
DIACAP Army Guidance and Transition Ms. Sally Dixon Army Office of



Presentation Transcript

  1. Track 1: Session 3 Information Assurance DIACAP Army Guidance and Transition Ms. Sally Dixon Army Office of Information Assurance & Compliance RANK/title Sally Dixon, NETC-EST-IC Sally.dixon@us.army.mil, DSN 332-7376

  2. Terminology
  • DIACAP: Department of Defense Information Assurance Certification and Accreditation Process
  • DITSCAP: Department of Defense Information Technology Security Certification and Accreditation Process
  • DODI: Department of Defense Information Issuance/Instruction

  3. Terminology (cont)
  • DAA: Designated Approving Authority
  • CA: Contractor Agreements/Certification Authority
  • ACA: Associate Contractor Agreements/Certification Authority
  • SIP: System Identification Profile
  • POA&M: Plan of Action & Milestones
  • SATE: Security Awareness Training And Education

  4. Track 1, Session 3: DIACAP Army Guidance and Transition
  • PURPOSE: Provide information on the Army Information Assurance Certification & Accreditation requirements
  • OBJECTIVES: By the end of this brief you will be able to:
    • Identify the reason C&A needs to be completed
    • Identify the why, when, and how concerning transition to the DIACAP
    • Identify the tools provided by Army and DOD to help implement the C&A process
    • Identify the Army C&A POCs

  5. Congressional & DOD Requirements
  • Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA): requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
  • DoD Directive 8500.1, Information Assurance, 24 Oct 2002: Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1

  6. DoD Requirements (cont)
  • DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006: DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
  • Interim DIACAP Guidance: DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation

  7. DoD Requirements (cont)
  • Interim DIACAP Guidance
    • Net-centric; information belongs to the enterprise; shared risks
    • Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
    • Supersedes DITSCAP, DODI 5200.40
  • DITSCAP (superseded)
    • Platform-centric; information belongs to the system owner; system-specific risks
    • Individual C/S/A-defined IA Controls
    • DAA-appointed Certification Authority

  8. Army Policy
  • Department of the Army CIO/G-6 Memorandum, subject: Army Strategy for the Implementation of the Interim DIACAP, 30 Nov 2006
  • Army will transition to the Interim DIACAP using the DIACAP transition table and implementing the four (4) C&A Best Business Practices:
    • The Information Assurance (IA) Certification and Accreditation (C&A) BBP
    • The Designated Approving Authority (DAA) BBP
    • The Certification Authority (CA) BBP
    • The Agent of the Certification Authority (ACA) BBP

  9. Army Policy (cont)
  • The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination
    • In the chain of command of the system owner
    • Responsible for the impact of any risk that was accepted
    • Responsible for ensuring the POA&M (get well plan) is executed
    • Will complete the Army Specific DAA Course
  • Certification Authority (CA) will be centralized in the Army Senior Information Assurance Officer (SIAO)
    • Army CA will vet a list of qualified government organizations and labs as trusted Agents of the CA to perform the functions of the 3rd party independent validator

  10. Army Policy (cont)
  • A System Owner will be identified for all information systems used by or in support of the Army
  • System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
  • All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
  • Annual revalidation IAW FISMA will be completed
  • Information systems will be recertified and reaccredited every three years

  11. Why Transition
  • DITSCAP and Army C&A processes written for stand-alone or stovepipe systems
  • DITSCAP not cost effective; paper vice value
  • DODI 8500.2 IA controls not considered
  • DAA delegated to the lowest level limits "Big Picture" consideration
  • Too many CAs limits consistent assessments
  • No qualification requirements for ACAs
  • IS deployed with no easily identifiable responsible government owner

  12. C&A Terms (NEW C&A TERM: EQUIVALENT C&A TERM)
  • SIP: Phase 1 SSAA
  • Scorecard: Test Results
  • POA&M: Get well plan
  • DIP: RTM & Acquisition Strategy & Test Plan, etc.
  • Artifacts: Documents, MOAs, Waivers, etc.
  • CA Team Member (TM): CA Representative (CAR)
  • Validator: Agents of Certification Authority (ACA)
  • IA Controls: IA Requirements
  • Knowledge Service: Application Manual

  13. The DIACAP
  • Focus on security posture via IA controls compliance
  • Baseline IA Controls address enterprise-wide threats and vulnerabilities
  • MAC & Confidentiality levels determine IA Controls
  • Applicability examples:
    • IS under contract to DoD
    • IS of Non-appropriated Fund Instruments
    • Prototypes
    • Advanced Concept Technology Demos (ACTD)
    • Stand-Alone IS
    • Mobile Computing devices, wired or wireless

  14. The DIACAP (cont)
  • Allows for inheritance of IA Controls
  • Severity code assigned to failed IA controls: CA assessment of exploitation ease
  • Impact codes assigned to failed IA controls: DOD's assessment of system-wide IA consequences
  • Severity and Impact codes determine:
    • Risk level associated with the security weakness
    • Urgency with which corrective actions must take place

  15. Key C&A Functions
  • Certification Authority (CA): determines the exploitation ease of vulnerabilities
  • Agent of the CA (ACA): performs validation against IA controls
  • Designated Approving Authority (DAA): balances the exploitation ease against the harm capability and operational need
  • System Owner: responsible for IA of the system throughout its lifecycle

  16. DIACAP Activities

  17. https://diacap.iaportal.navy.mil

  18. DIACAP Packages
  • Comprehensive package
    • Used for the CA recommendation
    • Includes all the information resulting from the DIACAP process
  • Executive package
    • Less than the Comprehensive package
    • Used for an accreditation decision
    • Provided to others in support of accreditation or other decisions, such as connection approval

  19. DIACAP Package Contents
  • Comprehensive DIACAP Package
    • System Identification Profile (SIP)
    • DIACAP Implementation Plan (DIP)
      • IA Controls - Inherited and implemented
      • Implementation Status
      • Responsible entities
      • Resources
      • Estimated completion date for each IA Control
    • Supporting Documentation for Certification
      • Actual Validation Results
      • Artifacts associated with implementation of IA Controls (e.g., STIGs and other implementation guidance)
      • Other Artifacts
    • DIACAP Scorecard
      • Certification Determination
      • Accreditation Determination
    • POA&M (if required)
  • Executive Package
    • System Identification Profile
    • DIACAP Scorecard
      • Certification Determination
      • Accreditation Determination
    • POA&M (if required)

  20. https://diacap.iaportal.navy.mil

  21. System Identification Profile fields (continued from the previous slide)
  • 22 DIACAP Team Roles, Member Names and Contact Information: See Table Below
  • 23 Acquisition Category (ACAT)
  • 24 Type of IT Investment
  • 25 System Life cycle Phase
  • 26 Software Category
  • 27 Privacy Impact Assessment
  • 28 E-Authentication Risk Assessment
  • 29 Annual Security Review Date
  • 30 System Operation
  • 31 Contingency Plan
  • 32 Contingency Plan Tested
  • 33 Information Assurance Record Type
  • 34 Security Controls Tested Date
  • DIACAP Team Roles, Member Names and Contact Information (Name / Phone / Email): PM/SM, IAM, User Representative, CA, DAA, SIAO, CIO, SME

  22. Annual Validation
  • IA Controls validation required no less than annually
  • Three Information Papers
    • IT System Contingency Plans: must be tested annually (Table Top exercise; Functional exercise)
    • Security Control Test: requirement for FISMA compliance; 8 controls must be tested; most control testing based on procedural review

  23. Annual Validation (cont)
  • Annual Security Review: requirement for FISMA compliance
    • All IA controls must be reviewed annually
    • Date testing completed in support of accreditation decision is recorded in APMS
    • Status of existing accreditation reassessed:
      • Continue ATO, no change in ATD
      • Continue ATO, SO must implement precautionary IA improvements, no change in ATD
      • Downgrade ATO to IATO, SO must prepare & execute POA&M, ATD is reset to 180 days
      • Downgrade ATO to DATO, operations halted
  • IS will be re-certified & re-accredited every 3 years

  24. Transition
  • Initiate / Transition to DIACAP when:
    • Unaccredited new start or operational IS
    • DITSCAP initiated, Phase 1 SSAA not signed
    • IS authorization more than 3 years old

  25. Transition (cont)
  • Accreditation current within 3 years
    • RTM lists applicable 8500.2 controls: within 180 days establish strategy and schedule for
      • Transitioning to DIACAP
      • Satisfying DIACAP Annual Reviews
      • Meeting FISMA reporting requirements
    • RTM does not list applicable 8500.2 controls: 180-day requirement same as above, plus
      • Strategy and schedule for achieving compliance with the 8500.2 IA controls
      • Provide Army CA an assessment of compliance with 8500.2 IA controls

  26. Transition (cont)
  • Continue DITSCAP: Phase 1 signed, accreditation not received
    • RTM lists applicable 8500.2 controls: within 180 days modify SSAA reaccreditation paragraph to include transition strategy and schedule
    • RTM does not list applicable 8500.2 controls: within 180 days
      • Modify RTM to incorporate IA Controls
      • Develop implementation plan
      • Modify SSAA reaccreditation paragraph to include transition strategy

  27. Status
  • 552 C&A package actions completed, 115 currently in process
  • 309 other C&A actions completed, 58 currently in process
  • Six ACA leads validated:
    -- ISEC
    -- CE-LCMC SEC
    -- S&TDC
    -- SPAWARSYSCEN Charleston
    -- ARL CISD
    -- ARL/SLAD
  • System owner identified and confirmed for all systems coming into the Certification Authority
  • DAA Repository posted, updated regularly
  • 41 DAAs appointed for 1071 named systems
  • Army Specific DAA Course developed, completed by 32 appointed DAAs [https://iatraining.us.army.mil]

  28. DAA Course https://iatraining.us.army.mil

  29. Status (cont)
  • New C&A BBPs
    • Installation Level DAA published 6 Jun 07
    • Terms for Connectivity to the Installation Service Provider/ICAN (in process); draft distributed for comment 18 June 2007
    • Standardized C&A for Tactical Units (in process)
  • C&A status tracked in APMS for annual FISMA reporting
  • Army C&A Resource: iacora home page on the AKO stood up

  30. https://www.us.army.mil/suite/page/146650

  31. https://www.us.army.mil/suite/page/146650

  32. https://www.us.army.mil/suite/page/146650

  33. https://www.us.army.mil/suite/page/146650

  34. Contacts
  • Team Members
    • Sally Dixon – 703.602.7376, sally.dixon@us.army.mil
    • Bill Janosky – 703.602.7372, william.janosky@us.army.mil
    • Bill Cathcart – 703.602.7369, william.cathcart@us.army.mil
    • Jim Burgan – 703-602-7393, jim.burgan@us.army.mil
    • Jennifer Sikes – 703-602-7377, jennifer.sikes@us.army.mil
  • Group email: iacora@us.army.mil
  • iacora home page on AKO at: https://www.us.army.mil/suite/page/146650 (AKO Credentials or CAC Validation for Access)
  • iacora home page on AKO-S at: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for Access)
