
Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a process defined by the United States Department of Defense (DOD) for managing risk. DoD Instruction (DODI) 5200.40 establishes a standard DOD-wide process with a set of activities, general tasks and a management structure to certify and accredit an Automated Information System (AIS) so that it maintains the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. Since December 1997, DITSCAP has applied to the acquisition, operation and sustainment of any DOD system that collects, stores, transmits, or processes unclassified or classified information.

It identifies four phases:
System Definition
Verification
Validation
Re-Accreditation

DITSCAP also uses weighted metrics to describe risks and their mitigation. The DITSCAP processes were refined by the publication of the DITSCAP Application Manual. A similar methodology, NIACAP, is used for the certification and accreditation (C&A) of national security systems outside of the DOD. DITSCAP was replaced by the DIACAP methodology in 2006.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DOD) process for ensuring that risk management is applied to Information Systems (IS). DIACAP defines a DOD-wide formal and standard set of activities, general tasks and a management structure for the certification and accreditation (C&A) of a DoD IS so that it maintains its Information Assurance (IA) posture throughout the system's life cycle. An interim version of the DIACAP was signed July 6, 2006 and now supersedes DITSCAP. The philosophical and managerial motivations behind DIACAP and its logical forerunner, DITSCAP, derive from accreditation work performed for a spectrum of customers by Barry Stauffer of CORBETT Technologies, long since purchased by BAE Systems. The technical requirements of the process ultimately derive from a comprehensive requirements traceability matrix (RTM) prepared for CORBETT by Bruce Wilner of Network Security Laboratories in response to a gamut of needs for the Office of Justice Programs, the Drug Enforcement Administration, and the United States Marshals Service.

Notwithstanding their lineage and the heavy-duty, classical trusted-systems-theoretic experience of their original architects, DITSCAP and DIACAP ultimately emerged as extremely low-tech, procedure-centric "one size fits all" exercises in management-speak that have proven to be monumental disappointments to all involved. Unfortunately, since the National Security Agency's Commercial Product Evaluation Program (CPEP, based upon the Department of Defense Trusted Computer System Evaluation Criteria, or DOD TCSEC) proved to be an abject commercial failure—insofar as vendors were frustrated when the untold millions of dollars invested in formal mathematical modeling of secure systems and related tasking could not translate into meaningful sales of high-assurance platforms—the only option from the perspective of the United States government was to rapidly embrace the "certification and accreditation" approach rather than a scientifically sound, philosophically constructive, or intellectually demanding methodology.

Source: www.en.wikipedia.org 2007