Department of Defense Information Assurance Certification and Accreditation Process

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 78.193.86.3 (talk) at 17:04, 5 August 2016.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process intended to ensure that companies and organizations apply risk management to information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure for the certification and accreditation (C&A) of a DoD IS, maintaining the information assurance (IA) posture throughout the system's life cycle.

NOTE: As of March 12, 2014 (though the official transition takes place as of May 2015), the DIACAP is to be replaced by the "Risk Management Framework (RMF) for DoD Information Technology (IT)". Although re-accreditations continue through late 2016, systems that have not yet started accreditation by May 2015 will transition to RMF processes.[1] The DoD RMF aligns with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).[2][3]

History

DIACAP resulted from an NSA-directed shift in underlying security approaches. An interim version of the DIACAP was signed July 6, 2006, and superseded the interim DITSCAP guidance. The final version is called Department of Defense Instruction 8510.01 and was signed on March 12, 2014 (the previous version was dated November 28, 2007).

  • DODI 8500.01 Cybersecurity: http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
  • DODI 8510.01 Risk Management Framework (RMF) for DoD Information Technology (IT): http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf

DIACAP differs from DITSCAP in several ways—in particular, in its embrace of information assurance controls (defined in DoDD 8500.1 and DoDI 8500.2) as the primary set of security requirements for all automated information systems (AISs). IA controls are selected based on the system's mission assurance category (MAC) and confidentiality level (CL).

Process

  • System Identification Profile
  • DIACAP Implementation Plan
    • Validation
  • Certification Determination
  • DIACAP Scorecard
  • POA&M
  • Authorization to Operate Decision
  • Residual Risk Acceptance

References

  1. "DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 14th 2014" (PDF). Retrieved 29 March 2014.
  2. "NIST Risk Management Framework".
  3. "NIST: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach".