
A Crosswalk of the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP)
John McLain
Louisville InfoSec 2014
(Hacking Illustrated Series InfoSec Tutorial Videos)

The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the current model the Army utilizes to certify and accredit network boundaries. This presentation is an overview and crosswalk of this process. Additionally, there will be a brief discussion on the transition from DIACAP to the Risk Management Framework (RMF).

Outline:

I. Introduction (Certification and Accreditation History)
   a. System Security Authorization Agreement (SSAA)
   b. DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
   c. DoD Information Assurance Certification and Accreditation Process (DIACAP)
   d. Risk Management Framework (RMF)
II. DIACAP Crosswalk
   a. Regulations
      i. Army Regulation 25-1 – Army Information Technology
      ii. Army Regulation 25-2 – Information Assurance
      iii. Army Regulation 380-5 – Department of the Army Information Security Program
      iv. DoD Directive 8500.1 – Information Assurance
      v. DoD Directive 8500.2 – Information Assurance Inspection Program
   b. Cross Walk
      i. Network Classification
         a. MAC I, Classified
         b. MAC I, Sensitive
         c. MAC I, Public
         d. MAC II, Classified
         e. MAC II, Sensitive
         f. MAC II, Public
         g. MAC III, Classified
         h. MAC III, Sensitive
         i. MAC III, Public
      ii. Items Inspected
         1. Information Assurance (IA) Documentation Controls = 161
            a. Physical Files
               i. Log Sheet
               ii. IA Control Procedure Name and Description with list of artifacts that validate control
               iii. Artifacts
            b. Electronic Files
               i. IA Control Procedure Name and Description with list of artifacts that validate control
               ii. Artifacts
         2. Physical Security Inspections
            a. Unclassified
               i. Facilities
               ii. Equipment
            b. Classified
               i. Facilities
               ii. Equipment
         3. Technical Controls
            a. Network
               i. Security Technical Implementation Guides (STIGs)
               ii. Retina Scan/Security Content Automation Protocol (SCAP) scan
            b. Applications
               i. Retina Scan
               ii. SCAP Scan
               iii. Knowledge Management
                  1. Physical Files
                  2. Electronic Files
                  3. SharePoint
      iv. Authorized Certification Authority (ACA) inspection
         1. The art of inspections
            a. ACA Map
            b. DIACAP Philosophy
            c. Inspection Outline
         2. Cross walking the inspectors
            a. Inspections
            b. Hot washes
            c. Results
               i. Interim Authority to Operate (IATO)
                  1. Deficiencies found
                  2. Mitigation dates defined
               ii. Authorization to Operate (ATO)
                  1. Minimal deficiencies found
                  2. Once the Designated Approval Authority (DAA) signs, assuming the unmitigated risk, the network is accredited
III. The future
   a. Risk Management Framework (RMF)
      i. Similarities
         1. Documentation Controls
         2. Physical Controls
         3. Technical Controls
      ii. Dissimilar
         1. Naming conventions
         2. Cyber security controls

About the speaker:

John McLain is the founding President of the ISC2 Kentucky Triangle Chapter, serving Lexington and Louisville, Kentucky, as well as Indiana. He is a Major in the US Army with over twenty-nine years of service and twenty years in the IA field. Additionally, John has over ten years' experience with the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP). He was the 2012 Finalist for the ISC2 Government Information Security Leadership Award (GISLA) for his process and policy improvements in deploying the DIACAP while stationed at the 9th Mission Support Command in Hawaii (2009-2012). John is currently the Chief of the Information Assurance Office and the Command Information Assurance Program Manager (IAPM) for the Human Resources Command at Fort Knox. Note: he is not presenting as an Army spokesperson.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast