Title: DIACAP Army Guidance and Transition
Slide 1: Track 1, Session 3, Information Assurance
DIACAP Army Guidance and Transition
Ms. Sally Dixon, Army Office of Information Assurance Compliance
Sally Dixon, NETC-EST-IC, Sally.dixon@us.army.mil, DSN 332-7376
Slide 2: Terminology
- DIACAP: Department of Defense Information Assurance Certification and Accreditation Process
- DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
- DODI: Department of Defense Issuance/Instruction

Slide 3: Terminology (cont)
- DAA: Designated Approving Authority
- CA: Contractor Agreements / Certification Authority
- ACA: Associate Contractor Agreements / Certification Authority
- SIP: System Identification Profile
- POA&M: Plan of Action & Milestones
- SATE: Security Awareness Training And Education
Slide 4: Track 1, Session 3: DIACAP Army Guidance and Transition
- PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements
- OBJECTIVES: By the end of this brief you will be able to
  - Identify the reason C&A needs to be completed
  - Identify the why, when, and how concerning transition to the DIACAP
  - Identify the tools provided by Army and DOD to help implement the C&A process
  - Identify the Army C&A POCs
Slide 6: Congressional & DOD Requirements
- Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
  - Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
- DoD Directive 8500.1, Information Assurance, 24 Oct 2002
  - Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1
Slide 7: DoD Requirements (cont)
- DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006
  - DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
- Interim DIACAP Guidance
  - DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation
Slide 8: DoD Requirements (cont)
- Interim DIACAP Guidance
  - Net-centric: information belongs to the enterprise, shared risks
  - Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
  - Supersedes DITSCAP, DODI 5200.40
- DITSCAP (superseded)
  - Platform-centric: information belongs to the system owner, system-specific risks
  - Individual C/S/A-defined IA Controls
  - DAA-appointed Certification Authority
Slide 9: Army Policy
- Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP, 30 Nov 2006
  - Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices (BBPs):
    - The Information Assurance (IA) Certification and Accreditation (C&A) BBP
    - The Designated Approving Authority (DAA) BBP
    - The Certification Authority (CA) BBP
    - The Agent of the Certification Authority (ACA) BBP
Slide 10: Army Policy (cont)
- The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination
  - In the chain of command of the system owner
  - Responsible for the impact of any risk that was accepted
  - Responsible for ensuring the POA&M (get-well plan) is executed
  - Will complete the Army-specific DAA Course
- The Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)
  - The Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions of the third-party independent validator
Slide 11: Army Policy (cont)
- A System Owner will be identified for all information systems used by or in support of the Army
- System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
- All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
- Annual revalidation IAW FISMA will be completed
- Information systems will be recertified and reaccredited every three years
Slide 12: Why Transition
- DITSCAP and Army C&A processes were written for stand-alone or stovepipe systems
- DITSCAP is not cost effective: paper vice value
- DODI 8500.2 IA controls not considered
- DAA delegated to the lowest level limits big-picture consideration
- Too many CAs limits consistent assessments
- No qualification requirements for ACAs
- IS deployed with no easily identifiable responsible government owner
Slide 13: C&A Terms

EQUIVALENT C&A TERMS                       | NEW C&A TERMS
-------------------------------------------|-------------------------------
Phase 1 SSAA                               | SIP
Test Results                               | Scorecard
Get well plan                              | POA&M
RTM, Acquisition Strategy, Test Plan, etc. | DIP
Artifacts                                  | Documents, MOAs, Waivers, etc.
CA Team Member (TM)                        | CA Representative (CAR)
Agents of Certification Authority (ACA)    | Validator
IA Requirements                            | IA Controls
Application Manual                         | Knowledge Service
Slide 14: The DIACAP
- Focus on security posture via IA controls compliance
- Baseline IA Controls address enterprise-wide threats and vulnerabilities
- MAC & Confidentiality levels determine IA Controls
- Applicability examples
  - IS under contract to DoD
  - IS of Non-appropriated Fund Instruments
  - Prototypes
  - Advanced Concept Technology Demos (ACTD)
  - Stand-alone IS
  - Mobile computing devices, wired or wireless
Slide 15: The DIACAP (cont)
- Allows for inheritance of IA Controls
- Severity code assigned to failed IA controls
  - CA assessment of exploitation ease
- Impact codes assigned to failed IA controls
  - DoD's assessment of system-wide IA consequences
- Severity and Impact codes together
  - Determine the risk level associated with the security weakness
  - Determine the urgency with which corrective actions must take place
Slide 16: Key C&A Functions
- Designated Approving Authority (DAA): balances the exploitation ease against the harm capability and operational need
- System Owner: responsible for IA of the system throughout its lifecycle
Slide 17: DIACAP Activities
Slide 18: https://diacap.iaportal.navy.mil
Slide 20: DIACAP Packages
- Comprehensive package
  - Used for the CA recommendation
  - Includes all the information resulting from the DIACAP process
- Executive package
  - Less than the Comprehensive package
  - Used for an accreditation decision
  - Provided to others in support of accreditation or other decisions, such as connection approval
Slide 21: DIACAP Package Contents
Slide 22: System Identification Profile (template, <Insert System Name Here>)
1. System ID
2. System Component
3. Governing DoD Component IA Program
4. System Name
5. Acronym
6. System Version or Release Number
7. System Description
8. DIACAP Activity
9. System Life Cycle or Acquisition Phase
10. Information System Type
11. MAC
12. Confidentiality Level
13. Mission Criticality
14. Accreditation Vehicle
15. Additional Accreditation Vehicles
16. Certification Date
17. Approval Date
18. Accreditation Status
19. Accreditation Document
20. Accreditation Date
21. Authorization Termination Date
Source: https://diacap.iaportal.navy.mil
Slide 31: Annual Validation
- IA Controls validation required no less than annually
- Three Information Papers
  - IT System Contingency Plans
    - Must be tested annually
    - Table-top exercise
    - Functional exercise
  - Security Control Test Requirement for FISMA Compliance
    - 8 controls must be tested
    - Most control testing based on procedural review
Slide 32: Annual Validation (cont)
- Annual Security Review Requirement for FISMA Compliance
  - All IA controls must be reviewed annually
  - Date testing completed in support of the accreditation decision is recorded in APMS
  - Status of the existing accreditation is reassessed; the outcomes are:
    - Continue ATO, no change in ATD
    - Continue ATO, SO must implement precautionary IA improvements, no change in ATD
    - Downgrade ATO to IATO, SO must prepare and execute a POA&M, ATD is reset to 180 days
    - Downgrade ATO to DATO, operations halted
- IS will be re-certified and re-accredited every 3 years
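The reassessment outcomes on this slide, modelled as a small status tracker. This is an added example, not part of the briefing or of any Army or DoD tool: the outcome names, the 180-day ATD reset on downgrade to IATO, the 3-year reaccreditation interval and the annual review come from the slide, while the `Accreditation` record, `reassess` and `due_actions` are this example's own assumptions (including that a reassessment starts from a current ATO).

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

IATO_ATD_DAYS = 180          # slide: downgrade to IATO resets the ATD to 180 days
REACCREDIT_YEARS = 3         # slide: recertify and reaccredit every 3 years
ANNUAL_REVIEW_DAYS = 365     # slide: all IA controls reviewed no less than annually

# Review outcomes as named on the slide
CONTINUE = "continue ATO"
CONTINUE_WITH_IMPROVEMENTS = "continue ATO, precautionary improvements"
DOWNGRADE_IATO = "downgrade ATO to IATO"
DOWNGRADE_DATO = "downgrade ATO to DATO"


@dataclass(frozen=True)
class Accreditation:            # assumed record shape, not an APMS field set
    status: str                 # "ATO", "IATO" or "DATO"
    accreditation_date: date    # date of the accreditation decision
    atd: date                   # Authorization Termination Date
    last_review: date           # date of the last annual security review
    operating: bool = True      # False once operations are halted (DATO)


def reassess(acc: Accreditation, outcome: str, review_date: date) -> Accreditation:
    """Apply one annual-review outcome from the slide to a current ATO."""
    if acc.status != "ATO":
        raise ValueError("the slide's outcomes start from a current ATO")
    if outcome in (CONTINUE, CONTINUE_WITH_IMPROVEMENTS):
        return replace(acc, last_review=review_date)   # no change in ATD
    if outcome == DOWNGRADE_IATO:                       # SO must execute a POA&M
        return replace(acc, status="IATO", last_review=review_date,
                       atd=review_date + timedelta(days=IATO_ATD_DAYS))
    if outcome == DOWNGRADE_DATO:                       # operations halted
        return replace(acc, status="DATO", last_review=review_date,
                       atd=review_date, operating=False)
    raise ValueError(f"unknown review outcome: {outcome}")


def due_actions(acc: Accreditation, today: date) -> list[str]:
    """Recurring obligations from the slide that are overdue as of `today`."""
    actions = []
    if (today - acc.last_review).days > ANNUAL_REVIEW_DAYS:
        actions.append("annual IA control review overdue")
    if acc.operating and today >= acc.atd:
        actions.append("authorization terminated (ATD reached)")
    d = acc.accreditation_date                          # 29 Feb rolls back to 28 Feb
    recert = date(d.year + REACCREDIT_YEARS, d.month, 28 if (d.month, d.day) == (2, 29) else d.day)
    if today >= recert:
        actions.append("3-year recertification and reaccreditation due")
    return actions
```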
Slide 33: Transition
- Initiate / transition to DIACAP when:
  - Unaccredited new start or operational IS
  - DITSCAP initiated, Phase 1 SSAA not signed
  - IS authorization more than 3 years old
Slide 34: Transition (cont)
- Accreditation current within 3 years
  - RTM lists applicable 8500.2 controls
    - Within 180 days, establish strategy and schedule for:
      - Transitioning to DIACAP
      - Satisfying DIACAP Annual Reviews
      - Meeting FISMA reporting requirements
  - RTM does not list applicable 8500.2 controls
    - Within 180 days, the requirement above plus:
      - Strategy and schedule for achieving compliance with the 8500.2 IA controls
      - Provide the Army CA an assessment of compliance with the 8500.2 IA controls
Slide 35: Transition (cont)
- Continue DITSCAP
  - Phase 1 signed, accreditation not received
    - RTM lists applicable 8500.2 controls
      - Within 180 days, modify the SSAA reaccreditation paragraph to include the transition strategy and schedule
    - RTM does not list applicable 8500.2 controls
      - Within 180 days:
        - Modify the RTM to incorporate IA Controls
        - Develop an implementation plan
        - Modify the SSAA reaccreditation paragraph to include the transition strategy
Slide 36: Status
- 552 C&A package actions completed, 115 currently in process
- 309 other C&A actions completed, 58 currently in process
- Six ACA leads validated
  - ISEC
  - CE-LCMC SEC
  - STDC
  - SPAWARSYSCEN Charleston
  - ARL CISD
  - ARL/SLAD
- System owner identified and confirmed for all systems coming into the Certification Authority
- DAA Repository posted, updated regularly
- 41 DAAs appointed for 1071 named systems
- Army-specific DAA Course developed, completed by 32 appointed DAAs (https://iatraining.us.army.mil)

Slide 38: DAA Course
https://iatraining.us.army.mil
Slide 39: Status (cont)
- New C&A BBPs
  - Installation Level DAA, published 6 Jun 07
  - Terms for Connectivity to the Installation Service Provider/ICAN (in process); draft distributed for comment 18 June 2007
  - Standardized C&A for Tactical Units (in process)
- C&A status tracked in APMS for annual FISMA reporting
- Army C&A Resource (iacora) home page on AKO stood up

Slide 40: https://www.us.army.mil/suite/page/146650
Slide 45: Contacts
- Team Members
  - Sally Dixon, 703-602-7376, sally.dixon@us.army.mil
  - Bill Janosky, 703-602-7372, william.janosky@us.army.mil
  - Bill Cathcart, 703-602-7369, william.cathcart@us.army.mil
  - Jim Burgan, 703-602-7393, jim.burgan@us.army.mil
  - Jennifer Sikes, 703-602-7377, jennifer.sikes@us.army.mil
- Group email: iacora@us.army.mil
- iacora home page on AKO: https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)
- iacora home page on AKO-S: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for access)