CISSP-ISSEP: DITSCAP C&A Phase 2 Process Activities | Information Systems Security Engineering Professional Exam

Phase 2 Process Activities of DITSCAP C&A: Verification

Question

Phase 2 of DITSCAP C&A is known as Verification.

The goal of this phase is to obtain a fully integrated system for certification testing and accreditation.

What are the process activities of this phase? Each correct answer represents a complete solution.

Choose all that apply.

Answers

Explanations

A. B. C. D. E.

EDBA.

The Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a standard process used to evaluate the security posture of a system before it is granted accreditation to operate within a specific environment. The process consists of four phases, which are Definition, Verification, Validation, and Post Accreditation.

Phase 2 of DITSCAP is known as Verification, and the main goal of this phase is to obtain a fully integrated system for certification testing and accreditation. The Verification phase involves several process activities, including:

A. Assessment of the Analysis Results: During this activity, the results of the Analysis phase are reviewed and evaluated to ensure that they are complete and accurate. Any discrepancies or issues that were identified during the Analysis phase are addressed and resolved during this activity.

B. Certification Analysis: This activity involves the development of a Certification Plan, which outlines the scope of the certification testing that will be performed. The Certification Plan includes the objectives of the testing, the methodology that will be used, and the resources that will be required. The Certification Plan is developed based on the System Security Authorization Agreement (SSAA), which was developed during the Definition phase.

E. Configuring refinement of the SSAA: During this activity, the System Security Authorization Agreement (SSAA) is updated and refined to reflect any changes that were made to the system during the Verification phase. The SSAA serves as the primary document that describes the security posture of the system and outlines the steps that were taken to achieve accreditation.

C. Registration: During this activity, the system is registered with the appropriate security authority. The registration process includes the submission of the SSAA and other relevant documentation to the security authority for review and approval.

D. System Development: This activity involves the implementation and integration of the security controls that were identified during the Analysis phase. The implementation of the security controls is based on the recommendations that were provided in the Security Requirements Traceability Matrix (SRTM).

In summary, the process activities of the Verification phase include the assessment of analysis results, certification analysis, configuring refinement of the SSAA, registration, and system development. These activities are critical to the successful certification and accreditation of a system and must be completed thoroughly and accurately to ensure the security posture of the system is adequate for the intended environment.