This blog serves as a place for my information security notes.
Monday, June 05, 2006
System Description vs. Functional Description
Thursday, May 25, 2006
A VM to Replicate our Environment
I plan to get much more familiar with it.
IATO
I think we can get the SSAA done in the next week or so. I've contacted our AF rep, and he said I should call him next week to talk in person about who will fill the roles (DAA, etc.).
Also, I need to learn more about the negotiation phase. That is, when we turn in the SSAA, should we do it in person? Should we send it as an email and then have a face to face meeting later? Should we do both in person?
I'll call next week and get answers.
Friday, May 19, 2006
IATO -- let's go!
Yesterday, we decided to go the route of seeking IATO (Interim Authority to Operate) instead of a full-blown DITSCAP right away. This will give us a year, assuming we get an IATO, to operate and concurrently finish our entire DITSCAP with a FATO (Full Authority to Operate). I feel good about this decision now, because it will get us going and seems achievable in the near term. Like taking a small bite instead of a big bite that we choke on. In the past, I wondered why we would want to go the IATO route. I thought we had the time to do it all. Well, we don’t. No one ever has enough time.
The Project Manager Saves the Day
Yesterday, my project manager really got involved in putting together a project plan for our DITSCAP effort. It was great. He asked me lots of questions. I answered some and couldn’t answer others. The ones that I could answer were wonderful, because in the explaining, I learned what I know and identified areas that I don’t know much about.
I Feel Ready to Dive in
I’ve read the following article at least three times. On the third reading, just today, it has made more sense than ever. Every sentence makes sense. The previous readings left me with a foggy understanding that really didn’t lead me to concrete work or lessons.
Life Cycle Security and DITSCAP, IAnewsletter, Vol. 4, No. 2, Spring 01. http://iac.dtic.mil/iatac
New blog, first post
Leave a record of lessons learned about our DITSCAP effort to help others and help us on future projects.
Our project: To certify our system so it can run inside a military domain. I’ll leave the details kind of vague, because I don’t want to bring public attention to our project. I don’t know what the confidentiality concerns are. So instead of pushing any limits, I’ll leave names, locations, and departments out of this blog. I’ll try to provide enough concrete information to make it useful to someone not familiar with my specific project.
This is my first DITSCAP effort. We’re certifying an off-the-shelf product to operate within a collaborative domain. The product is a web application server. Later, we will also certify web services that will be installed on the app server. We’ll also certify some other systems that will use the web services.