DIACAP

Department of Defense

INSTRUCTION
NUMBER 8510.01
November 28, 2007
ASD(NII)/DoD CIO

SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)

References:
(a) Subchapter III of Chapter 35 of title 44, United States Code, “Federal Information Security Management Act (FISMA) of 2002”
(b) DoD Directive 8500.01E, “Information Assurance (IA),” October 24, 2002
(c) DoD Directive 8100.1, “Global Information Grid (GIG) Overarching Policy,” September 19, 2002
(d) DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003
(e) through (ab), see Enclosure 1

1. PURPOSE

This Instruction:

1.1. Implements References (a), (b), (c), and (d) by establishing the DIACAP for authorizing the operation of DoD Information Systems (ISs).

1.2. Cancels DoD Instruction (DoDI) 5200.40; DoD 8510.1-M; and ASD(NII)/DoD CIO memorandum, “Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance” (References (e), (f), and (g)).

1.3. Establishes or continues the following positions, panels, and working groups to implement the DIACAP: the Senior Information Assurance Officer (SIAO), the Principal Accrediting Authority (PAA), the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel, the IA Senior Leadership (IASL), the Defense (previously DISN) IA Security Accreditation Working Group (DSAWG), and the DIACAP Technical Advisory Group (TAG).

1.4. Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications.

1.5. Prescribes the DIACAP to satisfy the requirements of Reference (a) and requires the Department of Defense to meet…...

Similar Documents

Vulnerability Management Plan

...vulnerability remediations
• Train administrators on how to apply remediations (NIST, 2012)

Following the Department of Defense (DoD) adoption of the framework provided by NIST, the development of this patch and vulnerability management plan is based on their recommendations. NIST developed Special Publication SP 800-40 Version 2 to further its responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347 (Peter Mell, November 2005). The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the DoD vehicle for providing DICES IV the certification and approval to operate. This patch and vulnerability management plan fulfills the Information Assurance Vulnerability Management (IAVM) DIACAP control required for a DICES IV system. A patch and vulnerability management plan was not available during previous DIACAP phases; as a result, it is a high priority and must be in place in order to maintain the system's certification and accreditation without requiring a waiver.

Review of Other Work

Benjamin Franklin once said, “An ounce of prevention equals a pound of cure.” Patch and vulnerability management is the “ounce of prevention” compared to the “pound of cure” that is incident response (Peter Mell, November 2005). As of this date (June 2012), according to the National Vulnerability Database website http://nvd.nist.gov/home.cfm?workloadindex......

Risk Management Plan

...CNSSI-4012 (National Information Assurance Training Standard for Senior Systems Managers)
* CNSSI-4013 (National Information Assurance Training Standard for System Administrators)
* CNSSI-4014 (Information Assurance Training Standard for Information Systems Security Officers)
* NSTISSI-4015 (National Training Standard for Systems Certifiers)
* CNSSI-4016 (National Information Assurance Training Standard for Risk Analysts)
* Information Security Management System (ISMS), a set of policies concerned with information security management or with Information Technology related risks.
* Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), the process defined by the United States Department of Defense (DoD) for managing risk.

Key Personnel Roles and Responsibilities

As part of the overall welfare and security of DLIS, the following individuals and departments are critical to ensuring this Risk Management Plan is effective and obtains positive results:
* President of the United States
* Joint Chiefs of Staff
* President/CEO of DLIS
* Vice President
* Information Technology
* Chief Technology Officer
* Systems Administrators
* Network Administrators
* Software Developers and Programmers
* Accounting
* Chief Financial Officer ......

Risk Management Plan

...and disaster recovery plan.

Risk Management Procedure

The risk management procedure will start by obtaining senior management support and involvement, designating focal points, defining procedures, creating a schedule with milestones and deadlines, involving business and technical experts as consultants, and controlling, maintaining, monitoring, reporting, analyzing, and documenting results. This procedure will identify risks, threats, vulnerabilities, and the likelihood of those risks materializing; identify and rank critical issues and operations; estimate potential damage; identify cost-effective mitigating controls; and document assessment findings. All policies and procedures will support or be in compliance with the FISMA, COBIT, DIACAP, and PCI standards.

Risk Analysis

Risks may vary greatly, from natural disasters, operational errors, software vulnerabilities, and financial hardships to human interactions such as attackers, buffer overflow attacks, SYN flood attacks, etc. Network and server crashes, loss of connectivity, broken or damaged equipment/hardware including workstations, employees calling in sick, hard deadlines not being met, costs, no IDs, and open ports on the firewall can all be considered risks. Not having any anti-virus software, not updating the operating systems, running unneeded services and protocols, and not having any backups of your business assets such as files and applications are some of the risks that should be considered critical......

Unit 2 Lab Align Auditing Frameworks for a Business Unit with in the Dod

...1. What is the difference between DITSCAP and DIACAP?
a. DITSCAP provided guidance on roles, activities and documents for performing C&A, but it did not clearly identify what requirements to use.
b. DIACAP points to DoDI 8500.2, making it clear where to start identifying the IA capabilities that should be included and assessed for a particular C&A effort.
c. One of the biggest complaints about DITSCAP was that it required too much documentation and took too long to perform.
d. DIACAP identifies four spreadsheets that summarize important C&A information.
e. A second complaint about DITSCAP was that it only accommodated individual systems.
f. DIACAP addresses the need to expand C&A to account for components outside of a site’s control.

2. What is DCID 6/3, and why would you use DCID 6/3 as opposed to DIACAP for Certification and Accreditation of a system?
g. It is the policy for “Protecting Sensitive Compartmented Information Within Information Systems”. This directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems (ISs). For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI. An information system is any telecommunications and/or computer related equipment or interconnected system or......

Ngineer

...process (improvement) approach like PDCA or Six Sigma's DMAIC. Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice-based, as it comes from ISF's industry experiences. Some of the best-known ISMSs for computer security certification are the Common Criteria (CC) international standard and its predecessors, the Information Technology Security Evaluation Criteria (ITSEC) and the Trusted Computer System Evaluation Criteria (TCSEC).[3] Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the German IT baseline protection, the ISMS of Japan, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.[3] Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The table below illustrates the certification structure comparison of some of the best-known ISMSs:[3]

| | BS 7799 | Common Criteria | IT Security Evaluation Criteria |
| Operation Area | England | About 25 Countries | European Countries |
| Basic Structure | 6 Management phases; 11 Security domains; 139 Control objectives; 133 Security controls | 3 Parts; 11...... | |

Emerging Cybersecurity Policies in the Federal Government

...defined “best practices” in a checkbox format so that those who were not necessarily industry experts could apply the industry best practices as consistently as an expert (Dhamankar, Dausin, Eisenbarth, King, Kandek, Ullrich, Skoudis, Lee, 2009). To answer this need, the Defense Information Systems Agency (DISA) created an overall security risk framework along with a certification and accreditation process that defined and dictated the required industry best security practices to be applied to all government DoD systems that were to be on the operational enterprise networks (Stenbit, 2003). This security risk framework was outlined in a list of security controls known as the DoD Information Assurance Certification and Accreditation Process (DIACAP) 8500 control set and has been the leading security control set the DoD has used for the past 10 years (Stenbit, 2003). This security risk framework set up accepted best practices for every aspect of information technology security. Items such as physical facility security, server room construction, and heating and air conditioning of server rooms are covered by specific controls (Stenbit, 2003). Operating system configuration requirements, network topology requirements, personnel requirements, and system documentation requirements are covered by other controls (Stenbit, 2003). Auditing, backups, continuing operations, and data/system classification requirements are covered by still other controls (Stenbit, 2003). Although this......

Is3110 Acronyms

...child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal. Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyber bullying awareness and response.

DIACAP
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process meant to ensure that companies and organizations apply risk management to information systems (IS).

FERPA
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred......

Is4680 Lab 4

...1) The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process to ensure that risk management is applied on Information Systems from an enterprise view. DIACAP is a DoD-wide standard set of activities, tasks and processes for the certification and accreditation of a DoD information system that will maintain the Information Assurance posture throughout the system's life cycle.

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a process defined by the United States Department of Defense (DoD) for managing risk. DoD Instruction (DoDI) 5200.40 establishes a standard DoD-wide process with a set of activities, general tasks and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. DITSCAP has applied to the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997.

2) The Director of Central Intelligence Directive (DCID) 6/3 establishes the security policy and procedures for storing, processing, and communicating classified intelligence data in information systems. To achieve compliance with DCID 6/3, agencies must ensure that information is safeguarded at all times and......

Tech

...and use an enterprise decision structure for IA C&A that includes and integrates GIG MAs pursuant to DoD Directive (DoDD) 8115.01 (Reference (j)) and the DIACAP governance process prescribed in this Instruction.

4.3. The DIACAP shall support the transition of DoD ISs to GIG standards and a net-centric environment while enabling assured information sharing by:
4.3.1. Providing a standard C&A approach.
4.3.2. Providing guidance on managing and disseminating enterprise standards and guidelines for IA design, implementation, configuration, validation, operational sustainment, and reporting.
4.3.3. Accommodating diverse ISs in a dynamic environment.

4.4. All DoD-owned or -controlled ISs shall be under the governance of a DoD Component IA program in accordance with Reference (d). The DoD Component IA program shall be the primary mechanism for ensuring enterprise visibility and synchronization of the DIACAP.

4.5. All DoD ISs shall be implemented using the baseline DoD IA controls in accordance with Reference (d). The baseline DoD IA controls may be augmented if required to address localized threats or vulnerabilities.

4.6. A DIACAP Scorecard with a manual or DoD Public Key Infrastructure (PKI)-certified digital signature shall be visible to the DoD Chief Information Officer (CIO) and the DoD Component CIOs. The DIACAP Scorecard shall document the designated accrediting authority (DAA) accreditation decision as well as the results of the implementation of required......

Is3110 Project Plan Part 1

...not mentioned above, will be denied access due to the high security risk they may present by possibly allowing unauthorized personnel to access the DLIS systems, information, files, and/or data.

Compliance with laws applicable to our company

All federal agencies, including DLIS, are required to abide by all laws and regulations of the Federal Information Security Management Act (FISMA) to allow the protection of sensitive information. Since DLIS provides logistics and information technology services to the U.S. Department of Defense (DoD) and other federal agencies and international partners, they are also provided with standards for risk management including the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Control Objectives for Information and related Technology (COBIT).

Roles and Responsibilities
i. Chief of Information Technology.
a. Maintains Risk Management Plan
b. Establishes Policies and Procedures
c. Develops Risk Response and Contingency Action Plan
ii. Information Technology Managers.
a. Maintains Risks on a daily basis
b. Promotes Operational Risk Management
c. Implements Risk Management Plan
iii. DLIS.
a. Assigns Audits/Schedules Audits
b. Determines Acceptable Risks
c. Upholds Effective Risk Management

Schedule

A schedule has been established to ensure the Risk Management Plan is completed in a timely manner. The plan has been assigned a 20-day period to complete the initial draft. This timeframe......

New Networks

...Defense (DoD) are directed to implement the Host-Based Security System (HBSS). This is a multifaceted software security application used within the DoD to protect vital network resources from exploitation. Protecting vital data on information systems by ensuring the information’s availability, integrity, authentication, confidentiality and non-repudiation is called Information Assurance (IA). The process used within the DoD to certify that information systems meet documented IA requirements is known as the DIACAP process. The DIACAP process was established in order to comply with the Federal Information Security Management Act of 2002 (FISMA). The DIACAP directly supports and identifies the IA security tool, HBSS, and fully implements those practices as prescribed in accordance with DoD I 8500.1M. All organizations within the DoD are mandated to comply with DoD I 8500.1M and Fragmentary Order (FRAGO) 13 to remain connected to the DoD’s GRID. This project encompasses all applicable DIACAP processes necessary to obtain the accreditations for the Centrixs-M software application. This project outlines the process used to develop a complete set of HBSS policies for the Centrixs-M software application. The development phase of this project includes the site configuration within the ePO system tree, deployment of the McAfee agents, the configuration of the secure site as prescribed by FRAGO 13, policy development, and validation testing of the newly created policies. One of the......

Audit

...are required to draft an executive summary defining and explaining at least two auditing, hardening or security frameworks from one of the above DoD resources. The executive summary shall be a minimum of 600 words, double spaced, Arial, 11 point font. The research performed by the students is required to answer the lab assessment questions.

Lab Assessment Questions & Answers
1. What is the difference between DITSCAP and DIACAP?
2. What is DCID 6/3, and why would you use DCID 6/3 as opposed to DIACAP for Certification and Accreditation of a system?
3. What is C&A and what are the following Acronyms related to the C&A process: DISN, GIG, PAA, DAA, DISA?

© Jones & Bartlett Learning, LLC, an Ascend Learning Company. NOT FOR SALE OR DISTRIBUTION. Current Version Date:......

Managing Risk in Information System

...You put controls into place. Later, you perform checks and audits to ensure they are still working as expected.

Critical success factor (CSF) | An element necessary for the success of an organization. CSFs often contribute to CBFs.

Demilitarized zone (DMZ) | A buffer zone separating the Internet from the internal network. A DMZ is often created with two separate firewalls. You then place public-facing servers such as Web servers or e-mail servers in the DMZ.

Denial of service (DoS) | An attack designed to prevent a system from providing a service. A DoS attack is launched from a single client.

Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) | A risk management process applied to U.S. DoD systems. It is fully documented in DoD Instruction 8510.01. Systems must go through a formal certification and accreditation process before being authorized to operate.

Due care | Taking reasonable steps to protect against risks.

Due diligence | Taking a reasonable amount of time and effort to identify risks. The person or organization conducting due diligence investigates risks in order to understand them.

E

Emergency Management Team (EMT) | A team composed of senior management personnel, who have overall authority during a disruption or disaster. The EMT, DAT, and TRT are teams designated by the BCP.

Department of Homeland Security (DHS) | A major department in......
