Computer Security Law

Benefits:

• When registering you may get additional functionality of the product. Some companies use this as a means to enforce licensing of their products.
• Many software companies use the registration to create push lists for patches, updates, and important notifications.
• Registered users often recieve notifications of special offers and promotions that may be of interest to them.
• Sometimes software companies will provide free gifts to those who register as an incentive. The free gift might be addional software or some cheap swag like a thumb drive, mug, or t-shirt.

Additional purposes:

• The software company is able to compile a database of current users who are then potential future customers for additional products.
• Some companies will share or sell the information with other companies for financial gain (Remember to read the privacy policy statement of the company before you register!)

At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives.

___

DAA, CA, SIAO, PM, IAM, and IAO (or IASO)

____

From the sections below it would appear the list of individuals responsible for implementing DIACAP would be:

SIAO

DAA (aka PAA)

PM

IAM

IAO (as assigned by the IAM ) - note that the Army calls the IAO the IASO

UR - depending on how you interpret paragraph 5,17.

According to DoDI 8510.01 (DIACAP), paragraph 1.3, the DIACAP instruction:

Establishes or continues the following positions, panels, and working groups to implement the DIACAP: the Senior Information Assurance Officer (SIAO), the Principal Accrediting Authority (PAA), the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel, the IA Senior Leadership (IASL), the Defense (previously DISN) IA Security Accreditation Working Group (DSAWG), and the DIACAP Technical Advisory Group (TAG).

From this it can be inferred that individuals responsible for implementing DIACAP include:

the SIAO

the PAA - which can be the DAA

Besides the SIAO and DAA - the sections of DoDI quoted below identify the other team members with responsibility to implement DIACAP:

5.16. The Program Manager (PM) or System Manager (SM) for DoD ISs shall:

5.16.1. Ensure that each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy the responsibilities established in Reference (d) and this Instruction.

5.16.2. Implement the DIACAP for assigned DoD ISs.

5.16.3. Plan and budget for IA controls implementation, validation, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management.

5.16.4. Ensure that information system security engineering is employed to implement or modify the IA component of the system architecture in compliance with the IA component of the GIG Architecture (Reference (c)) and to make maximum use of enterprise IA capabilities and services.

5.16.5. Enforce DAA accreditation decisions for hosted or interconnected DoD ISs.

5.16.6. Develop, track, resolve, and maintain the DIACAP Implementation Plan (DIP) for assigned DoD ISs.

5.16.7. Ensure IT Security POA&M development, tracking, and resolution.

5.16.8. Ensure annual reviews of assigned ISs required by FISMA are conducted.

5.17. The DoD IS URs shall:

5.17.1. Represent the operational interests of the user community in the DIACAP.

5.17.2. Support the IA controls assignment and validation process to ensure user community needs are met.

5.18. The IAMs, in addition to the responsibilities established in Reference (d), shall:

5.18.1. Support the PM or SM in implementing the DIACAP.

5.18.2. Advise and inform the governing DoD Component IA program on DoD ISs C&A status and issues.

5.18.3. Comply with the governing DoD Component IA program information and process requirements.

5.18.4. Provide direction to the IA Officer (IAO) in accordance with Reference (d).

5.18.5. Coordinate with the organization's Security Manager

According to DODI 8510.01:

5.16. The Program Manager (PM) or System Manager (SM) for DoD ISs shall:

5.16.1. Ensure that each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy the responsibilities established in Reference (d) and this Instruction.

The best answer is probably to flip the question around to ask when it is acceptable to NOT use a non-privileged account.

A non-privileged account should always be used except when it is absolutely necessary (and authorized) to use the permissions assigned to a privileged account. Only those acting as system administrators or system auditors should ever have privileged accounts and they should only use those accounts when the actions they are performing required the elevated privileges assigned to the privileged account. They should be assigned and use non-privileged accounts for all other actions.

Section 3-3 a.(13) states that privileged users must:

(13) Maintain and use at least 2 separate accounts for access to network resources, 1 for their privileged level access and a separate general user, non-privileged level account for routine procedures.

Section 4.5 c. states:

c. Access control. IA personnel will implement system and device access controls using the principle of least privilege (POLP) via automated or manual means to actively protect the IS from compromise, unauthorized use or access, and manipulation.

One consequence of this is that they are required to always implement non-privileged accounts except where elevated privileges are required.

According to DODI 8510.01 (DIACAP), paragraph 4.9:

"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."

Note that in the case of a MAC I system, the reviews should occur semi-annually, i.e. every six months.