Chapter 3 IT Risk Assessment

DIACAP

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense process to ensure that risk management is applied to information systems. DIACAP is a process by which information systems are certified for compliance with DoD security requirements and accredited for operation by a designated official. DIACAP provides visibility and control for the secure operation of DoD information systems.
DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure for the certification and accreditation of a DoD IS that maintains the information assurance posture throughout the system’s life cycle.
DIACAP considers:
Mission or business need
Protection of personally identifiable information
Protection of the information being processed
Protection of the system’s information environment

The Defense Information Assurance Certification & Accreditation Process (DIACAP) is the current compliance standard for Federal Information Systems which handle information deemed at the classified level. (However, in March 2014, DoD officially began its transition from the DIACAP process to the new “RMF for DoD IT” process.) It has 5 phases:
Phase 1 – Initiate & Plan: Register the system with DIACAP, create a DIACAP team, a strategy, and an IA plan.
Phase 2 – Implement & Validate: During this phase, the IA group works with the ISO or Information Systems Security Officer (ISSO) regarding the requirements and plan developed in Phase 1. As the plan is executed and the controls and system are implemented, the system is tested to validate the strength of those controls.
Phase 3 – Certify & Accredit: Once the security controls have been implemented and the testing has been completed, the IA team works with the Certifying Authority (CA), or the designated Agent of the Certifying Authority (ACA), so they can make a decision on Accreditation of the system in…