SUBJECT: DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
1. PURPOSE
This Instruction:
- 1.1. Implements policy, assigns responsibilities, and prescribes procedures under reference (a) for Certification and Accreditation (C&A) of information technology (IT), including automated information systems, networks, and sites in the Department of Defense.
- 1.2. Creates the DoD IT Security Certification and Accreditation Process (DITSCAP) for security C&A of unclassified and classified IT to implement references (a) through (d).
- 1.3. Stresses the importance of a life-cycle management approach to the C&A and reaccreditation of DoD IT.
2. APPLICABILITY AND SCOPE
This Instruction:
- 2.1. Applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (IG, DoD), the Defense Agencies, and the DoD Field Activities (hereafter referred to collectively as "the DoD Components"), their contractors, and agents.
- 2.2. Shall be used by milestone decision authorities when acquiring IT.
- 2.3. Shall apply to the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information. It applies to any IT or information system life cycle, including the development of new IT systems, the incorporation of IT systems into an infrastructure, the incorporation of IT systems outside the infrastructure, the development of prototype IT systems, the reconfiguration or upgrade of existing systems, and legacy systems.
3. DEFINITIONS
Terms used in this Instruction are defined in enclosure 2.
4. POLICY
This Instruction implements the policies defined in DoD Directive 5200.28, Pub. L. 100-235 (1987), OMB Circular A-130, DCID 1/16, and DoD Directive 5220.22 (references (a) through (e)).
5. RESPONSIBILITIES
- 5.1. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence shall:
  - 5.1.1. Oversee and review implementation of this Instruction.
  - 5.1.2. Review, oversee, and formulate overall policies that govern DoD security practices and programs to implement the DITSCAP as the standard DoD process for conducting IT C&A.
  - 5.1.3. Promulgate standards, establish support and training, and manage the transition to the DITSCAP.
  - 5.1.4. Conduct an annual assessment and/or review of the DITSCAP and consider proposed changes.
  - 5.1.5. Ensure that each designated approving authority (DAA) implements and maintains the DITSCAP for security C&A of DoD Component and DoD contractor IT and networks under their jurisdiction.
- 5.2. The OSD Principal Staff Assistants and the Chairman of the Joint Chiefs of Staff, in respective areas of responsibility, shall ensure DoD Component compliance with the DITSCAP.
- 5.3. The Director, Defense Information Systems Agency shall:
  - 5.3.1. Maintain DITSCAP procedural information in support of security C&A of DoD Component and DoD contractor IT systems and networks.
  - 5.3.2. In coordination with the National Security Agency (NSA), implement, operate, and maintain an on-line information assurance support environment (IASE).
  - 5.3.3. In coordination with NSA, provide assistance such as information system security engineering, security solutions, and security guidance to the DoD Components in the use of DITSCAP.
  - 5.3.4. Provide DITSCAP training for the DoD Components.
  - 5.3.5. Support the annual review of the DITSCAP.
- 5.4. The Heads of the DoD Components shall:
  - 5.4.1. Implement the DITSCAP for security C&A of DoD Component and DoD contractor IT systems and networks in accordance with DoD Directive 5200.28, Pub. L. 100-235 (1987), OMB Circular A-130, DCID 1/16, DoD Directive 5220.22, DoD 5220.22-M, DoD 5220.22-M-Sup. and Chairman of the Joint Chiefs of Staff S3231.01 (references (a) through (h)) as applicable.
  - 5.4.2. Provide assistance and support to their respective Service or Agency constituents in the implementation of the DITSCAP.
  - 5.4.3. Assign responsibility to implement the standard C&A process to the DAA responsible for accrediting each IT and network under their jurisdiction.
  - 5.4.4. Support the annual review of the DITSCAP.
6. PROCEDURES
- 6.1. Approach. This Instruction defines the activities leading to security C&A. The activities are grouped together in a logical sequence. This Instruction presents the objectives, activities, and management of the DITSCAP process.
- 6.2. Objective. The objective of the DITSCAP is to establish a DoD standard infrastructure-centric approach that protects and secures the entities comprising the Defense Information Infrastructure (DII). The set of activities presented in the DITSCAP standardizes the C&A process for single IT entities, which leads to more secure system operations and a more secure DII. The process considers the system mission, environment, and architecture while assessing the impact of operation of that system on the DII.
- 6.3. C&A Process. The DITSCAP, enclosures 2 through 8, defines a process that standardizes all activities leading to a successful accreditation. The principal purpose of that process is to protect and secure the entities comprising the DII. Standardizing the process will minimize risks associated with nonstandard security implementations across shared infrastructure and end systems. The IASE has been developed as the mechanism to support the implementation of the DITSCAP activities. The DITSCAP process shall consist of the following four phases:
  - 6.3.1. Phase 1, Definition. The Definition phase shall include activities to document the system mission, environment, and architecture; identify the threat; define the levels of effort; identify the certification authority (CA) and the DAA; and document the necessary security requirements for C&A. Phase 1 shall culminate with a documented agreement between the program manager, the DAA, the CA, and the user representative on the approach and the results of the phase 1 activities.
  - 6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities.
  - 6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall culminate in an approval to operate.
  - 6.3.4. Phase 4, Post Accreditation. The Post Accreditation phase shall include activities to monitor system management and operation to ensure an acceptable level of residual risk is preserved. Security management, change management, and periodic compliance validation reviews are conducted.
- 6.4. Life-Cycle and Tailoring. The DITSCAP process applies to all systems requiring C&A throughout their life-cycle. It is designed to be adaptable to any type of IT system and any computing environment and mission. It may be adapted to include existing system certifications and evaluated products, to use new security technology or programs, and to adjust to the applicable standards. The DITSCAP may be mapped to any system life-cycle process but is independent of the life-cycle strategy. The DITSCAP is designed to adjust to the development, modification, and operational life-cycle phases. Each new C&A effort begins with phase 1, Definition, and ends with phase 4, Post Accreditation, in which follow-up actions ensure that the approved information system or system component continues to operate in its computing environment in accordance with its accreditation. The activities defined in these four phases are mandatory. However, implementation details of these activities may be tailored and, where applicable, integrated with other acquisition activities and documentation. Systems are categorized into a set of system classes to support definition of standard security requirements and procedures, and to facilitate reuse of previous certification evidence.
7. INFORMATION REQUIREMENTS
- 7.1. The Systems Security Authorization Agreement (SSAA) Outline identified at enclosure 6 of this Instruction is exempt from licensing in accordance with paragraph E.4.b. of DoD 8910.1-M (reference (j)). The annual assessment to review and consider proposed changes to the standard C&A process, procedures and tools is exempt from licensing in accordance with paragraph E.4.c. of DoD 8910.1-M (reference (j)).
8. EFFECTIVE DATE
- 8.1. This Instruction is effective immediately.
- 8.2. This Instruction shall be reviewed annually.