Transitioning from DITSCAP to DIACAP involves much more than policy changes; it requires whole new ways of looking at information security.
Process and Security Improvements under DIACAP
On November 28, 2007, the most significant change in security policy in 10 years occurred when the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) replaced the DoD Information Technology Security Certification and Accreditation Process (DITSCAP).
The Department of the Navy commenced full transition to DIACAP on March 31, 2008, with the release of a naval message issued by the DON Chief Information Officer, "Department of Navy's Transition Plan from DITSCAP to DIACAP." The message (311917Z Mar 08) is available on the DON CIO Web site at www.doncio.navy.mil, under the "Information Assurance" topic area.
All DoD and DON information systems are required to go through rigorous testing for certification and accreditation (C&A) prior to deployment on operational networks. Under DITSCAP, this process involved four review phases spanning several years of system development time before a system could obtain an approval to operate (ATO) in an operational environment.
Under DIACAP, a much greater emphasis is placed on key security stakeholder collaboration early in a system's development and the standardization of a robust, flexible, end-to-end C&A process, which results in a much shorter development cycle for a system to obtain an ATO and be fielded. The five key life-cycle phases for any system under the new DIACAP are summarized in Figure 1.
The changes ushered in by DIACAP don't stop with process improvements. DIACAP also provides a much needed net-centric approach to security risk determination and evaluation with expanded inheritability options relating to information assurance (IA) controls between systems, networks, sites and enclaves. It also forces IA to be built in from a system's concept stage through its entire life cycle. Not only will this yield improved security for fielded systems, but it will minimize the need for rework as C&A documentation proceeds through the independent government review process.
In fact, with this improved up-front security engineering, only a single security test will be required, either in a controlled development environment, or in the field to support an ATO decision.
The DON CIO's goal is to ensure a smooth and successful migration of all DON information systems from DITSCAP to DIACAP. To adequately plan for DIACAP transition and the requisite automation of the C&A process, the DON DIACAP working group (DWG) is chartered to develop a unified departmental transition plan to implement DIACAP.
Key aspects of this plan include:
• Establishment of a DON DIACAP Transition Program to develop detailed guidance for implementing DIACAP throughout the DON;
• Procurement and implementation of a commercial off-theshelf tool to support the DIACAP process; and
• Guidance to assist personnel, such as program managers, information assurance managers and system managers, involved in the security of information systems in developing DITSCAP to DIACAP transition plans.
DON DIACAP Tool Solution
To ensure the DON realizes efficiencies and improved speed to security capability, the DON CIO established the DON DIACAP transition effort to procure an automated tool to support the entire end-to-end C&A process for the DON enterprise. Appropriately, this tool is named the C&A Support Tool. Without CAST providing C&A automation, from initial system registration to eventual system decommissioning, the benefits resulting from DIACAP would be dramatically limited.
The increased DoD emphasis on system security, as a result of recent Federal Information Security Management Act (FISMA) mandates, makes it critical to automate the entire C&A process. A DON automated tool to improve and standardize the C&A process was recognized in early fiscal year 2007 and is now well underway. The plan indicates the procurement of CAST will occur in late 2008, with initial operational capability available in early 2009.
Figure 2 identifies the organizations and the major functional components of the DON DIACAP transition effort managed by Program Management Warfare (PMW) 160, Networks, Information Assurance and Enterprise Services, under Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I).
PMW 160, as the technical agent for the DON CIO, will develop a standardized end-to-end C&A process and acquire and implement CAST, thus enabling the DON to fully transition from DITSCAP to DIACAP in a robust, controlled manner. In fulfilling this role, PMW 160 is providing the strategic planning, subject matter expertise and acquisition competency needed to not only fulfill DON CIO objectives, but to ensure a well-engineered, comprehensive and supportable tool is provided in a timely manner to support the entire C&A community.
DON DIACAP Transition Execution
The preliminary work in the DON DIACAP transition effort began in October 2007. To capture relevant requirements, a series of tabletop exercises and process walkthroughs were conducted with representatives from virtually all C&A stakeholder perspectives. The result was a C&A community understanding of the complexities of the DIACAP process, the respective roles and responsibilities of each level of interest and a very detailed process workflow chart characterized by five levels of fidelity.
This detail is illustrated in Figure 3, where Level 1 entails the process overview, Level 2 defines all activities, Level 3 assigns all tasks that must be performed, Level 4 delineates each task and the estimated time for completion, and Level 5 defines how each task is completed.
This workflow chart has been the basis for all follow-on efforts associated with requirements definition, procurement guidance, the training approach and community implementation.
To fully migrate from DITSCAP to DIACAP, four key program components must be successfully executed:
• C&A package generation and requirements estimation;
• Provision for DIACAP transition technical support;
• Acquisition of CAST to support end-to-end C&A processes; and
• CAST training to familiarize the C&A community with the tool’s capability.
As envisioned, CAST must support up to 25,000 users ashore and afloat, with a minimum of 2,500 concurrent users. This rate is estimated for NIPRNET, with up to an additional 5 percent of this activity level expected on the SIPRNET.
The architectural approach will not only accommodate this level of activity, but will also allow seamless expansion should greater access be required in the future.
CAST requirements include the ability to collect metrics on all aspects of processing and management of C&A information so that a continuous process improvement program can be supported as the nature and requirements associated with C&A continue to evolve.
With CAST, automating major DIACAP requirements will be met for all information systems, including information technology systems; networks; circuits; sites; infrastructures; enclaves; and environments and assets that require security certification and accreditation within the DON, regardless of current accreditation status.
Specific goals for CAST include:
• Ensuring IA is built in from the concept stage through the life cycle;
• Accounting for inheritance of information assurance controls;
• Enforcing annual reviews for all systems and sites; and
• Providing enterprise-wide visibility into security posture and risk.
By facilitating standardization and quality improvement for C&A packages from the initiation of the process, significant reductions in review times, rework and learning curves are expected immediately.
In addition, early collaboration by stakeholders will ensure adequate identification and resolution of security risk issues early in the process and not later during formal C&A reviews.
Once the CAST procurement award is made, the tool will be initially implemented during a pilot phase with the objective of testing processes, procedures and templates. The pilot will build the necessary databases, verify process steps and proper tool configuration, conduct test and evaluation, and process selected DIACAP C&A packages to verify tool effectiveness in a controlled environment.
At the same time, training will be provided to the C&A community on the tool and detailed DON processes and policies. It is expected that training will be an ongoing requirement throughout the life of CAST. Once CAST is fully implemented, DIACAP training will target personnel performing activities in the three main tiers of the C&A process: package creation, review and approval.
Training will focus on required tasks and how to perform these using the tool. Each tier of training will contain an overview of the DON process flow and build upon the activities accomplished by all members of the C&A team.
Since transition from DITSCAP to DIACAP will be gradual over the next three years, there is a phasing out of systems’ C&A documentation from DITSCAP to DIACAP. The DIACAP transition team will provide subject matter experts to support program and system managers, as well as IA managers, in planning each system transition to DIACAP. This will include assistance in developing transition plans and answering any related questions.
Finally, because systems will begin transitioning to DIACAP prior to full implementation of the DON automated tool, all submissions of C&A packages will continue using existing C&A package systems in the near term.
The transition to DIACAP is great news for DoD and DON system developers, program managers and security managers!
Ms. Yuh-Ling Su is the DON DIACAP transition assistant program manager under PMW 160.
The C&A process has undergone major changes over the last several years. These were driven by increased awareness of security vul¬nerabilities, shrinking resources and the pressing operational need to field new and improved capabilities to support the warfighter.
The movement from DITSCAP to DIACAP has provided an oppor¬tune time to both automate and standardize the entire end-to-end C&A process to conserve resources and ensure security risk is managed at acceptable levels. To stay abreast of the information being developed during this transition time, readers are encouraged to periodically ac¬cess the DON CIO Web site at www.doncio.navy.mil.
For now, programs desiring to make use of DIACAP templates can access them from the Fleet Forces Web site under the View All Site Contents/Documents tab on the left side of the page at https://www.fleetforces.navy.mil/netwarcom/navycanda/default.aspx.
For the Marine Corps, users can access the Marine Corps Xacta Information Assurance Manager tool available at https://hqtelosweb.hqmc.usmc.mil/.
The primary contact for DITSCAP to DIACAP transition technical support can be reached by e-mail at SPSC-DON-DIACAP@navy.mil. Secondary contacts for transition technical support are:
Navy -Operational Designated Approving Authority (ODAA) -e-mail: Navy_ODAA@navy.mil or (757) 417-6719 x0.
Marine Corps - Programs of record (not yet fielded), contact the Ma¬rine Corps Systems Command (Systems Engineering, Interoperability, Architectures & Technology (SIAT)) at (703) 437-3824.
All other systems (including fielded programs of record), contact the Marine Corps Enterprise Network Designated Approving Author¬ity (MCEN DAA) by e-mail: M_MCEN_DAA@usmc.mil or (703) 693¬-3490.
-- DON DITSCAP to DIACAP Transition Guide, version 1.1, June 9, 2008 –under the Information Assurance topic area at www.doncio. Navy.mil.
-- DON DIACAP Handbook, version 1.0, July 21, 2008 – under the Infor¬mation Assurance topic area at www.doncio.navy.mil.
-- DoD Instruction 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), Nov. 28, 2007 –www.dtic.mil/ whs/directives/corres/pdf/851001p.pdf.
-- Secretary of the Navy Manual, SECNAV M-5239.1, Information Assur¬ance Manual, November 2005 – http://doni.daps.dla.mil/SECNAV%20 Manuals1/5239.1.pdf.
-- DoD Directive 8500.01E, Information Assurance (IA), Oct. 24, 2002 – www.dtic.mil/whs/directives/. Certified as current April 23, 2007.
-- DoD Instruction 8500.2, Information Assurance (IA) Implementation, Feb. 6, 2003 - www.dtic.mil/whs/directives/corres/pdf/850002p.pdf.