Unclassified
Slide 1 04/18/23
2007 LandWarNet Conference
RANK/title Sally Dixon, [email protected], DSN 332-7376
DIACAP Army Guidance and Transition
Ms. Sally Dixon, Army Office of Information Assurance & Compliance
Track 1: Session 3, Information Assurance
Slide 2
Terminology
• DIACAP: Department of Defense Information Assurance Certification and Accreditation Process
• DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
• DODI: Department of Defense Information Issuance/Instruction
Slide 3
• DAA – Designated Approving Authority
• CA – Contractor Agreements/Certification Authority
• ACA – Associate Contractor Agreements/Certification Authority
• SIP – System Identification Profile
• POA&M – Plan of Action & Milestones
• SATE – Security Awareness Training And Education
Slide 4
Track 1, Session 3: DIACAP Army Guidance and Transition
• PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements
• OBJECTIVES: By the end of this brief you will be able to:
– Identify the reason C&A needs to be completed
– Identify the why, when, and how concerning transition to the DIACAP
– Identify the tools provided by Army and DOD to help implement the C&A process
– Identify the Army C&A POCs
Slide 6
Congressional & DOD Requirements
• Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
– Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
• DoD Directive 8500.1 Information Assurance, 24 Oct 2002
– Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1
Slide 7
DoD Requirements (cont)
• DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006
– DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
• Interim DIACAP Guidance
– DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2 IA Implementation
Slide 8
DoD Requirements (cont)
• Interim DIACAP Guidance
– Net-centric: information belongs to the enterprise, shared risks
– Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
– Supersedes DITSCAP, DODI 5200.40
  • Platform-centric: information belongs to the system owner, system-specific risks
  • Individual C/S/A-defined IA Controls
  • DAA-appointed Certification Authority
Slide 9
Army Policy
• Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP, 30 Nov 2006
– Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices (BBPs):
  The Information Assurance (IA) Certification and Accreditation (C&A) BBP
  The Designated Approving Authority (DAA) BBP
  The Certification Authority (CA) BBP
  The Agent of the Certification Authority (ACA) BBP
Slide 10
Army Policy (cont)
– The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination
  In the chain of command of the system owner
  Responsible for the impact of any risk that was accepted
  Responsible for ensuring the POA&M (get-well plan) is executed
  Will complete the Army-specific DAA Course
– Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)
– Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions of the 3rd-party independent validator
Slide 11
Army Policy (cont)
– A System Owner will be identified for all information systems used by or in support of the Army
– System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
– All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
– Annual revalidation IAW FISMA will be completed
– Information systems will be recertified and reaccredited every three years
Slide 12
Why Transition
• DITSCAP and Army C&A processes were written for stand-alone or stovepipe systems
• DITSCAP not cost effective, paper vice value
• DODI 8500.2 IA controls not considered
• DAA delegated to the lowest level limits “Big Picture” consideration
• Too many CAs limits consistent assessments
• No qualification requirements for ACAs
• IS deployed with no easily identifiable responsible government owner
Slide 13
C&A Terms
EQUIVALENT C&A TERMS                                   | NEW C&A TERMS
Application Manual                                     | Knowledge Service
IA Requirements                                        | IA Controls
Agents of Certification Authority (ACA)                | Validator
CA Team Member (TM)                                    | CA Representative (CAR)
RTM & Acquisition Strategy & Test Plan, etc; Documents, MOAs, Waivers, etc | Artifacts
Phase 1 SSAA                                           | DIP
Get well plan                                          | POA&M
Test Results                                           | Scorecard
Phase 1 SSAA                                           | SIP
Slide 14
The DIACAP
• Focus on security posture via IA controls compliance
– Baseline IA Controls address enterprise-wide threats and vulnerabilities
– MAC & Confidentiality levels determine IA Controls
• Applicability examples:
– IS under contract to DoD
– IS of Non-appropriated Fund Instruments
– Prototypes
– Advanced Concept Technology Demos (ACTD)
– Stand-Alone IS
– Mobile computing devices, wired or wireless
Slide 15
The DIACAP (cont)
• Allows for inheritance of IA Controls
• Severity code assigned to failed IA controls
– CA assessment of exploitation ease
• Impact code assigned to failed IA controls
– DoD's assessment of system-wide IA consequences
• Severity and Impact codes
– Determine the risk level associated with the security weakness
– Determine the urgency with which corrective actions must take place
Slide 16
Key C&A Functions
Certification Authority (CA): Determines the exploitation ease of vulnerabilities
Agent of the CA (ACA): Performs validation against IA controls
System Owner: Responsible for IA of the system throughout its lifecycle
Designated Approving Authority (DAA): Balances the exploitation ease against the harm capability and operational need
Slide 17
DIACAP Activities
Slide 18
https://diacap.iaportal.navy.mil
Slide 20
DIACAP Packages
• Comprehensive package
– Used for the CA recommendation
– Includes all the information resulting from the DIACAP process
• Executive package
– Less than the Comprehensive package
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval
Slide 21
DIACAP Package Contents
Executive Package:
• System Identification Profile (SIP)
• DIACAP Scorecard
  – Certification Determination
  – Accreditation Determination
• POA&M (if required)
Comprehensive DIACAP Package:
• System Identification Profile (SIP)
• DIACAP Implementation Plan (DIP)
  – IA Controls, inherited and implemented
  – Implementation status
  – Responsible entities
  – Resources
  – Estimated completion date for each IA Control
• Artifacts: supporting documentation for certification
  – Actual validation results
  – Artifacts associated with implementation of IA Controls (e.g., STIGs and other implementation guidance)
  – Other
• DIACAP Scorecard
  – Certification Determination
  – Accreditation Determination
• POA&M (if required)
Slide 22
<Insert System Name Here>
System Identification Profile
1 System ID:
2 System Component:
3 Governing DoD Component IA Program:
4 System name:
5 Acronym:
6 System Version or Release Number:
7 System Description:
8 DIACAP Activity:
9 System Life Cycle or Acquisition Phase:
10 Information System Type:
11 MAC:
12 Confidentiality Level:
13 Mission Criticality:
14 Accreditation Vehicle:
15 Additional Accreditation Vehicles:
16 Certification Date:
17 Approval Date:
18 Accreditation Status:
19 Accreditation Document:
20 Accreditation Date:
21 Authorization Termination Date:
https://diacap.iaportal.navy.mil
Slide 23
System Identification Profile (cont)
22 DIACAP Team Roles, Member Names and Contact Information: See table below.
23 Acquisition Category (ACAT):
24 Type of IT Investment:
25 System Life Cycle Phase:
26 Software Category:
27 Privacy Impact Assessment:
28 E-Authentication Risk Assessment:
29 Annual Security Review Date:
30 System Operation:
31 Contingency Plan:
32 Contingency Plan Tested:
33 Information Assurance Record Type:
34 Security Controls Tested Date:

DIACAP Team Roles, Member Names and Contact Information
Role                 | Name | Phone | Email
PM/SM:               |      |       |
IAM:                 |      |       |
User Representative: |      |       |
CA:                  |      |       |
DAA:                 |      |       |
SIAO:                |      |       |
CIO:                 |      |       |
SME:                 |      |       |
Slide 31
Annual Validation
• IA Controls validation required no less than annually
• Three Information Papers
– IT System Contingency Plans
• Must be tested annually
• Table Top exercise
• Functional exercise
– Security Control Test Requirement for FISMA Compliance
• 8 controls must be tested
• Most control testing based on procedural review
Slide 32
Annual Validation (cont)
– Annual Security Review Requirement for FISMA Compliance
• All IA controls must be reviewed annually
• Date testing completed in support of the accreditation decision is recorded in APMS
• Status of existing accreditation reassessed:
– Continue ATO, no change in ATD
– Continue ATO, SO must implement precautionary IA improvements, no change in ATD
– Downgrade ATO to IATO, SO must prepare & execute POA&M, ATD is reset to 180 days
– Downgrade ATO to DATO, operations halted
• IS will be re-certified & re-accredited every 3 years
Slide 33
Transition
• Initiate / Transition to DIACAP
– Unaccredited new start or operational IS
– DITSCAP initiated, Phase 1 SSAA not signed
– IS authorization more than 3 years old
Slide 34
Transition (cont)
• Accreditation current within 3 years
– RTM lists applicable 8500.2 controls
  180 days: establish strategy and schedule for
    Transitioning to DIACAP
    Satisfying DIACAP annual reviews
    Meeting FISMA reporting requirements
– RTM does not list applicable 8500.2 controls
  180 days: requirement same as above, plus strategy and schedule for achieving compliance with the 8500.2 IA controls
  Provide Army CA an assessment of compliance with 8500.2 IA controls
Slide 35
Transition (cont)
• Continue DITSCAP
– Phase 1 signed, accreditation not received
– RTM lists applicable 8500.2 controls
  180 days: modify SSAA reaccreditation paragraph to include transition strategy and schedule
– RTM does not list applicable 8500.2 controls
  180 days:
  - Modify RTM to incorporate IA Controls
  - Develop implementation plan
  - Modify SSAA reaccreditation paragraph to include transition strategy
Slide 36
Status
• 552 C&A package actions completed, 115 currently in process
• 309 other C&A actions completed, 58 currently in process
• Six ACA leads validated
-- ISEC
-- CE-LCMC SEC
-- S&TDC
-- SPAWARSYSCEN Charleston
-- ARL CISD
-- ARL/SLAD
• System owner identified and confirmed for all systems coming into the Certification Authority
• DAA Repository posted, updated regularly
• 41 DAAs appointed for 1071 named systems
• Army-specific DAA Course developed, completed by 32 appointed DAAs [https://iatraining.us.army.mil]
Slide 38
DAA Course
https://iatraining.us.army.mil
Slide 39
Status (cont)
• New C&A BBPs
– Installation Level DAA published 6 Jun 07
– Terms for Connectivity to the Installation Service Provider/ICAN (in process); draft distributed for comment 18 June 2007
– Standardized C&A for Tactical Units (in process)
• C&A status tracked in APMS for annual FISMA reporting
• Army C&A Resource iacora home page on the AKO stood up
Slide 40
https://www.us.army.mil/suite/page/146650
Slide 45
Contacts
Team Members:
Sally Dixon – 703.602.7376, [email protected]
Bill Janosky – 703.602.7372, [email protected]
Bill Cathcart – 703.602.7369, [email protected]
Jim Burgan – 703.602.7393, [email protected]
Jennifer Sikes – 703.602.7377, [email protected]
Group email: [email protected]
iacora home page on AKO at: https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)
iacora home page on AKO-S at: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for access)