140 likes | 346 Views
Move over DITSCAP… The DIACAP is here!. By: Brigette Wilson. Agenda. DoD security background information How does the DoD ensure their systems are secure? The history of accreditation DIACAP information Information assurance (IA) controls DIACAP process
E N D
Move over DITSCAP… The DIACAP is here! By: Brigette Wilson Bwilson/UCCS CS591-Boeing Mentored DIACAP
Agenda • DoD security background information • How does the DoD ensure their systems are secure? • The history of accreditation • DIACAP information • Information assurance (IA) controls • DIACAP process • How does the DIACAP differ from the DITSCAP? • Transitioning from the DITSCAP to the DIACAP • Current problems with the DIACAP • Conclusion • References Bwilson/UCCS CS591-Boeing Mentored DIACAP
DoD Security Background Information • All DoD owned or controlled information systems that receive, process, store, display, or transmit DoD information (regardless of classification or sensitivity) must be accredited by the DoD in order to operate. • Once a system passes the DoD accreditation it is awarded authorization to operate (ATO) which is valid for up to three years. Toward the end of the ATO period the system must start the accreditation process over again to gain a new ATO. • A DoD system cannot operate if it does not have a current ATO or interim ATO on file. Bwilson/UCCS CS591-Boeing Mentored DIACAP
How does the DoD ensure their systems are secure? • The creators/maintainers of a information system have to document a number of different things relating to the security of their system. • Once the documentation has been submitted, a DoD representative runs attacks against the system to try to gain access and figure out any vulnerabilities that have not been addressed or mitigated. These attacks are tailored based on the classification of the system. Bwilson/UCCS CS591-Boeing Mentored DIACAP
The history of accreditation • On December 30, 1997 the DoD introduced a life-cycle approach to security accreditation called the DITSCAP. • On July 6, 2006 the interim department of defense (DoD) certification and accreditation (C&A) process guidance was released. This document officially retired the DITSCAP process and introduced the DIACAP process. Bwilson/UCCS CS591-Boeing Mentored DIACAP
DIACAP Information • DIACAP stands for DoD Information Assurance Certification and Accreditation Process. • The DIACAP process focuses on: • Identifying, implementing, and validating standardized IA controls. • Authorizing the operation of DoD information systems. • Managing the IA status across the information system life cycle. • The need for the DIACAP was driven by two issues: • The global information grid (GIG) which is the DoD's vision of network-centric operations to foster an agile, robust, interoperable and collaborative DoD. This is where warfighters, business and intelligence users all share knowledge on a secure, dependable and global network. • The need to meet section 3541 of the “Federal Information Security Management Act of 2002” (FISMA). • Interim DIACAP guidance stated that any system operating with an ATO or IATO needs to modify their DITSCAP package to include all information assurance (IA) controls within 180 days. • As of May 1, 2007 no final DIACAP guidance has been released. Bwilson/UCCS CS591-Boeing Mentored DIACAP
Information Assurance Controls • The theme of the DIACAP revolves around how a program currently (or plans) to implement IA controls applicable to that system. • IA Controls of a system are determined by the systems Mission Assurance Category (MAC) and classification level (CL). The baseline IA Controls that systems need to meet are found in DoD 8500.2 (Information Assurance Implementation) Enclosure 4. Bwilson/UCCS CS591-Boeing Mentored DIACAP
DIACAP Process • Like the DITSCAP process, the DIACAP is a very documentation heavy activity. • To start the process the system must register a System Identification Profile (SIP) on eMass. eMass is the new DoD web based tool to help with the implementation and management of C&A based on the DIACAP. • Next the DIACAP Implementation Plan Package must be created. Doing this includes the following steps: • Determine the IA Controls the system must meet. • Evaluate each control to see if it is currently implemented. If implemented, document how it is implemented. If not implemented, create a plan and schedule to implement the control (called Plan of Action and Milestone). • The next step is for a Designated Approving Authority (DAA) to look over all the artifacts created in the above step to determine if it is complete enough to sell off implementation of the assigned IA controls. If it is complete, the DAA runs attacks against the system to try to gain access and figure out any vulnerabilities that have not been already addressed or mitigated (this is basically testing out each of the IA controls). Bwilson/UCCS CS591-Boeing Mentored DIACAP
DIACAP Process Continued • Once the IA artifacts and validation testing are done the DAA fills out the DIACAP scorecard which will help determine the certification decision. • Each system has to get a required minimum number of points in the IA categories of Confidently, Availability, and Integrity in order to be considered for accreditation. • The accreditation decision is based on the DIACAP scorecard along with the artifacts and documentation submitted. Bwilson/UCCS CS591-Boeing Mentored DIACAP
How does the DIACAP differ from the DITSCAP? Bwilson/UCCS CS591-Boeing Mentored DIACAP
Transitioning from the DITSCAP to the DIACAP • Its quite a project for a system to transition from the DITSCAP to the DIACAP. The system gets no breaks for having an ATO granted by the DITSCAP process. • The only help available is a guide that relates some of the IA controls to IA artifacts to sections in the SSAA. Bwilson/UCCS CS591-Boeing Mentored DIACAP
Current problems with the DIACAP • There are currently only a few IA controls that have specific artifacts listed to document that control. • No final guidance has been issued on the whole process. • The DIACAP Knowledge Service is only accessible to those individuals who have a DoD PKI certificate. Bwilson/UCCS CS591-Boeing Mentored DIACAP
Conclusion • The DIACAP process is set up to handle the DoD’s move to a net-centric operating environment and to set up a standard that all programs must meet. Once completely in place this will make the whole security process much easier. • Unfortunately with final guidance still not released most programs that are currently operating under a DITSCAP ATO are at a standstill, and programs with ATO expiring are being issued IATOs in 6 month increments. Bwilson/UCCS CS591-Boeing Mentored DIACAP
References • DoD 8500.2 (Information Assurance Implementation) • DIACAP Knowledge Service • The Federal Information Security Management Act (FISMA) • DoD Directive 8500.1 (Information Assurance) • DoD Directive 8100.1 (Global Information Grid Overarching Policy) Bwilson/UCCS CS591-Boeing Mentored DIACAP