DIACAP Compliance, Certification & Accreditation:
Commercial companies awarded contracts for an outsourced IT-based process, an Automated Information System (AIS) application, or an interconnection with DoD networks are required to complete DIACAP certification before selling or transferring data. The same requirement applies to companies responsible for storing, transmitting, or displaying DoD data. Under DoD Instruction 8510.01, DIACAP security responsibilities are normally written into the contract during acquisition. A Service Level Agreement should be requested so that a Mission Assurance Category and Confidentiality Level (MAC/CL) are assigned and the applicable DoD 8500.2 IA controls are identified.
A Certifying Authority (CA) reviewer examines the DIACAP scorecard, the validation report, and the Plan of Action and Milestones (POA&M) to determine whether any vulnerabilities have been identified. If there are none, the CA reviewer may start drafting the certification determination. If vulnerabilities are identified, the CA reviewer analyzes the severity codes that the validator assigned.
If the CA reviewer does not concur with the severity codes assigned by the validator, the CA reviewer annotates the severity codes and documents the justification for the changes. The CA reviewer makes an overall risk assessment by considering all vulnerabilities, severity codes, system architecture, the intended environment, mitigation/corrective actions contained in the POA&M, and any modifications to the severity codes that were made. The overall risk assessment is recorded in the CA detailed assessment and an accreditation recommendation is made (ATO, IATO, IATT, DATO – see definitions below).
Issue CA Certification Determination
The CA reviews the C&A package and the draft certification recommendation. If the CA does not concur with the certification determination, the C&A package is sent back to the certification or validation team for further analysis, or additional justifications are requested. If the CA concurs with the reviewer's recommendations, the CA signs the certification determination document and creates the Executive C&A package, which contains the following documentation:
- System Identification Profile (SIP)
- DIACAP Implementation Plan (DIP)
- DIACAP scorecard
- IT Security Plan Of Action and Milestone (POA&M)
- Certification Testing
- Certification Determination (IATT, ATO, IATO, DATO)
- Other required documentation and justifications
This complete package is then provided to the respective Designated Accrediting Authority (DAA) for the final accreditation decision.
The accreditation decision balances risk to the Global Information Grid (GIG), the operational need to operate, and the cost and time required to put corrective measures in place. Up to this point, most of the focus has been at the system or enclave level; the DAA, however, takes a GIG-wide, enterprise view when issuing an accreditation decision. The accreditation decision is one of the following:
- Authorization To Operate (ATO) – An ATO accreditation decision must specify an authorization termination date (ATD) that is within 3 years of the authorization date.
- Interim Authorization To Operate (IATO) – An IATO accreditation decision is intended to allow the system to operate (usually because of the criticality of the need) while IA weaknesses are managed and corrected. An IATO can be issued for no more than 180 days and may be extended if necessary, but consecutive IATOs may not exceed a total of 360 days.
- Interim Authorization To Test (IATT) – An IATT is a very limited accreditation decision that supports testing using operational data in a test environment or test data in the operational environment. It mandates de-installation at the ATD unless further operation is authorized by the DAA.
- Denial of Authorization To Operate (DATO) – A DATO accreditation decision mandates the removal of a system either permanently or until the risk