Stuff I learned from people in the class:

-AFCA is changing its name (to what?)

DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)

-a lot of what I need in there is in NIST 800-53

Marines use something called Exacta

Site called securitycritics.org

33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)

800-30

Feds call Certification &Accreditation (C&A) “Security authorization”

NIST SP 800-37

Day 4:

Validator Activities & Issue Accreditation Decision

Prepare POA&M

Validate Results/Scorecard

Scorecard

Make certification determination

CA/DAA Package review

Day 5:

Validation procedures were discussed. On day five, we looked at how the validators look at a system.

I thought is was interesting. It should help me get through the EITDR/DIACAP process easier.

Maintain Situational Awareness

Maintain IA Posture

Conduct Review

R-Accreditation

Retire system

Day 3:

DIACAP Structure

Terminology Review

Assemble DIACAP Team

Registered System/System Information Profile

Assign IA Controls

Initiate DIACAP Implementation Plan

The Security, Interoperability, Supportability, Sustainability and Usability (SISSU) is considered a part of the USAF IT LEAN process.  SISSU is a comprehensive database of security controls (IA Controls) addressed in DoDI 8500.02 needed to complete the DIACAP process. 

 

The SISSU questions includes everything from documentation of the system to physical security, to network security.  To access the SISSU process in the EITDR one need an account and “stakeholders list” approval via AFCA/EV.

Security, Interoperability, Supportability, Sustainability and Usability are each considered disciplines.  Each discipline is assigned a set of roles: producer, reviewer, validator, and approver.  Once all of these roles have done their part on each of their applicable questions in a given discipline they can move on to the next phase.  The phases are Define Need, Design, Build & Test, and Release.