Tuesday, July 26, 2005

Security Tests and Evaluation (ST&E)/Trusted Facility Manual (TFM) Templates

Air Mobility Command (AMC) has one of the best Security Testing and Evaluation Templates I've seen. I think they get them from DISA and make some alterations. Either way great job guys:

https://www.amc.af.mil/amccg/index.cfm (must have .mil access)

On the left column under 805 CSPTS select "AMC Information Assurance"

Under Our Services click "IA Support"

Operating system TFMs and ST&E will be under: "Trusted Facility Manual/ST& Plans" Links

enjoy.

Monday, July 25, 2005

Information Support Program (ISP), formerly C4ISP

The Information Support Plan (ISP) evolved from the Command Control Communication Computer and Intelligence Support Plan (C4ISP). The C4ISP has evolved into the ISP as a result of the revision of the CJCS Instruction 3170.01 requirements documentation.

It is intended to fill in the information needs of an acquisition program in support of the operational capabilities of the system. The ISP is a tool used to identify problems or shortcomings of a given system and to resolve implementation issues.

The ISP incorporates the System Security Authorization Agreement (SSAA). The SSAA and ISP really have much of the same information. Since the ISP requires the SSAA, the SSAA needs to be complete before the ISP can be accomplished. The ISP then draws much of its information from the SSAA.

There are scores of very wordy documents that can be used to assist you in the completion of the ISP.

Resources for the ISP:
  • DoD Instruction 4630.8, Enclosure 4 provides the ISP format
  • National Security Space Acquisition Policy, Number 03-01, requires submission of an ISP.
  • DoD Instruction 5000.2, Enclosure 3, Regulatory Information Requirements
  • CJCS Instruction 6212.01 implementing guidance regarding the ISP format

SAIC has one of the best sites on the ISP:
http://www.teao.saic.com/cbrtraining/default.asp

Other resources (requires an RSS aggregator):
http://del.icio.us/rss/tag/c4isp

Friday, July 22, 2005

DITSCAP vs DIACAP

**Update:** DIACAP is being superseded by 8510.10, DoD Risk Management Framework. We had been calling this DIARMF, or Defense Information Assurance Risk Management Framework, from 2011 to 2014, because originally that is what the government was calling it while they were still writing it.

The DIACAP will include Netcentricity, GIG and FISMA concepts. Implementations such as online status of system information assurance and annual reviews will be done in hopes of keeping information assurance visible and current.

| DITSCAP | DIACAP | TARGET |
|---|---|---|
| System-Unique Requirements and Metrics (Risk Assessment) | Baseline DoD Controls, Standards, Tests, Metrics | Mature knowledge base integrating DoD, Component, Mission Area, Domain, and COI IA Controls & Standards |
| System-Unique IA Architecture | Emerging GIG and DoD Component | Robust Plug-and-Play Enterprise IA Services |
| Information is Seldom Current | Review NLT Annual; Status-driven Online Repository | Automated Certification of IA Posture |
| No Information on Many Systems | Expanded System Boundaries = Greater Coverage; Status-driven Online Repository | IA Posture Visible |
| OVERALL: Slow; Difficult to Share | Integrates FISMA; Integrates Netcentricity | |

Wednesday, July 20, 2005

DIACAP Rumors

DIACAP Rumor Mill:
From what I hear DIACAP is going through an Inspector General Process to ensure compliance with FISMA among other things. I've also heard from a fellow ISSA member that it is supposed to be officially release around 30 July.