Number of slides: 28

Practical DIACAP Implementation
CS 526 Research Project
by Michael J. Cohen
4/29/2009

Agenda
• Research Objectives
• The Global Information Grid
• Introduction to DIACAP
• The Process
• The DIACAP Package
• Findings

Research Objectives
• Assist Boeing with instruction for new Information Assurance professionals on what DoDI 8500.1 (DIACAP) is and how it is applied.
• Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP.

Related Research
• Hurkute, S., Bele, K., Nam, S., et al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”.
  – Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/EvotingDITSCAPProject.ppt
• Wilson, B., 2007. “Move Over DITSCAP… The DIACAP is Here!”.
  – Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIACAPClassPresentation.ppt

The Global Information Grid
“The Global Information Grid (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations. Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.”
– The DoD Global Information Grid Architectural Vision (2007)

DoD Global Information Grid
• Examples of DoD systems include:
  – Joint Tactical Radio System (JTRS)
  – Warfighter Information Network-Tactical (WIN-T)
  – Intelligence Community System for Information Sharing (ICSIS)
• What do these systems have in common?
  – They must not be compromised in terms of:
    • Confidentiality
    • Integrity
    • Availability
• Information Assurance is an understandable concern.

DIACAP
• Department of Defense (DoD)
• Information
• Assurance
• Certification and
• Accreditation
• Process
• This process ensures that a DoD information system meets the appropriate security policies throughout its entire lifecycle.

Why is a process necessary?
• Defines the steps necessary to implement the security policies.
• Guarantees that security requirements are implemented consistently throughout the system.
• Creates a paper trail.

3 Components Needed for Implementation
• The DIACAP Process
• DIACAP Knowledge Service
  – Online knowledge base maintained by the DoD that contains the most current information on IA controls.
• Automated C&A tool that automates workflow
  – DoD recommends eMASS (Enterprise Mission Assurance Support Service)
  – Boeing uses the I-Assure DIACAP Toolset

The DIACAP Process

Tasks for Initiating and Planning IA C&A
• Registering the System
  – System is registered with the DoD
  – Confidentiality level is defined
• Assigning IA Controls
  – Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality
• Assembling the DIACAP Team
• Initiating the Implementation Plan

DIACAP Implementation Team Roles
• Designated Accrediting Authority (DAA)
  – Signs off on accreditation status
  – Ultimately responsible for the system
• Certifying Authority (CA)
  – Makes the certification recommendation
  – Oversees those performing the evaluation
• Information Assurance Officer (IAO)
  – Ensures that appropriate security is maintained on the system
• Information Assurance Manager (IAM)
  – Coordinates and supports the missions of the other team members
  – Technical lead

DIACAP Implementation Roles (cont.)
• Program Manager / System Manager (PM/SM)
  – Manages implementation
• User Rep
  – Represents the user community to ensure that user needs of the system are met

Tasks for Implementing & Validating IA Controls
• Execute the Implementation Plan
• Conduct validation
• Prepare POA&M (if necessary)
• Enter results into DIACAP Scorecard

Tasks for Certification & Accreditation Determination
• The CA makes a certification determination
  – Based on actual results of the implementation and testing of IA controls
• The DAA issues an accreditation decision
  – Based on the CA’s recommendation along with the mission and business need
• The DAA’s decision can be one of the following:
  – Authorization to Operate (ATO)
  – Interim Authorization to Operate (IATO)
  – Interim Authorization to Test (IATT)
  – Denial of Authorization to Operate (DATO)
• All systems must be reaccredited every 3 years

Tasks for Maintaining Authorization to Operate
• Managed by the IAM
• Maintain situational awareness
• Maintain security
• Initiate corrective action when necessary
• Conduct annual reviews of IA controls

Tasks for Decommissioning
• Make sure there are no negative impacts to other systems
• Update the SIP
• Remove and dispose of the POA&M and DIACAP Scorecard from all tracking systems
• Retire the system according to the appropriate requirements and procedures

DIACAP Package
• Generated through the implementation of the DIACAP process.
• Comprehensive package contents:
  – System Identification Profile (SIP)
  – DIACAP Implementation Plan (DIP)
  – DIACAP Scorecard
  – IT Security Plan of Action & Milestones (POA&M) (optional)
  – Supporting certification documentation

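The control-assignment, validation, Scorecard, POA&M and review-cycle steps on the preceding slides, worked through as a small Python model of the data that ends up in the DIACAP Package. This is an added illustration, not material from the presentation and not the I-Assure toolset or eMASS. The control identifiers (CTRL-AVAIL-n, CTRL-CONF-n), the MAC and confidentiality baseline tables, the sample validation results, the accreditation date and the 90-day milestone window are all constructed placeholders, not the real DoD IA control set; only the step ordering, the MAC-plus-confidentiality basis for assigning controls, the annual review and the 3-year reaccreditation come from the slides.

```python
"""Toy model of the DIACAP flow: assign controls -> validate -> Scorecard -> POA&M.

Added illustration only: not the presentation's material and not the
I-Assure or eMASS tooling. Control IDs, baselines, validation results,
the accreditation date and the 90-day milestone window are CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class MacLevel(Enum):            # mission assurance category (criticality)
    I = 1
    II = 2
    III = 3


class Confidentiality(Enum):     # confidentiality level fixed at registration
    CLASSIFIED = "Classified"
    SENSITIVE = "Sensitive"
    PUBLIC = "Public"


class Status(Enum):              # per-control status recorded on the Scorecard
    C = "Compliant"
    NC = "Non-Compliant"
    NA = "Not Applicable"


# Constructed baselines: a higher MAC level or confidentiality level adds controls.
MAC_BASELINE = {
    MacLevel.I:   {"CTRL-AVAIL-1", "CTRL-AVAIL-2", "CTRL-AVAIL-3"},
    MacLevel.II:  {"CTRL-AVAIL-1", "CTRL-AVAIL-2"},
    MacLevel.III: {"CTRL-AVAIL-1"},
}
CL_BASELINE = {
    Confidentiality.CLASSIFIED: {"CTRL-CONF-1", "CTRL-CONF-2", "CTRL-CONF-3"},
    Confidentiality.SENSITIVE:  {"CTRL-CONF-1", "CTRL-CONF-2"},
    Confidentiality.PUBLIC:     {"CTRL-CONF-1"},
}

# Constructed validation results: control id -> (status, finding text).
SAMPLE_VALIDATION = {
    "CTRL-AVAIL-1": (Status.C, ""),
    "CTRL-AVAIL-2": (Status.NC, "backup restore never tested"),
    "CTRL-CONF-1": (Status.C, ""),
    "CTRL-CONF-2": (Status.NA, "no remote users on this enclave"),
}
ACCREDITATION_DATE = date(2009, 4, 29)   # constructed sample date


@dataclass
class ScorecardEntry:
    control: str
    status: Status
    finding: str


@dataclass
class PoamItem:
    control: str
    weakness: str
    milestone: date


def assign_ia_controls(mac, cl):
    """Assigning IA Controls: the baseline is the union of the MAC and CL sets."""
    return sorted(MAC_BASELINE[mac] | CL_BASELINE[cl])


def build_scorecard(controls, validation):
    """Enter results into the DIACAP Scorecard.

    A baseline control with no validation result is recorded as Non-Compliant
    with the finding "not validated": an untested control is not compliant.
    """
    return [ScorecardEntry(c, *validation.get(c, (Status.NC, "not validated")))
            for c in controls]


def prepare_poam(scorecard, start, days_to_fix=90):
    """Prepare POA&M (if necessary): one item per Non-Compliant control."""
    return [PoamItem(e.control, e.finding, start + timedelta(days=days_to_fix))
            for e in scorecard if e.status is Status.NC]


def compliance_summary(scorecard):
    """(compliant, applicable) counts; NA controls leave the denominator."""
    applicable = [e for e in scorecard if e.status is not Status.NA]
    return sum(e.status is Status.C for e in applicable), len(applicable)


def _add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:           # 29 Feb with a non-leap target year
        return d.replace(year=d.year + n, day=28)


def review_schedule(accreditation):
    """Annual IA control reviews, then reaccreditation every 3 years."""
    return {"annual_reviews": [_add_years(accreditation, n) for n in (1, 2)],
            "reaccreditation": _add_years(accreditation, 3)}


if __name__ == "__main__":
    ctrls = assign_ia_controls(MacLevel.II, Confidentiality.SENSITIVE)
    card = build_scorecard(ctrls, SAMPLE_VALIDATION)
    for e in card:
        print(f"{e.control:13} {e.status.value:15} {e.finding}")
    print("POA&M:", [(p.control, p.milestone.isoformat())
                     for p in prepare_poam(card, ACCREDITATION_DATE)])
    print("compliant/applicable:", compliance_summary(card))
    print(review_schedule(ACCREDITATION_DATE))
```

Two design points carry over to real C&A tooling: a control that was assigned but never validated is scored Non-Compliant rather than silently omitted, so it surfaces on the POA&M; and Not Applicable controls are excluded from the compliance ratio but remain on the Scorecard with the justification recorded, which is what a CA reviews when making the certification determination.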
Sample Architecture

System Identification Profile (SIP)

DIACAP Implementation Plan (DIP)

DIACAP Scorecard

DIACAP POA&M

Findings
• The project was not as simple as running the I-Assure tool to generate the deliverables.
• There is not a lot of documentation online regarding DIACAP.

Conclusion
• The following was learned from this research project:
  – The DIACAP methodology.
  – The usage of a third-party tool (I-Assure) in implementing DIACAP.

References
• Cooper, Ronald. Boeing Mentor.
• http://www.i-assure.com
• Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment. Retrieved from http://iase.disa.mil/eta/diacap/index.htm