  1. What is Information Assurance (IA)?
  2. What is the goal of IA?
  3. Where does the DoD IA guidance come from?
  4. How are IA controls defined?
  5. What are the primary steps in the IA DIACAP process?
  6. How does Cybernet help the DoD limit their exposure to vulnerabilities and meet Information Assurance requirements?

Q. What is Information Assurance (IA)?
  • The overarching security process of protecting DOD information systems
    • The IA requirement is based on the Federal Information Security Management Act (FISMA) of 1998
    • There are about 2 dozen laws that state IA is required for DOD and Federal information systems
  • The process that is performed on DOD information systems is called Certification and Accreditation (C&A)
  • All computers, whether part of a network or stand-alone, must go through C&A
  • All network gear must go through C&A as well

Q. What is the goal of IA?
  • A secure information system or network
  • Lowering the risk of being hacked or losing data, and managing security risk through the system's life cycle
  • Achieving an Authority to Operate (ATO)
    • The end goal of the DIACAP or any IA process
    • An Interim Authority to Operate (IATO) can be granted if there are minor security risks that still need to be fixed
    • Interim Authority to Test (IATT) – a short period during which a system may be tested
    • Denial to Operate (DTO) – bad, very bad, stuff happens if you get one of these

Q. Where does the DoD IA guidance come from?
  • DOD 8500.1 – direction for IA
  • DOD 8500.2 – IA Controls (i.e. requirements)
  • DOD 8510.01 – DOD Information Assurance Certification and Accreditation Process (DIACAP)
    • This is how 8500.1 and 8500.2 are implemented
  • If you want to “know” IA then these 3 regulations are required reading

Q. How are IA controls defined?
  • The most important part of C&A
  • There are 3 determining factors for which controls must be implemented:
    • Mission Assurance Category (MAC)
      • There are 3 levels; 1 being the most stringent and 3 being the least stringent
    • Confidentiality
      • Classified, Sensitive or Public
      • DOD systems will be either Classified or Sensitive (Public is very rare)
    • Applicability
      • If an IA Control is about wireless and your system does not have wireless, then it is N/A

Q. What are the primary steps in the IA DIACAP process?

There are 5 activities:

  1. Design
    • This activity is usually completed by the System Requirements Review (SRR)
    • Designs the IA controls into the system's architecture
  2. Implementation
    • Building of the system
  3. Test
    • Test that the IA Controls are met (completed during the Test Readiness Review, TRR)
  4. Maintaining
    • Manages the security of the system over its life cycle (usually conducted by CSS or Gov’t people)
  5. Decommissioning
    • Securely decommissions the system so that memory holding sensitive or classified data does not fall into the hands of the bad guys

Q. How does Cybernet help the DoD limit their exposure to vulnerabilities and meet Information Assurance requirements?
  • Removing as many vulnerabilities as possible (e.g. encrypt when appropriate, configure things securely, remove unnecessary functions, eliminate weak passwords, etc.)
  • Layering protections that incrementally limit which users can reach a given vulnerability (defense-in-depth)
  • Automating as many of the IA maintenance requirements as possible (automated vulnerability management, patching, backups, etc.)
  • Achieving an Authority to Operate (ATO) through the formal DoD certification and accreditation (C&A) process.