Tag: DITSCAP

  • DIACAP Activity #1 Initiate and Plan Certification & Accreditation

    Initiating the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) starts with a lot of “setting up shop”. Registering with a DoD component, forming the IA Team and assigning IA controls (also known as IA requirements and security controls) can be a lot of work, but the more of these tasks you complete, the easier the rest of the process will be.

    Register the System with DoD IA Component

    Each branch of the military has an IA component. Each of the US Armed Services have a division under their respective chief information officer’s responsible for all computers, communications and networks in a given military branch. These communications divisions will house the Information Assurance component responsible for the DIACAP tasks.

    Table 1. DoD IA Components

    DoD Branch Branch Communication & Information Service Branch IA Component
    US Air Force Air Force Communication Agency (AFCA)http://public.afca.af.mil/ AFCA/EVAssessment and Validatorshttp://public.afca.af.mil/library/
    US Army *Army NETCOM 9th Signal Corps http://www.netcom.army.mil/ Army NETCOM Information Assurance Office
    Department of the Navy DON CIODON Information Management and Information Technology (IM/IT)http://www.doncio.navy.mil DON SIAOhttp://www.doncio.navy.mil/Main.aspx

    *more on Army NETCOM

    More on Registering with your IA Component
    DIACAP Team

    Once you’ve made contact with your system’s IA Component you may be asked to identify the players in your DIACAP Team. The DIACAP Team roles will consist of a Designated Approval Authority (DAA), Program Manager (PM), Certifying Authority (CA), User Rep, Information Assurance Manager and others. You will also need to identify other important players such as the Lead Engineer.

    More on DIACAP Team Roles.

    Get an Enterprise Mission Assurance Support Service (eMASS) account

    The Enterprise Mission Assurance Support Service (eMASS) is a generic name for specific automated databases that are used to manage the DIACAP. Each branch has a different automated database (Fig 1). The USAF has the EITDR, The Navy has the DITPR-DON, and the Army has the APMS. Each of these databases satisfies DoD IT portfolio management, certification and IT reporting directives addressed in DoD Directive 8115.01, signed October 10, 2005.

    Fig 1, DoD IT Portfolio Management System

    eMASS IT Portfolio Management System

    More on the eMASS systems.

    Assign IA Controls

    Information Assurance Controls are also known as Information Assurance requirements and security controls. IA Controls are assigned according to a system’s Mission Assurance Category (MAC) and Confidentiality Levels (Fig 2.) defined in DoDI 8500.2. The DIACAP Knowledge Service has Excel spread sheets breaking down each of the IA Controls.

    Fig. 2, Mission Assurance Category & Confidentiality Levels

    Mission Assurance Category (MAC) Confidentiality Levels

    Some of the IA Controls require system security engineering interpretation because no system is alike. Some IA Controls will not apply while other will apply only under certain circumstances and that is where knowledgeable system & system security engineer comes in.

    Ref:

    https://akss.dau.mil/dag/GuideBook/IG_c7.5.7.2.asp

    DoDI 8500.2, Enclosure 4

    Initiate DIACAP Implementation Plan

    With the proper MAC/CL level applied, the system security specialist/engineer and/or technician should have a good idea what IA Controls apply to a given system. The next step is to begin the DIACAP Implementation Plan.

    The DIACAP Knowledge Service has a thorough break down of each of the IA Controls and how to accomplish and validate them. Once complete, your system’s DIACAP Implementation Plan should identify each of the applicable IA Controls, whether the system is compliant or not and when it will be compliant with those particular IA Controls.

    Initiation of the DIACAP Plan means you are consulting developers and or Program Managers on the IA Controls that will affect the system. Both new systems, and existing legacy systems will require some sort of documentation whether a simple spreadsheet, or Word document detailing who, what, when and where of each IA Control feature applied to the system. The DIACAP Knowledge Service has a sample DIACAP Implementation Plan spread sheet that thoroughly details all the above requirements. It can be downloaded and tailored easily to your specific systems needs.

    Once registered, the eMASS (EITDR, DITPR-DON, and APFM) system will require that you upload your completed DIACAP Implementation Plan (which is a bit of a paradox because the EITDR can actually create a DIACAP package once certain data is uploaded, validated and approved. EITDR will also require that the IA Controls be addressed and validated individually and subsequently Reviewed, Validated and Approved by system stakeholders.

    Deliverables for Activity #1:DIACAP System Identification Profile (SIP)

    DIACAP Implementation Plan

    USAF SISSU Stakeholder’s List (Air Force)

    References:

    DoD Regulation 5200.1-R , “DoD Information Security Program,” January 1997

    DoDD 8115.01, “Information Technology Portfolio Management”, dated October 10, 2005

    DoDD 8500.01E, “Information Assurance (IA),” dated April 23, 2007

    DoD 8510.1-M, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Document”, dated July 31, 2000

    DoDI 8551.1, “Ports, Protocols, and Services Management (PPSM) Release 6.9,” dated September, 2007

    DoDD 8570.1, “Information Assurance Training, Certification, and Workforce Management,” dated August 15, 2004

    DoDI 8570.1-M “Information Assurance Workforce Improvement Program,” dated December 19, 2005

    Deputy Secretary of Defense Memorandum, “Information Technology Portfolio Management,” March 22, 2004

    Federal Information Security Management Act (FISMA) (2002)

    Information Assurance Support Environment (IASE)

  • DIACAP Team

    DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS.  At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives. (DoDI 8510.01, E2.25)

    *update: DIACAP is DoD Risk Management Framework (2014)

    Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DoDI 8510.01, E2.19) *DAA is Authorization Officer (2014)

     

    Program Manager or System Manager (PM or SM). For the purpose of this Instruction, the individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs. (DoDI 8510.01, E2.50)

    Certifying Authority (CA). The senior official having the authority and responsibility for the certification of ISs governed by a DoD Component IA program. (DoDI 8510.01, E2.12)

    Certifying Authority Representative. An official appointed by and acting on behalf of the CA (DoDI 8510.01, E2.13).

    IA Manager (IAM). The individual responsible for the information assurance program of a DoD information system or organization. While the term IAM is favored within the Department of Defense, it may be used interchangeably with the IA title Information Systems Security Manager (ISSM). (DoDI 8500.2, E2.1.27). Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, US Citizen 8500.2 para: 5.8.3. must fit DoD 8570 applicable certifications.

    IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). (DoDI 8500.2, E2.1.28)

    Requirements: Demonstrate Need to know DoDD 8500.1 para: 4.8, can be foreign with DAA approval 8500.2 E3.T1 must fit DoD 8570 applicable certifications.

    Other Roles:

    E2.54. Senior Information Assurance Officer (SIAO). The official responsible for directing an organization’s IA program on behalf of the organization’s chief information officer.

    The entire DIACAP process has many player involved with give the system a high level of visibility and decentralized responsibility.

    Air Force Roles:

    The Air Force DAA is AFNETOPS/CC (Gen. Elders, cira 2008). AFCA/CC serves as the DAA Representative (AFPD 33-2, para 5.9.6). The Air Force uses the DAA as the PAA. AFCA/EVSS acts as the Certifying Authority for the Security discipline of the SISSU process. Ref: AF 33-2, AFI 33-210

    Lt. Gen. Michael W. Peterson is USAF Chief of Warfighting Integration and Chief Information Officer

    Navy Roles:

    Commander Naval Network Warfare Command (COMNETWARCOM).

    CO designates, in writing, an Information Assurance Manager (IAM) who serves as POC for all command IA issues and implements command’s IA program. CO also designates, in writing Information Assurance Officer(s) to implement and maintain command’s network security requirements

    Ref: SECNAV M-5510.30, Chapter 2

    SECNAV M-5510.36, Chapter 2, 6, and 12

    SECNAV M-5239.1, DON Information Assurance Program

    Army Roles:The Director, Enterprise Systems Technology Activity (ESTA) is the DAA.

    Ref: AR 25-2

    *These roles are different for guard and reserve units