Forum Newbie
Group: Forum Members
Last Login: 11/24/2009 4:43:23 PM
Posts: 1, Visits: 9
I am about to do a local DIACAP on a Program of Record system that is type-accredited.
Am I to assume that I can take all the IA Controls that were addressed at the Program Management Office-level and automatically apply them to the local DIACAP package? Or should I validate every IA Control to ensure that the local administrators have installed the systems according to PMO guidance?
On one hand, it seems like I'd be doing work that was already done, but on the other hand, I feel like I need to make sure the local implementation of the Managed System was performed according to specs.

Forum Newbie
Group: Forum Members
Last Login: 6/17/2010 9:51:25 AM
Posts: 7, Visits: 12
The DIACAP Knowledge Portal has a list of typically inherited controls (and a set of ... overly broad ... negotiable controls).
For each of the (MAC 2, Classified? 110) number of controls, it is either implemented, inherited, non-applicable, or planned/non-compliant.
I tend to map my controls into:
- fully inherited (physical security, e.g.)
- inherited (backups -- we list what the controls require: hw, sw, and procedure; but the control is operationally performed by the site)
- implemented (it's all ours: build, fully validated, etc.)
In the AF, the accreditors are starting to enforce the full management of the controls. That is:
- require the PMO collect feedback from the sites' COOP testing, etc., and update their POA&M
- wanting a signed SLA before granting accreditation
- etc.
There is an SLA Generator (SLAG) that AFNIC shared out with programs -- Excel with macros; it takes all the marked-inherited controls and builds the boilerplate text/table of requirements for a hosting site. You simply need to tweak the output to include your system-unique information or notes.
-- joe
AF 653 ELSG
Airborne Network Systems & Tactical Data Links