4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

4/29/2009 Michael J. Cohen 1

Practical DIACAP Implementation

CS526 Research Project

by Michael J. Cohen

4/29/2009

4/29/2009 Michael J. Cohen 2

Agenda

• Research Objectives

• The Global Information Grid

• Introduction to DIACAP

• The Process

• The DIACAP Package

• Findings

4/29/2009 Michael J. Cohen 3

Research Objectives

• Assist Boeing with instruction for new Information Assurance Professionals on what DoDI 8500.1 (DIACAP) is and how it is applied.

• Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP.

4/29/2009 Michael J. Cohen 4

Related Research

• Hurkute S., Bele K., Nam, S., et. al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”.

– Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E-votingDITSCAPProject.ppt

• Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”.

– Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIACAPClassPresentation.ppt

4/29/2009 Michael J. Cohen 5

The Global Information Grid“The Global Information Grid1 (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations.Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.”

-The DoD Global Information Grid Architectural Vision (2007)

4/29/2009 Michael J. Cohen 6

4/29/2009 Michael J. Cohen 7

DoD Global Information Grid• Examples of DoD Systems include:

– Joint Tactical Radio System (JTRS)

– Warfighter Information Network Tactical (WIN-T)

– Intelligence Community System for Information Sharing (ICSIS)

• What do these systems have in common?

– They must not be compromised in terms of:

• Confidentiality

• Integrity

• Availability

• Information Assurance is an understandable concern.

4/29/2009 Michael J. Cohen 8

DIACAP

• Department of Defense (DoD)

• Information

• Assurance

• Certification and

• Accreditation

• Process

• This process ensures that a DoD information system meet the appropriate security policies throughout its entire lifecycle.

4/29/2009 Michael J. Cohen 9

Why is a process necessary?

• Defines the steps necessary to implement the security policies.

• Guarantees that security requirements are implemented consistently throughout the system.

• Creates a paper trail.

4/29/2009 Michael J. Cohen 10

3 Components Needed for Implementation

• The DIACAP Process

• DIACAP Knowledge Service

– Online knowledge base maintained by the DoD that contains the most current information on IA controls.

• Automated C&A Tool that automates workflow

– DoD recommends eMASS (Enterprise Mission Assurance Support Service)

– Boeing uses the I-Assure DIACAP Toolset

4/29/2009 Michael J. Cohen 11

The DIACAP Process

4/29/2009 Michael J. Cohen 12

Tasks for Initiating and Planning IA C&A

• Registering the System

– System is registered with the DoD

– Confidentiality level is defined

• Assigning IA Controls

– Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality

• Assembling the DIACAP Team

• Initiating the Implementation Plan

4/29/2009 Michael J. Cohen 13

DIACAP Implementation Team Roles

• Designated Accrediting Authority (DAA)

– Signs off on Accreditation status

– Ultimately responsible for the system

• Certifying Authority (CA)

– Makes the certification recommendation

– Oversees those performing the evaluation

• Information Assurance Officer (IAO)

– Ensures that appropriate security is maintained on the system

• Information Assurance Manager (IAM)

– Coordinates and supports the missions of the other team members

– Technical Lead

4/29/2009 Michael J. Cohen 14

DIACAP Implementation Roles (cont.)

• Program Manager / System Manger (PM/SM)

– Manages Implementation

• User Rep

– Represents the user community to ensure that user needs of the system are met

4/29/2009 Michael J. Cohen 15

Tasks for Implementing & Validating IA Controls

• Executing the Implementation Plan

• Conduct validation

• Prepare POA&M (if necessary)

• Enter results into DIACAP Scorecard

4/29/2009 Michael J. Cohen 16

Tasks for Certification & Accreditation Determination

• The CA makes a certification determination

– Based on actual results of the implementation and testing of IA controls

• The DAA issues an accreditation decision

– Based on the CA’s recommendation along with the mission and business need.

• DAA’s decision can be one of the following:

– Authorization to Operate (ATO)

– Interim Authorization to Operate (IATO)

– Interim Authorization to Test (IATT)

– Denial of Authorization to Operate (DATO)

• All systems must be reaccredited every 3 years

4/29/2009 Michael J. Cohen 17

Tasks for Maintaining Authorization to Operate

• Managed by IAM

• Maintaining situational awareness

• Maintaining security

• Initiate corrective action when necessary

• Conduct annual reviews of IA controls

4/29/2009 Michael J. Cohen 18

Tasks for Decommissioning

• Make sure there are no negative impacts to other systems

• Update the SIP

• Remove and dispose of POA&M and DIACAP scorecard from all tracking systems

• Retire system according to the appropriate requirements and procedures

4/29/2009 Michael J. Cohen 19

DIACAP Package

• Generated through the implementation of the DIACAP process.

• Comprehensive Package Contents:– System Identification Profile (SIP)

– DIACAP Implementation Plan (DIP)

– DIACAP Scorecard

– IT Security Plan of Action & Milestones (POA&M) (Optional)

– Supporting Certification Documentation

4/29/2009 Michael J. Cohen 20

Sample Architecture

ARCHITECTURE

ConvertedFor Use (i.e. A to D)

`

Server 1MANAGE IMAGE

(UNIX OS)

WS 1-12PROCESS IMAGE(WINDOWS XP)

Router

BACKUP SITE

4/29/2009 Michael J. Cohen 21

System Identification Profile (SIP)

4/29/2009 Michael J. Cohen 22

DIACAP Implementation Plan (DIP)

4/29/2009 Michael J. Cohen 23

DIACAP Scorecard

4/29/2009 Michael J. Cohen 24

DIACAP POA&M

4/29/2009 Michael J. Cohen 25

Findings

• The project was not as simple as simply running the I-Assure tool to generate the deliverables.

• There is not a lot of documentation online regarding DIACAP.

4/29/2009 Michael J. Cohen 26

Conclusion

• The following was learned from this research project:

– The DIACAP methodology.

– The usage of a third party tool (I-Assure) tool in implementing DIACAP.

4/29/2009 Michael J. Cohen 27

References

• Cooper, Ronald. Boeing Mentor.

• http://www.i-assure.com

• Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment.Retrieved from http://iase.disa.mil/eta/diacap/index.htm

4/29/2009 Michael J. Cohen 28