Best Answer

Continue DITSCAP for a set period of time

Wiki User

14y ago
Q: The DoD IS has signed the Phase One System Security Authorization Agreement and is currently in DITSCAP Phase Three. What is the next step?
Related questions

The DoD IS has initiated the DITSCAP but does not have a signed Phase One System Security Authorization Agreement. What is the next step?

C. Continue DITSCAP. This might have been a correct answer to a quiz in the past, but DoDI 5200.40 (DITSCAP) and DoD 8510.1-M (DITSCAP Manual) were cancelled when DoDI 8510.01 (DIACAP) was issued on November 28, 2007. If a system does not have a signed Phase One System Security Authorization Agreement (SSAA), it is required to conduct its certification and accreditation under DIACAP. Anything prepared under DITSCAP is useful only as reference material to aid in preparing the DIACAP documentation.


Does DITSCAP supersede DIACAP?

DIACAP replaced DITSCAP as the process for certification and accreditation of DoD information systems. DIACAP supersedes DITSCAP.


The DoD information system has a DITSCAP authorization to operate that is four years old?

DIACAP has been in force for more than 3 years, so a system with a DITSCAP authorization has an EXPIRED authorization and the DAA should issue a DATO immediately unless the system owner can provide justification for continued operation AND sufficient documentation to allow the CA to evaluate the risk of continued operation and for the DAA to accept the risk and issue an IATO until a full re-accreditation can be completed. Note that the DoD will soon be moving to RMF (Risk Management Framework), so DITSCAP will be WAY, WAY out of date then!


DITSCAP supersedes DIACAP?

False


What is the follow-on to DITSCAP?

DoDI 8510.01 (DIACAP) is the current DoD process for IA Certification and Accreditation of DoD systems. It replaced DITSCAP.


The DoD information system has a DITSCAP authorization to operate that is four years old. What is the next step?

Contact the DAA to request an IATO while you hurry up and get your act together and get the DIACAP documentation together before they shut the system down!


How does DITSCAP differ from DIACAP?

DITSCAP is the outdated version of the DoD process for assessing the security of DoD information systems. It was replaced by DIACAP. DIACAP is, in turn, being replaced by the RMF process, where continuous monitoring is to be implemented.

DIACAP:
- Platform-centric as opposed to system- or network-centric.
- Information belongs to the system owner and risks are identified specific to the system.
- Individual C/S/A-defined IA controls.
- Certification by an appointed Certification Authority.


What must be done if an information system has a DITSCAP that is four years old?

Since, under 8500.2, an ATO cannot be issued for more than 3 years, if a system is operating under a DITSCAP package that is 4 years old, its ATO has expired and the DAA can (and should) issue a DATO (Denial of Authorization To Operate), meaning that the system is immediately denied ATC (Authority To Connect), which means it is then cut off from the GIG. Even if the system is not connected to the GIG, a DATO means that the system must be shut down and not used until it gets at least an IATO from the DAA.


Does DITSCAP supersede DIACAP?

No - DIACAP (DoDI 8510.01) superseded DITSCAP (DoDI 5200.40) in 2006.


Does the IA BBP require the IASO to ensure personnel receive system-specific and annual IA awareness training?

8510.01M, signed in 2000, was written to go with DITSCAP (DoDI 5200.40, signed in 1997), which has since been superseded by DIACAP (DoDI 8510.01, signed in 2007).

Ultimately, responsibility for ensuring the training rests with the IAM, but the IAM can, and often does, delegate the responsibility to the IAO.

C3.4.4 requires preparation of the Environment and Threat Description, which, in turn, requires:

C3.4.4.2.1.8. Training. Identify the training for individuals associated with the system's operation and determine if the training is appropriate to their level and area of responsibility. This training should provide information about the security policy governing the information being processed as well as potential threats and the nature of the appropriate countermeasures.

C3.4.7 requires identifying C&A Organizations and the Resources Required, which includes:

C3.4.7.2.3. Resources and Training Requirements. Describe the training requirements, types of training, who is responsible for preparing and conducting the training, what equipment is required, and what training devices must be developed to conduct the training, if training is required. Funding for the training must be identified.

C5.1.2 discusses certifying, among other things, "security education, training, and awareness requirements".

C5.2.4.3 requires: The program manager, user representative, and ISSO should ensure that the proper security operating procedures, configuration guidance, and training are delivered with the system. Note that the term ISSO has since been replaced by IASO in current IA terminology.

C5.3.9.2 requires: "that security Rules of Behavior, a Security Awareness and Training Program, and an Incident Response Program are in place and are current."

Appendix 2, the "MINIMAL SECURITY ACTIVITY CHECKLIST", includes the questions:

Table AP2.T11.10.(h) Do the ISSO duties include the following: Implementing or overseeing the implementation of the Security and Training and Awareness Program?

Table AP2.T12.3.(o) Do employees receive periodic training in the following areas:
(1) Power shut down and start up procedures?
(2) Operation of emergency power?
(3) Operation of fire detection and alarm systems?
(4) Operation of fire suppression equipment?
(5) Building evacuation procedures?

If you examine DoDI 8500.2, you will find requirements dealing with training, including:

5.9 Each IA Manager, in addition to satisfying all responsibilities of an Authorized User, shall: (5.9.2) Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.

E3.3.7. requires that: All DoD employees and IT users shall maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.

E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing, implementing and maintaining the DoD information system IA program, and for documenting the IA program through the DoD IA C&A process. The program shall include procedures for:

E3.4.6.6. Tracking compliance with the IA Controls applicable to the DoD information system and reporting IA management review items, such as C&A status, compliance with personnel security requirements, compliance with training and education requirements, and compliance with CTOs, IAVAs, and other directed solutions.

Within the controls of 8500.2, you will find the following controls:

VIIR-1 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.

VIIR-2 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months.

PETN-1 Environmental Control Training
Employees receive initial and periodic training in the operation of environmental controls.

PRTN-1 Information Assurance Training
A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA-related plans such as incident response, configuration management and COOP or disaster recovery.

Templates for validation of the controls by system validators include the following instructions:

For PRRB-1:
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgement of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.

For PRTN-1:
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgment of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.