Forum Newbie | Group: Forum Members | Last Login: 10/7/2009 12:39:44 PM | Posts: 1 | Visits: 1
I have a COTS based system (totally supplied by the vendor and offered to both Government and Commercial customers, not just DoD) which had a DITSCAP ATO and needs to be renewed. I'm being told by my DAA that the DIACAP does not apply to COTS products, only the system in which the COTS is being used. Is this correct? What if the COTS is being used on the network? If not DIACAP, what is necessary?
Forum Newbie | Group: Forum Members | Last Login: 10/16/2009 5:16:24 PM | Posts: 1 | Visits: 3
rwool, I am new to the forum so I hope this is helpful. If what you have is a system, and not just a COTS product in use as an application (such as MS Office), then you will DIACAP the system. That is probably the case if you had a DITSCAP for the system previously. I too have a COTS based system which previously had a DITSCAP. I'm in the last stages of the full DIACAP phase 3 validation. Correct, the DIACAP applies to the system not the COTS, but you will list the COTS products in use in certain controls such as DCSW (software baseline), DCAS, DCSR, ECRC, and COBR. So the COTS products being used within the system are part of your accreditation boundary/package and it's all DIACAP'd together.
Forum Newbie | Group: Forum Members | Last Login: 11/16/2009 10:04:02 AM | Posts: 5 | Visits: 82
It sounds like you are describing an Outsourced IT-Based Process That Also Supports Non-DoD Users. The system (not just the software application) would need to be accredited.
v/r, Vince
Vincent D. Williams, CISSP
Forum Newbie | Group: Forum Members | Last Login: 6/17/2010 9:51:25 AM | Posts: 7 | Visits: 12
Step back for a second -- think of it this way.
If it was your network and resources: what would you require? Risk management.
So, DIACAP does specify what to do with COTS & the controls specify what to do to manage the risk.
Below is a paraphrase.
(AF-centric)
Did the program go through the planning so that requirements point to that COTS solution?
In the design, was there a comparative analysis, etc? -- that is the only product that meets that solution?
So, is the software already on the approved list? No, submit software worksheets that capture the company, where development is performed, etc, etc.
Include your own risk assessment of that software -- what does it alter, touch, do.
Was source available? Did you ask?
Did the company perform any vulnerability/risk assessment on their product? Did you ask?
Is the product IA-enabled? -- lots of controls around that one, be careful.
The DISA application security and development checklist has a set of controls for generic applications' implementation.
Does the PMO IAM accept all that?
-- joe
AF 653 ELSG
Airborne Network Systems & Tactical Data Links