Welcome To DITSCAP.US - The Definitive Site For DITSCAP Information
What is DITSCAP?
The DoD Information Technology Security Certification
and Accreditation Process

Department of Defense - INSTRUCTION DOCUMENT
December 30, 1997 - NUMBER 5200.40 - ASD(C3I)
Revised August 07, 2002
Reformatted


DITSCAP COMPONENTS OVERVIEW

 

E8.1. The DITSCAP components

The DITSCAP components are composed of phases, activities, tasks, and steps. There are four phases: Definition, Verification, Validation, and Post Accreditation. Each phase is composed of activities that are in turn composed of tasks. Each certification analysis task is composed of one or more steps as determined by the level of certification analysis required.

E8.2. Table 8-1 shows the relationship of the phases, activities and tasks.

Table 8-1. Relationship of Phases, Activities, and Tasks.

Phase 1, Definition.
  Activity: Document mission need.
    Task: Determine and document mission functions.
  Activity: Conduct registration.
    Task: Register the system - inform the DAA and the user representative that a system will require C&A support.
    Task: Prepare mission description and system identification.
    Task: Prepare environment and threat description.
    Task: Prepare system architecture description.
    Task: Determine the ITSEC class.
    Task: Determine the system security requirements.
    Task: Identify organizations that will support the C&A.
    Task: Tailor the DITSCAP tasks, determine the C&A scope, level-of-effort, and prepare the DITSCAP plan.
    Task: Develop the draft SSAA.
  Activity: Perform negotiation.
    Task: Review the draft SSAA.
    Task: Conduct the CRR.
    Task: Approve the SSAA.
  Activity: Prepare the SSAA.

Phase 2, Verification.
  Activity: Refine the SSAA.
  Activity: Support system development activities.
  Activity: Perform certification analysis.
    Task: System architecture analysis.
    Task: Software design analysis.
    Task: Network connection rule compliance analysis.
    Task: Integrity of integrated products analysis.
    Task: Life-cycle management analysis.
    Task: Vulnerability assessment analysis.
  Activity: Assess analysis results against SSAA requirements.

Phase 3, Validation.
  Activity: Refine the SSAA.
  Activity: Certification evaluation of the integrated system.
    Task: ST&E.
    Task: Penetration testing.
    Task: TEMPEST and red-black verification.
    Task: Validation of COMSEC compliance.
    Task: System management analysis.
    Task: Contingency plan evaluation.
    Task: Risk-based management review.
  Activity: Develop recommendation to the DAA.
    Task: CA's recommendation.
  Activity: DAA accreditation.

Phase 4, Post Accreditation.
  Activity: Maintenance of the SSAA.
    Task: Review the SSAA.
    Task: Obtain approval of changes.
    Task: Document changes.
  Activity: System operation.
    Task: System maintenance.
    Task: System security management.
    Task: Contingency planning.
  Activity: Change management.
    Task: Support system configuration management.
    Task: Risk-based management review.
  Activity: Compliance validation.
    Task: Review the SSAA.
    Task: Physical security analysis.
    Task: Procedural analysis.
    Task: Risk-based management review.

Please feel free to contact us at
 
ditscap @ regulatorypro . us *

(spammers beware)

Last Updated: Thursday October 04, 2007

Website Design By WebFossil

Copyright © 2000-2007
DITSCAP.us & DITSCAP-US are Trademarks
All Rights Reserved Worldwide & Webwide

* Sorry about the spaces in our email addresses - this is done to prevent SPAM harvesting - copy and paste then remove the spaces.