
Diacap


Submitted By maxoh
Words 16882
Pages 68
Department of Defense

INSTRUCTION
NUMBER 8510.01
November 28, 2007
ASD(NII)/DoD CIO

SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)

References:
(a) Subchapter III of Chapter 35 of title 44, United States Code, “Federal Information Security Management Act (FISMA) of 2002”
(b) DoD Directive 8500.01E, “Information Assurance (IA),” October 24, 2002
(c) DoD Directive 8100.1, “Global Information Grid (GIG) Overarching Policy,” September 19, 2002
(d) DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003
(e) through (ab), see Enclosure 1

1. PURPOSE

This Instruction:

1.1. Implements References (a), (b), (c), and (d) by establishing the DIACAP for authorizing the operation of DoD Information Systems (ISs).

1.2. Cancels DoD Instruction (DoDI) 5200.40; DoD 8510.1-M; and ASD(NII)/DoD CIO memorandum, “Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance” (References (e), (f), and (g)).

1.3. Establishes or continues the following positions, panels, and working groups to implement the DIACAP: the Senior Information Assurance Officer (SIAO), the Principal Accrediting Authority (PAA), the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel, the IA Senior Leadership (IASL), the Defense (previously DISN) IA Security Accreditation Working Group (DSAWG), and the DIACAP Technical Advisory Group (TAG).

1.4. Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications.

1.5. Prescribes the DIACAP to satisfy the requirements of Reference (a) and requires the Department of Defense to meet

Similar Documents

Premium Essay

New Networks

...Defense (DoD) are directed to implement the Host-Based Security System (HBSS). This is a multifaceted software security application used within the DoD to protect vital network resources from exploitation. Protecting vital data on information systems by ensuring the information’s availability, integrity, authentication, confidentiality and non-repudiation is called Information Assurance (IA). The process used within the DoD to certify information systems meet documented IA requirements is known as the DIACAP process. The DIACAP process was established in order to comply with the Federal Information Security Management Act 2002 (FISMA). The DIACAP directly supports and identifies the IA security tool, HBSS and fully implements those practices as prescribed in accordance with DoD I 8500.1M. All organizations within the DoD are mandated to comply with DoD I 8500.1M and Fragmentary Order (FRAGO) 13 to remain connected to the DoD’s GRID. This project envelops all applicable DIACAP processes necessary to obtain the accreditations for the Centrixs-M software application. This project outlines the process used to develop a complete set of HBSS policies for the Centrixs-M software application. The development phase of this project includes the site configuration within the ePO system tree, deployment of the McAfee agents, and the configuration of secure site as prescribed by FARGO 13, policy development, and validation testing of the newly created policies. One of the main reasons...

Words: 527 - Pages: 3

Premium Essay

Unit 2 Lab Align Auditing Frameworks for a Business Unit with in the Dod

...1. What is the difference between DITSCAP and DIACAP?
a. DITSCAP provided guidance on roles, activities and documents for performing C&A, but it did not clearly identify what requirements to use.
b. DIACAP points to DoDD 8500.2, making it clear where to start identifying the IA capabilities that should be included and assessed for a particular C&A effort.
c. One of the biggest complaints about DITSCAP was that it required too much documentation and took too long to perform.
d. DIACAP identifies four spreadsheets that summarize important C&A information.
e. A second complaint about DITSCAP was that it only accommodated individual systems.
f. DIACAP addresses the need to expand C&A to account for components outside of a site’s control.
2. What is DCID 6/3, and why would you use DCID 6/3 as opposed to DIACAP for Certification and Accreditation of a system?
g. It is the policy for “Protecting Sensitive Compartmented Information Within Information Systems”. This directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems (ISs). For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI. An information system is any telecommunications and/or computer related equipment or interconnected system or subsystems...

Words: 1031 - Pages: 5

Premium Essay

Lab1

...1. What is the difference between DITSCAP and DIACAP?
a. DITSCAP provided guidance on roles, activities and documents for performing C&A, but it did not clearly identify what requirements to use.
b. DIACAP points to DoDD 8500.2, making it clear where to start identifying the IA capabilities that should be included and assessed for a particular C&A effort.
c. One of the biggest complaints about DITSCAP was that it required too much documentation and took too long to perform.
d. DIACAP identifies four spreadsheets that summarize important C&A information.
e. A second complaint about DITSCAP was that it only accommodated individual systems.
f. DIACAP addresses the need to expand C&A to account for components outside of a site’s control.
2. What is DCID 6/3, and why would you use DCID 6/3 as opposed to DIACAP for Certification and Accreditation of a system?
g. It is the policy for “Protecting Sensitive Compartmented Information Within Information Systems”. This directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems (ISs). For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI. An information system is any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition...

Words: 1031 - Pages: 5

Premium Essay

Tech

...Project for IS4550 Shurleen E. Wilson-Fye ITT-Duluth Ms. Brown

Contents: Coversheet; Glossary; Overview, Purpose, Scope; Training; Procedure; Policy; Policy 1: Information Systems Policy; Policy 2: Security of Laptop; Policy 3: Clean Desk policy; Policy 4: Workstation Policy; Policy 6: Email Policy; Policy 7: Personnel policy; Policy 9: Data Breach Policy; Policy 10: Software policy; Policy 11: Data and information classification; Policy 12: Internal Threats; Policy 13: Policies and Procedures for Electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII); Policy 14: Wireless LAN Security Policy; IS security Awareness policy; Conclusion; References

Overview: DSA contractors has been awarded a contract with the Department of Defense. Our next task is to revamp the company's policy to ensure compliance with DOD policy. All employees have to be retrained on new policy to ensure that DSA medicate violations. The attitudes and atmosphere of change will also be needed to ensure compliance with DOD standards. Training sessions are scheduled for all employees...

Words: 9781 - Pages: 40

Free Essay

Is4680 Lab 4

...1) The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process to ensure that risk management is applied on Information Systems from an enterprise view. DIACAP is a DoD-wide standard set of activities, tasks and process for the certification and accreditation of a DoD information system that will maintain the Information Assurance posture throughout the system's life cycle. The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a process defined by the United States Department of Defense (DOD) for managing risk. DoD Instruction (DODI) 5200.40 establishes a standard DOD-wide process with a set of activities, general tasks and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. DITSCAP applies to the acquisition, operation and sustainment of any DOD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. 2) The Director of Central Intelligence Directive (DCID) 6/3 establishes the security policy and procedures for storing, processing, and communicating classified intelligence data in information systems. To achieve compliance with DCID 6/3, agencies must ensure that information is safeguarded at all times and that...

Words: 360 - Pages: 2

Premium Essay

Is3110 Project Plan Part 1

...not mentioned above, will be denied access due to the high security risk they may present by possibly allowing unauthorized personnel access the DLIS systems, information, files, and/or data. Compliance to laws applicable to our company All federal agencies, including DLIS, are required to abide by all laws and regulations of the Federal Information Security Management Act (FISMA) to allow the protection of sensitive information. Since DLIS provides logistics and information technology services to the U.S. Department of Defense (DoD) and other federal agencies and international partners, they are also provided with standards for risk management including the Defense Information Assurance Certification and Accreditation Process (DIACAP) and the Control Objectives for Information and related Technology (COBIT). Roles and Responsibilities i. Chief of Information Technology. a. Maintains Risk Management Plan b. Established Policies and Procedures c. Develops Risk Response and Contingency Action Plan ii. Information Technology Managers. a. Maintains...

Words: 1341 - Pages: 6

Premium Essay

Vulnerability Management Plan

...WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet Date: 06/12/2012 Student Name: Michael Paul Douglas Student ID Number: 150777 Student Degree Program: Bachelor of Science Information Technology Security Student Email: douglasm@my.wgu.edu Four Digit Assessment/Project Code: CAPW4 Mentor Name: Martin Palma For Revisions Only Indicate Previous Grader: Submissions received with an altered, incomplete or missing cover sheet will be returned for resubmission. Submit to: Western Governors University Attn.: Assessment Delivery Department 4001 South 700 East, Suite 700 Salt Lake City, Utah 84107-2533 wgusubmittals@wgu.edu

Capstone Project Cover Sheet Capstone Project Title: Vulnerability Management Plan Student Name: Mike Douglas Degree Program: Bachelor of Science Information Technology Security Mentor Name: Martin Palma Signature Block Student’s Signature Mentor’s Signature

Table of Contents: Capstone Report Summary (Introduction); Review of Other Work; Rationale and Systems Analysis; Goals and Objectives; Project Timeline; Project Development; References; Appendix 1: Competency Matrix; Appendix 2: CVSS GUIDE; Appendix 3: DICES IV vulnerability management plan

Capstone Report Summary (Introduction) ...

Words: 6924 - Pages: 28

Premium Essay

Lab 6

...Anthony Purkapile

Introduction

Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information. This includes:
• Maintaining situational awareness of all systems across the organization
• Maintaining an understanding of threats and threat activities
• Assessing all security controls
• Collecting, correlating, and analyzing security-related information
• Providing actionable communication of security status across all tiers of the organization
• Active management of risk by organizational officials

Purpose

The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational...

Words: 1881 - Pages: 8

Premium Essay

Emerging Cybersecurity Policies in the Federal Government

...Emerging Cybersecurity Policies in the Federal Government Information Assurance Officer and Risk Management Analyst Department of Defense. CSEC 655 UMUC Individual Assignment 1 September 16, 2014

Table of Contents: Emerging Cybersecurity Policies in the Federal Government; Emerging Policies and Practices; Defense in Depth (DID); Security Risk Frameworks; Test Driven Development; Business Service Frameworks; Acceptance and Preparation for Failure; The Federal Government and these Emerging Policies and Practices; The Feds and Defense in Depth; The Feds and Security Risk Frameworks; The Feds and Test Driven Development; The Feds and Business Service Frameworks; The Feds and Acceptance and Preparation for Failure; How could the Feds continue to improve; References

Emerging Cybersecurity Policies in the Federal Government

One of the largest and most important enterprises there is to protect in the cyber security realm are the various networks that make up the federal government. This massive undertaking to secure the systems, networks, and data of the various governmental agencies is a never ending uphill battle. The requirements of the federal government enterprise to be globally far reaching, as well...

Words: 6354 - Pages: 26

Premium Essay

Risk Management Plan

...Introduction: Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information. This necessitates: • Maintaining situation awareness of all systems across the organization; • Maintaining an understanding of threats and threat activities; • Assessing all security controls; • Collecting, correlating, and analyzing security-related information; • Providing actionable communication of security status across all tiers of the organization; and • Active management of risk by organizational officials. Purpose: The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility...

Words: 4395 - Pages: 18

Premium Essay

Risk Management Plan

...Risk Management – Sector I Risk Management Plan Introduction Version 1.2.0 Designed by: Defense Logistics Information Systems Designers: Matthew Gugumuck, Michael Mawyer, Daryl Giggetts

Overview: The goal of the Risk Management plan is to design and execute the implementation of various security policies and different counter-measures in the event of any type of risk, threat, and/or vulnerabilities against the organizations daily operations and sensitive information. By combining both hardware devices and software applications will boost the effectiveness of security and preventing unauthorized access and effectively repulsing attacks.

Authority/Ownership: Any information and sensitive contents contained in this document has been planned and developed by DLA Logistics Information Service and in which is the rightful owner of this document. All materials contained within this document is considered CLASSIFIED and is also copyrighted by DLA Logistics Information Service (DLIS). Any wrongful use of such material and/or reference to this document without the rightful expressed and written consent of the owner(s) may result in criminal prosecution.

Sections contained in DLIS Risk Management Plan:
* Risk Management Overview
* Planning and Implementation of Risk Management
* Key Personnel Roles
* Risk Assessment Plan
* System Analysis and Characterization ...

Words: 4166 - Pages: 17

Premium Essay

Ngineer

...Plan-Do-Check-Act Cycle ENISA: Risk Management and Isms activities An information security management system[1] (ISMS) is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of BS 7799. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Contents * 1 ISMS description * 2 Need for an ISMS * 3 Critical success factors for ISMS * 4 Dynamic issues in ISMS * 5 See also * 6 Notes and references ISMS description As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach: * The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls. * The Do phase involves implementing and operating the controls. * The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS. * In the Act phase, changes are made where necessary to bring the ISMS back to peak performance. ISO/IEC 27001:2005 is a risk based information security standard, which means that organizations need to have...

Words: 5234 - Pages: 21

Premium Essay

Audit

...Student Lab Manual © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION Auditing IT Infrastructures for Compliance IS4680 Current Version Date: 11/21/2011 Copyright 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com ...

Words: 30948 - Pages: 124