Presentation is loading. Please wait.

Presentation is loading. Please wait.

UNCLASSIFIED DITSCAP Primer. UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI.

Published byCarmella Palmer Modified over 8 years ago

Similar presentations

Presentation on theme: "UNCLASSIFIED DITSCAP Primer. UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI."— Presentation transcript:

1 UNCLASSIFIED DITSCAP Primer

2 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI 5200.40 –Title: DoD Information Technology Security Certification and Accreditation Process (DITSCAP) –ASD Signature 30 Dec 97 DOD 8510.1-M –Title: DITSCAP Application Manual –Standalone document supplementing DoDI 5200.40 –ASD Signature 31 Jul 00 * DITSCAP: DoD Information Technology Security Certification and Accreditation Process

3 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 3 DITSCAP Applicability* Applies to –All DOD C/S/As**, Components, Activities, CJCS, and their Contractors and Agents Applies to –“the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information” –“Any IT or information system life cycle, …, the reconfiguration or upgrade of existing systems…” Effective immediately Mandatory for use by all DOD * DODI 5200.40, 30 Dec 97, Para 2 ** S/C/As: CINCs/Services/Agencies

4 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 4 Why DITSCAP DITSCAP –DoDI 5200.40 (DITSCAP) establishes a standard DOD-wide process, set of activities, general tasks, and a management structure to certify and accredit Information Systems (IS) that will maintain the Information Assurance (IA) and security posture of the Defense Information Infrastructure (DII) throughout the life cycle of the system

5 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 5 Definitions Certification “Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements”* * DODI 5200.40, 30 Dec 97, Enclosure 2, para E2.1.8

6 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 6 Certification Certification is a security analysis in the following areas: –Physical –Personnel –Administrative –Information –Information Systems –Communications

7 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 7 Definition Accreditation “Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk”* * DODI 5200.40, 30 Dec 97, Enclosure 2, para E2.1.2 DAA: Designated Approving Authority

8 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 8 DITSCAP Features DITSCAP –Defines a process for uniform C&A practice –Applicable throughout life cycle of system –Applicable to any type of acquisition strategy or development –Should be part of the Acquisition Strategy –Is a continuous process –Brings responsible organizations together

9 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 9 DITSCAP Phases Phase 1 Definition Phase 2 Verification Phase 3 Validation Phase 4 Post Accreditation

10 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 10 Phase 1: Definition Key players agree on the intended system mission, security reqs, C&A* boundary, schedule, level of effort, and required resources Agreement is documented in the SSAA** Document Mission Need Preparation Registration Negotiation Agreement? SSAA No Yes * C&A: Certification and Accreditation ** SSAA: System Security Authorization Agreement

11 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 11 Phase 1 Main Tasks Define system functions, reqs, and interfaces Define information category and classification Prepare the system architecture description Identify principle C&A roles & responsibilities Define C&A level of effort Draft SSAA Agree on the method for implementing security reqs (documented in SSAA)

12 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 12 Phase 2: Verification Verify system’s compliance with SSAA reqs Goal is to obtain integrated system for certification testing and accreditation System Development Certification Analysis Pass? SSAA No Yes Ready for Certification? No Yes A Phase 1 Definition Phase 3 Validation

13 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 13 Phase 2 Main Tasks System Architecture Analysis Software Design Analysis Network Connection Rule Compliance Integrity Analysis of Integrated Products Life Cycle Management Analysis Security Reqs Validation Procedures Vulnerability Evaluation

14 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 14 Phase 3: Validation System on-hand Validates system compliance w/SSAA reqs Goal is to obtain full approval to operate system (accreditation) Certify System? SSAA Certification Evaluation Of Integrated System Develop Recommendation Yes Accreditation Granted? No Yes Phase 4: Post Accreditation No A Phase 1 Definition

15 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 15 Phase 3 Main Tasks ST&E* (Implementation of security reqs, I&A, AC, Audits…) Penetration Testing (Exploitation, Insider/Outsider) COMSEC Compliance Evaluation (Reqs, Integration) System Management Analysis (Maintain Mgmt/CM/Arch) Contingency Plan Evaluation (Backup, COOP…) Site Accreditation Survey (SSAA compliance, environment) Risk Management Review (acceptable risks to CIAA**) Develop Certification Report and Recommendation for Accreditation: –System Certified: Yes or No (based on meeting SSAA reqs) –If Certified, Recommend: IATO or Accreditation Ends with accreditation decision from DAA * ST&E: Security Test and Evaluation ** CIAA: Confidentiality, Integrity, Availability, and Accountability

16 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 16 ST&E Tasks* Assess implementation of security design Ascertain that CIAA are implemented as documented in SSAA and perform properly Validate correct implementation of I&A**, Audits, Access Controls, Object Reuse, Trusted Recovery, and Network Connection Rule Compliance Evaluate system conformance w/reqs, mission, and architecture as defined in SSAA * DODI 5200.40, and DODM 8510.1 ** I&A: Identification and Authentication

17 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 17 Phase 4: Post Accreditation Starts after site accreditation Objective is to maintain an acceptable level of residual risk DITSCAP responsibilities shift to site/O&M Orgs Ends with system termination Phase 1: Definition SSAA System Operation Compliance Validation Validation Req’d? No Yes No Change Required? Yes

18 UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 18 Phase 4 Main Tasks Review configuration & security Mgmt* –Follow change mgmt documented in SSAA –Determine if system security mgmt continues to support mission and architecture Conduct risk management review –Assess if risk to CIAA is being maintained at an acceptable level Conduct compliance validation if needed –Ensure continued compliance w/SSAA reqs, current threat assessment, and concept of operations Maintain SSAA * Mgmt: Management

Download ppt "UNCLASSIFIED DITSCAP Primer. UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI."

Similar presentations

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Software Quality Assurance Plan

Software Quality Assurance Plan
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,

Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
School of Computing, Dublin Institute of Technology.

School of Computing, Dublin Institute of Technology.
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.

Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Information Systems Security Officer

Information Systems Security Officer
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice

Similar presentations

Ads by Google