1 / 28

Practical DIACAP Implementation

Practical DIACAP Implementation. CS526 Research Project by Michael J. Cohen 4/29/2009. Agenda. Research Objectives The Global Information Grid Introduction to DIACAP The Process The DIACAP Package Findings. Research Objectives.

Download Presentation

Practical DIACAP Implementation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009 Michael J. Cohen

  2. Agenda • Research Objectives • The Global Information Grid • Introduction to DIACAP • The Process • The DIACAP Package • Findings Michael J. Cohen

  3. Research Objectives • Assist Boeing with instruction for new Information Assurance Professionals on what DoDI 8500.1 (DIACAP) is and how it is applied. • Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP. Michael J. Cohen

  4. Related Research • Hurkute S., Bele K., Nam, S., et. al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”. • Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E-votingDITSCAPProject.ppt • Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”. • Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIACAPClassPresentation.ppt Michael J. Cohen

  5. The Global Information Grid “The Global Information Grid1 (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations. Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.” -The DoD Global Information Grid Architectural Vision (2007) Michael J. Cohen

  6. Michael J. Cohen

  7. DoD Global Information Grid • Examples of DoD Systems include: • Joint Tactical Radio System (JTRS) • Warfighter Information Network Tactical (WIN-T) • Intelligence Community System for Information Sharing (ICSIS) • What do these systems have in common? • They must not be compromised in terms of: • Confidentiality • Integrity • Availability • Information Assurance is an understandable concern. Michael J. Cohen

  8. DIACAP • Department of Defense (DoD) • Information • Assurance • Certification and • Accreditation • Process • This process ensures that a DoD information system meet the appropriate security policies throughout its entire lifecycle. Michael J. Cohen

  9. Why is a process necessary? • Defines the steps necessary to implement the security policies. • Guarantees that security requirements are implemented consistently throughout the system. • Creates a paper trail. Michael J. Cohen

  10. 3 Components Needed for Implementation • The DIACAP Process • DIACAP Knowledge Service • Online knowledge base maintained by the DoD that contains the most current information on IA controls. • Automated C&A Tool that automates workflow • DoD recommends eMASS (Enterprise Mission Assurance Support Service) • Boeing uses the I-Assure DIACAP Toolset Michael J. Cohen

  11. The DIACAP Process Michael J. Cohen

  12. Tasks for Initiating and Planning IA C&A • Registering the System • System is registered with the DoD • Confidentiality level is defined • Assigning IA Controls • Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality • Assembling the DIACAP Team • Initiating the Implementation Plan Michael J. Cohen

  13. DIACAP Implementation Team Roles • Designated Accrediting Authority (DAA) • Signs off on Accreditation status • Ultimately responsible for the system • Certifying Authority (CA) • Makes the certification recommendation • Oversees those performing the evaluation • Information Assurance Officer (IAO) • Ensures that appropriate security is maintained on the system • Information Assurance Manager (IAM) • Coordinates and supports the missions of the other team members • Technical Lead Michael J. Cohen

  14. DIACAP Implementation Roles (cont.) • Program Manager / System Manger (PM/SM) • Manages Implementation • User Rep • Represents the user community to ensure that user needs of the system are met Michael J. Cohen

  15. Tasks for Implementing & Validating IA Controls • Executing the Implementation Plan • Conduct validation • Prepare POA&M (if necessary) • Enter results into DIACAP Scorecard Michael J. Cohen

  16. Tasks for Certification & Accreditation Determination • The CA makes a certification determination • Based on actual results of the implementation and testing of IA controls • The DAA issues an accreditation decision • Based on the CA’s recommendation along with the mission and business need. • DAA’s decision can be one of the following: • Authorization to Operate (ATO) • Interim Authorization to Operate (IATO) • Interim Authorization to Test (IATT) • Denial of Authorization to Operate (DATO) • All systems must be reaccredited every 3 years Michael J. Cohen

  17. Tasks for Maintaining Authorization to Operate • Managed by IAM • Maintaining situational awareness • Maintaining security • Initiate corrective action when necessary • Conduct annual reviews of IA controls Michael J. Cohen

  18. Tasks for Decommissioning • Make sure there are no negative impacts to other systems • Update the SIP • Remove and dispose of POA&M and DIACAP scorecard from all tracking systems • Retire system according to the appropriate requirements and procedures Michael J. Cohen

  19. DIACAP Package • Generated through the implementation of the DIACAP process. • Comprehensive Package Contents: • System Identification Profile (SIP) • DIACAP Implementation Plan (DIP) • DIACAP Scorecard • IT Security Plan of Action & Milestones (POA&M) (Optional) • Supporting Certification Documentation Michael J. Cohen

  20. Sample Architecture Michael J. Cohen

  21. System Identification Profile (SIP) Michael J. Cohen

  22. DIACAP Implementation Plan (DIP) Michael J. Cohen

  23. DIACAP Scorecard Michael J. Cohen

  24. DIACAP POA&M Michael J. Cohen

  25. Findings • The project was not as simple as simply running the I-Assure tool to generate the deliverables. • There is not a lot of documentation online regarding DIACAP. Michael J. Cohen

  26. Conclusion • The following was learned from this research project: • The DIACAP methodology. • The usage of a third party tool (I-Assure) tool in implementing DIACAP. Michael J. Cohen

  27. References • Cooper, Ronald. Boeing Mentor. • http://www.i-assure.com • Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment.Retrieved from http://iase.disa.mil/eta/diacap/index.htm Michael J. Cohen

  28. Michael J. Cohen

More Related