I-Assure Forums / DIACAP Toolset / Suggestions and Feature Requests

FISMA, NIST, OMB and PII information listings

jaylangham — Mon, 12 Mar 2007 15:02:56 GMT

I just downloaded and played with the tool today. I have a few recommendations/questions.

DIACAP requires using the NIST 800-53 yet I don't see a recognizable 53 mapping (looking for the 21 families) for requirements. Did I miss it?

OMB requirements are also not truly defined for Personal Information in Identifiable Form (PII or IFF data) HSPD-12 should be the source. (NIST has promised a PII authoritative reference but has not delivered)

FISMA / NIST applications could be an easy inclusion for the tool. (I'm looking at contractors that are trying to meet DoD and Federal standards)

Also, the standardized testing for the requirements could be included.

NIST Accreditation Toolset

Theresa.Smith — Thu, 08 Oct 2009 11:50:12 GMT

I have read that a NIST accreditation toolset was set to be realeased and cannot find it anywhere. Has it been released yet and if not, is there still a plan for it?

Thanks!

DCID 6/3 Toolset

DaneyMi — Thu, 09 Apr 2009 10:21:54 GMT

Can anyone tell me when or if there is a free toolset for DCID 6/3. I was using the DIACAP (8500.2) free toolset for a good while, and loved it. But my new position requires me to use the DCID 6/3 COntrols, which are pretty closely related really. Just wondering if anything is out there right now, or soon will be. Sure makes life a whole lot easier. Thanks.

Error in Beta and Release

sfaulconer — Wed, 24 Jun 2009 10:40:05 GMT

I've installed the released version (3.0.1) and the Beta (3.1.1) and I'm getting the same error just moving through / manipulating projects. On the Beta (the version I currently have installed). I generated this error trying to delete the TEST2 project included in the Beta version:

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application wil close immediately.

Conversion from string "0" to type 'Double' is not valid.

Details:
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.InvalidCastException: Conversion from string "0" to type 'Double' is not valid. ---> System.FormatException: Input string was not in a correct format.
at Microsoft.VisualBasic.CompilerServices.Conversions.ParseDouble(String Value, NumberFormatInfo NumberFormat)
at Microsoft.VisualBasic.CompilerServices.Conversions.ToDouble(String Value, NumberFormatInfo NumberFormat)
--- End of inner exception stack trace ---
at Microsoft.VisualBasic.CompilerServices.Conversions.ToDouble(String Value, NumberFormatInfo NumberFormat)
at Microsoft.VisualBasic.CompilerServices.Conversions.ToDouble(String Value)
at I_Assure_DIACAP_Toolset.modChart.AddACCSTATUSChart()
at I_Assure_DIACAP_Toolset.modChart.CreateACCStatusChart()
at I_Assure_DIACAP_Toolset.frmMain.RefreshExistingProjects()
at I_Assure_DIACAP_Toolset.frmMain.DeleteProject()
at I_Assure_DIACAP_Toolset.frmMain.UltraToolbarsManager1_ToolClick(Object sender, ToolClickEventArgs e)
at Infragistics.Win.UltraWinToolbars.UltraToolbarsManager.OnToolClick(ToolClickEventArgs e)
at Infragistics.Win.UltraWinToolbars.UltraToolbarsManager.FireEvent(ToolbarEventIds id, EventArgs e)
at Infragistics.Win.UltraWinToolbars.ToolBase.OnToolClick()
at Infragistics.Win.UltraWinToolbars.ButtonToolUIElement.DoClickProcessing(MouseEventArgs e)
at Infragistics.Win.UltraWinToolbars.ButtonToolUIElement.OnMouseUp(MouseEventArgs e)
at Infragistics.Win.ControlUIElementBase.ProcessMouseUpHelper(Object sender, MouseEventArgs e)
at Infragistics.Win.ControlUIElementBase.ProcessMouseUp(Object sender, MouseEventArgs e)
at Infragistics.Win.Utilities.ProcessEvent(Control control, ProcessEvent eventToProcess, EventArgs e)
at Infragistics.Win.UltraControlBase.OnMouseUp(MouseEventArgs e)
at Infragistics.Win.UltraWinToolbars.UltraToolbarsDockArea.OnMouseUp(MouseEventArgs e)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativewindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativewindow.WndProc(Message& m)
at System.Windows.Forms.Nativewindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************

My system has .Net installed (versions 1.1, 2.0 and 3.5SP1) and I'm running XP SP3.

Thanks!

IA Control Artifacts

vytuarte — Tue, 04 Mar 2008 16:18:42 GMT

Have you seen below error when inserting an artifact?

Unhandled exception has occurred in your application. If you click continue, the application will ignore this error and attempt to continue. If you click quit, the application will close immediately.

Could not find a part of the path 'C:\Program Files\I-Assure\DIACAP Toolset\artifacts\AFNEWS\XXX.ext.

Thanks.

Virginia

Certification Test Plan vs Security Test Plan

pointguard76 — Thu, 15 Jan 2009 12:21:26 GMT

As far as content is concerned, what is the difference in the CTP versus the STP and chronologically, when should they be administered. I noticed that you host a STP as an artifact on the site, would you happen to have samples of a CTP to post?

v/r pg76

Validation Procedures - Export .xls

otterit — Wed, 14 May 2008 06:21:27 GMT

Recommend providing the users the capability to export the Validation Procedures to a standard table/worksheet (.xls). Right now, the toolset attempts to translate the actual format of the validation procedures layout rather than placing the content into the correct columns of a table. The same thing happens with a .csv.

Regards,

Validation Procedures report

Guntherm — Fri, 09 Jan 2009 05:39:47 GMT

When you run the Validation report is doesn't populate the Validation Procedure Name field in the report.

Field Sizes in the Access DB

millsks — Wed, 01 Oct 2008 11:55:45 GMT

Sorry about this, but some of the programs that i deal with went over board when they named their application. I made a quick fix by updating the field size in the Access DB table, but just wanted to give you a heads up. The field that I updated was SYSTEMNAMEID in the PROJECT table. I left it as a TEXT field, but updated it from 50 to 255. Didnt see any reason to switch it to a MEMO.

Kevin.

Customizing the IA controls

warnerd — Thu, 10 Jan 2008 15:13:53 GMT

I work for the Dept of the Army certifying "platform IT" and alot of our systems dont have servers, PCs, etc. MILES is one of our systems. MILES is basically laser tag on a grand scale. The system for a soldier has a set of wireless laser detectors, and laser transmitter, and a radio to send kills and trigger pulls. The problem here is that most of the IA controls for a MAC III Sensitive system do not apply.

Request:

Would like to be able to create custom control sets for my programs. Be able to create for instance a "standalone" computing system control set based the IA controls.

In creation you could identify the following

The MAC level

The conf level

Then highlight the controls which apply to the system and save the new template and call it whatever you like.

My latest work is on a MILES system that 90% of the controls dont apply. I guess i could clone the project but it would be nice to create custom control sets.

IA controls

sjlyon5 — Tue, 05 Feb 2008 09:55:25 GMT

Is it possible to have a report be developed which explains the IA controls. It would basically break down the control take PETC-1 for example I'm guessing it means (Physical environment temperature control). When I have to send out the validation procedures for responses not all the responsible parties understand what the controls mean. This would provide them with a guide to easily find the controls they need to answer.

DIACAP ScoreCard

Here2StayOH — Thu, 03 May 2007 13:39:54 GMT

Would it be possible to add another item to the Compliant/Non-compliant drop down on the DIACAP Scorecard? The item would be "Not Yet Assessed (NYA)". We have systems that are in development and test that we haven't determined how a particular IA Control is going to be met and the three choices available "Compliant", "Non-Compliant", and "N/A" don't really give the true status of the control.

DIP (Planned) to POA&M

otterit — Thu, 04 Oct 2007 23:23:54 GMT

Recommend DIACAP toolset provide a prompt asking the use if they would like to automatically populate the POA&M based on the information provided in the DIP or Scorecard. The toolset could ask, "Would you like to add the "Planned" control in the POA&M?". A positive response would move the control number and risk information right into the POA&M. The tool could then ask the uesr if they would like to provide amplifying information such as costs and milestones.

The same concept could apply to non-compliant (NC) controls in the scorecard.

toolset feature

lars — Mon, 14 Aug 2006 13:08:58 GMT

I downloaded the toolset today, installed and ran. One of the tabs in the bottom right frame titled "IA Control Validation Text" is grayed out on my version. Do I need a different license to enable this? Thanks.

Everything else ran fine. And thanks - for automating what is described in the interim CA guidance, July 06.

Is anyone out there actually initiating a DIACAP, as opposed to transitioning from DITSCAP for their project?

Developmental Test

DIACAP4DT&E — Mon, 14 Aug 2006 09:58:54 GMT

Networks and instrumentation used for data acquisition during Developmental Testing are a unique breed. Often the DoD and Service specific regulations for Information Assurance do not address the specific needs of this community.

I'd hope this topic can discuss areas of interest to this unique community ... which I see including the Major Range and Test Facility Base (MRTFB) installations, Installations connected by the DREN, and HPC networks. Data Acquisition systems could be connected to the test item either by hard-wire or wirelessly. How do we secure these systems? Do we apply the same rules/procedures as those used for the NIPRNET? Do we connect to the NIPRNET?

Any and all information in this area would be greatly appreciated.

Thanks for your time.

Realingment of IA Controls

edwards — Tue, 05 Feb 2008 08:48:13 GMT

As stated in the DODD 5200.28 paragraph 4.3 "The safeguarding of information and AIS resources (against sabotage, tampering, denial of service, espionage, fraud, misappropriation, misuse, or release to unauthorized persons) shall be accomplished through the continuous employment of safeguards consisting of administrative, procedural, physical and/or environmental, personnel, communications security, emanations security, and computer security (i.e., hardware, firmware, and software), as required. The mix of safeguards selected shall achieve the requisite level of security or protection.”

It would be beneficial for all if the IA controls were grouped into safeguard groupings with subsequent Subject Matter Areas (SMA) for a a more feasible process of completing a C&A Package. Each SMA would have multiple sub-questions for a compilation or percentage tabulation for showing compliance. These SMA's would be linked to the POAM and DIP for failed controls and vice versa in that when a control is mitigated in any of the three document a dominio effects is implemented in order to lessen the need to repeat the same entry over again. Example provided.

Adminstrative	Transmission Security	Configuration Security	Personnel Security	Physical Security	Operations Security
Subject Matter Areas	Subject Matter Areas	Subject Matter Areas	Subject Matter Areas	Subject Matter Areas	Subject Matter Areas
Security Education Training and Awareness Training (SETAP)	Partitioning	Remote Access	Personnel	Facility Description	Acquistion Plan
System Rules of Behavior	Shared Resources	Functionality Checks	Limited Access Authorizations	Access Control	Resources

Add artifacts to DIACAP Implementation Tab

warnerd — Fri, 11 Jan 2008 08:40:52 GMT

I would like to see an additional Column that we can add text to in order to assign the IA controls to an artifact.

When you open a project there are 3 tabs and they are the project summary, DIP plan, and DIACAP scorecard page. Clicking the DIP plan brings up the DIACAP Implementation Plan page.

I would like to see an additional column named "artifact" which allows us to assign controls to an artifact. For instance. The DCFA-1 control is satisfied by our Information Security Plan (ISP). It would be nice when completed the DIP to be able to see the controls and the artifact which satisfies the control. Makes is easier to manage with so many controls. I am using the resources tab right now so I guess it will work for now.

The column could be blank and allow us to put the name of the artifact we assign to it in the box.

DCFA-1

Functional Architecture for AIS Applications

ISP

Source

Fri, 09 Mar 2007 09:10:48 GMT

I understand that the source for the DIACAP Toolset is available according to the license agreement. How do you get the source? Is there a support or development group for modifying the source?

Cheers
Vern

Is it possible to update a record on the toolset?

lectrik1 — Fri, 18 Aug 2006 12:14:37 GMT

I downloaded the toolset today and have been checking it out. So far, I like what I am seeing. I was wondering if there was a way of editing or updating a record once it has been created. For example, if you initially put the status as Unaccredited and then later it gets an IATO, is it possible to change the status without having to recreate the whole record? How about changing names within the record? What happens if the DAA changes? I would appreciate any answer. I really like this product and I hope there is a way to make the changes without having to recreate the record. Thanks.