Solved

HomeWork-Network Security using C & A and DIACAP

Posted on 2011-03-21
4
640 Views
Last Modified: 2012-05-11
Hello:
I am interested in learning what are the C&A versus DIACAP criterias when evaluating a system? Please refer to question below.

Question:
Assume you are doing the Certification & Accreditation (C&A) on a Department of Defense system. Which “activity” (if any) of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) do the following tasks fit into? Explain briefly.
a.Risk analysis for possible leaks of Secret data to outsiders (e. g., Wikileaks)
b.Assessment of the security of a crypto-token for system access
c.Physical Security of the installation site
d.Software security testing processes for commercial software
e.Security assessment of software upgrades & patches
0
Comment
Question by:Sundayy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35182672
It's not an issue of C&A "verses" DIACAP.  DIACAP is one of the many certifications of networthiness which the DoD uses to insure compliance on their networks.  Remember that DoD networks are segmented into two different entities, one for classified information and one for genral communications.  The DIACAP scans on each network look for different issues.  The question doesn't state whether it is secured or non-secured network scan.  My assumption would be non-secure.  If that is the case, it would be B through E because Secret (a Classification) cannot exist on a non-secure network.  If it does, ALL devices on that network must be scrubbed.

If you gave a little more information on what it is you are trying to learn, rather than just asking a test question, I might be able to better explain or clarify.

DrUltima
0
 

Author Comment

by:Sundayy
ID: 35194139
Hi:

I'm a Cyber Security Grad student ( Polytechnic Institute of NYU) and I am taking a online class on Information Security Management. The first two questions for this week dealt with the topic of Legal Requirements & Regulatory Compliance.We are to review what are information security laws and ethics.
To see a general view of how laws impact the design of information security.

The next set of questions covers (this one) deals with Assurance, Certification and Accreditation, and the Security Architecture DoD Classified Systems. We are to understand what are the general principles of evaluation and assurance of products with security related functions, and the role of these in system development.

In saying that is there any links which are good reference sites which will provide me with this information's overall ?

Any help you can provide will be appreciated.

Thank You
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35195739
A DIACAP scan checks for STIG compliance.  Remember that if all STIGs are applied, you basically are left with a server good for use as a boat anchor.  Once the DIACAP scan is completed, each site then has to certify each variance (divided into three STIG classes A, B, and C) has a Waiver.  If not it must be mitigated.

DIACAP's official site is http://iase.disa.mil/diacap/

STIG's official site is http://iase.disa.mil/stigs/

DrUltima
0
 

Author Closing Comment

by:Sundayy
ID: 35196385
Thank You for the infomation.
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question