In Brief

Ditscap: How the Feds Build Secure Applications

The DoD Information Technology Security Certification and Accreditation Process (Ditscap).

By Lauren Gibbons Paul

February 01, 2005 (CSO) — Starting in the early 1990s, long before the MyDoom worm, the I Love You virus and the tragedy of 9/11, the Department of Defense developed the DoD Information Technology Security Certification and Accreditation Process (Ditscap).

Ditscap is a standardized certification and accreditation (C&A) process that DoD employees and contractors must follow at every stage of an IT project. The certification portion of the process means the system has been analyzed to determine how well it meets the security requirements laid out in applicable federal documents (such as the Orange Book, part of the National Security Agency's Rainbow Series of books on how to evaluate the security of computer systems).

The final certification statement says to what degree (expressed as a percentage) the system complies with the specified requirements. For example, a system might meet 85 percent of the requirements; of the 15 percent of the requirements it does not meet, 8 percent represent high-risk vulnerabilities while 7 percent represent medium-risk vulnerabilities. An accrediting authority (from outside the security organization) can then elect to assume the identified risks inherent in the system by deploying it, send it back for more work or table it altogether.

Ditscap comprises four phases that span the project's lifecycle:

1. Definition. The designated accrediting authority, the user representative, the project manager and the certifier come together to determine what level of certification the project will entail, as well as define the requirements.

2. Verification. The system is developed and the certification process is analyzed to ensure it is sufficient. Once work on the system is complete, the C&A team determines whether the system is ready to be validated.

3. Validation. The system test and evaluation describes in detail the security features to be tested. The C&A team also produces several other documents, including the risk assessment report. The final step is the formal accreditation, issued to an IT system that is approved by the accrediting authority to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

4. Post-accreditation. Includes activities necessary to operate and manage the system at an acceptable level of residual risk. Begins after the system has been deployed into the production environment and continues throughout the life of the system.

Source: The U.S. DOD
