Assessment - DITSCAP/DIACAP/RMF


Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Welcome back to the Cybrary ISSEP course. I'm your instructor, Brad Rhodes. We need to pause here for just a second. We're still in the implementation/assessment phase of the system development life cycle. We're going to talk specifically about three processes that you should know: two that are dead, and one that you really ought to have some good familiarity with as an SE and for the ISSEP exam. We're going to talk about DITSCAP and DIACAP. We're going to talk about the risk management framework. We're going to talk about risk levels in this video.

DITSCAP and DIACAP. Back in the day, I'm going to date myself a little bit, I used to be certified to accredit technologies for the Department of Defense for these two things. DITSCAP, the original: the DoD Information Technology Security Certification and Accreditation Process. DITSCAP, say that eight times fast. Then of course, the DoD Information Assurance Certification and Accreditation Process. DITSCAP first came out in the 90s, was eventually replaced by DIACAP, and then that was eventually replaced by the risk management framework, which we're going to touch on. Both DITSCAP and DIACAP are dead. They are gone right now. Will you, as an ISSEP, potentially run across systems that were certified and accredited, so C&A'd, right before the risk management framework came out, and that's the only documentation you will have? Yes. Absolutely. 100 percent correct. That is what you're going to find.

Now, the DoD and the US government are working very fast and hand in glove with the National Institute of Standards and Technology to actually move to the risk management framework. Let's talk about that real quick. That's what's shown here on the left-hand side. You see these steps for the RMF: categorize system, select controls to implement, assess, authorize, monitor, and prepare in the middle. You need to memorize this dial for the ISSEP exam. I'm just telling you, you need to know that. We're going to talk about many of these special publications from NIST in our next module. Don't worry about that. Don't freak out, what I need to order that, we're going to talk about that. Super important. But you need to memorize these steps because these are very important.

There are some really key differences between the risk management framework, the RMF, and DITSCAP and DIACAP. On the left-hand side here is RMF; on the right-hand side of the key differences is what it used to be. We go from static, every few years, annual checks, patching, and only a DoD standard for DITSCAP and DIACAP, to, on the left-hand side with RMF, where we have a dynamic process, because we know things change. It's continuous. That's where POA&Ms come in. We're not just doing controls for the sake of doing controls and then checking them every once in a while. No. This is a continuous, cyclical process [inaudible] we talk about everything in ISSEP to this point. Would you come on here, continuous monitoring. We don't just do annual reviews of our systems anymore; we look at it all the time. Those are looking at the technical controls, the non-technical controls, the preventative and detective. All that stuff. We do real-time updates to our systems. We know that in today's world it's super complex systems; patching is not going to necessarily solve all the world's problems. Then it's NIST, and so the National Institute of Standards and Technology is the purveyor, if you will, of the risk management framework. By the way, it doesn't just apply to the US DoD; it applies to all federal government organizations and organizations that receive, in many cases, funding or support from the US federal government. They've got to be RMF certified.

Remember when we talked about these risk levels? You've seen this chart before in our previous sub-domain discussions. There are three levels in an organization. You have the organization or the enterprise. You have mission/business processes, and you have information systems. The farther down you go, the more detailed and granular a perspective you're going to have on risk. When you're talking about that level three, the system level, that's where the rubber meets the road. That's the hands-on-keyboard folks. They are going to have the best view of risk from that perspective. When you get up to the enterprise at the organization, level one, they have that broad view. Keep in mind that as we look at risk management across the levels, again, more granular going down, and communication and reporting going up gets less. Keep that in mind. Remember this chart, you'll see it again.

In this video, we looked at DITSCAP and DIACAP. Remember, DITSCAP and DIACAP are dead. Right now, you will probably run across systems that still have that documentation. It has been replaced by the risk management framework, or RMF. It's not just for the Department of Defense anymore; it applies to all US federal government systems and those that receive funds from the federal government. They have to follow NIST guidelines and their standards. Then again, we talked about those risk levels. We're at that system level, that's where we get the best view, the most granular view of risk, and we get up to the organization level, that's what we're looking at, that visionary, that strategic perspective. We'll see you next time.