Department of Defense Information Technology Security Certification and Accreditation Process

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is a process defined by the United States Department of Defense (DoD) for managing risk.

DoD Instruction (DoDI) 5200.40 establishes a standard DoD-wide process with a set of activities, general tasks and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle.

Since December 1997, DITSCAP has applied to the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information. It identifies four phases:

  1. System Definition
  2. Verification
  3. Validation
  4. Re-Accreditation

DITSCAP also uses weighted metrics to describe risks and their mitigation.

The DITSCAP process was refined by the publication of the DITSCAP Application Manual. A similar methodology, NIACAP, is used for the certification and accreditation (C&A) of national security systems outside of the DoD.

DITSCAP was replaced by the DIACAP methodology in 2006.