The DoD Information Technology Security Certification and Accreditation Process (Ditscap)

Starting in the early 1990s, long before the MyDoom worm, the I Love You virus and the tragedy of 9/11, the Department of Defense developed the DoD Information Technology Security Certification and Accreditation Process (Ditscap). Ditscap is a standardized certification and accreditation (C&A) process that DoD employees and contractors must follow at every stage of an IT project.

The certification portion of the process means the system has been analyzed as to how well it meets the security requirements laid out in applicable federal documents (such as the Orange Book, part of the National Security Agency's Rainbow Series of books on how to evaluate the security of computer systems). The final certification statement says to what degree (in terms of percentage) the system complies with the specified requirements. For example: this system meets 85 percent of the requirements; of the 15 percent it does not meet, 8 percent represent high-risk vulnerabilities and 7 percent represent medium-risk vulnerabilities. An accrediting authority (from outside the security organization) can then elect to accept the identified risk inherent in the system and approve it for deployment, send it back for more work or shelve it altogether.

Ditscap comprises four phases that span the project's lifecycle:

1. Definition. The designated accrediting authority, the user representative, the program manager and the certifier come together to determine what level of certification the project will entail and to define the security requirements.

2. Verification. The system is developed, and the certification analysis is carried out to ensure that the security design and its implementation are sufficient. Once work on the system is complete, the C&A team determines whether the system is ready to be validated.

3. Validation. The system test and evaluation plan describes in detail the security features to be tested. The C&A team also produces several other documents, including the risk assessment report. The final step is formal accreditation, issued to an IT system that the accrediting authority approves to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of risk.

4. Post-accreditation. Includes the activities necessary to operate and manage the system at an acceptable level of residual risk. This phase begins after the system has been deployed into the production environment and continues throughout the life of the system.

Source: The U.S. DOD