OrangeSec Solutions


DITSCAP Summary

OrangeSec offers a number of services to agencies undertaking security certification. See our certification support page for details, or contact us for more information.

Overview

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is the DoD's standardized approach to certifying and accrediting a single information technology (IT) system. Its aims are to:

  • provide guidance to the organizations involved in certification and accreditation (C&A)
  • standardize the C&A approach across all DoD components and services
  • define the scope of the certification effort
  • allow the documentation to be tailored to any system architecture

The DITSCAP process has four phases: definition, verification, validation, and post-accreditation.

  • Definition. The system's mission, functions, interfaces, target environment, and security requirements are documented, and the certification effort is scoped. The deliverable is a preliminary System Security Authorization Agreement (SSAA).
  • Verification. The system is developed or modified in accordance with the SSAA, and the resulting changes are verified against it. The deliverable is a refined SSAA.
  • Validation. The SSAA is reviewed, and vulnerability assessment and penetration testing are performed against the integrated system. The deliverable is a certification package containing the final SSAA. On the basis of this package the Designated Approving Authority (DAA) reaches one of three decisions: 1) Full Accreditation, 2) Interim Approval to Operate, or 3) Withhold Accreditation.
  • Post-accreditation. The emphasis is maintenance: system changes are managed, system operations are reviewed, risk is kept at the level accepted at accreditation, and the SSAA is updated to reflect changes. A significant change to the system or its environment, or expiry of the accreditation period, returns the system to the C&A process.

All information relevant to the certification and accreditation is collected and compiled into the SSAA.

System Security Authorization Agreement

The System Security Authorization Agreement (SSAA) is the central document of the DITSCAP. It describes the system's mission, target operating environment, target architecture, security requirements, and the data access policies that apply to it. It also records the planning and certification actions, resources, and documentation needed to support certification and accreditation, and it is the formal agreement among the program manager, the DAA, the certifier, and the user representative on those terms. In essence, the SSAA is the vehicle that guides implementation of the INFOSEC requirements and the certification and accreditation actions that follow.

Links

There is a comprehensive DITSCAP site at www.disa.mil

© OrangeSec Solutions 2000. All Rights Reserved.

Questions, comments, or suggestions? Please contact query@orangesec.com
Site last updated 15 October 2001