JDBiggs & Associates created the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Life-cycle Methodology using Department of Defense Instructions (DODI) 8510.01 and 8500.2. This methodology is our strategy to complete the assessment and authorization activities on systems for DoD Components and/or Commercial organizations required to comply with DIACAP. The phases in this methodology contain detailed activities that must be performed by qualified members of the DIACAP Team.
In addition, the DIACAP Methodology defines the system owner responsibilities for creating the System Identification Profile (SIP), conducting the initial security control assessment, monthly vulnerability assessments, quarterly integrity scans, annual penetration testing and recovery exercises.
Phase 1.0 Initiate / Plan has a series of tasks for the purpose of creating the System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP). These activities are designed to prepare the DIACAP Team and selected Stakeholders with accurate information about the system so that they can conduct verification and validation of security controls.
Phase 2.0 Implement / Validate has four (4) distinct objectives:
When conducting the technical control assessment using automated tools, our team applies:
The Phase 3.0 Assessment & Authorization (A&A) decision is the last activity in completing the DIACAP Package. The DAA issues an accreditation letter on the system based on the Security Assessment Report (SAR).
Phase 4.0 Maintain Authority to Operate (ATO) involves the continuous monitoring of security controls and Re-Accreditation every three (3) years or upon Significant Change.
Phase 5.0 Decommission covers the retirement of the Major Application or General Support System.
The DIACAP Life-cycle Methodology applies Industry and Government Best Practices in Phases 1.0, 2.0 & 3.0 to reduce complexity and improve development of the DIACAP Package:
Primary Uses of DIACAP Life-cycle Methodology: