Our Approach and Methodology
During the process for DIACAP C&A, SecureState uses DIACAP in association
with other standards and guidance including DoDI 8500.2.
The SecureState team uses the baseline controls outlined in DoDI 8500.2
as required by DIACAP. The final control set is determined based on mission
assurance category (MAC) and confidentiality level (CL) determined during
Phase 1. The 8500.2 framework specifies eight areas and the controls are
referred to as IA controls.
The DIACAP Lifecycle
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
Phase 1 - Initiate & Plan:
During this phase, the SecureState team works with the Information System
Owner (ISO) to define the security requirements for the system. The
determining factors in developing the proper IA control set are the Mission
Assurance Category (MAC) Level for the system in question as well as the
confidentiality of the information being passed through the system. The MAC
is determined as defined below:
- MAC I - Systems handling information that is determined to be
vital to the operational readiness or mission effectiveness of deployed
and contingency forces in terms of both content and timeliness. The
consequences of loss of integrity or availability of a MAC I system are
unacceptable and could include the immediate and sustained loss of
mission effectiveness. Mission Assurance Category I systems require the
most stringent protection measures.
- MAC 2 - Systems handling information that is important to the
support of deployed and contingency forces. The consequences of loss of
integrity are unacceptable. Loss of availability is difficult to deal
with and can only be tolerated for a short time. The consequences could
include delay or degradation in providing important support services or
commodities that may seriously impact mission effectiveness or
operational readiness. Mission Assurance Category II systems require
additional safeguards beyond best practices to ensure assurance.
- MAC 3 - Systems handling information that is necessary for
the conduct of day-to-day business, but does not materially affect
support to deployed or contingency forces in the short-term. The
consequences of loss of integrity or availability can be tolerated or
overcome without significant impacts on mission effectiveness or
operational readiness. The consequences could include the delay or
degradation of services or commodities enabling routine activities.
Mission Assurance Category III systems require protective measures,
techniques, or procedures generally commensurate with commercial best
Phase 2 - Implement & Validate:
During this phase, the IA group works with the ISO or Information Systems
Security Officer (ISSO) regarding the requirements and plan developed in
Phase 1. As the plan is executed and the controls and system are
implemented, the system is tested to validate the strength of those
For the implementation, the SecureState team leverages our Risk
Management team, which balances strong project management capabilities as
well as tactical implementation experts to provide efficient and correct
implementation of the transition plan and controls developed in the Systems
Security Authorization Agreement (SSAA) were correctly implemented to the
systems that were tested.
For the validation, the IA team has a ST&E group to provide technical
testing including system audits, vulnerability scanning, and penetration
testing. This group uses not only certified tools, but also has their
vulnerability scanning process reviewed and certified on an annual basis.
Based on the requirements for availability and integrity of the
information handled by the system in question and the consequences of the
loss of that availability or integrity determines the level of testing and
validation needed. Given those issues, The SecureState team tests
appropriately using a variety of methods including:
- Documentation Review – Reviews of the policies that are
currently in place.
- Test – Technical testing of the system including
vulnerability scan, penetration tests and focused device interrogation
and configuration reviews.
- Observation - A visual test/exam of a policy in operation to
determine its compliance.
- Interviews – Discussions with key system owners and
administrators to determine their day-to-day activities and ensure they
are in compliance with both the requirements and policies in place.
Upon completion of the testing phase, the SecureState team develops a
Plan of Action and Milestones (POA&M) to note the appropriate remediation
action required to mitigate those vulnerabilities discovered. Additionally,
all vulnerabilities are ranked in accordance with the DISA Severity Codes:
- CAT I – Any vulnerability that may result in a total loss of
information or provides an attacker immediate access into a system,
grants privileged user access, bypasses a firewall or results in a
Denial of Service (DoS)
- Immediate actions must be taken to remediate
- CAT II – Any vulnerability that provides information that has
a high potential of giving access to an intruder or gives an
unauthorized person the means to circumvent the controls in place
- Actions must be taken within 90 days to remediate
- CAT III – Any vulnerability that provides information that
could potentially lead to a compromise or unauthorized access
- Actions must be taken within 180 days to remediate
- CAT IV – All other possibilities that contribute to degraded
- Actions must be taken within one year to remediate
- The SecureState team also leverages the use of the DIACAP
scorecard, which is a summary of the results to convey the
security posture in a transmittable electronic format.
Phase 3 - Certify & Accredit:
Once the security controls have been implemented and the testing has been
completed, the IA team works with the Certifying Authority (CA); or the
designed Agent of the Certifying Authority (ACA) so they can make a decision
on Accreditation of the system in question.
The specific activities included are:
- Gathering all final certification documentation
- Finalize the Certification Package
- Present the package to the Accreditation Team
- Facilitate analysis of for Accreditation
- Document any additional risks identified for additional POA&M
Phase 4 – Maintain:
Once a C&A decision has been issued, it is important for organizations to
maintain their current environment as to not slip out of compliance with
DIACAP. The SecureState team assists in the process by:
- Initiating and Updating Lifecycle Implementation Plan for IA
- Maintaining Situational Awareness
- Maintaining IA Posture through re-performance of ST&E activities
from Phase 2
- Providing Incident Response including forensic capabilities used by
multiple federal agencies such as the FBI, NASA, and SEC.
Phase 5 – Decommission:
Upon the end of the system lifecycle, DIACAP and the DOD require that
certain activities be conducted during decommission of the system. The
SecureState team assists in conducting those activities related to the
disposition of the DIACAP registration information and system related data
or objects in GIG supporting IA infrastructure and core enterprise services.
DIACAP C&A Toolkit
A wide variety of test tools are used to ensure that the system under
evaluation meets all of the test objectives. Security tests require a range
of specialized programs that perform network analysis, network vulnerability
detection, and system administration. In some cases, the C&A team has
developed and published custom tools for the IA community.
To verify that the system in question meets system specific security
requirements, the test team conducts independent testing using the test
procedures developed for each system’s specific security requirement. The
test team records the outcome of each test procedure for inclusion in the
As an organization that does not sell security products or tools, the
SecureState team leverages a mix of the best commercial tools available. The
list below is the tools that the SecureState team current uses during C&A
activities for DIACAP.
Security Readiness Review Checklists:
Security Readiness Review Checklists: DoDI 8500.2 mandates compliance
with approved security configuration guidelines produced by the National
Security Agency (NSA) in coordination with the Defense Information Systems
Agency (DISA). Test procedures include running Security Readiness Review
(SRR) checklists and the scripts listed in each STIG applicable to the
system undergoing ST&E. DISA has automated many of the SRR Checklists in the
form of Gold Disk Scan Utilities. The CT&E Security Engineer uses the
automated scripts where appropriate.
Retina Network Vulnerability Scanner:
The Retina Network Vulnerability Scanner is part of the Security
Configuration Compliance Validation Initiative (SCCVI) software suite.
Retina scrutinizes systems for compliance with DoD and applicable policies.
Retina discovers assets and identifies known security vulnerabilities on a
number of different platforms and technologies including servers, databases,
switches, routers and wireless access points. Retina is authorized for use
on the Non-secure Internet Protocol Router Network (NIPRNET) and the Secret
Internet Protocol Router Network (SIPRNET). Additionally, Retina provides
report generation options which become part of the ST&E Report.
DISA Gold Disk:
Gold Disk supports the ability to detect installed products, identify and
remediate applicable vulnerabilities, and generate a file that can be used
for asset registration and uploading findings into DISA’s Vulnerability
Management System (VMS). The Gold Disk software was designed to provide the
capability for the detection, remediation, and reporting of vulnerabilities
on Windows-based systems and applications. The Gold Disk scan and fix engine
relies on Extensible Markup Language (XML) control files to specify the
technical check and fix parameters for each vulnerability.
Wireshark Network Troubleshooter:
The Wireshark network troubleshooter is a network packet sniffer capable
of displaying the encapsulation, protocol fields, data structures, and frame
data for network protocols. Wireshark requires network supported devices and
interfaces to implement the pcap (packet capture) application programming
interface (API). Data can be captured in real-time off the Ethernet wire
from a live network or piped into a file for later review. Advanced capture
filters and programming plugins can be used to trace, stream and reconstruct
data sessions and transmissions from specific systems, ports or protocols.
Wireshark is used to confirm and validate the data entered into the Ports,
Protocols and Services (PP&S) document required for the CT&E test plan.
Additionally, Wireshark can be used to identify traffic that violates the
confidentiality and integrity of data in transit.
Nmap Security Scanner:
The Nmap security scanner is used to discover computers and services on a
dedicated network, or networks that cross perimeter boundaries. Nmap is
capable of discovering local or remote ports listening on devices, passive
services on a network, and protocols in transit or supported by devices.
Additionally, Nmap can be used to determine various details about systems
and network devices such as operating systems, versions, device types,
uptime, firewall configurations, and software product specifications. Nmap
is be used to audit the security and network connections of the devices
within the certification boundary. Specifically, Nmap will identify and
validate all systems to be tested and their open ports, network
communications, and protocols.
Security Technical Implementation Guides:
DoDI 8500.1 requires that “all IA and IA-enabled Information Technology
(IT) products incorporated into DoD information systems shall be configured
in accordance with DoD-approved security configuration guidelines”. The core
mission of Security Technical Implementation Guides (STIGs) is to aide in
securing DoD Networks. The processes and procedures outlined in each STIG,
when applied, decreases the vulnerability of DoD sensitive information.
Custom Developed Exploitation Tools:
During the testing phase, the SecureState team uses a variety of manual
and automated techniques to discover and exploit vulnerabilities on the
specified system. Our experienced Team Members have developed a variety of
tools to increase the efficiency of these tests; by automating many of the
activities associated with a manual penetration test. These tools include
many that are available to the public and have been released at conferences
such as DefCon and ShmooCon.