Tuesday, February 21, 2012

The NeverEnding Story: C&A

Are you old enough to remember The NeverEnding Story (1984) - IMDb? There are so many puns here about C&A... from the story line to the title. :)

Someone recently asked for a list of links to learn more about the C&A processes. This list was created by Jeffrey Widom. (Thank you Jeffrey.) 

Jeffrey Widom's Top Ten List — IA Resources Online

10. DoD IA Training 
Online training provided by the Defense Information Systems Agency; includes a brief DIACAP overview.
9. DSS
Defense Security Service web site for the National Industrial Security Program. This information mostly concerns contractors handling clearances, classified documents, and/or classified computer systems on their premises.
8. DISA (NIPRnet/SIPRnet) 
Defense Information Systems Agency web site for the Secret Internet Protocol Router Network (SIPRNet) and Non-classified Internet Protocol Router Network (NIPRNet) connection approval processes.
7. CNSS 
Web site for the Committee on National Security Systems, including numerous publications. CNSS Instruction 4009, the National Information Assurance Glossary, was recently revised and is available for download. CNSS Instruction 1253 provides requirements for National Security Systems.
6. OMB Memoranda 
Web site for Office of Management and Budget (OMB) Memoranda, including those that address security, privacy and FISMA requirements.
5. STIGs 
Defense Information Systems Agency web site for Security Technical Implementation Guides (STIGs), Security Checklists, and Security Readiness Review (SRR) scripts. STIGs contain detailed configuration guidance for operating systems, databases, web servers, wireless systems, etc., and are mandatory for all DoD information systems. SRR scripts are automated tools that assist in validating STIG compliance.
4. DIACAP Knowledge Service 
Official Department of Defense web site for DIACAP. Common Access Card (or commercial certificate and DoD employee sponsor) required for access.
3. DoD Directives
Official Department of Defense web site for DoD Issuances including Directives, Instructions, Publications, Administrative Instructions, and Directive-Type Instructions. 
2. FIPS
Official NIST web site for Federal Information Processing Standards (FIPS). FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
1. NIST Special Publications
Official NIST web site for Special Publications. Special Publications in the 800 series present documents of general interest to the computer security community. Special Publications include documentation of the new Risk Management Framework (RMF) that will (hopefully) become the standard for all federal information systems.