Adapt Or Be Left Behind: The Changing World of Compliance within the United States Department of Defense
BY: SETH COWAND AND ROB AYOUB
We are familiar with the 'big boys' on the compliance block: the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX). But if you work in the defense sector, there is a 'new kid on the block': the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP). What is DIACAP? Why does the DoD need a new paradigm for its compliance policies? What does it mean to me?
DIACAP is the next generation of Certification and Accreditation (C&A) policy within the United States DoD. The evolution of the DoD's global mission and of public IT security policy over the last 10 years has reshaped the defense compliance industry and produced this new standard. This article gives a brief history and description of the DIACAP standard. We will discuss DITSCAP, DIACAP's predecessor, and show the paradigm shift from Information Technology Security to Information Assurance and how DIACAP addresses that shift.
DIACAP's Predecessor: DITSCAP—A System-Centric Approach to IT Compliance
Since 1997, the DoD has operated under the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), which also shaped the way the DoD conducts compliance validation. DITSCAP focused on risk management for individual DoD information systems and was designed around a three-year certification life cycle. Under the DITSCAP paradigm, C&A took a narrow view of what "certified" meant: a system could be certified without being truly secure. The local Designated Approving Authority (DAA) had the authority to 'accept the risk' of any vulnerability, so an insecure system could still be accredited.