to, but I bet you won't be laughing when your global system is hacked by a 14 year old who doesn't even know what Telnet is, the press gets wind of it, and then Donald Rumsfeld is doing a press conference about the lack of security on DoD information technology because YOU didn't have info assurance. I bet you won't think it is so funny then, will you?

    </sarcasm>

  • The ISSEP: Information System Security Engineering Professional (ISSEP) certification


    I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP covers things I do or have to deal with daily, it seems like a good idea.

    What is the ISSEP?
    The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP concentrates on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as "the art and science of discovering users' security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to."

    System Security Engineer's tasks:
      Discover Information Protection Needs
      Define System Security Requirements
      Design System Security Architectures
      Develop Detailed Security Design
      Implement System Security
      Assess Information Protection Effectiveness

    Instead of ten Domains the ISSEP has four:
      System Security Engineering
      Certification and Accreditation
      Technical Management
      U.S. Government Information Assurance Regulations 

    Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).

    My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult. The CISSP is so broad that you could not possibly get all the information from a single source.

    http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
    www.nsa.gov
    www.isc2.org


  • Net Ready Key Performance Parameters (NR-KPP)

    The Net Ready Key Performance Parameter (NR-KPP) comprises the following elements: compliance with the Net-Centric Operations and Warfare (NCOW) Reference Model (RM), applicable Global Information Grid (GIG) Key Interface Profiles (KIP), DOD information assurance requirements, and supporting integrated architecture products required to assess information exchange and use for a given capability.

    Net-Centric Operations and Warfare Reference Model (NCOW RM). The NCOW RM serves as a common, enterprise-level reference model for the DOD's Enterprise Architecture. It will ultimately provide a common architectural construct for NCOW with a common language and taxonomy. The final version of the RM will include:

    1. All Views (AV): AV-1 and AV-2
    2. Operational Views (OV): OV-1, OV-2, OV-3, and OV-5
    3. System Views (SV): SV-1, SV-2, SV-3, SV-4, and SV-5
    4. Target Technical View

    AV-1 Overview and Summary Information
    Scope, purpose, intended users, environment depicted, analytical findings.

    OV-2 Operational Node Connectivity Description
    Operational nodes, operational activities performed at each node, connectivity and information exchange needlines between nodes.

    OV-4 Organizational Relationships Chart
    Organizational, role, or other relationships among organizations.

    OV-5 Operational Activity Model
    Operational activities, relationships among activities, inputs and outputs.

    OV-6c Operational Event-Trace Description
    One of three products used to describe operational activity sequence and timing; traces actions in a scenario or sequence of events and specifies the timing of events.

    SV-4 Systems Functionality Description
    Functions performed by systems and the information flow among system functions, including information assurance functions.

    SV-5 Operational Activity to Systems Function Traceability Matrix
    Mapping of systems back to operational capabilities, or of system functions back to operational activities.

    SV-6 Systems Data Exchange Matrix
    Provides details of the system data being exchanged between systems.

    TV-1 Technical Standards Profile
    Extraction of standards that apply to the given architecture, including information assurance functions.

    Bookmarks on net-centricity that are constantly updated by people around the world: use the del.icio.us feed for the netcentric tag (you will need an aggregator to view the feed):

    http://del.icio.us/rss/tag/netcentric

    More on net-centricity, DITSCAP, DIACAP and Information Assurance at infoassure.blogspot.com

  • SSAA vs. ISP

    I've done a few System Security Authorization Agreements (SSAAs) but I admit I'm doing Information Support Plans, ISPs (formerly C4ISPs), for the first time.

    I used to think that the SSAA was a little bit too much information. Over time I've learned that it makes total sense. It forces the information system designers to answer important questions. Many times the questions it answers aren't important until much later (such as life cycle issues).

    The ISP puts the SSAA to shame in the sheer volume of information that needs to be gathered. This is because it includes the net-centric aspects of the system, the actual schedule and money involved, acquisition issues and a bunch of other things that I, as a security guy, don't care about.

    The ISP is a bird's eye view of the target system, where the SSAA is a microscope into all levels of security over the life of the system from cradle to grave.

    More on Information Assurance, DITSCAP, and DIACAP on infoassure.blogharbor.com

  • DIACAP Policy

    This is an overview of the DIACAP’s final draft. 

    The DIACAP includes the same things that the DITSCAP has, with two major differences: net-centric environments and GIG standards. With these two (and MANY other changes) it seems that this evolution of the DITSCAP has to take place. So many major levels of Information Assurance in the DoD and abroad have changed that DITSCAP will have to embrace them to stay relevant.

    The DIACAP policies will come from DoD Directive 8500.01E and DoD Instruction 8500.2. [fixed 22 Aug 07]

    The DIACAP supports Information Systems transitioning to net-centric environments and GIG standards by:

    1. Ensuring uniformity of approach
    2. Managing and disseminating the Information Assurance design, implementation, validation and sustainment approach
    3. Being able to handle differing systems
    4. Facilitating a dynamic environment

    Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD component level in accordance with FISMA.

    The DIACAP will support ongoing validation to maintain the Information Assurance posture of an Information System. DoD component IA programs are the primary method of supporting the DoD Information Assurance Program.

    Status of all systems in the DIACAP program will be available to all who have authorized access.

  • SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)

    The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is replacing the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). More on DITSCAP can be found at the DoD's IASE website.

    What is DIACAP?
    The DIACAP is the DoD process for identifying, implementing, and validating information assurance controls, for authorizing the operation of DoD information systems, and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA).

    What is so special about the DIACAP?
    It will replace DoDI 5200.40 and DoD 8510.1-M
    It guides compliance with the Global Information Grid (GIG)
    It supports net-centricity

    Follow this link to my interpretation of the DIACAP Policy.

    What will we have to do differently with the DIACAP? (soon)