Solved

HomeWork-Network Security using C & A and DIACAP

Posted on 2011-03-21
625 Views
Last Modified: 2012-05-11
Hello:
I am interested in learning what the C&A versus DIACAP criteria are when evaluating a system. Please refer to the question below.

Question:
Assume you are doing the Certification & Accreditation (C&A) on a Department of Defense system. Which “activity” (if any) of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) do the following tasks fit into? Explain briefly.
a. Risk analysis for possible leaks of Secret data to outsiders (e.g., Wikileaks)
b. Assessment of the security of a crypto-token for system access
c. Physical security of the installation site
d. Software security testing processes for commercial software
e. Security assessment of software upgrades & patches
Question by:Sundayy
4 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35182672
It's not an issue of C&A "versus" DIACAP. DIACAP is one of the many certifications of networthiness which the DoD uses to ensure compliance on their networks. Remember that DoD networks are segmented into two different entities, one for classified information and one for general communications. The DIACAP scans on each network look for different issues. The question doesn't state whether it is a secured or non-secured network scan. My assumption would be non-secure. If that is the case, it would be B through E, because Secret (a classification) cannot exist on a non-secure network. If it does, ALL devices on that network must be scrubbed.

If you gave a little more information on what it is you are trying to learn, rather than just asking a test question, I might be able to better explain or clarify.

DrUltima

Author Comment

by:Sundayy
ID: 35194139
Hi:

I'm a Cyber Security grad student (Polytechnic Institute of NYU) and I am taking an online class on Information Security Management. The first two questions for this week dealt with the topic of Legal Requirements & Regulatory Compliance. We are to review what information security laws and ethics are, and to see a general view of how laws impact the design of information security.

The next set of questions (this one) deals with Assurance, Certification and Accreditation, and the Security Architecture of DoD Classified Systems. We are to understand the general principles of evaluation and assurance of products with security-related functions, and the role of these in system development.

That said, are there any links to good reference sites that will provide me with this information overall?

Any help you can provide will be appreciated.

Thank You
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35195739
A DIACAP scan checks for STIG compliance. Remember that if all STIGs are applied, you are basically left with a server good for use as a boat anchor. Once the DIACAP scan is completed, each site then has to certify that each variance (divided into three STIG classes, A, B, and C) has a waiver. If not, it must be mitigated.

DIACAP's official site is http://iase.disa.mil/diacap/

STIG's official site is http://iase.disa.mil/stigs/

DrUltima

Author Closing Comment

by:Sundayy
ID: 35196385
Thank you for the information.
