Track 1, Session 3: DIACAP Army Guidance and Transition. PURPOSE: Provide information on the Army Information Assurance Certification
1. Rule:
Follow the exact same format in this slide template.
Indicate your rank/title, first, last name, office symbol, AKO email address, office phone number.
4. Congressional & DOD Requirements
Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
DoD Directive 8500.1 Information Assurance, 24 Oct 2002
Information Assurance requirements shall be identified and included in the design, acquisition, installation, operations, upgrade, or replacement of all DoD information systems in accordance with 10 U.S.C. Section 2224, OMB Circular A-130, Appendix III, and DoD Directive 5000.1
5. DoD Requirements (cont)
DOD CIO memorandum, subject: Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance, 6 July 2006
DOD will begin an immediate transition to a streamlined and modern C&A process that complies with FISMA
Interim DIACAP Guidance
DoD shall certify and accredit information systems through an enterprise process for identifying, implementing, and managing IA capabilities and services. These capabilities and services shall be expressed as IA Controls as defined by DODI 8500.2, IA Implementation
6. DoD Requirements (cont)
Interim DIACAP Guidance:
Net-centric, information belongs to the enterprise, shared risks
Authority and responsibility for certification are vested in the Senior IA Officer (SIAO)
Supersedes DITSCAP (DODI 5200.40), which was:
Platform-centric, information belongs to system owner, system-specific risks
Individual C/S/A defined IA Controls
DAA appointed Certification Authority
7. Army Policy
8. Army Policy (cont)
9. Army Policy (cont)
A System Owner will be identified for all information systems used by or in support of the Army
System owners will plan and budget for the C&A activities as part of their lifecycle responsibilities
All information systems will be compliant with the baseline IA controls in DODI 8500.2 and AR 25-2, at a minimum
Annual revalidation IAW FISMA will be completed
Information systems will be recertified and reaccredited every three years
10. Why Transition
DITSCAP and Army C&A processes were written for stand-alone or stovepipe systems
DITSCAP not cost effective, paper vice value
DODI 8500.2 IA controls not considered
DAA delegated to the lowest level limits “Big Picture” consideration
Too many CAs limits consistent assessments
No qualification requirements for ACAs
IS deployed with no easily identifiable responsible government owner
11. C&A Terms
12. The DIACAP
Focus on security posture via IA controls compliance
Baseline IA Controls address enterprise-wide threats and vulnerabilities
MAC & Confidentiality levels determine IA Controls
Applicability examples:
IS under contract to DoD
IS of Non-appropriated Fund Instruments
Prototypes
Advanced Concept Technology Demos (ACTD)
Stand-Alone IS
Mobile Computing devices, wired or wireless
13. The DIACAP (cont)
Allows for Inheritance of IA Controls
Severity code assigned to failed IA controls
CA assessment of exploitation ease
Impact codes assigned to failed IA controls
DoD's assessment of system-wide IA consequences
Severity and Impact codes
Determine risk level associated with the security weakness
Urgency with which corrective actions must take place
14. Key C&A Functions
15. DIACAP Activities
18. DIACAP Packages
Comprehensive package
Used for the CA recommendation
Includes all the information resulting from the DIACAP process
Executive package
Less than the Comprehensive package
Used for an accreditation decision
Provided to others in support of accreditation or other decisions, such as connection approval
19. DIACAP Package Contents
29. Annual Validation
IA Controls validation required no less than annually
Three Information Papers
IT System Contingency Plans
Must be tested annually
Table Top exercise
Functional exercise
Security Control Test Requirement for FISMA Compliance
8 controls must be tested
Most control testing based on procedural review
30. Annual Validation (cont)
Annual Security Review Requirement for FISMA Compliance
All IA controls must be reviewed annually
Date testing completed in support of accreditation decision is recorded in APMS
Status of existing accreditation reassessed
Continue ATO, no change in ATD
Continue ATO, SO must implement precautionary IA improvements, no change in ATD
Downgrade ATO to IATO, SO must prepare & execute POA&M, ATD is reset to 180 days
Downgrade ATO to DATO, operations halted
IS will be re-certified & re-accredited every 3 years
31. Transition
Initiate / Transition to DIACAP
Unaccredited new start or operational IS
DITSCAP initiated, Phase 1 SSAA not signed
IS authorization more than 3-years old
32. Transition (cont)
Accreditation current within 3 years
RTM lists applicable 8500.2 controls
180-days establish strategy and schedule for
Transitioning to DIACAP
Satisfying DIACAP Annual Reviews
Meeting FISMA reporting requirements
RTM does not list applicable 8500.2 controls
180-days requirement same as above plus
Strategy and Schedule for achieving compliance with the 8500.2 IA controls
Provide Army CA an assessment of compliance with 8500.2 IA controls.
33. Transition (cont)
Continue DITSCAP
Phase 1 signed, accreditation not received
RTM lists applicable 8500.2 controls
180-days modify SSAA reaccreditation paragraph to include transition strategy and schedule
RTM does not list applicable 8500.2 controls
180-days
Modify RTM to incorporate IA Controls
Develop implementation plan
Modify SSAA reaccreditation para to include transition strategy
34. Status
552 C&A package actions completed, 115 currently in process
309 Other C&A actions completed, 58 currently in process
Six ACA leads validated
-- ISEC
-- CE-LCMC SEC
-- S&TDC
-- SPAWARSYCEN Charleston
-- ARL CISD
-- ARL/SLAD
System owner identified and confirmed for all systems coming into the Certification Authority
DAA Repository posted, updated regularly
41 DAAs appointed for 1071 named systems
Army Specific DAA Course developed, completed by 32 appointed DAAs [https://iatraining.us.army.mil]
37. Status (cont)
New C&A BBPs
Installation Level DAA published 6 Jun 07
Terms for Connectivity to the Installation Service Provider/ICAN (in process) Draft distributed for comment 18 June 2007
Standardized C&A for Tactical Units (in process)
C&A status tracked in APMS for annual FISMA reporting
Army C&A Resource iacora home page on the AKO stood up
43. Contacts
Team Members
Sally Dixon – 703.602.7376, sally.dixon@us.army.mil
Bill Janosky – 703.602.7372, william.janosky@us.army.mil
Bill Cathcart – 703.602.7369, william.cathcart@us.army.mil
Jim Burgan – 703-602-7393, jim.burgan@us.army.mil
Jennifer Sikes – 703-602-7377, jennifer.sikes@us.army.mil
Group email: iacora@us.army.mil
iacora home page on AKO at: https://www.us.army.mil/suite/page/146650 (AKO credentials or CAC validation for access)
iacora home page on AKO-S at: http://www.us.army.smil.mil/suite/page/5406 (AKO credentials for Access)