DITSCAP, developed by DISA (The Defense Information Systems Agency), serves for accrediting and evaluation of systems belonging to the Department of Defense. DITSCAP uses an infrastructure-centric approach for DoD systems. It is a mandatory element for all defense agencies for collecting, storing and processing information (either classified or unclassified). There is a document known as DoDI 5200.40 guiding the DITSCAP methodology. For more information and reference you can download it from http://www.enpointe.com/assets/pdf/i520040p.pdf.
Similarly to NIACAP, there are four DITSCAP phases:
1. Definition
2. Verification
3. Validation
4. Post accreditation
Form these phases, #2 is the most important. According to phase 2, the main areas of analysis for DITSCAP methodology are:
1. Architecture analysis for information systems
2. Network connections analysis to comply with actual rules and regulations.
3. Software design analysis
4. Validation rules to meet the security standards
5. Products’ vulnerability evaluation
6. Products’ integrity analysis
7. Products’ life cycle analysis
The Department of Defense has many procedures and directives (named with numbers beginning with 5200) that DITSCAP has to adhere to. The most important of all these directives is 5200.28-AIS (Security Requirements for Automated Information Systems) is available for download at http://csrc.nist.gov/groups/SMA/fasp/documents/c&a/DLABSP/d520028p.pdf. Under the 5200.28 directive, released in 1988, numerous other directives are mentioned. DITSCAP has to comply with all these regulations.
Here is the DITSCAP process explained:
