DIACAP 101

Phase 1.0 Initiate / Plan is a series of tasks whose purpose is to create the System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP). These activities equip the DIACAP Team and selected Stakeholders with accurate information about the system so that they can conduct verification and validation of its security controls.
 
Phase 2.0 Implement / Validate has four (4) distinct objectives:
  • Finalize and Execute the DIP
  • Produce a Security Assessment Report (SAR) to brief the Designated Accrediting Authority (DAA) and Stakeholders
  • Develop / Update the Plan of Action & Milestones (POA&M)
  • Draft the DIACAP Scorecard for the DIACAP Package
Phase 3.0 Certification & Accreditation (C&A) Decision is the last activity in completing the DIACAP Package. The DAA issues an accreditation decision letter for the system based on the Security Assessment Report (SAR).
 
Phase 4.0 Maintain Authority to Operate (ATO) involves continuous monitoring of the security controls and re-accreditation every three (3) years or upon a significant change to the system.
 
Phase 5.0 Decommission covers the retirement of the Major Application or General Support System.
 
The DIACAP Lifecycle Methodology applies Industry and Government Best Practices in Phases 1.0, 2.0 & 3.0 to reduce complexity and improve development of the DIACAP Package, which consists of:
  • System Identification Profile (SIP)
  • DIACAP Implementation Plan (DIP)
  • DIACAP Scorecard
  • IT Security Plan of Action & Milestones (POA&M)
  • Accreditation Decision Letter
Primary Uses of the DIACAP Lifecycle Methodology:
  • Developing a Project Management Schedule
  • Educating the DIACAP Team and Stakeholders on the Phases
  • Developing DIACAP Policy
  • Developing Guidelines and Standards for Certification & Accreditation (C&A) of Major Applications and General Support Systems

Copyright 2009 by JD Biggs & Associates Inc.