Slide 1: Title
Christopher P. Cabuzzi, CS 591
Defense Information Assurance Certification & Accreditation Process (DIACAP)
Chris Cabuzzi, DIACAP, 12/8/10
1
Slide 2: Purpose
- DoD approach to Information Systems (IS) risk management on an enterprise level
- Mandated Information Assurance (IA) controls and a Certification & Accreditation process to standardize and align DoD ISs
- Reduce risk to the lowest level possible to maintain the integrity, security and availability of mission-critical systems
- Establish a chain of responsibility from Information Assurance Officers (IAOs) all the way to the Designated Approval Authority (DAA), who is ultimately responsible for accepting the "risk" of the IS
Slide 3: Methodology / Approach
- Assumption that all ISs have risks that cannot be completely eliminated (centered on risk management / acceptance)
- DoD definition of an IS includes personnel who use and administer the system, not just the system itself
- IA controls implemented for an IS depend on the Mission Assurance Category (MAC) of the system, as well as the Classification Level (CL)
- Recertification / Decommissioning activities are included in the IS lifecycle (including changes to the IS that may affect its security posture)
- Goal is to obtain an "Authority to Operate" the IS
Slide 4: Parts of a DIACAP Package
- System Identification Profile (SIP) – List of system characteristics needed to register the IS with the governing DoD component
- DIACAP Implementation Plan (DIP) – Defines IA controls, completion dates, responsible parties and implementation status
- Supporting Certification Documentation – Validation results such as system scans and "artifacts" used to support accreditation
- DIACAP Scorecard – Results of implementation of baseline IA controls and the accreditation decision of the DAA
- Plan of Actions and Milestones (POA&M) – List of required actions needed to complete the DIP and earn "full" accreditation
Slide 5: DIACAP Phases and Activities
- Phase 1 – Initiate and Plan
- Phase 2 – Implement and Validate
- Phase 3 – Make C&A Decisions
- Phase 4 – Maintain ATO (Review and Update)
- Phase 5 – Decommission
Slide 6: Questions?