Move over DITSCAP… The Move over DITSCAP… The DIACAP is here!DIACAP is here!

By:By:

Brigette WilsonBrigette Wilson

5/115/11 11Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

AgendaAgendaDoD security background informationDoD security background informationHow does the DoD ensure their systems are How does the DoD ensure their systems are secure?secure?The history of accreditationThe history of accreditationDIACAP informationDIACAP informationInformation assurance (IA) controlsInformation assurance (IA) controlsDIACAP processDIACAP processHow does the DIACAP differ from the DITSCAP?How does the DIACAP differ from the DITSCAP?Transitioning from the DITSCAP to the DIACAPTransitioning from the DITSCAP to the DIACAPCurrent problems with the DIACAPCurrent problems with the DIACAPConclusionConclusionReferencesReferences

5/115/11 22Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

DoD Security Background DoD Security Background InformationInformation

All DoD owned or controlled information systems All DoD owned or controlled information systems that receive, process, store, display, or transmit that receive, process, store, display, or transmit DoD information (regardless of classification or DoD information (regardless of classification or sensitivity) must be accredited by the DoD in sensitivity) must be accredited by the DoD in order to operate.order to operate.Once a system passes the DoD accreditation it is Once a system passes the DoD accreditation it is awarded authorization to operate (ATO) which is awarded authorization to operate (ATO) which is valid for up to three years. Toward the end of the valid for up to three years. Toward the end of the ATO period the system must start the ATO period the system must start the accreditation process over again to gain a new accreditation process over again to gain a new ATO.ATO.A DoD system cannot operate if it does not have A DoD system cannot operate if it does not have a current ATO or interim ATO on file.a current ATO or interim ATO on file.

5/115/11 33Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

How does the DoD ensure their How does the DoD ensure their systems are secure?systems are secure?

The creators/maintainers of a information The creators/maintainers of a information system have to document a number of system have to document a number of different things relating to the security of different things relating to the security of their system.their system.

Once the documentation has been Once the documentation has been submitted, a DoD representative runs submitted, a DoD representative runs attacks against the system to try to gain attacks against the system to try to gain access and figure out any vulnerabilities access and figure out any vulnerabilities that have not been addressed or that have not been addressed or mitigated. These attacks are tailored mitigated. These attacks are tailored based on the classification of the system.based on the classification of the system.5/115/11 44Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored

DIACAPDIACAP

The history of accreditationThe history of accreditationOn December 30, 1997 the DoD On December 30, 1997 the DoD introduced a life-cycle approach to introduced a life-cycle approach to security accreditation called the DITSCAP.security accreditation called the DITSCAP.

On July 6, 2006 the interim department of On July 6, 2006 the interim department of defense (DoD) certification and defense (DoD) certification and accreditation (C&A) process guidance was accreditation (C&A) process guidance was released. This document officially retired released. This document officially retired the DITSCAP process and introduced the the DITSCAP process and introduced the DIACAP process.DIACAP process.

5/115/11 55Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

DIACAP InformationDIACAP InformationDIACAP stands for DoD Information Assurance Certification and DIACAP stands for DoD Information Assurance Certification and Accreditation Process.Accreditation Process.The DIACAP process focuses on:The DIACAP process focuses on:– Identifying, implementing, and validating standardized IA Identifying, implementing, and validating standardized IA

controls.controls.– Authorizing the operation of DoD information systems.Authorizing the operation of DoD information systems.– Managing the IA status across the information system life Managing the IA status across the information system life

cycle.cycle.The need for the DIACAP was driven by two issues:The need for the DIACAP was driven by two issues:– The global information grid (GIG) which is the DoD's vision of The global information grid (GIG) which is the DoD's vision of

network-centric operations to foster an agile, robust, network-centric operations to foster an agile, robust, interoperable and collaborative DoD. This is where warfighters, interoperable and collaborative DoD. This is where warfighters, business and intelligence users all share knowledge on a business and intelligence users all share knowledge on a secure, dependable and global network.secure, dependable and global network.

– The need to meet section 3541 of the “Federal Information The need to meet section 3541 of the “Federal Information Security Management Act of 2002” (FISMA).Security Management Act of 2002” (FISMA).

Interim DIACAP guidance stated that any system operating with an Interim DIACAP guidance stated that any system operating with an ATO or IATO needs to modify their DITSCAP package to include all ATO or IATO needs to modify their DITSCAP package to include all information assurance (IA) controls within 180 days.information assurance (IA) controls within 180 days.As of May 1, 2007 no final DIACAP guidance has been released.As of May 1, 2007 no final DIACAP guidance has been released.

5/115/11 66Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

Information Assurance ControlsInformation Assurance ControlsThe theme of the DIACAP revolves around The theme of the DIACAP revolves around how a program currently (or plans) to how a program currently (or plans) to implement IA controls applicable to that implement IA controls applicable to that system.system.IA Controls of a system are determined by IA Controls of a system are determined by the systems Mission Assurance Category the systems Mission Assurance Category (MAC) and classification level (CL). The (MAC) and classification level (CL). The baseline IA Controls that systems need to baseline IA Controls that systems need to meet are found in DoD 8500.2 meet are found in DoD 8500.2 (Information Assurance Implementation) (Information Assurance Implementation) Enclosure 4. Enclosure 4.

5/115/11 77Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

DIACAP ProcessDIACAP ProcessLike the DITSCAP process, the DIACAP is a very documentation Like the DITSCAP process, the DIACAP is a very documentation heavy activity.heavy activity.

To start the process the system must register a System To start the process the system must register a System Identification Profile (SIP) on eMass. eMass is the new DoD web Identification Profile (SIP) on eMass. eMass is the new DoD web based tool to help with the implementation and management of based tool to help with the implementation and management of C&A based on the DIACAP.C&A based on the DIACAP.

Next the DIACAP Implementation Plan Package must be created. Next the DIACAP Implementation Plan Package must be created. Doing this includes the following steps:Doing this includes the following steps:– Determine the IA Controls the system must meet.Determine the IA Controls the system must meet.– Evaluate each control to see if it is currently implemented. If Evaluate each control to see if it is currently implemented. If

implemented, document how it is implemented. If not implemented, implemented, document how it is implemented. If not implemented, create a plan and schedule to implement the control (called Plan of create a plan and schedule to implement the control (called Plan of Action and Milestone).Action and Milestone).

The next step is for a Designated Approving Authority (DAA) to The next step is for a Designated Approving Authority (DAA) to look over all the artifacts created in the above step to determine if look over all the artifacts created in the above step to determine if it is complete enough to sell off implementation of the assigned IA it is complete enough to sell off implementation of the assigned IA controls. If it is complete, the DAA runs attacks against the controls. If it is complete, the DAA runs attacks against the system to try to gain access and figure out any vulnerabilities that system to try to gain access and figure out any vulnerabilities that have not been already addressed or mitigated (this is basically have not been already addressed or mitigated (this is basically testing out each of the IA controls). testing out each of the IA controls). 5/115/11 88Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored

DIACAPDIACAP

DIACAP Process ContinuedDIACAP Process ContinuedOnce the IA artifacts and validation testing Once the IA artifacts and validation testing are done the DAA fills out the DIACAP are done the DAA fills out the DIACAP scorecard which will help determine the scorecard which will help determine the certification decision.certification decision.Each system has to get a required Each system has to get a required minimum number of points in the IA minimum number of points in the IA categories of Confidently, Availability, and categories of Confidently, Availability, and Integrity in order to be considered for Integrity in order to be considered for accreditation.accreditation.The accreditation decision is based on the The accreditation decision is based on the DIACAP scorecard along with the artifacts DIACAP scorecard along with the artifacts and documentation submitted.and documentation submitted.

5/115/11 99Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

How does the DIACAP differ from How does the DIACAP differ from the DITSCAP?the DITSCAP?

5/115/11 1010Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

Transitioning from the DITSCAP to Transitioning from the DITSCAP to the DIACAPthe DIACAP

Its quite a project for a system to Its quite a project for a system to transition from the DITSCAP to the transition from the DITSCAP to the DIACAP. The system gets no breaks DIACAP. The system gets no breaks for having an ATO granted by the for having an ATO granted by the DITSCAP process.DITSCAP process.The only help available is a guide The only help available is a guide that relates some of the IA controls that relates some of the IA controls to IA artifacts to sections in the to IA artifacts to sections in the SSAA. SSAA.

5/115/11 1111Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

Current problems with the DIACAPCurrent problems with the DIACAP

There are currently only a few IA There are currently only a few IA controls that have specific artifacts controls that have specific artifacts listed to document that control.listed to document that control.

No final guidance has been issued on No final guidance has been issued on the whole process.the whole process.

The DIACAP Knowledge Service is The DIACAP Knowledge Service is only accessible to those individuals only accessible to those individuals who have a DoD PKI certificate.who have a DoD PKI certificate.

5/115/11 1212Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

ConclusionConclusionThe DIACAP process is set up to handle the The DIACAP process is set up to handle the DoD’s move to a net-centric operating DoD’s move to a net-centric operating environment and to set up a standard that environment and to set up a standard that all programs must meet. Once completely all programs must meet. Once completely in place this will make the whole security in place this will make the whole security process much easier.process much easier.Unfortunately with final guidance still not Unfortunately with final guidance still not released most programs that are currently released most programs that are currently operating under a DITSCAP ATO are at a operating under a DITSCAP ATO are at a standstill, and programs with ATO expiring standstill, and programs with ATO expiring are being issued IATOs in 6 month are being issued IATOs in 6 month increments.increments.

5/115/11 1313Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP

ReferencesReferencesDoD 8500.2 (Information Assurance DoD 8500.2 (Information Assurance Implementation)Implementation)DIACAP Knowledge ServiceDIACAP Knowledge ServiceThe Federal Information Security The Federal Information Security Management Act (FISMA)Management Act (FISMA) DoD Directive 8500.1 (Information DoD Directive 8500.1 (Information Assurance)Assurance)DoD Directive 8100.1 (Global DoD Directive 8100.1 (Global Information Grid Overarching Policy)Information Grid Overarching Policy)

5/115/11 1414Bwilson/UCCS CS591-Boeing Mentored Bwilson/UCCS CS591-Boeing Mentored DIACAPDIACAP