Unclassified

Slide 1

2007 LandWarNet Conference

RANK/title Sally Dixon, NETC-EST-IC, [email protected], DSN 332-7376

DIACAP Army Guidance and Transition

Ms. Sally Dixon
Army Office of Information Assurance & Compliance

Track 1: Session 3, Information Assurance

Slide 2

Terminology

• DIACAP: Department of Defense Information Assurance Certification and Accreditation Process

• DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process

• DODI: Department of Defense Information Issuance/Instruction

Slide 3

• DAA – Designated Approving Authority

• CA – Contractor Agreements / Certification Authority

• ACA – Associate Contractor Agreements / Certification Authority

• SIP – System Identification Profile

• POA&M – Plan of Action & Milestones

• SATE – Security Awareness Training And Education

Slide 4

Track 1, Session 3: DIACAP Army Guidance and Transition

• PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements

• OBJECTIVES: By the end of this brief you will be able to:

– Identify the reason C&A needs to be completed

– Identify the why, when, and how concerning transition to the DIACAP

– Identify the tools provided by Army and DOD to help implement the C&A process

– Identify the Army C&A POCs


Slide 6

Congressional & DOD Requirements

• Public Law 107-347, also known as Federal Information Security Management Act of 2002 (FISMA)

– Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems

• DoD Directive 8500.1 Information Assurance, 24 Oct 2002

– Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, DoD Directive 5000.1

Slide 7

DoD Requirements (cont)

• DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006

– DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA

• Interim DIACAP Guidance

– DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation

Slide 8

DoD Requirements (cont)

• Interim DIACAP Guidance

– Net-centric, information belongs to the enterprise, shared risks

– Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)

– Supersedes DITSCAP, DODI 5200.40

• Platform-centric, information belongs to system owner, system specific risks

• Individual C/S/A defined IA Controls

• DAA appointed Certification Authority

Slide 9

Army Policy

• Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP 30 Nov 2006

– Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices (BBPs):

• The Information Assurance (IA) Certification and Accreditation (C&A) BBP

• The Designated Approving Authority (DAA) BBP

• The Certification Authority (CA) BBP

• The Agent of the Certification Authority (ACA) BBP

Slide 10

Army Policy (cont)

– The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination

• In chain of command of the system owner

• Responsible for the impact of any risk that was accepted

• Responsible for ensuring the POA&M (get well plan) is executed

• Will complete the Army Specific DAA Course

– Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)

– Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions as the 3rd party independent validator

Slide 11

Army Policy (cont)

– A System Owner will be identified for all information systems used by or in support of the Army

– System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities

– All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum

– Annual revalidation IAW FISMA will be completed

– Information systems will be recertified and reaccredited every three years

Slide 12

Why Transition

• DITSCAP and Army C&A processes written for stand-alone or stovepipe systems

• DITSCAP not cost effective, paper vice value

• DODI 8500.2 IA controls not considered

• DAA delegated to the lowest level limits “Big Picture” consideration

• Too many CAs limits consistent assessments

• No qualification requirements for ACAs

• IS deployed with no easily identifiable responsible government owner

Slide 13

C&A Terms

EQUIVALENT C&A TERMS | NEW C&A TERMS

Application Manual | Knowledge Service

IA Requirements | IA Controls

Validator | Agents of Certification Authority (ACA)

CA Team Member (TM) | CA Representative (CAR)

Documents, MOAs, Waivers, etc | Artifacts

RTM & Acquisition Strategy & Test Plan, etc | DIP

Get well plan | POA&M

Test Results | Scorecard

Phase 1 SSAA | SIP

Slide 14

The DIACAP

• Focus on security posture via IA controls compliance

– Baseline IA Controls address enterprise-wide threats and vulnerabilities

– MAC & Confidentiality levels determine IA Controls

• Applicability examples:

– IS under contract to DoD

– IS of Non-appropriated Fund Instruments

– Prototypes

– Advanced Concept Technology Demos (ACTD)

– Stand-Alone IS

– Mobile Computing devices, wired or wireless

Slide 15

The DIACAP (cont)

• Allows for Inheritance of IA Controls

• Severity code assigned to failed IA controls

– CA assessment of exploitation ease

• Impact codes assigned to failed IA controls

– DOD's assessment of system-wide IA consequences

• Severity and Impact codes

– Determine the risk level associated with the security weakness

– Determine the urgency with which corrective actions must take place

Slide 16

Key C&A Functions

• Certification Authority (CA): Determines the exploitation ease of vulnerabilities

• Agent of the CA (ACA): Performs validation against IA controls

• System Owner: Responsible for IA of the system throughout its lifecycle

• Designated Approving Authority (DAA): Balances the exploitation ease against the harm capability and operational need

Slide 17

DIACAP Activities

Slide 18

https://diacap.iaportal.navy.mil


Slide 20

DIACAP Packages

• Comprehensive package

– Used for the CA recommendation

– Includes all the information resulting from the DIACAP process

• Executive package

– Less than the Comprehensive package

– Used for an accreditation decision

– Provided to others in support of accreditation or other decisions, such as connection approval

Slide 21

DIACAP Package Contents

Executive Package

• System Identification Profile (SIP)

• DIACAP Scorecard

– Certification Determination

– Accreditation Determination

• POA&M (if required)

Comprehensive DIACAP Package

• System Identification Profile (SIP)

• DIACAP Implementation Plan (DIP)

– IA Controls, inherited and implemented

– Implementation Status

– Responsible entities

– Resources

– Estimated completion date for each IA Control

• Artifacts: Supporting Documentation for Certification

– Actual Validation Results

– Artifacts associated with implementation of IA Controls (e.g., STIGs and other implementation guidance)

– Other

• DIACAP Scorecard

– Certification Determination

– Accreditation Determination

• POA&M (if required)

Slide 22

<Insert System Name Here>

System Identification Profile

1 System ID:
2 System Component:
3 Governing DoD Component IA Program:
4 System Name:
5 Acronym:
6 System Version or Release Number:
7 System Description:
8 DIACAP Activity:
9 System Life Cycle or Acquisition Phase:
10 Information System Type:
11 MAC:
12 Confidentiality Level:
13 Mission Criticality:
14 Accreditation Vehicle:
15 Additional Accreditation Vehicles:
16 Certification Date:
17 Approval Date:
18 Accreditation Status:
19 Accreditation Document:
20 Accreditation Date:
21 Authorization Termination Date:

https://diacap.iaportal.navy.mil

Slide 23

System Identification Profile (cont)

22 DIACAP Team Roles, Member Names and Contact Information: See Table Below.
23 Acquisition Category (ACAT):
24 Type of IT Investment:
25 System Life Cycle Phase:
26 Software Category:
27 Privacy Impact Assessment:
28 E-Authentication Risk Assessment:
29 Annual Security Review Date:
30 System Operation:
31 Contingency Plan:
32 Contingency Plan Tested:
33 Information Assurance Record Type:
34 Security Controls Tested Date:

DIACAP Team Roles, Member Names and Contact Information

Role | Name | Phone | Email

PM/SM | | |

IAM | | |

User Representative | | |

CA | | |

DAA | | |

SIAO | | |

CIO | | |

SME | | |


Slide 31

Annual Validation

• IA Controls validation required no less than annually

• Three Information Papers

– IT System Contingency Plans

• Must be tested annually

• Tabletop exercise

• Functional exercise

– Security Control Test Requirement for FISMA Compliance

• 8 controls must be tested

• Most control testing based on procedural review

Slide 32

Annual Validation (cont)

– Annual Security Review Requirement for FISMA Compliance

• All IA controls must be reviewed annually

• Date testing completed in support of accreditation decision is recorded in APMS

• Status of existing accreditation reassessed

– Continue ATO, no change in ATD

– Continue ATO, SO must implement precautionary IA improvements, no change in ATD

– Down grade ATO to IATO, SO must prepare & execute POA&M, ATD is reset to 180 days

– Downgrade ATO to DATO, operations halted

• IS will be re-certified & re-accredited every 3 years

Slide 33

Transition

• Initiate / Transition to DIACAP

– Unaccredited new start or operational IS

– DITSCAP initiated, Phase 1 SSAA not signed

– IS authorization more than 3-years old

Slide 34

Transition (cont)

• Accreditation current within 3 years

– RTM lists applicable 8500.2 controls

• 180 days to establish strategy and schedule for:

- Transitioning to DIACAP

- Satisfying DIACAP Annual Reviews

- Meeting FISMA reporting requirements

– RTM does not list applicable 8500.2 controls

• 180 days: requirement same as above, plus strategy and schedule for achieving compliance with the 8500.2 IA controls

• Provide Army CA an assessment of compliance with the 8500.2 IA controls

Slide 35

Transition (cont)

• Continue DITSCAP

– Phase 1 signed, accreditation not received

– RTM lists applicable 8500.2 controls

• 180 days to modify the SSAA reaccreditation paragraph to include transition strategy and schedule

– RTM does not list applicable 8500.2 controls

• 180 days to:

- Modify RTM to incorporate IA Controls

- Develop implementation plan

- Modify SSAA reaccreditation paragraph to include transition strategy

Slide 36

Status

• 552 C&A package actions completed, 115 currently in process

• 309 Other C&A actions completed, 58 currently in process

• Six ACA leads validated

– ISEC

– CE-LCMC SEC

– S&TDC

– SPAWARSYSCEN Charleston

– ARL CISD

– ARL/SLAD

• System owner identified and confirmed for all systems coming into the Certification Authority

• DAA Repository posted, updated regularly

• 41 DAAs appointed for 1071 named systems

• Army Specific DAA Course developed, completed by 32 appointed DAAs [https://iatraining.us.army.mil]


Slide 38

DAA Course

https://iatraining.us.army.mil

Slide 39

Status (cont)

• New C&A BBPs

– Installation Level DAA, published 6 Jun 07

– Terms for Connectivity to the Installation Service Provider/ICAN (in process); draft distributed for comment 18 June 2007

– Standardized C&A for Tactical Units (in process)

• C&A status tracked in APMS for annual FISMA reporting

• Army C&A Resource iacora home page on the AKO stood up

Slides 40 to 43

iacora home page on AKO: https://www.us.army.mil/suite/page/146650

Slide 45

Contacts

Team Members

Sally Dixon – 703.602.7376, [email protected]

Bill Janosky – 703.602.7372, [email protected]

Bill Cathcart – 703.602.7369, [email protected]

Jim Burgan – 703.602.7393, [email protected]

Jennifer Sikes – 703.602.7377, [email protected]

Group email: [email protected]

iacora home page on AKO at: https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)

iacora home page on AKO-S at: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for access)