Move over DITSCAP… The DIACAP is here!
By: Brigette Wilson
5/11 Bwilson/UCCS CS 591 -Boeing Mentored DIACAP 1
Agenda
– DoD security background information
– How does the DoD ensure their systems are secure?
– The history of accreditation
– DIACAP information
– Information assurance (IA) controls
– DIACAP process
– How does the DIACAP differ from the DITSCAP?
– Transitioning from the DITSCAP to the DIACAP
– Current problems with the DIACAP
– Conclusion
– References
DoD Security Background Information
All DoD-owned or -controlled information systems that receive, process, store, display, or transmit DoD information (regardless of classification or sensitivity) must be accredited by the DoD in order to operate. Once a system passes DoD accreditation it is awarded an authorization to operate (ATO), which is valid for up to three years. Toward the end of the ATO period the system must start the accreditation process over again to gain a new ATO. A DoD system cannot operate if it does not have a current ATO or interim ATO (IATO) on file.
How does the DoD ensure their systems are secure?
The creators/maintainers of an information system have to document a number of different things relating to the security of their system. Once the documentation has been submitted, a DoD representative runs attacks against the system to try to gain access and find any vulnerabilities that have not been addressed or mitigated. These attacks are tailored based on the classification of the system.
The history of accreditation
On December 30, 1997 the DoD introduced a life-cycle approach to security accreditation called the DITSCAP. On July 6, 2006 the interim Department of Defense (DoD) Certification and Accreditation (C&A) process guidance was released. This document officially retired the DITSCAP process and introduced the DIACAP process.
DIACAP Information
DIACAP stands for DoD Information Assurance Certification and Accreditation Process. The DIACAP process focuses on:
– Identifying, implementing, and validating standardized IA controls.
– Authorizing the operation of DoD information systems.
– Managing the IA status across the information system life cycle.
The need for the DIACAP was driven by two issues:
– The Global Information Grid (GIG), which is the DoD's vision of network-centric operations to foster an agile, robust, interoperable and collaborative DoD. This is where warfighters, business and intelligence users all share knowledge on a secure, dependable and global network.
– The need to meet section 3541 of the “Federal Information Security Management Act of 2002” (FISMA).
Interim DIACAP guidance stated that any system operating with an ATO or IATO needs to modify its DITSCAP package to include all information assurance (IA) controls within 180 days. As of May 1, 2007 no final DIACAP guidance has been released.
Information Assurance Controls
The theme of the DIACAP revolves around how a program currently implements (or plans to implement) the IA controls applicable to that system. The IA controls for a system are determined by the system's Mission Assurance Category (MAC) and classification level (CL). The baseline IA controls that systems need to meet are found in DoD 8500.2 (Information Assurance Implementation), Enclosure 4.
DIACAP Process
Like the DITSCAP process, the DIACAP is a very documentation-heavy activity. To start the process, the system must register a System Identification Profile (SIP) in eMASS, the new DoD web-based tool that helps with the implementation and management of C&A under the DIACAP.
Next, the DIACAP Implementation Plan package must be created. This includes the following steps:
– Determine the IA controls the system must meet.
– Evaluate each control to see if it is currently implemented. If implemented, document how it is implemented. If not implemented, create a plan and schedule to implement the control (called a Plan of Action and Milestones).
The next step is for a Designated Approving Authority (DAA) to look over all the artifacts created in the above steps to determine whether they are complete enough to sell off implementation of the assigned IA controls. If they are complete, the DAA runs attacks against the system to try to gain access and find any vulnerabilities that have not already been addressed or mitigated (this is basically testing out each of the IA controls).
DIACAP Process Continued
Once the IA artifacts and validation testing are done, the DAA fills out the DIACAP scorecard, which helps determine the certification decision. Each system has to get a required minimum number of points in the IA categories of Confidentiality, Availability, and Integrity in order to be considered for accreditation. The accreditation decision is based on the DIACAP scorecard along with the artifacts and documentation submitted.
How does the DIACAP differ from the DITSCAP?
Transitioning from the DITSCAP to the DIACAP
It's quite a project for a system to transition from the DITSCAP to the DIACAP. The system gets no breaks for having an ATO granted by the DITSCAP process. The only help available is a guide that relates some of the IA controls and IA artifacts to sections in the SSAA.
Current problems with the DIACAP
– There are currently only a few IA controls that have specific artifacts listed to document that control.
– No final guidance has been issued on the whole process.
– The DIACAP Knowledge Service is only accessible to those individuals who have a DoD PKI certificate.
Conclusion
The DIACAP process is set up to handle the DoD's move to a net-centric operating environment and to set up a standard that all programs must meet. Once completely in place, this will make the whole security process much easier. Unfortunately, with final guidance still not released, most programs that are currently operating under a DITSCAP ATO are at a standstill, and programs with expiring ATOs are being issued IATOs in 6-month increments.
References
– DoD 8500.2 (Information Assurance Implementation)
– DIACAP Knowledge Service
– The Federal Information Security Management Act (FISMA)
– DoD Directive 8500.1 (Information Assurance)
– DoD Directive 8100.1 (Global Information Grid Overarching Policy)