DoD Information Assurance Certification and Accreditation Process DIACAP - PowerPoint PPT Presentation

About This Presentation
Title:

DoD Information Assurance Certification and Accreditation Process DIACAP

Slides: 28
Provided by: loris48

Transcript and Presenter's Notes

1
DoD Information Assurance Certification and Accreditation Process (DIACAP)
Richard Holzer, Director, IA, Army IT Sector
richard.holzer_at_gdit.com
2
Agenda
  • DIACAP Background
  • DIACAP vs DITSCAP
  • DIACAP Package
  • DIACAP Activities
  • Summary

3
DIACAP Background
DIACAP, DITSCAP, NIACAP: It's all just C&A to me...
4
DIACAP Background
Security or Assurance?
As long as you understand this has nothing to do with security, you'll be fine.
5
DIACAP Background
  • Interim DIACAP signed 6 Jul 2006
  • Replaces DITSCAP
  • Process based on automated tools, but the tools are
    not yet fully available
  • Limited input fields and standardized databases
    limit the paperwork avalanche
  • Attempts to further standardize test methods and
    risk categorization to remove subjectivity
  • Severity Category Codes (I - III)
  • Impact Codes (High - Low)
  • Aligns C&A with FISMA requirements

6
DIACAP Background
  • Two associated Web-based services: the DIACAP
    Knowledge Service (KS) and the Enterprise Mission
    Assurance Support Service (eMASS)

7
DIACAP Knowledge Service
  • Library of references, tools, diagrams,
    templates and process maps to aid in DIACAP
    execution
  • Collaboration workspace for the DIACAP user
    community
  • Lessons learned, best practices
  • https://diacap.iaportal.navy.mil/ks/default.aspx

8
eMASS
  • Automated C&A process with workflow logic,
    validation methods and data repository support
  • C&A status tracking and document repository

9
DIACAP vs DITSCAP
  • Broadens perspective from a system-centric view
    (DITSCAP) to examining a system's potential
    impact on the network and the other systems on
    that network (DIACAP)
  • More emphasis on continuous security review and
    improvement, vice once every 3 years
  • Specific requirements for the Accrediting Authority
    and the Certifying Authority (Senior IA Officer):
    a single CA for each Service
  • Risk assessment is now by the numbers (DIACAP):
    findings are mandated by IA Control and by the
    potential for compromise

10
DIACAP vs DITSCAP
(Comparison diagram: DITSCAP vs. DIACAP)
11
DIACAP vs DITSCAP
Systems still need
  • to identify IA requirements based on MAC and
    Confidentiality Level
  • to implement security requirements (IA Controls)
  • to be certified
  • to be accredited
Documentation has changed, but not as much as
everyone thinks

12
DIACAP vs DITSCAP
DoD 8500.2 still requires
  • Configuration Management Plan
  • Continuity of Operations / Disaster Recovery Plan
  • Incident Response Plan
  • Acceptable Use Policy
  • Security Education, Training, and Awareness Plan
  • MOUs / MOAs / SIAs
  • Architecture

13
DIACAP vs DITSCAP
14
DIACAP vs DITSCAP
DIACAP no longer requires
  • System / Security Concept of Operations
  • Security Test and Evaluation Plan
  • Risk Assessment Report
  • Technical Security Controls

15
DIACAP Packages
Executive Package
  • System Identification Profile (SIP)
  • DIACAP Scorecard
  • Plan of Action and Milestones (POA&M), if required

16
DIACAP Packages
Comprehensive Package
  • Executive Package (SIP, DIACAP Scorecard, POA&M)
  • DIACAP Implementation Plan
  • Supporting documentation
  • Artifacts
  • Certification results
  • Materials required to support or justify
    compliance with all IA Controls

17
DIACAP Activities
18
Initiate and Plan C&A
  • Register system in the Army Portfolio Management
    System (APMS)
  • Create System Identification Profile (SIP)
  • Assign IA Controls: baseline controls plus Service-
    and system-unique IA Controls
  • Assemble DIACAP team
  • Create DIACAP Implementation Plan
      • Assign responsibilities
      • Allocate resources and schedule

19
Implement & Validate IA Controls
  • Execute DIACAP Implementation Plan
  • Implement the IA Controls
  • Conduct validation activities
      • DITSCAP Lite?
  • Compile validation results using the DIACAP Scorecard
      • Risk Assessment Lite?

20
Implement & Validate IA Controls
DIACAP Scorecard
  • Summary of system IA Control compliance status
    (compliant, non-compliant, N/A)
  • Intended to convey information about the IA
    posture of the evaluated system in a format that
    can be easily understood by managers
  • Rigid definitions for Probability of Exploitation
    and Degree of Impact (Harm)
      • Severity Code
      • Impact Code

21
Implement & Validate IA Controls
Severity Category
  • I: Allows security to be bypassed, resulting in
    immediate unauthorized or root-level access
  • II: Potential to lead to unauthorized access
  • III: Recommendations that will improve IA
    posture
Impact Code
  • High: Severely disrupts the GIG
  • Medium: Moderately disrupts the GIG
  • Low: Minimally disrupts the GIG

22
Make Certification Determination & Accreditation Decision
  • Make certification determination based on
      • Severity Code
      • Impact Code
      • Danger to the GIG
  • Issue accreditation decision
      • IATT, IATO, ATO, DATO

A single CA for each Service determines risk.
Only the Service CIO can authorize operation for
a system with a Severity Category I finding.
23
Make Certification Determination & Accreditation Decision
Plan of Action and Milestones (POA&M)
  • Management tool for tracking IA Control
    non-compliance
  • Programs must regularly (quarterly) update the CIO
    on remediation progress
  • Shared with the Service or Agency IG to support IV&V
    of identified weaknesses and completed corrective
    actions

24
Maintain Authorization and Conduct Reviews
Comply with FISMA
  • Maintain situational awareness
      • Annual revalidation of some IA Controls
      • Must result in 100% review of all IA Controls
        over a 3-year period
  • Maintain IA posture
      • Annual status report with recommendations
      • DAA decision to continue / alter prior approval
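An added example, not part of the presentation, that models the scorecard, POA&M, CIO-escalation and 100%-review rules described on slides 20 through 24 in Python. The IA Control identifiers and review years are constructed sample values; the status codes "C", "NC" and "NA" are an assumed encoding of the compliant / non-compliant / N/A states.

```python
from collections import Counter
from dataclasses import dataclass

# Severity Categories and Impact Codes as defined on the slides.
SEVERITY_LABEL = {1: "CAT I", 2: "CAT II", 3: "CAT III"}
IMPACT_CODES = ("High", "Medium", "Low")


@dataclass(frozen=True)
class Finding:
    control: str       # IA Control identifier (sample values below are constructed)
    status: str        # "C" compliant, "NC" non-compliant, "NA" not applicable
    severity: int = 0  # Severity Category 1..3, required for "NC" only
    impact: str = ""   # Impact Code, required for "NC" only


def validate(findings):
    """Enforce the scorecard's rigid code definitions before any roll-up."""
    for f in findings:
        if f.status not in ("C", "NC", "NA"):
            raise ValueError(f"{f.control}: unknown status {f.status!r}")
        if f.status == "NC" and (f.severity not in SEVERITY_LABEL or f.impact not in IMPACT_CODES):
            raise ValueError(f"{f.control}: non-compliant finding needs severity and impact codes")


def scorecard(findings):
    """Manager-level summary: count of controls per compliance status."""
    validate(findings)
    return dict(Counter(f.status for f in findings))


def poam(findings):
    """POA&M rows, one per non-compliant control, worst severity first."""
    validate(findings)
    rows = [(f.control, SEVERITY_LABEL[f.severity], f.impact) for f in findings if f.status == "NC"]
    return sorted(rows, key=lambda r: r[1])  # "CAT I" < "CAT II" < "CAT III"


def authorizing_official(findings):
    """Any open CAT I finding moves the accreditation decision to the Service CIO."""
    validate(findings)
    return "Service CIO" if any(f.status == "NC" and f.severity == 1 for f in findings) else "DAA"


def revalidation_gap(controls, reviewed_by_year, current_year):
    """Controls not reviewed in the trailing 3-year window (100% review rule)."""
    recent = {c for y, cs in reviewed_by_year.items() if 0 <= current_year - y < 3 for c in cs}
    return sorted(set(controls) - recent)


# Constructed sample validation results (identifiers follow the DoDI 8500.2 naming style).
SAMPLE = [
    Finding("DCAR-1", "C"),
    Finding("ECAR-2", "NC", severity=2, impact="Medium"),
    Finding("IAIA-1", "NC", severity=1, impact="High"),
    Finding("VIVM-1", "NA"),
    Finding("ECWN-1", "NC", severity=3, impact="Low"),
]
```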

Information Assurance Manager Responsibility
25
Decommission
  • Address disposition of DIACAP registration
    information
  • Address disposition of system-related data or
    objects in the GIG

26
Summary
  • C&A and Assurance
  • DIACAP better aligns the C&A process with FISMA
  • Big changes include
      • Central CA enforces a single Service-wide
        standard
      • More focus on enterprise-wide impacts rather than
        system-specific ones: what does it do to the
        GIG?
      • Only the CIO for each Service can approve systems
        with Severity Code I issues

27
Questions