DIACAP stands for the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP). It is the DoD’s process to ensure that all information systems, which include almost any system in the DoD which processes information, have some type of baseline for risk management. DIACAP is a set of standard activities, tasks, and reports that make up the process for the certification and accreditation (C&A). It establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD systems. The main goal here is to ensure that all DoD IS will maintain an acceptable level of information assurance (IA) and information security risk management throughout the life of the system.
Previous to DIACAP, there was the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). DITSCAP, which was referred to in the DoDI 5200.40. Once the NSA shifted its paradigm for security, DIACAP was developed with the signing of the Interim DIACAP guidance, signed July 6, 2006. On November 28, 2007, the final version of the DIACAP guidance was released as DoD Instruction 8510.01.
The DIACAP embraced the idea of information assurance controls were the primary set of security requirements for information systems. The IA controls are based upon the system’s mission assurance category (MAC) level and the confidentiality level (CL). I’m sure many of our C&A readers are very familiar with the IA controls of the DIACAP package.
The DIACAP states that all DoD IS shall be implemented using the baseline IA controls. DIACAP also states that all IS should develop a Plan of Action and Milestones (POA&M) that will record the status of any corrective actions, as well as the accreditation status and packages should be made available to interconnecting ISs, as requested.
The Future of DIACAP
DIACAP was a great idea when it was written and it is the primary way to get systems accredited in the DoD. As with anything developed, it has flaws and with some changes it could be viable for future DoD systems. There has been talk that DIACAP may be replaced soon, probably not within the next two years. The problem with any C&A process is that it’s a long and hard process. What happens when DoD starts doing true rapid prototyping and want to create apps and or services for a Services Oriented Architecture (SOA)? This process couldn’t possibly sustain in that type of environment, or could it? What do you all think?
- DIACAP Training
- DoD Instruction 8510.01 – DoD Information Assurance Certification & Accreditation Process
- Navy DIACAP Knowledge Service
We did rapid prototyping with SOA via IATO and also other activity with IATT. Eventual ATO was based on types of prototyping and testing activity. Related hardware/software list of the AIS changed often due to this activity so the equipment list was updated as needed.