﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>I-Assure Forums / Information Assurance / DIACAP </title><generator>InstantForum.NET v4.1.4</generator><description>I-Assure Forums</description><link>http://www.i-assure.com/forums/</link><webMaster>forums@i-assure.com</webMaster><lastBuildDate>Sat, 31 Jul 2010 20:21:00 GMT</lastBuildDate><ttl>20</ttl><item><title>DISA STIG Checklist Workflows - Anyone Seen these?</title><link>http://www.i-assure.com/forums/Topic957-5-1.aspx</link><description>The attached doc is very valuable to documenting the responses to manual checklists.  I've posted the Network - Firewall STIG checklist from April but I don't have more recent copies of this.  I'd be willing to share my versions (I have all STIG checklists dated on April '10) but don't know if you have access to more recent copies.  &lt;P&gt;Also, please share your thoughts of these if you've never seen this before...&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Tim</description><pubDate>Tue, 20 Jul 2010 15:34:55 GMT</pubDate><dc:creator>TWest101</dc:creator></item><item><title>Scan Result Repository</title><link>http://www.i-assure.com/forums/Topic954-5-1.aspx</link><description>Is anyone familiar with a tool that can import and report on the scan result data for devices?  We use all of the DoD Site CD tools and have created our own monster access DB but it's becoming a bit much to handle.  Are there products you're familiar with to manage this data?</description><pubDate>Tue, 20 Jul 2010 14:02:18 GMT</pubDate><dc:creator>TWest101</dc:creator></item><item><title>IATT</title><link>http://www.i-assure.com/forums/Topic952-5-1.aspx</link><description>I have to give management a timeline of how long it will take to submit an IATT package to the DAA. 
My marching orders are to do a complete DIACAP executive package and the IACORA minimum IATT requirements as well as the AR Closed Restricted Network BBP option is out. Unfortunately, we do not have the networking hardware and will have to rely on the NEC for that. Deadline is 31 Jul. Anyone have any suggestions on the best way to get there in that time frame? This is for a MAC II Sensitive VM development environment.&lt;/P&gt;&lt;P&gt;It's really frustrating to explain to the system owners/stakeholders the processes involved when they can't even spell DIACAP.</description><pubDate>Wed, 23 Jun 2010 09:37:10 GMT</pubDate><dc:creator>MDIA</dc:creator></item><item><title>PIT</title><link>http://www.i-assure.com/forums/Topic852-5-1.aspx</link><description>I am looking for a sample Platform Information Technology (PIT) submittal package for PIT designation.</description><pubDate>Thu, 10 Sep 2009 09:26:31 GMT</pubDate><dc:creator>jcisco</dc:creator></item><item><title>Authority to Connect (ATC not ATO)</title><link>http://www.i-assure.com/forums/Topic946-5-1.aspx</link><description>I have been told that after an ATO has been issued, it is necessary to acquire an ATC for the system before the ARMY will allow the system to be connected.  The ATC process is defined by DISN.&lt;br&gt;&lt;br&gt;I realize that this may not be the best place for this post, however that being said, I think that this discussion would not only benefit me, but the IA community.&lt;br&gt;&lt;br&gt;QUESTION: is an ATC necessary for each DIACAP-ed system or is it only necessary for establishing a network that needs a connection point to the DISN network?  My reading indicates that the former is true, however, I am hoping someone will tell me that this is incorrect and provide an example \ reference.  
Constructive comments are highly appreciated: Thanks!</description><pubDate>Mon, 14 Jun 2010 15:28:31 GMT</pubDate><dc:creator>gatorback</dc:creator></item><item><title>Security Awareness Posters - Removable Media/Thumb drives</title><link>http://www.i-assure.com/forums/Topic936-5-1.aspx</link><description>We're looking for posters that talk to the risks of removable media (e.g., thumb drives, flash media).  &lt;br&gt;&lt;br&gt;Anyone know of a good location to find posters/flyers that we can use in a work center??&lt;br&gt;&lt;br&gt;Thanks in advance,&lt;br&gt;&lt;br&gt;</description><pubDate>Fri, 05 Mar 2010 14:00:09 GMT</pubDate><dc:creator>07caddy</dc:creator></item><item><title>DIACAP and COTS</title><link>http://www.i-assure.com/forums/Topic881-5-1.aspx</link><description>I have a COTS based system (totally supplied by the vendor and offered to both Government and Commercial customers, not just DoD)  which had a DITSCAP ATO and needs to be renewed.  I'm being told by my DAA that the DIACAP does not apply to COTS products only the system in which the COTS is being used?  Is this correct?  What if the COTS is being used on the network? If not DIACAP what is necessary?</description><pubDate>Wed, 07 Oct 2009 12:55:19 GMT</pubDate><dc:creator>rwool</dc:creator></item><item><title>Category I Vulnerabilities During IATT</title><link>http://www.i-assure.com/forums/Topic817-5-1.aspx</link><description>DoDI 8510.1 only covers the disallowance of Category I vulnerabilities under ATO.  It does not say anything about the condition of known Category I vulnerabilities in order to receive an IATT.  
&lt;br&gt;&lt;br&gt;Are Category I vulnerabilities an absolute impediment to an IATT even if it is planned to resolve these weaknesses by the time the test period concludes and the DIACAP package is submitted for an ATO?</description><pubDate>Wed, 17 Jun 2009 16:58:26 GMT</pubDate><dc:creator>Dave3221</dc:creator></item><item><title>Type-accreditation vs Site-accreditation</title><link>http://www.i-assure.com/forums/Topic911-5-1.aspx</link><description>&lt;br&gt;I am about to do a local DIACAP on a Program of Record system that is type-accredited.&lt;br&gt;&lt;br&gt;Am I to assume that I can take all the IA Controls that were addressed at the Program Management Office-level and automatically apply them to the local DIACAP package?  Or should I validate every IA Control to ensure that the local administrators have installed the systems according to PMO guidance?&lt;br&gt;&lt;br&gt;On one hand, it seems like I'd be doing work that was already done, but on the other hand, I feel like I need to make sure the local implementation of the Managed System was performed according to specs.&lt;br&gt;&lt;br&gt;</description><pubDate>Mon, 23 Nov 2009 12:56:35 GMT</pubDate><dc:creator>jimbob</dc:creator></item><item><title>DIACAP vs. AF EITDR</title><link>http://www.i-assure.com/forums/Topic827-5-1.aspx</link><description>Has EITDR completely replaced DIACAP? I understand that as you complete EITDR requirements, you are basically completing the DIACAP process as well. Please pass on your thoughts, likes and dislikes about the EITDR process, is it better than DIACAP, is it more paper-driven? I'm interested in your thoughts.   </description><pubDate>Thu, 02 Jul 2009 13:01:26 GMT</pubDate><dc:creator>Cville</dc:creator></item><item><title>DIACAP requirement for third party validation</title><link>http://www.i-assure.com/forums/Topic932-5-1.aspx</link><description>Is third party validation required for DIACAP? 
</description><pubDate>Thu, 25 Feb 2010 10:22:48 GMT</pubDate><dc:creator>cinottkj</dc:creator></item><item><title>'Artifacts Matrix'</title><link>http://www.i-assure.com/forums/Topic928-5-1.aspx</link><description>I noticed a post (from 7 July 2007) on the 'DIACAP Certification Plan Timeline' forum, mention of an 'Artifacts Matrix'. Please let me ask if this matrix - or anything similar - is available?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;David</description><pubDate>Sat, 20 Feb 2010 15:03:47 GMT</pubDate><dc:creator>IAUhOh</dc:creator></item><item><title>PIA for SharePoint environment</title><link>http://www.i-assure.com/forums/Topic921-5-1.aspx</link><description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We are working a PIA for our SharePoint environment.&lt;/P&gt;&lt;P&gt;One question that has been posed involves how to handle the PIA given that we are actively developing custom solutions within the SharePoint framework.&lt;/P&gt;&lt;P&gt;If multiple custom SharePoint applications are deployed within the same SharePoint instance, can these be accounted for in advance?&lt;/P&gt;&lt;P&gt;We are trying to avoid a situation in which a PIA would be needed for each custom application.  
Most of these applications are very small and collect some PII, primarily inheriting it from Active Directory.&lt;/P&gt;&lt;P&gt;What say you?&lt;/P&gt;</description><pubDate>Tue, 09 Feb 2010 10:46:10 GMT</pubDate><dc:creator>johnbeatle</dc:creator></item><item><title>Security CONOPS Template?</title><link>http://www.i-assure.com/forums/Topic920-5-1.aspx</link><description>Hello,&lt;br&gt;&lt;br&gt;Does anyone have a Security CONOPS template that they can provide and/or post?  Thank you.</description><pubDate>Mon, 08 Feb 2010 12:51:44 GMT</pubDate><dc:creator>iaeng8</dc:creator></item><item><title>Risk Assessment</title><link>http://www.i-assure.com/forums/Topic916-5-1.aspx</link><description>Does DIACAP require a Risk Assessment for a new system?  If so, what guidance is out there to follow?</description><pubDate>Wed, 13 Jan 2010 11:16:16 GMT</pubDate><dc:creator>clark3rd</dc:creator></item><item><title>Privacy Impact Assessment</title><link>http://www.i-assure.com/forums/Topic912-5-1.aspx</link><description>Does anyone have a template or a document that outlines the process for a Privacy Impact Assessment for a system going through a DIACAP?</description><pubDate>Mon, 04 Jan 2010 11:12:58 GMT</pubDate><dc:creator>clark3rd</dc:creator></item><item><title>Third-party SharePoint webpart</title><link>http://www.i-assure.com/forums/Topic909-5-1.aspx</link><description>3 web part applications.  
2 from codeplex, 1 from a third party.&lt;BR&gt;SharePoint is accredited and these are just subsets of SharePoint.&lt;BR&gt;Does it need to go through the C&amp;amp;A process?&lt;/P&gt;&lt;P&gt;List rollup&lt;BR&gt;&lt;A href="http://store.bamboosolutions.com/ps-32-5-list-rollup-web-part.aspx"&gt;http://store.bamboosolutions.com/ps-32-5-list-rollup-web-part.aspx&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Community Kit&lt;BR&gt;&lt;A href="http://www.codeplex.com/CKS"&gt;http://www.codeplex.com/CKS&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Podcast toolkit&lt;BR&gt;&lt;A href="http://www.codeplex.com/pks"&gt;http://www.codeplex.com/pks&lt;/A&gt;&lt;/P&gt;&lt;P&gt;thanks!</description><pubDate>Fri, 20 Nov 2009 14:50:30 GMT</pubDate><dc:creator>johnbeatle</dc:creator></item><item><title>DIACAP Toolset v3.1 BETA Release</title><link>http://www.i-assure.com/forums/Topic219-5-1.aspx</link><description>The v3.1 BETA release is available for download. The download URL is located under the "&lt;A class=bgBoldLinks id=ctl02_ctlViewForumGroups_ctlForumGroups_ctl04_ctlPanelBar_ctlForums_ctl14_hypForumTitle title="Goto DIACAP Toolset Download..." href="http://www.i-assure.com/forums/Forum12-1.aspx"&gt;DIACAP Toolset Download&lt;/A&gt;" topic within the forum main page. &lt;P&gt;This new version provides the following enhancements:&lt;/P&gt;&lt;P&gt;--Redesigned graphical user interface following Office 2007 design guidelines&lt;BR&gt;--Inline filtering/sorting now available from within the ScoreCard&lt;BR&gt;--Report output redesign&lt;BR&gt;--Enabled FISMA IA controls to be added to project as Supplemental IA controls&lt;BR&gt;--Tied Implementation status to ScoreCard status. 
User selection in DIP will change status in ScoreCard&lt;BR&gt;--Allowed edit of POA&amp;amp;M Weakness statement&lt;BR&gt;--Added ability to mark/label report output with classification designation (edit existing projects, last page of the Wizard contains the option.)&lt;BR&gt;--Added multiple selection option in SIP for additional accreditation vehicles&lt;BR&gt;--Fixed multiple minor bugs&lt;/P&gt;&lt;P&gt;These are major changes to the user interface. We are currently working on an updated Help file, as well as demonstration videos.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;PRIOR TO INSTALLATION, ENSURE THAT YOU HAVE EXPORTED ANY CUSTOM PROJECTS. THESE PROJECTS CAN BE IMPORTED ONCE THE V3.1 BETA IS INSTALLED&lt;/STRONG&gt;</description><pubDate>Thu, 07 Jun 2007 13:37:10 GMT</pubDate><dc:creator>Admin</dc:creator></item><item><title>A table out of the SDD</title><link>http://www.i-assure.com/forums/Topic889-5-1.aspx</link><description>In the below table from the SDD what is expected in the IT Designation column?&lt;/P&gt;&lt;P&gt;Because Secret in the Clearance column and ADP II seem wrong to me.&lt;/P&gt;&lt;P&gt;&lt;TABLE border=1&gt;&lt;THEAD&gt;
&lt;TR&gt;&lt;TD&gt;&lt;B&gt;Role&lt;/B&gt;&lt;/TD&gt;&lt;TD&gt;&lt;B&gt;Name&lt;/B&gt;&lt;/TD&gt;&lt;TD&gt;&lt;B&gt;Clearance&lt;/B&gt;&lt;/TD&gt;&lt;TD&gt;&lt;B&gt;IT Designation&lt;/B&gt;&lt;/TD&gt;&lt;TD&gt;&lt;B&gt;Trained?&lt;/B&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/THEAD&gt;&lt;TBODY&gt;
&lt;TR&gt;&lt;TD&gt;DAA&lt;/TD&gt;&lt;TD&gt;David N. Senty, Maj Gen, USAF&lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;&lt;TD&gt;CA&lt;/TD&gt;&lt;TD&gt;Joseph G. Cronin HQ AFCA/EV&lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;TD&gt; &lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;&lt;TD&gt;IAM&lt;/TD&gt;&lt;TD&gt;Stephen Wolfe&lt;/TD&gt;&lt;TD&gt;SECRET&lt;/TD&gt;&lt;TD&gt;ADP II&lt;/TD&gt;&lt;TD&gt;Security+&lt;/TD&gt;&lt;/TR&gt;
&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/P&gt;&lt;P&gt;Thanks</description><pubDate>Tue, 27 Oct 2009 10:31:06 GMT</pubDate><dc:creator>Stephen.Wolfe</dc:creator></item><item><title>Navy 
DIACAP</title><link>http://www.i-assure.com/forums/Topic466-5-1.aspx</link><description>I saw the Navy just had an RFI for a DIACAP tool.  Is this the DIACAP toolset or eMASS?  If anyone has some scoop it would be appreciated.  Thanks.</description><pubDate>Thu, 31 Jan 2008 10:19:06 GMT</pubDate><dc:creator>tryder</dc:creator></item><item><title>DIACAP Toolset CoNed??</title><link>http://www.i-assure.com/forums/Topic888-5-1.aspx</link><description>I have looked and I can find that one was started, but it was 'closed' with no result.  I looked at the CoN Portal on AKO and found a quote on there from Army Regulation (AR) 25-2:&lt;BR&gt;Army Regulation 25–2&lt;BR&gt;Rapid Action Revision (RAR) Issue Date: 23 March 2009&lt;BR&gt;4–6. Controls&lt;BR&gt;g. Use of “shareware” or “freeware” is prohibited unless specifically approved through IA personnel and by the DAA for a specific operational mission requirement and length of time when no approved product exists. Notify RCIOs and the supporting RCERT/TNOSC of local software use approval.&lt;/P&gt;&lt;P&gt;Now, my organization is frustrated with what we are currently using.  I just today got them to start using (or at least to review for use) the I-Assure artifact templates.  My next push is to try and steer them towards the Toolset.  I have read your license, and I wonder if it's the fact that you say "Free" so much as opposed to "Open Source"??  The Army looks at them TOTALLY differently:&lt;BR&gt;Army Regulation 25–2&lt;BR&gt;Rapid Action Revision (RAR) Issue Date: 23 March 2009&lt;BR&gt;4–6. Controls&lt;BR&gt;h. 
Use of “open source” software (for example, Red Hat Linux) is permitted when the source code is available for examination of malicious content, applicable configuration implementation guidance is available and implemented, a protection profile is in existence, or a risk and vulnerability assessment has been conducted with mitigation strategies implemented with DAA and CCB approval and documentation in the C&amp;amp;A package. Notify RCIOs and the supporting RCERT/TNOSC of local software use approval.&lt;/P&gt;&lt;P&gt;Now I've read the License and it states that the code can be modified (with restrictions I know), that is open source code.  I know it's stupid, I know it might not be a small thing to ask, but can you modify the license to say "free open source" or ...something??  I'm the new guy here, and what we're using only works half the time, we need something that *works* and as far as I'm concerned, that's you guys.  So how do we make this happen?  I'm a contractor.  I know we need a Gov to put the paperwork in, I do work for the DAA/ACA/deputy CIO for my organization, so if I do talk them into using the DIACAP Toolset, this should get some decent momentum.</description><pubDate>Thu, 22 Oct 2009 14:54:24 GMT</pubDate><dc:creator>Graverober</dc:creator></item><item><title>Free DIACAP Toolset</title><link>http://www.i-assure.com/forums/Topic35-5-1.aspx</link><description>Why is DIACAP Toolset being offered for free and even after it is finalized?</description><pubDate>Fri, 25 Aug 2006 10:23:01 GMT</pubDate><dc:creator>doriangray</dc:creator></item><item><title>SSP Template?</title><link>http://www.i-assure.com/forums/Topic645-5-1.aspx</link><description>Can anyone direct me to where I can find a template for an SSP?  This is for a small classroom network.  
&lt;/P&gt;&lt;P&gt;TIA!</description><pubDate>Tue, 05 Aug 2008 12:19:56 GMT</pubDate><dc:creator>rlymus</dc:creator></item><item><title>artifacts vs other documents</title><link>http://www.i-assure.com/forums/Topic879-5-1.aspx</link><description>Is it more helpful to use the template DIACAP artifacts and submit those for answers to questions as opposed to SPIN-C's, SSA's and other documents like that?  What does AFCA prefer?  Does it speed things up by using the template documents?</description><pubDate>Mon, 05 Oct 2009 11:42:52 GMT</pubDate><dc:creator>johnbeatle</dc:creator></item><item><title>CBCP replace COOP?</title><link>http://www.i-assure.com/forums/Topic862-5-1.aspx</link><description>Does the Contingency and Business Continuity Plan replace the need for a COOP Plan? It seems to be duplicate effort. &lt;/P&gt;&lt;P&gt;Thanks, Harry</description><pubDate>Tue, 15 Sep 2009 10:38:14 GMT</pubDate><dc:creator>harryh3o</dc:creator></item><item><title>Reciprocity</title><link>http://www.i-assure.com/forums/Topic866-5-1.aspx</link><description>&lt;P&gt;How would I know what applications or systems the Army / Navy / Air Force have approved and compare them?&lt;/P&gt;&lt;P&gt;Once you find out that you have a match, what next?&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description><pubDate>Wed, 23 Sep 2009 14:30:01 GMT</pubDate><dc:creator>johnbeatle</dc:creator></item><item><title>DIACAP for 
Dummies</title><link>http://www.i-assure.com/forums/Topic725-5-1.aspx</link><description>Can anyone point us in the right direction? What is Step 1? Step 2? etc... &lt;/P&gt;&lt;P&gt; - We have multiple applications &amp;amp; database clients with no pre-existing DITSCAPS or DIACAPS to go by. When we ask questions of our IA folks, we are simply told that it is "All there in the documentation... just go do it."</description><pubDate>Mon, 15 Dec 2008 09:36:42 GMT</pubDate><dc:creator>gregwright</dc:creator></item><item><title>diagram showing accreditation boundary for enclave?</title><link>http://www.i-assure.com/forums/Topic765-5-1.aspx</link><description>I need to create a one page diagram showing the accreditation boundary for our enclave (WAN).  No idea how I'm going to put this all on one page that is readable...  Anyone have any examples?</description><pubDate>Mon, 26 Jan 2009 11:44:08 GMT</pubDate><dc:creator>eric.wieczorek</dc:creator></item><item><title>Business Impact Analysis for COOP</title><link>http://www.i-assure.com/forums/Topic853-5-1.aspx</link><description>Can anyone tell me if they have or can refer me to a specific DoD process for performing a Business Impact Analysis as part of a COOP planning effort?  Thank you.</description><pubDate>Fri, 11 Sep 2009 09:54:08 GMT</pubDate><dc:creator>clark3rd</dc:creator></item><item><title>DIACAP for all web apps?</title><link>http://www.i-assure.com/forums/Topic835-5-1.aspx</link><description>We found out about DIACAP while trying to get funding to move a legacy system to the web.  We were told that we had to certify the old system before funding would be approved for the new system.   We quickly realized that certifying a legacy system in which 0% code would be reused for the new web application would be cost-prohibitive.  We are now treating this as a new system and not an upgrade.&lt;br&gt;&lt;br&gt;The new web application is for a Navy contract that will be available on the internet (NIPRNET).  
The backend will be Oracle 10g and the frontend will be a mix of Oracle Forms/Reports and ASP.NET.  The Oracle Forms/Reports frontend will be served using Oracle Application Server and Oracle Containers for J2EE (OC4J) and the ASP.NET frontend will be served using IIS on a Windows Server (2003 or above).  Web services will also be developed to allow a dashboard hosted elsewhere to pull information from our database.  Third-party software may be purchased to assist with the development of both the web pages and server-side logic.  &lt;br&gt;&lt;br&gt;The managers of the contract have been receiving certification cost estimates for the web app starting at $300,000 and they don't want to pay it.  We've been told that some hosts can be already certified allowing us to just run our site without having to go through certification but getting answers hasn't been easy.  I don't think there's a way to get around certification but some "higher ups" believe this is possible and now it feels like we're chasing our tails with no end in sight.  Some hosts that we are currently researching are NSERC and DISA.&lt;br&gt;&lt;br&gt;Any ideas or suggestions would be helpful.  Thank you.</description><pubDate>Wed, 29 Jul 2009 07:23:42 GMT</pubDate><dc:creator>IA newb</dc:creator></item><item><title>NIST SP 800-53 (revision 3)</title><link>http://www.i-assure.com/forums/Topic843-5-1.aspx</link><description>This month NIST has released Special Publication 800-53 revision 3.  This document represents the most recent major updates and can be found at &lt;A href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final-errata.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final-errata.pdf&lt;/A&gt;. 
</description><pubDate>Thu, 20 Aug 2009 08:08:59 GMT</pubDate><dc:creator>james.broad</dc:creator></item><item><title>Adding new hardware/software to existing DIP..need help</title><link>http://www.i-assure.com/forums/Topic824-5-1.aspx</link><description>Hello there - longtime reader, first time poster. (great site)&lt;br&gt;&lt;br&gt;I have an existing program that has a suite of hardware which is currently well-documented across the board. We are now adding a few more pieces of hardware to the system, and I have a concern with this.  When we first started this program, we were working with an SSAA, which as you know, amongst other uses, documents all the hardware and software with descriptions of what everything does. Of course we transitioned without issue to DIACAP and with that, made certain that for IA controls DCHW and DCSW we had the related artifacts (hardware and software listings for the system).  Now, with the addition of the new hardware pieces, I fully intend to update the hardware and software lists and generate up to date artifacts. &lt;br&gt;&lt;br&gt;My question is what do you do with functional descriptions of new hardware that your DIP doesn't cover? My DIP (approved by the DAA and afforded me an ATO) doesn't cover any sort of description on what the system does, how it does it, etc.. that's all in the SSAA and we leaned on that for legacy support to say "here it is" when someone asked for further information. Of course I will not be updating the SSAA, but I am left wondering where this new information may go.  Would I add an addendum to the DIP? Is there a formal process/document for doing that? Would simply adding the new hardware and software to the current documents be enough? -It sure doesn't seem like it could be, as I'd believe the function of all the hardware needs to be listed out somewhere. Yes, there are new functions being brought on board.&lt;br&gt;&lt;br&gt;I'm thinking I have 2 choices here:&lt;br&gt;1. 
Some sort of addendum to the DIP, wherein I state that previous hardware and software is covered in the SSAA, and this is just for the new stuff being added. (assuming an addendum can be added, and if so, if there's an official way to do this)&lt;br&gt;2. Re-author the DIP to include a hardware/software section and rewrite in all the stuff from the SSAA (seems like a lot of work) &lt;br&gt;&lt;br&gt;&lt;br&gt;Any help greatly appreciated.</description><pubDate>Mon, 29 Jun 2009 16:22:44 GMT</pubDate><dc:creator>DG</dc:creator></item><item><title>Requirements to obtain an IATT</title><link>http://www.i-assure.com/forums/Topic803-5-1.aspx</link><description>We are designing an Enclave system which we want to obtain an IATT as a predecessor to a Type Accreditation.  Many of the technical controls cannot be tested until the system is deployed in the operational environment for testing.  I have some questions the answers to which I understand may vary depending on the component, CA, and DAA, but any guidance would be appreciated.&lt;br&gt;&lt;br&gt;What are the minimum requirements for applying for an IATT?  Will we need to submit a Comprehensive DIACAP Package with placeholders for those controls that cannot be validated until after the system is granted an IATT and can be fully tested?  Are the CA and DAA more likely to be less stringent in granting the IATT as opposed to an ATO? Will an Executive DIACAP Package be sufficient?  The system is MAC II Sensitive.  No classified information will be processed.</description><pubDate>Tue, 12 May 2009 08:50:27 GMT</pubDate><dc:creator>Dave3221</dc:creator></item><item><title>DIACAP FOR AIS APPLICATIONS</title><link>http://www.i-assure.com/forums/Topic244-5-1.aspx</link><description>HAS ANY  BODY ACTUALLY COMPLETED THE DIACAP FOR A SMALL AIS APPLICATION? 
PER THE DOD GUIDANCE "An AIS application performs clearly defined functions for which there are readily identifiable security considerations and needs that are addressed as part of the acquisition" AND FOLLOWING THAT "AIS applications are deployed to enclaves for operations, and have their operational security needs assumed by the enclave."  IF THE AIS INHERITS ALL THE SECURITY FROM THE ENCLAVE,  WHAT IS THE APPLICABILITY OF A FULL DIACAP?  THIS IS PARTICULARLY AN ISSUE IF THE AIS WAS GIVEN AN ATO UNDER DITSCAP AND NOW AFTER 3 YEARS NEEDS TO 'CONVERT' TO DIACAP.</description><pubDate>Wed, 11 Jul 2007 12:32:45 GMT</pubDate><dc:creator>fischerr2</dc:creator></item><item><title>Control DCDS-1, where is this solidly addressed?</title><link>http://www.i-assure.com/forums/Topic806-5-1.aspx</link><description>We have a system that has been under the C&amp;amp;A process since DITSCAP and we are now under our last IATO.  One of the architectural network 'things' we allowed was a H/W VPN between the system and the base network.  The AFCA valuator is saying the insertion of the VPN makes us responsible for all IA validation and network monitoring of the server since the base intrusion detection controls and scanners cannot see the network.&lt;/P&gt;&lt;P&gt;So, in which document do I solidly address this control the CONOPS, SDD or both?&lt;/P&gt;&lt;P&gt;All discussion and suggestions are welcomed.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Steve</description><pubDate>Mon, 18 May 2009 07:21:05 GMT</pubDate><dc:creator>Stephen.Wolfe</dc:creator></item><item><title>DIACAP Stand Alone Laptop - Military Base</title><link>http://www.i-assure.com/forums/Topic807-5-1.aspx</link><description>Hello,&lt;/P&gt;&lt;P&gt;My company has developed a standalone application running on an ALPHA5 database on a type of Toughbook laptop. 
Since this laptop will not connect to any DoD/government networks, it still will contain government non-classified information. &lt;/P&gt;&lt;P&gt;Recently, we are now getting questions on the AR regulation that we need a DIACAP or a CON, but our interpretation of the regulation says no. It appears to us that if we are standalone and not connected to any network, this should make us exempt, but it appears that some people are saying that if it contains "information about the government", then it has to be DIACAP....&lt;/P&gt;&lt;P&gt;Does anyone have any suggestions......??</description><pubDate>Thu, 11 Jun 2009 09:58:26 GMT</pubDate><dc:creator>Ryland</dc:creator></item><item><title>Port, Protocols, and Services (PPS) documentation</title><link>http://www.i-assure.com/forums/Topic675-5-1.aspx</link><description>What is the best way to document your PPS?  I was thinking a simple excel spreadsheet but I'm worried about formatting, ideally the package should be cohesive and the document I have just sticks out like a sore thumb.</description><pubDate>Mon, 08 Sep 2008 12:53:22 GMT</pubDate><dc:creator>stokesg</dc:creator></item><item><title>DIACAP and Industrial Control Systems</title><link>http://www.i-assure.com/forums/Topic796-5-1.aspx</link><description>The company I work for is in the development stages of a new industrial plant that will be built on an Army Depot. This plant is expected to have a processing life of about 2 years. After processing is complete the plant will be torn down. I am an Automation Engineer involved with the development, installation and operation of the Distributed Control System (DCS) that will control the plant. I have been tasked with finding out just how DIACAP might affect us and what steps we would need to take if it does affect us.&lt;/P&gt;&lt;P&gt;The configuration of the system will be something like this. 
The Control Processors (CP) that control the plant are custom built dedicated processors that handle machine and process control. The CPs communicate to Human Machine Interfaces (HMIs) via a fiber optic TCP/IP network. The HMIs are based on Windows XP boxes. There is a process data collection system (Historian) that collects data (alarms, events, analog data) from the CPs and stores the data in MySQL databases. This control system configuration is pretty much a stand alone system with the exception of the Historian which will have a web server interface to the site IS network. The IS network will be a company owned network whose users are engineers, admin, etc. This IS network will be connected to the corporate network which pretty much spans the country and/or world. There will also be a web server interface to our government oversight group. The physical footprint of the plant and the site IS network is located on the Army depot. &lt;/P&gt;&lt;P&gt;I have searched via Google for days now trying to find what kind of constraints DIACAP might place on the control system itself. From an Automation Engineer's standpoint once you get a system up and running and stable controlling dangerous processes the idea of "upgrading" or "patching" an OS is a scary thought. &lt;/P&gt;&lt;P&gt;Our government oversight group has given us a waiver saying we do not have to comply with AR 25-2 because our system is a "separate and distinct system and does not touch the LandWarNet/US Army Enterprise Infrastructure (AEI) at any point."&lt;/P&gt;&lt;P&gt;However in my research it would appear that even though the Army says we don't have to abide by AR 25-2 the DOD Directive 8500.1 and DOD Instruction 8500.2 would seem to be the overriding control and unless we get a waiver from DOD directly we still might have to comply with DIACAP.   We do have to comply with AR 25-1 which does have direct mention of DIACAP.  
Needless to say this is very confusing!&lt;/P&gt;&lt;P&gt;On the assumption that we will end up being under DIACAP how do plant control systems fit into this? I can see a connection between the Historian and DIACAP because in a way it is an Information System containing data. However the DCS system and HMIs are a different animal.  &lt;/P&gt;&lt;P&gt;If we had to apply DIACAP to the control system with the requirements for upgrades and patches the plant would spend more time "down" than processing while upgrades and patches were being tested.  From an Automation Engineer standpoint anytime you make a change such as an upgrade or patch you have to verify the system functions the way it did before the change.  This could/would end up being a costly and time consuming process for what I would argue would be little or no gain.  &lt;/P&gt;&lt;P&gt;There is nothing "secret" about our data although some people might argue that it is "sensitive" information.  &lt;/P&gt;&lt;P&gt;Any thoughts, tips, suggestions, ideas would be greatly appreciated.&lt;/P&gt;&lt;P&gt;Brad</description><pubDate>Wed, 29 Apr 2009 07:31:31 GMT</pubDate><dc:creator>bkahler</dc:creator></item><item><title>Does DCID supersede DIACAP?</title><link>http://www.i-assure.com/forums/Topic798-5-1.aspx</link><description>I have been tasked to start getting things going on an upcoming project that will involve accrediting a secure stand alone facility with stand alone IS's.  This facility will process from Unclass up to SCI. 
I was wondering if the highest accreditation process - DCID - is all that I need to get the system accredited or if I have to go through each process, DCID, JAFAN and DIACAP procedures.&lt;br&gt;&lt;br&gt;Thanks in advance!&lt;br&gt;&lt;br&gt;Bill H</description><pubDate>Mon, 04 May 2009 12:04:11 GMT</pubDate><dc:creator>billh2009</dc:creator></item><item><title>Vista/Windows 7</title><link>http://www.i-assure.com/forums/Topic795-5-1.aspx</link><description>Looking for status of Vista and Windows 7 in relation to DIACAP.  Does DIACAP require this upgrade once it's approved?</description><pubDate>Tue, 28 Apr 2009 09:50:05 GMT</pubDate><dc:creator>Cbuchanan</dc:creator></item></channel></rss>