Our Approach and Methodology
DIACAP Methodology
During the DIACAP C&A process, SecureState applies DIACAP together with
other standards and guidance, including DoDI 8500.2.
DoDI 8500.2
The SecureState team uses the baseline controls outlined in DoDI 8500.2,
as DIACAP requires. The final control set is determined by the mission
assurance category (MAC) and confidentiality level (CL) established during
Phase 1. The 8500.2 framework groups its controls, referred to as IA
controls, into eight subject areas:
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
The DIACAP Lifecycle
Phase 1 - Initiate & Plan:
During this phase, the SecureState team works with the Information System
Owner (ISO) to define the security requirements for the system. The
determining factors in developing the proper IA control set are the Mission
Assurance Category (MAC) Level for the system in question as well as the
confidentiality of the information being passed through the system. The MAC
is determined as defined below:
- MAC I - Systems handling information that is determined to be
vital to the operational readiness or mission effectiveness of deployed
and contingency forces in terms of both content and timeliness. The
consequences of loss of integrity or availability of a MAC I system are
unacceptable and could include the immediate and sustained loss of
mission effectiveness. Mission Assurance Category I systems require the
most stringent protection measures.
- MAC II - Systems handling information that is important to the
support of deployed and contingency forces. The consequences of loss of
integrity are unacceptable. Loss of availability is difficult to deal
with and can only be tolerated for a short time. The consequences could
include delay or degradation in providing important support services or
commodities that may seriously impact mission effectiveness or
operational readiness. Mission Assurance Category II systems require
additional safeguards beyond best practices to ensure assurance.
- MAC III - Systems handling information that is necessary for
the conduct of day-to-day business, but does not materially affect
support to deployed or contingency forces in the short-term. The
consequences of loss of integrity or availability can be tolerated or
overcome without significant impacts on mission effectiveness or
operational readiness. The consequences could include the delay or
degradation of services or commodities enabling routine activities.
Mission Assurance Category III systems require protective measures,
techniques, or procedures generally commensurate with commercial best
practices.
Phase 2 - Implement & Validate:
During this phase, the IA group works with the ISO or Information Systems
Security Officer (ISSO) regarding the requirements and plan developed in
Phase 1. As the plan is executed and the controls and system are
implemented, the system is tested to validate the strength of those
controls.
For the implementation, the SecureState team leverages our Risk
Management team, which combines strong project management capabilities
with tactical implementation experts, to implement the transition plan and
controls developed in the Systems Security Authorization Agreement (SSAA)
efficiently and correctly on the systems that were tested.
For the validation, the IA team has an ST&E group that provides technical
testing, including system audits, vulnerability scanning, and penetration
testing. This group not only uses certified tools but also has its
vulnerability scanning process reviewed and certified annually.
The level of testing and validation needed is determined by the
availability and integrity requirements of the information the system
handles and by the consequences of losing that availability or integrity.
Given those factors, the SecureState team tests appropriately using a
variety of methods, including:
- Documentation Review – Reviews of the policies that are
currently in place.
- Test – Technical testing of the system, including
vulnerability scans, penetration tests, and focused device interrogation
and configuration reviews.
- Observation – A visual test/exam of a policy in operation to
determine its compliance.
- Interviews – Discussions with key system owners and
administrators to determine their day-to-day activities and ensure they
are in compliance with both the requirements and policies in place.
Upon completion of the testing phase, the SecureState team develops a
Plan of Action and Milestones (POA&M) that records the remediation actions
required to mitigate the vulnerabilities discovered. Additionally, all
vulnerabilities are ranked in accordance with the DISA Severity Codes:
- CAT I – Any vulnerability that may result in a total loss of
information or provides an attacker immediate access into a system,
grants privileged user access, bypasses a firewall or results in a
Denial of Service (DoS)
  - Immediate actions must be taken to remediate
- CAT II – Any vulnerability that provides information that has
a high potential of giving access to an intruder or gives an
unauthorized person the means to circumvent the controls in place
  - Actions must be taken within 90 days to remediate
- CAT III – Any vulnerability that provides information that
could potentially lead to a compromise or unauthorized access
  - Actions must be taken within 180 days to remediate
- CAT IV – All other possibilities that contribute to degraded
security
  - Actions must be taken within one year to remediate
The SecureState team also leverages the DIACAP scorecard, a summary of
the results that conveys the security posture in a transmittable
electronic format.
Phase 3 - Certify & Accredit:
Once the security controls have been implemented and the testing has been
completed, the IA team works with the Certifying Authority (CA) or the
designated Agent of the Certifying Authority (ACA) so they can make a
decision on accreditation of the system in question.
The specific activities included are:
- Gathering all final certification documentation
- Finalizing the certification package
- Presenting the package to the accreditation team
- Facilitating analysis for accreditation
- Documenting any additional risks identified for inclusion in the POA&M
Phase 4 – Maintain:
Once a C&A decision has been issued, it is important for organizations to
maintain their current environment so as not to slip out of compliance with
DIACAP. The SecureState team assists in the process by:
- Initiating and updating the Lifecycle Implementation Plan for IA
Controls
- Maintaining situational awareness
- Maintaining IA posture through re-performance of the ST&E activities
from Phase 2
- Providing incident response, including forensic capabilities used by
multiple federal agencies such as the FBI, NASA, and SEC.
Phase 5 – Decommission:
At the end of the system lifecycle, DIACAP and the DoD require that
certain activities be conducted during decommissioning of the system. The
SecureState team assists in conducting those activities related to the
disposition of the DIACAP registration information and system-related data
or objects in GIG-supporting IA infrastructure and core enterprise services.
DIACAP C&A Toolkit
A wide variety of test tools are used to ensure that the system under
evaluation meets all of the test objectives. Security tests require a range
of specialized programs that perform network analysis, network vulnerability
detection, and system administration. In some cases, the C&A team has
developed and published custom tools for the IA community.
To verify that the system in question meets system-specific security
requirements, the test team conducts independent testing using the test
procedures developed for each system-specific security requirement. The
test team records the outcome of each test procedure for inclusion in the
report.
As an organization that does not sell security products or tools, the
SecureState team leverages a mix of the best commercial tools available. The
tools listed below are those the SecureState team currently uses during
DIACAP C&A activities.
Security Readiness Review Checklists:
DoDI 8500.2 mandates compliance
with approved security configuration guidelines produced by the National
Security Agency (NSA) in coordination with the Defense Information Systems
Agency (DISA). Test procedures include running Security Readiness Review
(SRR) checklists and the scripts listed in each STIG applicable to the
system undergoing ST&E. DISA has automated many of the SRR Checklists in the
form of Gold Disk Scan Utilities. The CT&E Security Engineer uses the
automated scripts where appropriate.
Retina Network Vulnerability Scanner:
The Retina Network Vulnerability Scanner is part of the Security
Configuration Compliance Validation Initiative (SCCVI) software suite.
Retina scrutinizes systems for compliance with DoD and applicable policies.
Retina discovers assets and identifies known security vulnerabilities on a
number of different platforms and technologies including servers, databases,
switches, routers and wireless access points. Retina is authorized for use
on the Non-secure Internet Protocol Router Network (NIPRNET) and the Secret
Internet Protocol Router Network (SIPRNET). Additionally, Retina provides
report generation options which become part of the ST&E Report.
DISA Gold Disk:
Gold Disk supports the ability to detect installed products, identify and
remediate applicable vulnerabilities, and generate a file that can be used
for asset registration and uploading findings into DISA’s Vulnerability
Management System (VMS). The Gold Disk software was designed to provide the
capability for the detection, remediation, and reporting of vulnerabilities
on Windows-based systems and applications. The Gold Disk scan and fix engine
relies on Extensible Markup Language (XML) control files to specify the
technical check and fix parameters for each vulnerability.
Wireshark Network Troubleshooter:
The Wireshark network troubleshooter is a network packet sniffer capable
of displaying the encapsulation, protocol fields, data structures, and frame
data for network protocols. Wireshark requires that the network devices and
interfaces it captures from support the pcap (packet capture) application
programming interface (API). Data can be captured in real time from a live
network or saved to a file for later review. Advanced capture filters and
programming plugins can be used to trace, stream and reconstruct data
sessions and transmissions from specific systems, ports or protocols.
Wireshark is used to confirm and validate the data entered into the Ports,
Protocols and Services (PP&S) document required for the CT&E test plan.
Additionally, Wireshark can be used to identify traffic that violates the
confidentiality and integrity of data in transit.
Nmap Security Scanner:
The Nmap security scanner is used to discover computers and services on a
dedicated network, or networks that cross perimeter boundaries. Nmap is
capable of discovering local or remote ports listening on devices, passive
services on a network, and protocols in transit or supported by devices.
Additionally, Nmap can be used to determine various details about systems
and network devices such as operating systems, versions, device types,
uptime, firewall configurations, and software product specifications. Nmap
is used to audit the security and network connections of the devices
within the certification boundary. Specifically, Nmap identifies and
validates all systems to be tested, along with their open ports, network
communications, and protocols.
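The Wireshark and Nmap passages above both describe checking what is actually listening or on the wire against the Ports, Protocols and Services (PP&S) document. As an added example (not SecureState's tooling), the following Python script parses Nmap's XML output, compares each open port against a PP&S register, and flags both listeners missing from the register and registered services that carry data in the clear; the sample scan, the register and the cleartext-service list are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output for two hosts inside the certification boundary.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports></host>
</nmaprun>"""

# Constructed PP&S register: (host, protocol, port) entries approved for this system.
PPS_REGISTER = {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 443), ("10.0.0.6", "tcp", 80)}

# Services that move data in the clear (hypothetical list); a registered listener
# running one of these is still a confidentiality-in-transit finding.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}

def parse_open_ports(xml_text):
    """Return [(host, protocol, port, service)] for every open port in the Nmap XML."""
    listeners = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not listeners
            svc = port.find("service")
            listeners.append((addr, port.get("protocol"), int(port.get("portid")),
                              svc.get("name") if svc is not None else ""))
    return listeners

def validate_pps(listeners, register):
    """Split listeners into those absent from the PP&S register and registered cleartext ones."""
    unregistered = [l for l in listeners if l[:3] not in register]
    cleartext = [l for l in listeners if l[:3] in register and l[3] in CLEARTEXT_SERVICES]
    return unregistered, cleartext

if __name__ == "__main__":
    unreg, clear = validate_pps(parse_open_ports(SAMPLE_NMAP_XML), PPS_REGISTER)
    for label, items in (("NOT IN PP&S", unreg), ("CLEARTEXT", clear)):
        for h, proto, p, svc in items:
            print(f"{label}: {h} {proto}/{p} ({svc})")
```

Each flagged line is a candidate POA&M entry: the unregistered listener needs either a PP&S update or removal, and the cleartext service needs an encrypted replacement or a documented risk acceptance.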
Security Technical Implementation Guides:
DoDI 8500.1 requires that “all IA and IA-enabled Information Technology
(IT) products incorporated into DoD information systems shall be configured
in accordance with DoD-approved security configuration guidelines”. The core
mission of Security Technical Implementation Guides (STIGs) is to aid in
securing DoD networks. The processes and procedures outlined in each STIG,
when applied, decrease the vulnerability of DoD sensitive information.
Custom Developed Exploitation Tools:
During the testing phase, the SecureState team uses a variety of manual
and automated techniques to discover and exploit vulnerabilities on the
specified system. Our experienced team members have developed a variety of
tools to increase the efficiency of these tests by automating many of the
activities associated with a manual penetration test. These tools include
many that are available to the public and have been released at conferences
such as DefCon and ShmooCon.