Department of Defense Information Assurance Certification and Accreditation Program (DIACAP)
DIACAP supports the Certification and Accreditation (C&A) of Department of Defense (DoD) Information Technology (IT) systems by providing the framework and requirements that organizations and system owners use to certify and accredit their systems. Mandated in 2007 by DoD Instruction 8510.01, DIACAP was developed to address inefficiencies in the previous C&A process. C&A allows system owners to show that a system is compliant with, and operating under, the appropriate security and assurance controls for its full lifecycle. Predecessor processes tended to be system-centric and did not address integration challenges, whereas DIACAP is net-centric and evaluates systems within the environments they operate in. An official in each DoD Component is designated to serve as the Senior Information Assurance Officer (SIAO), as well as the designated Certifying Authority, responsible for the DIACAP process for all of that Component's IT systems. (DoDI 8510.01 was later reissued in 2014 to replace DIACAP with the Risk Management Framework (RMF) for DoD IT; the process described on this page is DIACAP.)
[Figure: DIACAP Lifecycle Phases of an IT System]
*POA&M stands for Plan of Action and Milestones. See the "Resources" section for more information.
DIACAP C&A is required for all DoD-owned or DoD-controlled information systems that receive, process, store, display, or transmit DoD information, throughout the entire system lifecycle and regardless of the classification or sensitivity of the information or the information system.
P&R IM's Role
P&R IM provides oversight to and/or manages the C&A process on Defense Human Resources Activity (DHRA) components’ information systems. In 2007, DIACAP (DoDI 8510.01) replaced the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). As a result, P&R IM has been migrating existing systems from DITSCAP to DIACAP and implementing DIACAP for new systems. The DHRA SIAO is a member of the P&R IM staff.
P&R IM C&A Process Approach
P&R IM supports system owners by implementing a C&A approach that achieves Information Assurance (IA) compliance with Federal, DoD, and other applicable IA policies and guidance. This approach, following the lifecycle phases illustrated above, addresses the critical steps in the C&A process. Additionally, P&R IM ensures that Security Testing and Evaluation (ST&E) of systems is performed when required. ST&E is carried out with Defense Information Systems Agency (DISA) tools, including the eEye Retina network scanner, the Gold Disk, and the Security Readiness Review (SRR) scripts.
The system DIACAP Team develops C&A documentation to ensure and show compliance with DIACAP standards. The major artifacts of the DIACAP package include:
- The System Identification Profile (SIP)
- The DIACAP Implementation Plan (DIP)
- The DIACAP Scorecard
- The Plan of Action and Milestones (POA&M)
The C&A documentation is submitted to the Certifying Authority, which reviews the package and recommends to the Designated Approving Authority (DAA) whether to grant an Authority to Operate (ATO) or an Interim ATO (IATO) for the system. The DAA makes the accreditation decision and is responsible for granting the ATO, the IATO, or a Denial of ATO (DATO).