DISA IA Boot Camp (June 2007)
About two weeks ago I attended the DISA IA Boot Camp. The training was run by two guys who had removed all of their childhood memories and replaced them with DODD 8500.01E and DODI 8500.2. They knew information assurance like nobody's business.
I would recommend this class to ALL Information Assurance Officers (IAO) and Information Assurance Managers (IAM). The level of the material stays right in the middle – it's not really technical and backs off of some of the intricate details of a specific organization's implementation of something like the DIACAP, which brings me to the most controversial and frustrating part of the training.
These guys were saying that the DIACAP was rejected (as of the mid-2006/beginning-of-2007 time frame) by a few key organizations (namely the Inspector General's office) because the method by which it was approved did not comply with regs. The irony is like a knife stabbing itself.
Anyway, they emphasized the importance of maintaining compliance with the IA Controls indicated in both the DIACAP and DITSCAP. Beyond the mountain of documentation and mind-numbing bureaucracy, it is MOST important to secure the systems.
What guys out in the field are doing is implementing the DITSCAP's SSAA package as a supplement (artifact... whatever you want to call it) in the DIACAP package in order to cover all tracks.
Comments (5)
Doing a SSAA as an attachment to the DIACAP package? How much extra cut-n-paste with no value added and at a large cost to the taxpayers can we produce?
Cut & Paste?
I don't know how your process works, but C&A packages are a lot of travel and work for me. We are currently in limbo on the use of DIACAP and DITSCAP. Paperwork-wise, the only thing the DIACAP adds is a stripped-down version of the SSAA. The cool thing about it is that it is all supposed to be online. So it's the DITSCAP online (digital DITSCAP).
Ah, but if you have polyinstantiation of data, then you play the cut-n-paste game.
It also duplicates some effort. If you change the DIACAP part, then you have to change the various pieces of the SSAA. Polyinstantiation means that you have started to write spaghetti code in the version of a security controls document.
Trick here is that you *can* use a requirements traceability matrix as your SSAA/SSP/$foo and that’s what the overall trend is going to. Hopefully the free-form text documents are on their way to an early grave. =)
Knowing IGs, they don’t like it because the presentation layer of the policy stack needs to be in a format that they are used to. In the long run, it’s easier to give them what they want than it is to educate them.
Knowing IA, all I really want is a brief description of the controls and where I can go for more information if I have a question.
I have looked on both the DISA and IASE websites and can’t find any information on this course. Do you have a web link or POC for it? Thank you.
The problem with DIACAP is that, while its lofty goals of weaving security through the enterprise, embedding it into the planning and development of our systems, and cutting out much of the fluff from the SSAA were truly overdue, the implementation of the DIACAP has been an absolute mess (at least from the ground-level view). That is, if you call putting DIACAP into effect, publishing some token documents and hosting the "figure it out amongst yourselves" forum on the DIACAP portal an implementation plan. With DITSCAP, I actually had more control over making my C&A package a true representation of my system. Now, because the Air Force has rolled up its Clinger-Cohen, FISMA, DIACAP IT Lean and countless other requirements into a single database, I have to repeatedly enter the same information about my system in different sections of the same database, despite the fact that most of the items being asked about do not apply to my system. SPAWAR had a good transition concept that combined the SIP and the new controls/RTM and DIACAP-relevant sections of the old SSAA. This may not have worked for an enterprise system, but for a relatively simple system like the one I have, I could have directed my efforts to improving the documentation and applying more security to the system rather than filling out an endless series of "not applicable".
Having not utilized the previous DITSCAP process, the DIACAP process appears to be a good device to bring all the necessary documentation together so it does correlate with all the other processes used for maintaining certifications. Guess I'm not confused by all the previous methods.
Not to worry, having a military background lets me know this will all change again in a couple of years and then I'll be lost like everyone else.
Cheers!