Javascript is currently disabled. This site requires Javascript to function correctly. Please enable Javascript in your browser!


JDBiggs & Associates created the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Life-cycle Methodology using Department of Defense Instructions (DODI) 8510.01 and 8500.2.  This methodology is our strategy to complete the assessment and authorization activities on systems for DoD Components and/or Commercial organizations required to comply with DIACAP.  The phases in this methodology contain detailed activities that must be performed by qualified members of the DIACAP Team.  

In addition, the DIACAP Methodology defines the system owner responsibilities for creating the System Identification Profile (SIP), conducting the initial security control assessment, monthly vulnerability assessments, quarterly integrity scans, annual penetration testing and recovery exercises. 

Phase 1.0 Initiate / Plan has a series of tasks for the purpose of creating the System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP). These activities are designed to prepare the DIACAP Team, selected Stakeholders with accurate information about the system to conduct verification and validation of security controls.

Phase 2.0 Implement / Validate has four (4) distinct objectives:

  • Finalize and Execute the DIP
  • Produce a Security Assessment Report (SAR) to brief the DAA and Stakeholders
  • Develop / Update the Plan of Action & Milestone (POA&M)
  • Draft the DIACAP Scorecard for the DIACAP Package

When conducting the technical control assessment using automated tools, our team applies:

  • Database Scanning Tools - AppDetective and Nexpose
  • Web Scanning Tool - Acunetix
  • Operating System Scanning Tool - Nessus

Phase 3.0 Assessment & Authorization (A&A) decision is the last activity in completing the DIACAP Package. The DAA issues an accreditation letter on the system based on the Security Assessment Report (SAR).

Phase 4.0 Maintain Authority to Operate (ATO) involves the continuous monitoring of security controls and Re-Accreditation every three (3) years or Significant Change.

Phase 5.0 Decommission of the Major Application or General Support System.

The DIACAP Life-cycle Methodology applies Industry and Government Best Practices in Phases 1.0, 2.0 & 3.0 to reduce complexity and improve development of the DIACAP Package:

  • System Identification Profile (SIP),
  • DIACAP Implementation Plan (DIP),
  • DIACAP Scorecard,
  • IT Security POA&M
  • Accreditation Decision Letter

Primary Uses of DIACAP Life-cycle Methodology:

  • Developing Project Management Schedule
  • Education DIACAP Team and Stakeholders on Phases
  • Developing DIACAP Policy
  • Developing Guidelines and Standards for producing the Security Authorization Package 
  • Briefing Authorizing Official on the existing risks and mitigation activities for accepting risk and issuing an accreditation decision  
Asset 1