Tag Archives: DIACAP


Job position for DIACAP Compliance Engineer at Tarrytown, NY

Role: DIACAP Compliance Engineer
Location: Tarrytown, NY
Duration: 6+ months

Keywords: STIG, TFS, DevOps, Windows Imaging WIX, MSI, PowerShell, Anti-Virus, Whitelisting

Job Description:
Background
The Source Code Management (SCM) & DevOps team (Infrastructure Team) manages the entire continuous integration and continuous development chain of a global engineering conglomerate.
The application is developed using Microsoft technology (C#, C++, WPF, MVVM and custom controls) on the Windows 7 platform. The backbone of the entire SCM is Microsoft TFS, while the packaging strategy uses MSI and WiX. The current build management is driven by customized XAML with PowerShell. The plan is now to move to vNext, which provides flexibility as an orchestrator and allows better reporting, triggering and logging.
The goal of this team is to make the entire infrastructure compliant with the DIACAP (DoD Information Assurance Certification and Accreditation) process.

Expectations – The team is looking for engineers who can augment the current team and support the following tasks.
This means the identified engineer needs hands-on experience with the DIACAP process (not just knowledge of it), including how an existing system can be transformed into a DIACAP-compliant system.
• Experience with the Security Technical Implementation Guide (STIG) that provides security guidance for .NET deployments on workstations or servers and focuses on the secure configuration of the .NET Common Language Runtime (CLR).
• Identify loopholes and open items in the IIS 7.0 web server so that IIS 7.0 becomes STIG compliant, i.e. request handling and filtering are done in a controlled manner and encryption is applied to protocols and data exchange for HTTP, FTP or telnet, among other such tasks.
• Ensure the basic requirements of the McAfee VirusScan 8.8 Managed Client STIG, which strongly recommends that antivirus monitoring runs 24x7, that the antivirus services cannot be stopped, and that updated antivirus signature files are available almost every day.
• Ensure security settings are enabled in the Microsoft Internet Explorer 11 client used on Windows 7 workstations, such as script execution restrictions, pop-up restrictions as needed, and blocking of unsigned ActiveX controls.
• Experience interpreting the results of periodic STIG scans.
• Experience adding checks and controls to the build management system so that automated scans ensure STIG compliance.

Soft Skills
• Good team player
• Good written and verbal communication skills
• Customer-facing experience would be an added advantage

www.enterprisesolutioninc.com Pradyut Bhattacharya
Enterprise Solution Inc.
500 E. Diehl Road, Suite 130, Naperville, IL 60563
Office: # 630-214-9485

DIACAP vs DoD RMF for IT vs NIST RMF

There are differences between the old DIACAP (being phased out), DoD RMF for IT and NIST RMF. What is “DIACAP”? It stands for Department of Defense Information Assurance Certification & Accreditation Process, and it is based on the old DoDI 8510.01 and DoD 8500 documents. The process was designed to make absolutely sure that federal systems have security controls in place.

With the constant, exponential evolution of information technology, this process has had to change to keep up with the times. DIACAP is being replaced with the DoD Risk Management Framework for Information Technology (DoD RMF for IT). This process is more granular and more detailed, is performed more frequently, and covers many new technologies that were not covered by DIACAP. DoD RMF for IT is fundamentally based on NIST SP 800-37, Risk Management Framework.


PCI DSS, an example of an information system security framework

Information Security Framework aka System Compliance

What are Cyber Security Standards?
These are rules put in place to protect every aspect of an information system.

Also known as information system security standards, information security framework, security system compliance, information system compliance, or risk management framework. There are also many types that specialize in different functions of a given industry. For example, the medical industry has a standard for protecting patient information called HIPAA, which is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. And there is a standard for protecting point-of-sale and merchant systems called PCI. There are many others, but the mission is the same: to protect the confidentiality, availability and integrity of important data.

DIACAP transition to RMF for DoD IT slides

Intro: 

  • DoDI 8510.01, DoD Information Assurance Certification & Accreditation (DIACAP) is being replaced/modified
  • DoD 8510, Risk Management Framework For DoD IT (The RMF)
    • NEW 8500 based on NIST SP 800 series

DIACAP to the RMF Authority

  • Teri M. Takai, DoD CIO (former ASD(NII)), is the authority behind the transition from DIACAP to The RMF
  • “The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.” —DON CIO

Future of DIACAP

  • DIACAP KS “C&A Transformation” pages that introduce some of the coming changes
  • DIACAP has “Risk Management Framework Transformation Initiative” underway
  • Provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253
  • Introduces changes being made to DoDD 8500.01, DoDI 8500.2, and DoDI 8510.01

http://youtu.be/7BC7tgCBtyo

RMF Knowledge Service (RMFKS)

The DoD CIO gave an overview of the Risk Management Framework (RMF) transition. The Risk Management Framework Knowledge Service (RMFKS) is the central repository for DoD RMF for IT. The site is accessible as long as you have a Common Access Card (CAC) or an ECA certificate. The link is below, but some of the links on the site are still under construction.

Information Assurance

The former site for certification & accreditation / risk management was the DIACAP Knowledge Service (https://diacap.iaportal.navy.mil/).

dod 8570 chart


The DoD 8570 chart provides guidance for government agencies (mainly in defense) on categorizing personnel who perform Information Assurance (IA) functions and identifying the certifications they require.

The Defense Information Assurance workforce is broken up by category, specialty, level, and function for better protection of the confidentiality, integrity and availability of DoD information, information systems, and networks.

Information Assurance Profiles DoD 8570:

dod 8570 chart – http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
IA Management Level I: IAM Level I personnel are responsible for the implementation and operation of an Information System (IS) within their computing environment (CE). Personnel ensure that IA-related IS are functional and secure within the CE.
IA Management Level II: IAM Level II personnel are responsible for the IA program of an IS within the network environment (NE). Personnel in these positions perform a variety of security-related tasks, including the development and implementation of system information security standards and procedures. They ensure that IS are functional and secure within the NE.
IA Management Level III: IAM Level III personnel are responsible for ensuring that all enclave IS are functional and secure. They determine the enclaves’ long-term IA systems needs and acquisition requirements to accomplish operational objectives. They also develop and implement information security standards and procedures through the certification and accreditation process.
IA Technical Level I: IAT Level I personnel make the CE less vulnerable by correcting flaws and implementing IAT controls in the hardware or software installed within their operational systems.
IA Technical Level II: IAT Level II personnel provide network environment (NE) and advanced-level CE support. They pay special attention to intrusion detection, finding and fixing unprotected vulnerabilities, and ensuring that remote access points are well secured. These positions focus on threats and vulnerabilities and improve the security of systems. IAT Level II personnel have mastery of the functions of the IAT Level I position.
IA Technical Level III: IAT Level III personnel focus on the enclave environment and support, monitor, test, and troubleshoot hardware and software IA problems pertaining to the CE, NE, and enclave environments. IAT Level III personnel have mastery of the functions of both the IAT Level I and Level II positions.
CND-SP Analyst (CND-A): CND-A personnel use data collected from a variety of CND tools (including intrusion detection system alerts, firewall and network traffic logs, and host system logs) to analyze events that occur within their environment.
CND-SP Infrastructure Support (CND-IS): CND-IS personnel test, implement, deploy, maintain, and administer the infrastructure systems required to effectively manage the CND-SP network and resources. This may include, but is not limited to, routers, firewalls, intrusion detection/prevention systems, and other CND tools as deployed within the NE or enclave.
CND-SP Incident Responder (CND-IR): CND-IR personnel investigate and analyze all response activities related to cyber incidents within the NE or enclave. These tasks include, but are not limited to: creating and maintaining incident tracking information; planning, coordinating, and directing recovery activities; and incident analysis tasks, including examining all available information and supporting evidence or artifacts related to an incident or event.
CND-SP Auditor (CND-AU): CND-AU personnel perform assessments of systems and networks within the NE or enclave and identify where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance audits) and active evaluations (penetration tests and/or vulnerability assessments).
CND-SP Manager (CND-SPM): CND-SPMs oversee the CND-SP operations within their organization. CND-SPMs are responsible for producing guidance for their NE or enclave, assisting with risk assessments and risk management for organizations within their NE or enclave, and managing the technical classifications within their organization.
IASAE I: Applies knowledge of IA policy, procedures, and structure to design, develop, and implement CE system(s), system components, or system architectures.
IASAE II: Applies knowledge of IA policy, procedures, and workforce structure to design, develop, and implement a secure NE.
IASAE III: Responsible for the design, development, implementation, and/or integration of a DoD IA architecture, system or system component for use within CE, NE, and enclave environments.
General User: A user who is granted use of Government Information Systems (IS) and access to Government networks. This is not an IA position.
Power User: Personnel with limited administrative privileges to their PC only. This is not an IA position.

The DoD 8570 chart is being replaced soon by DoDD 8140, Cyberspace Workforce, which will have 7 high-level categories under a National Initiative for Cybersecurity Education framework:

Security Provision, Maintain and Operate, Protect & Defend, Analyze, Operate & Collect, Oversight & Development, and Investigate.

These categories are broken down further into a total of 31 tasks. It was supposed to be released in 2013, but there is no telling when it will actually come out.