DoD Security Controls for DIACAP
Overview of the Security Controls for Integral Applications
The biggest part of the DIACAP process is testing the application to make sure it’s compliant with regulations. The testing is based on security controls. DoDI 8500.2 contains 157 security controls. We don’t have to evaluate (test) all of those controls.
To find out which controls apply to our application, we must determine the application's MAC (Mission Assurance Category) level and the sensitivity of its information. The short answer is that ECSSR and ESP are MAC III, Sensitive applications. Arriving at those two categories is another topic.
The security controls come in a spreadsheet that filters the controls after we select our MAC code and sensitivity level. This leaves us with 100 controls.
The controls fall into the eight subject areas listed below. Many of the subject areas overlap. After becoming familiar with the controls, you may not see the value of dividing the controls into subject areas. But when you are new to the controls, the breakdown divides the controls into manageable chunks.
| Abbreviation | Subject Area Name | Number of IA Controls in Subject Area |
|---|---|---|
| DC | Security Design & Configuration | 23 |
| IA | Identification and Authentication | 5 |
| EC | Enclave and Computing Environment | 29 |
| EB | Enclave Boundary Defense | 6 |
| PE | Physical and Environmental | 18 |
| PR | Personnel | 5 |
| CO | Continuity | 12 |
| VI | Vulnerability and Incident Management | 2 |
| Total | | 100 |
DC – Security Design and Configuration
The subject area of security design and configuration covers the system architecture and best security practices used when designing, building and maintaining the system. Here are some examples of specific controls:
• System security design documentation
• Acquisition of components
• Hardware and software baselines
• System interface documentation
• Software quality issues
• Configuration management practices and documentation
IA – Identification and Authentication
The subject area of Identification and Authentication covers the access management design and implementation of the system. Here are a few example controls in this subject area:
• Hardware token use (CAC badges)
• User account management process
EC – Enclave and Computing Environment
The Enclave and Computing Environment subject area includes controls covering security concepts like need-to-know, least privilege, audit record retention and reviews, encryption standards, and marking and labeling. This subject area overlaps with the Enclave Boundary Defense subject area.
Here are some of the specific controls included in this subject area:
• Audit record retention
• Software development change controls
• Virus protection
• Warning banner
• Encryption for Confidentiality (Data at rest)
EB – Enclave Boundary Defense
The subject area of Enclave Boundary Defense covers network security and design. Here are a few example controls:
• Public WAN connection (use of DMZ)
• Remote access for users
• Boundary Defense (use of IDS/IPS devices)
PE – Physical and Environmental
As the name implies, the Physical and Environmental subject area controls include physical access controls to the computing facility, physical access to facilities, fire detection and suppression measures, and backup power. Here are a few examples of the controls in this subject area:
• Voltage Regulators
• Emergency Lighting
• Access to Computing Facilities
• Fire Detection
PR – Personnel
The Personnel subject area includes controls related to making sure people have the right amount of access and training for the systems they use and have proper background investigations for the sensitivity of the application’s information. Some example controls are:
• Security Rules of Behavior or Acceptable Use Policy
• Maintenance Personnel
• Access to Need-to-Know Information
CO – Continuity
The Continuity subject area includes restoration of business functions, asset protection, and disaster recovery. Here are a few examples of controls in the Continuity subject area:
• Alternate site designation
• Disaster recovery planning
• Scheduled exercises and drills (DR)
VI – Vulnerability and Incident Management
The Vulnerability and Incident Management subject area covers the issues of incident response and vulnerability management. Here are the two controls in that subject area for MAC III, Sensitive applications:
• Incident Response Plan
• Vulnerability Management