HomeWork-Network Security using C & A and DIACAP

Hello:
I am interested in learning what the C&A versus DIACAP criteria are when evaluating a system. Please refer to the question below.

Question:
Assume you are doing the Certification & Accreditation (C&A) on a Department of Defense system. Which “activity” (if any) of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) do the following tasks fit into? Explain briefly.
a. Risk analysis for possible leaks of Secret data to outsiders (e.g., Wikileaks)
b. Assessment of the security of a crypto-token for system access
c. Physical security of the installation site
d. Software security testing processes for commercial software
e. Security assessment of software upgrades and patches
Asked by: Sundayy

1 Solution

Justin Owens (ITIL Problem Manager) commented:
It's not an issue of C&A "versus" DIACAP.  DIACAP is one of the many certifications of networthiness which the DoD uses to ensure compliance on their networks.  Remember that DoD networks are segmented into two different entities, one for classified information and one for general communications.  The DIACAP scans on each network look for different issues.  The question doesn't state whether it is a secured or non-secured network scan.  My assumption would be non-secure.  If that is the case, it would be B through E, because Secret (a classification) cannot exist on a non-secure network.  If it does, ALL devices on that network must be scrubbed.

If you gave a little more information on what it is you are trying to learn, rather than just asking a test question, I might be able to better explain or clarify.

DrUltima

Sundayy (Author) commented:
Hi:

I'm a Cyber Security grad student (Polytechnic Institute of NYU) and I am taking an online class on Information Security Management. The first two questions for this week dealt with the topic of Legal Requirements & Regulatory Compliance. We are to review what information security laws and ethics are, and to see a general view of how laws impact the design of information security.

The next set of questions (this one) covers Assurance, Certification and Accreditation, and the Security Architecture of DoD Classified Systems. We are to understand the general principles of evaluation and assurance of products with security-related functions, and the role of these in system development.

That said, are there any links to good reference sites which will provide me with this information overall?

Any help you can provide will be appreciated.

Thank You

Justin Owens (ITIL Problem Manager) commented:
A DIACAP scan checks for STIG compliance.  Remember that if all STIGs are applied, you basically are left with a server good for use as a boat anchor.  Once the DIACAP scan is completed, each site then has to certify each variance (divided into three STIG classes A, B, and C) has a Waiver.  If not it must be mitigated.

DIACAP's official site is http://iase.disa.mil/diacap/

STIG's official site is http://iase.disa.mil/stigs/

DrUltima
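The comment above describes the shape of the process rather than any tooling: a scan compares each host against a STIG baseline, every deviation is a finding rated by severity (STIGs use CAT I, II and III, highest to lowest), and each finding is either mitigated or covered by an approved waiver before accreditation. The script below is an added illustration of that workflow and is not code from the thread or from DISA. The check IDs, the baseline rules and the sample sshd_config are all constructed for the example; they are not actual STIG identifiers or requirements.

```python
"""Illustrative STIG-style configuration audit with waiver tracking.

Added example, not part of the original thread. The check IDs (EX-SSH-*),
the baseline rules and the sample sshd_config are constructed; they are
not real DISA STIG identifiers or requirements.
"""
import re

# Constructed sample of an sshd_config as it might be collected from a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
Banner none
"""

# Hypothetical baseline: (check_id, severity, directive, required value).
# Severity follows the STIG convention of CAT I (highest) to CAT III (lowest).
BASELINE = [
    ("EX-SSH-001", "CAT I",   "Protocol",               "2"),
    ("EX-SSH-002", "CAT I",   "PermitRootLogin",        "no"),
    ("EX-SSH-003", "CAT II",  "PasswordAuthentication", "no"),
    ("EX-SSH-004", "CAT II",  "X11Forwarding",          "no"),
    ("EX-SSH-005", "CAT III", "Banner",                 "/etc/issue"),
]


def parse_sshd_config(text):
    """Return {directive(lowercase): value}, skipping comments and blanks.

    sshd honours the first occurrence of a directive, so a later duplicate
    must not override an earlier one; setdefault() preserves that rule.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit(config_text, baseline=BASELINE, waivers=None):
    """Compare a config against the baseline.

    waivers maps check_id -> justification for findings that have an
    approved waiver. Each finding gets a status of 'pass', 'waived' or 'open';
    an open finding is one that still has to be mitigated.
    """
    waivers = waivers or {}
    settings = parse_sshd_config(config_text)
    findings = []
    for check_id, severity, directive, expected in baseline:
        actual = settings.get(directive.lower())
        if actual is not None and actual.lower() == expected.lower():
            status = "pass"
        elif check_id in waivers:
            status = "waived"
        else:
            status = "open"
        findings.append({
            "id": check_id, "severity": severity, "directive": directive,
            "expected": expected, "actual": actual, "status": status,
            "waiver": waivers.get(check_id),
        })
    return findings


def summarize(findings):
    """Count open (unwaived, unmitigated) findings per severity category."""
    open_by_severity = {}
    for f in findings:
        if f["status"] == "open":
            open_by_severity[f["severity"]] = open_by_severity.get(f["severity"], 0) + 1
    return open_by_severity


if __name__ == "__main__":
    # Constructed waiver: the site delivers the banner through PAM instead.
    waivers = {"EX-SSH-005": "Banner presented by PAM (constructed waiver)"}
    results = audit(SAMPLE_SSHD_CONFIG, waivers=waivers)
    for f in results:
        print(f"{f['id']} {f['severity']:7} {f['directive']:23} "
              f"expected={f['expected']!r} actual={f['actual']!r} -> {f['status']}")
    print("open findings by severity:", summarize(results))
```

Run against the sample, the two `yes` settings come back as open CAT I and CAT II findings, the banner deviation is recorded as waived, and the summary shows what still has to be mitigated before the package can be accepted.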

Sundayy (Author) commented:
Thank you for the information.