
US Department of Defense Information Assurance: Achieving Successful DITSCAP with eZ publish as a Platform

Sunday 19 November 2006 8:23:00 am


There are four phases to the DITSCAP process: Definition, Verification, Validation and Post-Accreditation. Within each phase, there are a number of activities and associated tasks and deliverables that must be completed and validated prior to advancing to the next phase. See the following diagram for an overview of the phases.

Phase I - Definition: In the Definition phase, three main activities are completed: preparation, registration, and negotiation. There are multiple tasks that must be completed to support each of these activities. The deliverable of the Definition phase is a preliminary System Security Authorization Agreement (SSAA).

The SSAA document is crucial to the DITSCAP. It defines all system specifications including the system mission, target environment, target architecture, security requirements and applicable access policies. The SSAA also describes the applicable planning and certification actions, resources and documentation required to support the certification and accreditation. In essence, the SSAA is the vehicle that guides the implementation of information security. The SSAA is updated and revised during each of the four phases.

Phase II - Verification: The Verification phase involves activities and tasks that verify the compliance of the evolving system with the agreed-upon security requirements negotiated in Phase I. In addition, recommendations for changes to the system are tendered. The resulting deliverable is a refined SSAA.

Phase III - Validation: During the Validation phase, the SSAA is reviewed and the fully integrated system is validated for compliance with the security requirements. Vulnerability assessments and penetration tests are performed against the integrated system to identify residual vulnerabilities and the risk they pose. The resulting deliverable is a certification package containing the final SSAA.

Upon review of the certification package, the Designated Approving Authority (DAA) gives the system one of three designations:

  • Approval to Operate (ATO) - (full accreditation)
  • Interim Approval to Operate (IATO) - (three months allowed to achieve full accreditation)
  • Withhold Accreditation

Phase IV - Post-Accreditation: The Post-Accreditation phase includes activities that continue to monitor and manage the system so it will maintain an acceptable level of risk. In this phase, ongoing maintenance of the SSAA, system operations, security operations, configuration management and compliance validation occur.

See the following diagram for more information on the activities, tasks and deliverables in each phase.
