Practical DIACAP Implementation

CS526 Research Project

by Michael J. Cohen

4/29/2009

Agenda

• Research Objectives

• The Global Information Grid

• Introduction to DIACAP

• The Process

• The DIACAP Package

• Findings

Research Objectives

• Assist Boeing with instruction for new Information Assurance Professionals on what DoDI 8500.1 (DIACAP) is and how it is applied.

• Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP.

Related Research

• Hurkute, S., Bele, K., Nam, S., et al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”.

– Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E-votingDITSCAPProject.ppt

• Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”.

– Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIACAPClassPresentation.ppt

The Global Information Grid

“The Global Information Grid (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations. Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.”

-The DoD Global Information Grid Architectural Vision (2007)

DoD Global Information Grid

• Examples of DoD Systems include:

– Joint Tactical Radio System (JTRS)

– Warfighter Information Network Tactical (WIN-T)

– Intelligence Community System for Information Sharing (ICSIS)

• What do these systems have in common?

– They must not be compromised in terms of:

• Confidentiality

• Integrity

• Availability

• Information Assurance is an understandable concern.

DIACAP

• Department of Defense (DoD)

• Information

• Assurance

• Certification and

• Accreditation

• Process

• This process ensures that a DoD information system meets the appropriate security policies throughout its entire lifecycle.

Why is a process necessary?

• Defines the steps necessary to implement the security policies.

• Guarantees that security requirements are implemented consistently throughout the system.

• Creates a paper trail.

3 Components Needed for Implementation

• The DIACAP Process

• DIACAP Knowledge Service

– Online knowledge base maintained by the DoD that contains the most current information on IA controls.

• Automated C&A Tool that automates workflow

– DoD recommends eMASS (Enterprise Mission Assurance Support Service)

– Boeing uses the I-Assure DIACAP Toolset

The DIACAP Process

Tasks for Initiating and Planning IA C&A

• Registering the System

– System is registered with the DoD

– Confidentiality level is defined

• Assigning IA Controls

– Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality

• Assembling the DIACAP Team

• Initiating the Implementation Plan

DIACAP Implementation Team Roles

• Designated Accrediting Authority (DAA)

– Signs off on Accreditation status

– Ultimately responsible for the system

• Certifying Authority (CA)

– Makes the certification recommendation

– Oversees those performing the evaluation

• Information Assurance Officer (IAO)

– Ensures that appropriate security is maintained on the system

• Information Assurance Manager (IAM)

– Coordinates and supports the missions of the other team members

– Technical Lead

DIACAP Implementation Roles (cont.)

• Program Manager / System Manager (PM/SM)

– Manages Implementation

• User Rep

– Represents the user community to ensure that user needs of the system are met

Tasks for Implementing & Validating IA Controls

• Executing the Implementation Plan

• Conduct validation

• Prepare POA&M (if necessary)

• Enter results into DIACAP Scorecard

Tasks for Certification & Accreditation Determination

• The CA makes a certification determination

– Based on actual results of the implementation and testing of IA controls

• The DAA issues an accreditation decision

– Based on the CA’s recommendation along with the mission and business need

• DAA’s decision can be one of the following:

– Authorization to Operate (ATO)

– Interim Authorization to Operate (IATO)

– Interim Authorization to Test (IATT)

– Denial of Authorization to Operate (DATO)

• All systems must be reaccredited every 3 years

Tasks for Maintaining Authorization to Operate

• Managed by IAM

• Maintaining situational awareness

• Maintaining security

• Initiate corrective action when necessary

• Conduct annual reviews of IA controls

Tasks for Decommissioning

• Make sure there are no negative impacts to other systems

• Update the SIP

• Remove and dispose of POA&M and DIACAP scorecard from all tracking systems

• Retire system according to the appropriate requirements and procedures

DIACAP Package

• Generated through the implementation of the DIACAP process.

• Comprehensive Package Contents:

– System Identification Profile (SIP)

– DIACAP Implementation Plan (DIP)

– DIACAP Scorecard

– IT Security Plan of Action & Milestones (POA&M) (Optional)

– Supporting Certification Documentation

Sample Architecture

[Architecture diagram: Server 1 (UNIX OS) manages images; Workstations WS 1-12 (Windows XP) process images; images are converted for use (i.e. A to D); a Router connects the site to a Backup Site.]

System Identification Profile (SIP)

DIACAP Implementation Plan (DIP)

DIACAP Scorecard

DIACAP POA&M

Findings

• The project was not as simple as running the I-Assure tool to generate the deliverables.

• There is not a lot of documentation online regarding DIACAP.

Conclusion

• The following was learned from this research project:

– The DIACAP methodology.

– The use of a third-party tool (I-Assure) in implementing DIACAP.

References

• Cooper, Ronald. Boeing Mentor.

• http://www.i-assure.com

• Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment. Retrieved from http://iase.disa.mil/eta/diacap/index.htm
