DIACAP Army Guidance and Transition (PowerPoint presentation transcript, 46 slides)



1
Track 1, Session 3: Information Assurance
DIACAP Army Guidance and Transition
Ms. Sally Dixon, Army Office of Information Assurance & Compliance
RANK/title: Sally Dixon, NETC-EST-IC, sally.dixon@us.army.mil, DSN 332-7376
2
Terminology
  • DIACAP: Department of Defense Information Assurance Certification and Accreditation Process
  • DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
  • DODI: Department of Defense Information Issuance/Instruction

3
  • DAA: Designated Approving Authority
  • CA: Contractor Agreements/Certification Authority
  • ACA: Associate Contractor Agreements/Certification Authority
  • SIP: System Identification Profile
  • POA&M: Plan of Action & Milestones
  • SATE: Security Awareness Training And Education

4
Track 1, Session 3: DIACAP Army Guidance and Transition
  • PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements
  • OBJECTIVES: By the end of this brief you will be able to
  • Identify the reason C&A needs to be completed
  • Identify the why, when, and how concerning transition to the DIACAP
  • Identify the tools provided by Army and DOD to help implement the C&A process
  • Identify the Army CA POCs

5
(No Transcript)
6
Congressional & DOD Requirements
  • Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
  • Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
  • DoD Directive 8500.1, Information Assurance, 24 Oct 2002
  • Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1

7
DoD Requirements (cont)
  • DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006
  • DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
  • Interim DIACAP Guidance
  • DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation

8
DoD Requirements (cont)
Interim DIACAP Guidance
  • Net-centric: information belongs to the enterprise, shared risks
  • Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
Supersedes DITSCAP, DODI 5200.40
  • Platform-centric: information belongs to the system owner, system-specific risks
  • Individual C/S/A-defined IA Controls
  • DAA-appointed Certification Authority

9
Army Policy
  • Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP, 30 Nov 2006
  • Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices:
  • The Information Assurance (IA) Certification and Accreditation (C&A) BBP
  • The Designated Approving Authority (DAA) BBP
  • The Certification Authority (CA) BBP
  • The Agent of the Certification Authority (ACA) BBP

10
Army Policy (cont)
  • The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination
  • In the chain of command of the system owner
  • Responsible for the impact of any risk that was accepted
  • Responsible for ensuring the POA&M (get-well plan) is executed
  • Will complete the Army-specific DAA Course
  • Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)
  • Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions of the 3rd-party independent validator

11
Army Policy (cont)
  • A System Owner will be identified for all information systems used by or in support of the Army
  • System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
  • All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
  • Annual revalidation IAW FISMA will be completed
  • Information systems will be recertified and reaccredited every three years

12
Why Transition
  • DITSCAP and Army C&A processes written for stand-alone or stove-pipe systems
  • DITSCAP not cost effective: paper vice value
  • DODI 8500.2 IA controls not considered
  • DAA delegated to the lowest level limits Big Picture consideration
  • Too many CAs limits consistent assessments
  • No qualification requirements for ACAs
  • IS deployed with no easily identifiable responsible government owner

13
C&A Terms (equivalent C&A term -> new C&A term)
  • < Phase 1 SSAA -> SIP
  • Test Results -> Scorecard
  • Get-well plan -> POA&M
  • RTM, Acquisition Strategy, Test Plan, etc. -> DIP
  • Documents, MOAs, Waivers, etc. -> Artifacts
  • CA Team Member (TM), CA Representative (CAR) -> Agents of Certification Authority (ACA), Validator
  • IA Requirements -> IA Controls
  • Application Manual -> Knowledge Service
14
The DIACAP
  • Focus on security posture via IA controls compliance
  • Baseline IA Controls address enterprise-wide threats and vulnerabilities
  • MAC & Confidentiality levels determine IA Controls
  • Applicability examples:
  • IS under contract to DoD
  • IS of Non-appropriated Fund Instruments
  • Prototypes
  • Advanced Concept Technology Demos (ACTD)
  • Stand-alone IS
  • Mobile computing devices, wired or wireless

15
The DIACAP (cont)
  • Allows for inheritance of IA Controls
  • Severity code assigned to failed IA controls: CA assessment of exploitation ease
  • Impact code assigned to failed IA controls: DoD's assessment of system-wide IA consequences
  • Severity and Impact codes together determine the risk level associated with the security weakness and the urgency with which corrective actions must take place

16
Key C&A Functions
  • Designated Approving Authority (DAA): Balances the exploitation ease against the harm capability and operational need
  • System Owner: Responsible for IA of the system throughout its lifecycle
17
DIACAP Activities
18
https://diacap.iaportal.navy.mil
19
(No Transcript)
20
DIACAP Packages
Comprehensive package
  • Used for the CA recommendation
  • Includes all the information resulting from the DIACAP process
Executive package
  • Less than the Comprehensive package
  • Used for an accreditation decision
  • Provided to others in support of accreditation or other decisions, such as connection approval

21
DIACAP Package Contents
22
<Insert System Name Here>
System Identification Profile
1. System ID
2. System Component
3. Governing DoD Component IA Program
4. System name
5. Acronym
6. System Version or Release Number
7. System Description
8. DIACAP Activity
9. System Life Cycle or Acquisition Phase
10. Information System Type
11. MAC
12. Confidentiality Level
13. Mission Criticality
14. Accreditation Vehicle
15. Additional Accreditation Vehicles
16. Certification Date
17. Approval Date
18. Accreditation Status
19. Accreditation Document
20. Accreditation Date
21. Authorization Termination Date
https://diacap.iaportal.navy.mil
23-30
(No Transcript)
31
Annual Validation
  • IA Controls validation required no less than annually
  • Three Information Papers:
IT System Contingency Plans
  • Must be tested annually
  • Table-top exercise
  • Functional exercise
Security Control Test Requirement for FISMA Compliance
  • 8 controls must be tested
  • Most control testing based on procedural review

32
Annual Validation (cont)
Annual Security Review Requirement for FISMA Compliance
  • All IA controls must be reviewed annually
  • Date testing completed in support of the accreditation decision is recorded in APMS
  • Status of existing accreditation reassessed:
  • Continue ATO, no change in ATD
  • Continue ATO, SO must implement precautionary IA improvements, no change in ATD
  • Downgrade ATO to IATO, SO must prepare and execute POA&M, ATD is reset to 180 days
  • Downgrade ATO to DATO, operations halted
  • IS will be re-certified and re-accredited every 3 years

33
Transition
Initiate / Transition to DIACAP
  • Unaccredited new start or operational IS
  • DITSCAP initiated, Phase 1 SSAA not signed
  • IS authorization more than 3 years old

34
Transition (cont)
Accreditation current within 3 years
  • RTM lists applicable 8500.2 controls
  • 180 days: establish strategy and schedule for transitioning to DIACAP, satisfying DIACAP Annual Reviews, and meeting FISMA reporting requirements
  • RTM does not list applicable 8500.2 controls
  • 180 days: requirement same as above, plus a strategy and schedule for achieving compliance with the 8500.2 IA controls; provide Army CA an assessment of compliance with 8500.2 IA controls

35
Transition (cont)
Continue DITSCAP
  • Phase 1 signed, accreditation not received
  • RTM lists applicable 8500.2 controls
  • 180 days: modify SSAA reaccreditation paragraph to include transition strategy and schedule
  • RTM does not list applicable 8500.2 controls
  • 180 days: modify RTM to incorporate IA Controls, develop implementation plan, and modify SSAA reaccreditation paragraph to include transition strategy

36
Status
  • 552 C&A package actions completed, 115 currently in process
  • 309 other C&A actions completed, 58 currently in process
  • Six ACA leads validated: ISEC, CE-LCMC SEC, STDC, SPAWARSYSCEN Charleston, ARL CISD, ARL/SLAD
  • System owner identified and confirmed for all systems coming into the Certification Authority
  • DAA Repository posted, updated regularly
  • 41 DAAs appointed for 1071 named systems
  • Army-specific DAA Course developed, completed by 32 appointed DAAs: https://iatraining.us.army.mil

37
(No Transcript)
38
DAA Course
https://iatraining.us.army.mil
39
Status (cont)
  • New C&A BBPs:
  • Installation Level DAA, published 6 Jun 07
  • Terms for Connectivity to the Installation Service Provider/ICAN (in process), draft distributed for comment 18 June 2007
  • Standardized C&A for Tactical Units (in process)
  • C&A status tracked in APMS for annual FISMA reporting
  • Army CA Resource (iacora) home page on the AKO stood up

40-43
https://www.us.army.mil/suite/page/146650
44
(No Transcript)
45
Contacts
  • Team Members:
  • Sally Dixon, 703-602-7376, sally.dixon@us.army.mil
  • Bill Janosky, 703-602-7372, william.janosky@us.army.mil
  • Bill Cathcart, 703-602-7369, william.cathcart@us.army.mil
  • Jim Burgan, 703-602-7393, jim.burgan@us.army.mil
  • Jennifer Sikes, 703-602-7377, jennifer.sikes@us.army.mil
  • Group email: iacora@us.army.mil
  • iacora home page on AKO at https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)
  • iacora home page on AKO-S at http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for access)