Presentation is loading. Please wait.

Presentation is loading. Please wait.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

Published byIsaac Harrison Modified over 9 years ago

Similar presentations

Presentation on theme: "4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009."— Presentation transcript:

1 4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009

2 Michael J. Cohen2 Agenda Research Objectives The Global Information Grid Introduction to DIACAP The Process The DIACAP Package Findings

3 4/29/2009Michael J. Cohen3 Research Objectives Assist Boeing with instruction for new Information Assurance Professionals on what DoDI 8500.1 (DIACAP) is and how it is applied. Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP.

4 4/29/2009Michael J. Cohen4 Related Research Hurkute S., Bele K., Nam, S., et. al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”. –Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E- votingDITSCAPProject.ppt http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E- votingDITSCAPProject.ppt Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”. –Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIA CAPClassPresentation.ppt http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIA CAPClassPresentation.ppt

5 4/29/2009Michael J. Cohen5 The Global Information Grid “The Global Information Grid1 (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations. Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.” -The DoD Global Information Grid Architectural Vision (2007)

6 4/29/2009Michael J. Cohen6

7 4/29/2009Michael J. Cohen7 DoD Global Information Grid Examples of DoD Systems include: –Joint Tactical Radio System (JTRS) –Warfighter Information Network Tactical (WIN-T) –Intelligence Community System for Information Sharing (ICSIS) What do these systems have in common? –They must not be compromised in terms of: Confidentiality Integrity Availability Information Assurance is an understandable concern.

8 4/29/2009Michael J. Cohen8 DIACAP Department of Defense (DoD) Information Assurance Certification and Accreditation Process This process ensures that a DoD information system meet the appropriate security policies throughout its entire lifecycle.

9 4/29/2009Michael J. Cohen9 Why is a process necessary? Defines the steps necessary to implement the security policies. Guarantees that security requirements are implemented consistently throughout the system. Creates a paper trail.

10 4/29/2009Michael J. Cohen10 3 Components Needed for Implementation The DIACAP Process DIACAP Knowledge Service –Online knowledge base maintained by the DoD that contains the most current information on IA controls. Automated C&A Tool that automates workflow –DoD recommends eMASS (Enterprise Mission Assurance Support Service) –Boeing uses the I-Assure DIACAP Toolset

11 4/29/2009Michael J. Cohen11 The DIACAP Process

12 4/29/2009Michael J. Cohen12 Tasks for Initiating and Planning IA C&A Registering the System –System is registered with the DoD –Confidentiality level is defined Assigning IA Controls –Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality Assembling the DIACAP Team Initiating the Implementation Plan

13 4/29/2009Michael J. Cohen13 DIACAP Implementation Team Roles Designated Accrediting Authority (DAA) –Signs off on Accreditation status –Ultimately responsible for the system Certifying Authority (CA) –Makes the certification recommendation –Oversees those performing the evaluation Information Assurance Officer (IAO) –Ensures that appropriate security is maintained on the system Information Assurance Manager (IAM) –Coordinates and supports the missions of the other team members –Technical Lead

14 4/29/2009Michael J. Cohen14 DIACAP Implementation Roles (cont.) Program Manager / System Manger (PM/SM) –Manages Implementation User Rep –Represents the user community to ensure that user needs of the system are met

15 4/29/2009Michael J. Cohen15 Tasks for Implementing & Validating IA Controls Executing the Implementation Plan Conduct validation Prepare POA&M (if necessary) Enter results into DIACAP Scorecard

16 4/29/2009Michael J. Cohen16 Tasks for Certification & Accreditation Determination The CA makes a certification determination –Based on actual results of the implementation and testing of IA controls The DAA issues an accreditation decision –Based on the CA’s recommendation along with the mission and business need. DAA’s decision can be one of the following: –Authorization to Operate (ATO) –Interim Authorization to Operate (IATO) –Interim Authorization to Test (IATT) –Denial of Authorization to Operate (DATO) All systems must be reaccredited every 3 years

17 4/29/2009Michael J. Cohen17 Tasks for Maintaining Authorization to Operate Managed by IAM Maintaining situational awareness Maintaining security Initiate corrective action when necessary Conduct annual reviews of IA controls

18 4/29/2009Michael J. Cohen18 Tasks for Decommissioning Make sure there are no negative impacts to other systems Update the SIP Remove and dispose of POA&M and DIACAP scorecard from all tracking systems Retire system according to the appropriate requirements and procedures

19 4/29/2009Michael J. Cohen19 DIACAP Package Generated through the implementation of the DIACAP process. Comprehensive Package Contents: –System Identification Profile (SIP) –DIACAP Implementation Plan (DIP) –DIACAP Scorecard –IT Security Plan of Action & Milestones (POA&M) (Optional) –Supporting Certification Documentation

20 4/29/2009Michael J. Cohen20 Sample Architecture

21 4/29/2009Michael J. Cohen21 System Identification Profile (SIP)

22 4/29/2009Michael J. Cohen22 DIACAP Implementation Plan (DIP)

23 4/29/2009Michael J. Cohen23 DIACAP Scorecard

24 4/29/2009Michael J. Cohen24 DIACAP POA&M

25 4/29/2009Michael J. Cohen25 Findings The project was not as simple as simply running the I-Assure tool to generate the deliverables. There is not a lot of documentation online regarding DIACAP.

26 4/29/2009Michael J. Cohen26 Conclusion The following was learned from this research project: –The DIACAP methodology. –The usage of a third party tool (I-Assure) tool in implementing DIACAP.

27 4/29/2009Michael J. Cohen27 References Cooper, Ronald. Boeing Mentor. http://www.i-assure.com Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment.Retrieved from http://iase.disa.mil/eta/diacap/index.htm http://iase.disa.mil/eta/diacap/index.htm

28 4/29/2009Michael J. Cohen28

Download ppt "4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009."

Similar presentations

Document management Rev. Description Author Date 0.0 First draft

Document management Rev. Description Author Date 0.0 First draft
METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
Presentation for the Management Study of the Code Enforcement Process City of Little Rock, Arkansas August 3, 2006.

Presentation for the Management Study of the Code Enforcement Process City of Little Rock, Arkansas August 3, 2006.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
Accreditation 1. Purpose of the Module - To create knowledge and understanding on accreditation system - To build capacity of National Governments/ focal.

Accreditation 1. Purpose of the Module - To create knowledge and understanding on accreditation system - To build capacity of National Governments/ focal.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
SPēD Certification Program Executive Overview. 2April 2012Executive Overview Purpose Outline the SPēD Program Provide SPēD Program update Provide SPēD.

SPēD Certification Program Executive Overview. 2April 2012Executive Overview Purpose Outline the SPēD Program Provide SPēD Program update Provide SPēD.
DISN Video Services September 21, 2009 An Overview of the VTF DIACAP Process A Combat Support Agency Defense Information Systems Agency.

DISN Video Services September 21, 2009 An Overview of the VTF DIACAP Process A Combat Support Agency Defense Information Systems Agency.
Unclassified Slide 1 5/21/2015 2007 LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC DSN 332-7376 DIACAP Army Guidance.

Unclassified Slide 1 5/21/ LandWarNet Conference RANK/title Sally Dixon, NETC-EST-IC DSN DIACAP Army Guidance.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,

Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,
Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.

Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.
22000 Food Safety Management Systems

22000 Food Safety Management Systems
Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.

Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.
Introduction & Background Laurene Christensen National Center on Educational Outcomes National Center on Educational Outcomes (NCEO)

Introduction & Background Laurene Christensen National Center on Educational Outcomes National Center on Educational Outcomes (NCEO)
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.

Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
ECM Project Roles and Responsibilities

ECM Project Roles and Responsibilities

Similar presentations

Ads by Google