Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

Practical DIACAP Implementation

advertisement 
Practical DIACAP
Implementation
CS526 Research Project
by Michael J. Cohen
4/29/2009
4/29/2009
Michael J. Cohen
1
Agenda
• Research Objectives
• The Global Information Grid
• Introduction to DIACAP
• The Process
• The DIACAP Package
• Findings
4/29/2009
Michael J. Cohen
2
Research Objectives
• Assist Boeing with instruction for new
Information Assurance Professionals on what
DoDI 8500.1 (DIACAP) is and how it is
applied.
• Use a sample architecture provided by
Boeing to demonstrate the implementation of
DIACAP.
4/29/2009
Michael J. Cohen
3
Related Research
•
Hurkute S., Bele K., Nam, S., et. al. 2007. “Apply DITSCAP to
Evaluate a PTC based Secure E-Voting System”.
– Retrieved from
http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/EvotingDITSCAPProject.ppt
•
Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”.
– Retrieved from
http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIA
CAPClassPresentation.ppt
4/29/2009
Michael J. Cohen
4
The Global Information Grid
“The Global Information Grid1 (GIG) consists of information capabilities –
information, information technology (IT), and associated people and
processes that support Department of Defense (DoD) personnel and
organizations in accomplishing their tasks and missions – that enable the
access to, exchange, and use of information and services throughout the
Department and with non-DoD mission partners. The principal function of
the GIG is to support and enable DoD missions, functions, and operations.
Therefore, the way that DoD warfighters, business and intelligence
personnel operate must drive the way the GIG is designed, developed,
acquired, implemented, and operated.”
-The DoD Global Information Grid Architectural Vision (2007)
4/29/2009
Michael J. Cohen
5
4/29/2009
Michael J. Cohen
6
DoD Global Information Grid
•
Examples of DoD Systems include:
– Joint Tactical Radio System (JTRS)
– Warfighter Information Network Tactical (WIN-T)
– Intelligence Community System for Information Sharing (ICSIS)
•
What do these systems have in common?
– They must not be compromised in terms of:
• Confidentiality
• Integrity
• Availability
4/29/2009
•
J. Cohen
Information Assurance is anMichael
understandable
concern.
7
DIACAP
• Department of Defense (DoD)
• Information
• Assurance
• Certification and
• Accreditation
• Process
• This process ensures that a DoD information system meet the
appropriate security policies throughout its entire lifecycle.
4/29/2009
Michael J. Cohen
8
Why is a process necessary?
• Defines the steps necessary to implement the
security policies.
• Guarantees that security requirements are
implemented consistently throughout the
system.
• Creates a paper trail.
4/29/2009
Michael J. Cohen
9
3 Components Needed for Implementation
• The DIACAP Process
• DIACAP Knowledge Service
– Online knowledge base maintained by the DoD
that contains the most current information on IA
controls.
• Automated C&A Tool that automates workflow
– DoD recommends eMASS (Enterprise Mission
Assurance Support Service)
– Boeing uses the I-Assure DIACAP Toolset
4/29/2009
Michael J. Cohen
10
The DIACAP Process
4/29/2009
Michael J. Cohen
11
Tasks for Initiating and Planning IA C&A
• Registering the System
– System is registered with the DoD
– Confidentiality level is defined
• Assigning IA Controls
– Security requirements are defined based on the
level of mission criticality (MAC level) and
confidentiality
• Assembling the DIACAP Team
• Initiating the Implementation Plan
4/29/2009
Michael J. Cohen
12
DIACAP Implementation Team Roles
•
Designated Accrediting Authority (DAA)
– Signs off on Accreditation status
– Ultimately responsible for the system
•
Certifying Authority (CA)
– Makes the certification recommendation
– Oversees those performing the evaluation
•
Information Assurance Officer (IAO)
– Ensures that appropriate security is maintained on the system
•
Information Assurance Manager (IAM)
– Coordinates and supports the missions of the other team members
– Technical Lead
4/29/2009
Michael J. Cohen
13
DIACAP Implementation Roles (cont.)
•
Program Manager / System Manger (PM/SM)
– Manages Implementation
•
User Rep
– Represents the user community to ensure that user needs of the
system are met
4/29/2009
Michael J. Cohen
14
Tasks for Implementing & Validating IA Controls
• Executing the Implementation Plan
• Conduct validation
• Prepare POA&M (if necessary)
• Enter results into DIACAP Scorecard
4/29/2009
Michael J. Cohen
15
Tasks for Certification & Accreditation Determination
•
The CA makes a certification determination
– Based on actual results of the implementation and testing of IA
controls
•
The DAA issues an accreditation decision
– Based on the CA’s recommendation along with the mission and
business need.
•
DAA’s decision can be one of the following:
– Authorization to Operate (ATO)
– Interim Authorization to Operate (IATO)
– Interim Authorization to Test (IATT)
– Denial of Authorization to Operate (DATO)
•
All systems must be reaccredited every 3 years
4/29/2009
Michael J. Cohen
16
Tasks for Maintaining Authorization to Operate
• Managed by IAM
• Maintaining situational awareness
• Maintaining security
• Initiate corrective action when necessary
• Conduct annual reviews of IA controls
4/29/2009
Michael J. Cohen
17
Tasks for Decommissioning
• Make sure there are no negative impacts to
other systems
• Update the SIP
• Remove and dispose of POA&M and DIACAP
scorecard from all tracking systems
• Retire system according to the appropriate
requirements and procedures
4/29/2009
Michael J. Cohen
18
DIACAP Package
• Generated through the implementation of the
DIACAP process.
• Comprehensive Package Contents:
– System Identification Profile (SIP)
– DIACAP Implementation Plan (DIP)
– DIACAP Scorecard
– IT Security Plan of Action & Milestones (POA&M)
(Optional)
– Supporting Certification Documentation
4/29/2009
Michael J. Cohen
19
Sample Architecture
BACKUP SITE
Converted
For Use (i.e. A to D)
`
WS 1-12
PROCESS IMAGE
(WINDOWS XP)
Router
Server 1
MANAGE IMAGE
(UNIX OS)
ARCHITECTURE
4/29/2009
Michael J. Cohen
20
System Identification Profile (SIP)
4/29/2009
Michael J. Cohen
21
DIACAP Implementation Plan (DIP)
4/29/2009
Michael J. Cohen
22
DIACAP Scorecard
4/29/2009
Michael J. Cohen
23
DIACAP POA&M
4/29/2009
Michael J. Cohen
24
Findings
• The project was not as simple as simply
running the I-Assure tool to generate the
deliverables.
• There is not a lot of documentation online
regarding DIACAP.
4/29/2009
Michael J. Cohen
25
Conclusion
• The following was learned from this research
project:
– The DIACAP methodology.
– The usage of a third party tool (I-Assure)
tool in implementing DIACAP.
4/29/2009
Michael J. Cohen
26
References
•
Cooper, Ronald. Boeing Mentor.
•
http://www.i-assure.com
•
Department of Defense. (2009). DIACAP Training Module. DoD
Information Assurance Support Environment.Retrieved from
http://iase.disa.mil/eta/diacap/index.htm
4/29/2009
Michael J. Cohen
27
4/29/2009
Michael J. Cohen
28
Related documents
Power Effect Size PowerPoint
Power Effect Size PowerPoint
The Great Gatsby and Elizabeth Barrett Browning Thesis
The Great Gatsby and Elizabeth Barrett Browning Thesis
Question 3—Argument
Question 3—Argument
One-Way BG ANOVA
One-Way BG ANOVA
Slide 1
Slide 1
Ministry of Finance Acting Director General Talks at the 12th Annual
Ministry of Finance Acting Director General Talks at the 12th Annual
CLASS SYLLABUS
CLASS SYLLABUS
Download
advertisement