Connection Approval Process (CAP)
Once your VTF has been accredited, you will need to go through the CAP to get an Authorization to Connect (ATC). For more information, see DVS Customer Connection Approvals (MS PowerPoint, 1,665KB).
Maintain Authorization to Operate (ATO) and Conduct Reviews
An ATO is contingent on the sustainment of an acceptable Information Assurance (IA) posture. The DoD Information System (IS) Information Assurance Manager (IAM) has primary responsibility for maintaining situational awareness and initiating actions to improve or restore IA posture.
Maintain Situational Awareness
Included in the IA controls assigned to all DoD ISs are IA controls related to configuration and vulnerability management, performance monitoring, and periodic independent evaluations (e.g., penetration testing). The IAM continuously monitors the system or information environment for security-relevant events and configuration changes that negatively impact IA posture and periodically assesses the quality of IA controls implementation against performance indicators such as security incidents, feedback from external inspection agencies (e.g., Inspector General (IG) DoD, Government Accountability Office (GAO)), exercises, and operational evaluations.
In addition, the IAM may, independently or at the direction of the Certifying Authority (CA) or Designated Accrediting Authority (DAA), schedule a revalidation of any or all IA controls at any time. Subchapter III of Chapter 35 of title 44, United States Code (USC), "Federal Information Security Management Act (FISMA) of 2002," requires revalidation of a select number of IA controls at least annually. DoD ISs with a current ATO that are found to be operating in an unacceptable IA posture through GAO audits, IG DoD audits, or other reviews or events such as an annual security review or compliance validation shall have the newly identified weakness added to an existing or newly created IT Security POA&M.
If a newly discovered CAT I weakness on a DoD IS operating with an ATO cannot be corrected within 30 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.1.2 of DoDI 8510.01. If a newly discovered CAT II weakness on a DoD IS operating with a current ATO cannot be corrected or satisfactorily mitigated within 90 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.2.5 of DoDI 8510.01.
Maintain IA Posture
The IAM may recommend changes or improvement to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.
Perform Reviews
All DoD ISs with an ATO shall be reviewed at least annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing. At least annually, the IAM shall provide a written or DoD public key infrastructure (PKI)-certified digitally signed statement to the DAA and the CA that indicates the results of the security review of all IA controls and the testing of selected IA controls as required by FISMA. The review will either confirm the effectiveness of assigned IA controls and their implementation, or it will recommend: changes such as those described in subparagraph 6.3.4.2 of DoDI 8510.01; a change in accreditation status (e.g., accreditation status is downgraded to IATO or DATO); or development of an Information Technology (IT) Security Plan of Actions and Milestones (POA&M). The CA and DAA shall review the IAM statement in light of mission and information environment indicators and determine a course of action that will be provided to the concerned Chief Information Officer (CIO) or Senior Information Assurance Officer (SIAO) for reporting requirements described in FISMA. The date of the annual security review will be recorded in the System Identification Profile (SIP). A DAA may downgrade or revoke an accreditation decision at any time if risk conditions or concerns so warrant.
Initiate Reaccreditation
In accordance with Office of Management and Budget (OMB) Circular A-130, an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.
Decommission
When a DoD IS is removed from operation, a number of DIACAP-related actions are required. Prior to decommissioning, any inheritance relationships should be reviewed and assessed for impact. Once the system has been decommissioned, Lines 8, "DIACAP Activity," and 9, "System Life Cycle Phase," of the SIP should be updated to reflect the IS's decommissioned status. Concurrently, the DIACAP Scorecard and any POA&Ms should also be removed from all tracking systems. Other artifacts and supporting documentation should be disposed of according to their sensitivity or classification. Data or objects in IA infrastructures that support the Global Information Grid (GIG), such as key management, identity management, vulnerability management, and privilege management, should be reviewed for impact.