What exactly is a secure information system? How do you secure a system from development through deployment? According to DIACAP – the Department of Defense Information Assurance Certification & Accreditation Process – it goes beyond simply patching your servers, hardening firewall/intrusion detection devices, or implementing Operating System (OS) group policy restrictions. In other words, it is much more than just technical activities.
While it is certainly important for an Information System (IS) to meet all DIACAP technical security disciplines (COMPUSEC, COMSEC, EMSEC), it also requires you to meet other disciplines that are more policy/procedural related (PHYSEC, PROSEC, PERSEC, SATE), but just as important. What do all of these acronyms mean? I’ll cover them at the end of this article, but first I’ll take you through a quick history of DIACAP, its current challenges, and areas for improvement.
DIACAP is essentially an attempt to standardize how information systems achieve confidentiality, integrity, and availability or how they manage and reduce risk. It was created by the Department of Defense (DoD) in response to the Federal Information Security Management Act (FISMA) that was passed into law in 2002. This law recognized the importance of securing federal government information systems and its importance to U.S. national security. The National Institute of Standards & Technology (NIST) was the agency responsible for creating the framework for properly securing information systems, which came to be simply known as C&A – Certification & Accreditation, the process used by all Federal government agencies to this day. The DoD tailored C&A to better fit its needs and created DITSCAP – Department of Defense Information Technology Security Certification & Accreditation Process. That process was upgraded a few years ago and is now known as DIACAP, but we’re not quite done yet. The Air Force further modified DIACAP to better fit their needs and created AFCAP – Air Force C&A Process. All of this could soon change as NIST will soon deploy updates to the current C&A process, which will be known as the Risk Management Framework.
The first challenge with DIACAP is the timeframe. On average, completing DIACAP can take around 6 months. DIACAP involves coordinating and disseminating all relevant information with the system stakeholders which requires their input to proceed. While the process itself is said to be standardized, the inner requirements are not, and this adds to the timeframe. Other problems related to DIACAP deal with creating and submitting IS artifacts. Going through DIACAP requires the creation of numerous documents, with many that overlap each other with regards to the information content. In addition, the certifying authority that reviews and approves all artifacts can be said to be unpredictable. Depending on who reviews your documents can make DIACAP relatively straightforward or leave you very confused. Essentially there are no clear guidelines on what content the artifacts should have, which will inevitably lead to documents being kicked back for change. The last major issue with DIACAP is the process of implementing Information Assurance (IA) controls, which are the requirements (policy, procedure, technical) that need to be applied to your information system. How many IA controls are there? Around 100 give or take. The specific requirements on most IA controls are numerous, and deciding whether a particular control applies to your system or not can require a lot of research and take several days to get a definitive answer. Applying IA controls are the heart of DIACAP and will take the longest to complete. It requires coordinating, testing and documenting the results. In a nutshell, the process is too big.
As a result of the challenges and length of the process, the information reflected in DIACAP can inherently become inaccurate. Systems that receive accreditation approvals are really just certified at that point in time. It does not necessarily mean that the Information System remains in compliance throughout its lifecycle. It should, but that is not always the case. DIACAP should really be tailored to reflect a live system, as opposed to a snapshot, which is what the current process creates. Improving the guidance for creating the required artifacts should cut down on the overall time to complete DIACAP and reduce inaccurate information. Reducing the number of IA controls should also cut down on the time. Currently, there are numerous IA controls that almost overlap with each other. In other words, they ask for the same information but in a different artifact. IA controls can sometimes be considered not applicable but require you to provide detailed mitigation plans on that control anyway. Finally, inherited IA controls require unnecessary service level agreements or memorandum of agreements with the originating information system. To give you an example, an agency installs a server in a DoD data center which itself has gone through and completed DIACAP. The owner of that server will need to provide the certifying authority detailed information on the physical aspects of the already DIACAP approved data center, to include a MOA/SLA, which is difficult to obtain and really unnecessary. The DoD is aware that DIACAP needs improvement, and they are on the right track with continuing to improve and further standardize the process. Much work remains to be done, but with the latest iteration of C&A created by NIST upcoming (Risk Management Framework), we’ll see if the DoD improves on the process.
On an interesting side note, Google recently underwent the C&A process themselves, as they developed a version of Google Apps specifically for the government. It could certainly be that in the future the private sector begins embracing federal government standards when it comes to securing their information systems.
Now as promised, the DIACAP security disciplines:
- COMPUSEC: Computer Security
- COMSEC: Communications Security
- EMSEC: Emissions Security
- PHYSEC: Physical Security
- PERSEC: Personnel Security
- PROSEC: Procedural Security
- SATE: Security Awareness, Training & Education