Solved

HomeWork-Network Security using C & A and DIACAP

Posted on 2011-03-21
658 Views
Last Modified: 2012-05-11
Hello:
I am interested in learning what the C&A versus DIACAP criteria are when evaluating a system. Please refer to the question below.

Question:
Assume you are doing the Certification & Accreditation (C&A) on a Department of Defense system. Which “activity” (if any) of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) do the following tasks fit into? Explain briefly.
a. Risk analysis for possible leaks of Secret data to outsiders (e.g., Wikileaks)
b. Assessment of the security of a crypto-token for system access
c. Physical security of the installation site
d. Software security testing processes for commercial software
e. Security assessment of software upgrades & patches
Question by: Sundayy
4 Comments
Expert Comment

by:Justin Owens
ID: 35182672
It's not an issue of C&A "versus" DIACAP.  DIACAP is one of the many certifications of networthiness which the DoD uses to ensure compliance on their networks.  Remember that DoD networks are segmented into two different entities, one for classified information and one for general communications.  The DIACAP scans on each network look for different issues.  The question doesn't state whether it is a secured or non-secured network scan.  My assumption would be non-secure.  If that is the case, it would be B through E because Secret (a classification) cannot exist on a non-secure network.  If it does, ALL devices on that network must be scrubbed.

If you gave a little more information on what it is you are trying to learn, rather than just asking a test question, I might be able to better explain or clarify.

DrUltima
Author Comment

by:Sundayy
ID: 35194139
Hi:

I'm a Cyber Security grad student (Polytechnic Institute of NYU) and I am taking an online class on Information Security Management. The first two questions for this week dealt with the topic of Legal Requirements & Regulatory Compliance. We are to review what information security laws and ethics are, and to see a general view of how laws impact the design of information security.

The next set of questions (this one) covers Assurance, Certification and Accreditation, and the Security Architecture of DoD Classified Systems. We are to understand the general principles of evaluation and assurance of products with security-related functions, and the role of these in system development.

That said, are there any links to good reference sites which will provide me with this information overall?

Any help you can provide will be appreciated.

Thank You

Accepted Solution

by: Justin Owens (earned 2000 total points)
ID: 35195739
A DIACAP scan checks for STIG compliance.  Remember that if all STIGs are applied, you basically are left with a server good for use as a boat anchor.  Once the DIACAP scan is completed, each site then has to certify that each variance (divided into three STIG classes: A, B, and C) has a waiver.  If not, it must be mitigated.

DIACAP's official site is http://iase.disa.mil/diacap/

STIG's official site is http://iase.disa.mil/stigs/

DrUltima
Author Closing Comment

by:Sundayy
ID: 35196385
Thank you for the information.