VTF DIACAP

The Video Teleconference Facility (VTF) Department of Defense (DoD) Information Assurance Certification & Accreditation Process (DIACAP) Web Site

The purpose of this Web site is to guide you through the process of certifying & accrediting your VTF. Getting your VTF certified and accredited helps protect the information that is vital to your mission.

If your system has a current and valid DITSCAP accreditation, click here.

The Six-Step VTF DIACAP Process


The six-step VTF DIACAP Process, outlined below, will help you get your VTF certified and accredited. These six steps are also outlined in the VTF DIACAP Presentation (MS PowerPoint, 745KB).

Step 1: Plan the DIACAP

  1. First, consult your organization's Designated Accrediting Authority (DAA) about your organization's certification and accreditation (C&A) process and follow it.
    1. Your DAA is the official with the authority to formally assume responsibility for operating your VTF at an acceptable level of risk.
    2. If you cannot reach your DAA, contact your DAA representative or someone else on your organization's IA team.
  2. Contact your Certifying Authority (CA) about your organization's IA control validation process and to schedule the necessary information assurance assessments for your VTF.
  3. Plan and Schedule DIACAP Activities.
    1. Know the accreditation expiration date and the DIACAP package submission deadline.
    2. Ensure you have the proper resources to conduct the DIACAP.
    3. Assemble the DIACAP Team.
  4. Assign the Mission Assurance Category (MAC) and Confidentiality Level (CL)
    1. If you need guidance on how to select the proper MAC and CL, click HERE.
  5. Assign IA Record Type
    1. AIS Application, Enclave, Outsourced IT-Based Process, or Platform IT Interconnection
  6. Assign Mission Criticality
    1. Mission Critical (MC), mission essential (ME), or mission support (MS)
  7. Decide on the type of C&A you will conduct.
    1. Type accreditation
    2. Stand alone IS accreditation

Step 2: Document the System

  1. Register your system with your DoD component IA program.
    1. Complete your System Identification Profile (SIP)
      1. The SIP is generated during the registration process and becomes part of the DIACAP package for the IS.
      2. For more information about the SIP, click HERE.
  2. Ensure that your system's documentation is complete and up-to-date.
    1. Accreditation boundary
      1. Guidance about your VTF accreditation boundary.
    2. System architecture, hardware & software inventory
      1. The VTF System Architecture template helps you document your VTF architecture and hardware/software inventory. It has a diagram you can use to show your network topology.
      2. Download a copy of the VTF System Architecture Template (MS Word, 983KB).
      3. Guidance on VTF architecture and configuration (MS PowerPoint, 2,639KB).
  3. Assign the IA Controls
    1. For guidance on assigning IA controls, click HERE.
  4. Initiate the DIACAP Implementation Plan
    1. Outlines the baseline IA controls, etc.

Step 3: Conduct Security Assessments

Execute the DIACAP Implementation Plan
Each assigned IA control is implemented according to the applicable implementation guidelines described in the DIACAP Knowledge Service (KS).

Conduct Security Assessments with STIGs
Compliance with applicable DISA Security Technical Implementation Guides (STIGs) is critical for secure and successful VTF deployment. Non-compliance with applicable STIGs can negatively affect your mission.

Recommended STIGs
Which STIG Security Checklists are used in the assessments depends on what you have inside your accreditation boundary. We recommend that assessments be conducted using the following STIG Security Checklists, as appropriate:

For a VTF that utilizes only dial-up

  1. IA Control Checklist
    1. Use the IA Control Checklist with the proper IA control baseline for your VTF (based on the documented MAC & CL for your VTF).
  2. Video Teleconference (VTC) Checklist
    1. This checklist specifies which requirements are for IP and/or ISDN.
  3. DoD Telecommunications & Defense Switched Network (DSN) Checklist

For a VTF that utilizes IP or both IP and ISDN

  1. IA Control Checklist
    1. Use the IA Control Checklist with the proper IA control baseline for your VTF (based on the documented MAC & CL for your VTF).
  2. Video Teleconference (VTC) Checklist
    1. This checklist specifies which requirements are for IP and/or ISDN.
  3. Network Security Checklist – Firewall
  4. Network Security Checklist – General Infrastructure Router
  5. Network Security Checklist – Intrusion Detection System (IDS)
  6. Network Security Checklist – Network Policy
  7. DoD Telecommunications & Defense Switched Network (DSN) Checklist
    1. Use only if you have Dial-up as well as IP.

These DISA STIG Checklists are available at: http://iase.disa.mil/stigs/checklist/.

Additional IA Control Validation Requirements and eMass
Check with your DAA to see whether your organization has any additional security testing requirements. For information about using the VTF DIACAP Scorecard Matrix with the IA Control Validation Procedures in the DIACAP Knowledge Service (KS) and eMass, click HERE.

Manage Vulnerabilities
After you conduct the security assessments, you should work to close as many CAT I and CAT II vulnerabilities as possible. According to Department of Defense Instruction (DoDI) 8510.01p, page 18:

• CAT I weaknesses shall be corrected before an ATO is granted.
• CAT II weaknesses shall be corrected or satisfactorily mitigated before an ATO can be granted.
• CAT III weaknesses will not prevent an ATO from being granted if the DAA accepts the risk associated with the weaknesses.

Depending on the criticality of your mission, and your DAA's discretion, DoDI 8510.01p does offer some flexibility concerning CAT I and CAT II vulnerabilities. For further guidance, check DoDI 8510.01p and consult with your DAA.

Step 4: Develop a DIACAP Scorecard

Now you need to translate your security assessment results into a DIACAP Scorecard for your DoD information system. DISA's VTF DIACAP Scorecard Matrix can help you do this. You can get the VTF DIACAP Scorecard Matrix HERE.

Download instructions on how to use the VTF DIACAP Scorecard Matrix (MS PowerPoint, 3,748KB).

Since the completed Scorecard Matrix summarizes your information system's compliance status with all applicable STIGs as well as all 8500.2 IA controls, it could be uploaded to eMass as an artifact.

Step 5: Complete All DIACAP Documents

Complete the DIACAP documents requested by your DAA in accordance with your organization's requirements and submit them to your CA. The primary DIACAP document you will submit is the DIACAP Scorecard.

To download the DIACAP Scorecard and other DIACAP documents your DAA may request, and for more information about these documents, click HERE.

Step 6: Accredit the VTF System

Your CA will make a certification recommendation to your DAA based on the DIACAP package that you submitted. Then depending on your organization, it could take well over a month to get the accreditation decision from your DAA. Your DAA will convey the accreditation decision by signing a printed copy of the DIACAP Scorecard for your VTF.

The VTF Is Accredited. What Next?

Once your VTF has been accredited, you will need to go through the Connection Approval Process (CAP), maintain the accreditation, conduct reviews, and reaccredit the system. For more information, click HERE.

More Information about the VTF DIACAP Process

The VTF DIACAP Frequently Asked Questions (FAQ) Document
Remember, DISA is here to help advise you on how to secure your video services. If you have a question about the VTF DIACAP process and how it fits into your organization's DIACAP process, chances are that you are not alone. Check the VTF DIACAP FAQ, which DISA will regularly update.

The Defense Information System Network (DISN) Global Support Center (DGSC)
If you have a question that is not answered in the VTF DIACAP FAQ, please contact the DGSC:

• DSN (312) 850-4790, option 3
• Global DSN (510) 376-3222, option 3
• Commercial (614) 692-4790, option 3
• Commercial Toll Free (800) 554-DISN (3476), option 3
• dgsc@csd.disa.mil

DoD DIACAP & Information Assurance References
For more information about DIACAP, please consult the following DoD Instructions and Directive:

• DoDI 8510.01, "DOD Information Assurance Certification and Accreditation Process (DIACAP)," November 28, 2007
• DoDI 8500.2, "Information Assurance (IA)," February 6, 2003
• DoDD 8500.01E, "Information Assurance (IA)," October 24, 2002

For a more comprehensive list of DIACAP, Connection Approval Process, and other Information Assurance references, please check out the VTF DIACAP FAQ document.

DIACAP Documentation that Your DAA May Require

This section outlines the DIACAP documentation that your DAA may need to see in order to make an accreditation decision concerning your VTF system.

• The DIACAP Executive Package
  • According to DoDI 8510.01 Enclosure 3, the DIACAP Executive Package contains the minimum amount of information required by your DAA to make an accreditation decision. Each DAA will determine what information is necessary to make an accreditation decision. Contents of the DISA VTF DIACAP Executive Package:
  • DIACAP Scorecard
    • Results of the implementation of required baseline IA controls and additional IA controls that may be required by the DoD Component or local information system
  • IT Security Plan of Action & Milestones (POA&M)
    • Records the status of any corrective actions directed in association with an accreditation decision
  • System Identification Profile (SIP)
    • System characteristics required to register an information system with the governing DoD Component IA program
  • DIACAP Implementation Plan (DIP)
    • Assigned 8500.2 IA controls & their implementation status
    • Responsible entities and necessary resources
    • Estimated completion date for each assigned IA control

Download the VTF DIACAP Executive Package Template, which contains the DIACAP Scorecard, the SIP, the POA&M, and the DIP. Your DAA may or may not require the DIP to be a part of your DIACAP Executive Package.

Please remember that with the signed DIACAP Scorecard, as mentioned in Step 5 of the VTF DIACAP Process, DISA needs to have an attachment that lists the details of the switches in your VTF.

DIACAP Comprehensive Package
Your DAA may require that you complete a DIACAP Comprehensive Package for your VTF. In this case, on top of the DIACAP Executive Package, and the DIP, you would also need various artifacts, which could be made up of system policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the IA posture of the DoD information system, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls. It is up to your DAA what artifacts, if any, need to be in the DIACAP package for your system. DISA provides templates that you can use to make your DIACAP package.

System Security Plan (SSP)
The SSP is one of the documents that your DAA may require in a DIACAP comprehensive package. It describes the technical, administrative, and procedural IA program and policies that govern the DoD information system and identifies all IA personnel and specific IA requirements and objectives. You can use the SSP template provided by your organization, or you can download the DISA VTF SSP Template.

Other Artifact Templates
Templates for other DIACAP artifacts that your DAA may require can be found in the Component Workspaces section of the DIACAP Knowledge Service (KS) Web site at https://diacap.iaportal.navy.mil/.

The DIACAP KS is a Web-based repository of information and tools for implementing the DIACAP and is maintained through the DIACAP Technical Advisory Group (TAG).

NOTE: For more information about which DIACAP artifacts you need, and how you can complete your required artifacts, please consult your DAA.

The VTF DIACAP Scorecard Matrix, the DIACAP Knowledge Service IA Control Validation Procedures, and eMass

According to DoDI 8510.01p, DoD Information Assurance Certification and Accreditation Process (DIACAP), Section 6.3.2.2, DIACAP IA control validation procedures are maintained through the DIACAP CCM and published in the DIACAP Knowledge Service (KS). The DIACAP KS is located at: https://diacap.iaportal.navy.mil/.

Download the DIACAP IA Control Validation Procedures (MS Excel, 956KB)

In eMass, these IA Control Validation Procedures walk you through the IA control validation process.

It is possible that your DAA will not require the use of the DIACAP IA Control Validation Procedures. In this case, perhaps you would only need to utilize the DISA STIGs to conduct a security assessment on your VTF.

On the other hand, if your DAA does require you to use the DIACAP IA Control Validation Procedures, you should use them. In support of these procedures, you can conduct the DISA STIG assessments. In this case, if you are using an automated tool like eMass, you could put the STIG assessment results into the Scorecard Matrix, and then use the Scorecard Matrix as an artifact. You can then use the IA control validation results in the Scorecard Matrix to satisfy many of the IA Control Validation Procedures in eMass.

If you are not using an automated tool for your DIACAP, you could combine the results from the Scorecard page of your completed Scorecard Matrix with your IA Control Validation Procedure results and develop a final DIACAP Scorecard for your VTF that can be printed and submitted to your DAA for signature.

Other VTC IA Requirements for IP and ISDN

On top of the requirements in the VTC security checklist, you should ensure the following VTC requirements are being met:

• Secure/Non-Secure VTC Security - need to specify the following requirements:
  • Use of approved A/B switch (8500.2 IA Control DCSR-3)
  • Periods processing when switching between classification levels and between conferences; the latter is to protect information for need to know. Per above paragraph, periods processing requires clearing of domain-specific information on both volatile and non-volatile memory of the CODEC. In addition, domain-specific media must also be removed; these include storage media, any PC connected to the CODEC, and printed information in the room (8500.2 IA Control PECS-2).
  • Must be connected to networks, e.g. IP and ISDN, with the same classification level (8500.2 IA Control ECIC-1)

What if the VTF has a Current DITSCAP Accreditation?

DoDI 8510.01p, Enclosure 5, states that if a DoD IS has a DITSCAP accreditation decision that is current within 3 years, a strategy and schedule for transitioning to DIACAP, achieving compliance with 8500.02 baseline IA controls, satisfying the DIACAP Annual Review, and meeting the reporting requirements of Subchapter III of Chapter 35 of the Federal Information Security Management Act (FISMA) of 2002 should be completed.

Download the DIACAP Transition Plan template (MS Word, 820KB)