Background: The Defense Information Technology Security Certification & Accreditation Process (DITSCAP) document describes the requirements and instructions on how to take a US government automated information system/network through a certification and accreditation. This process involves security evaluations, threat assessments, security penetration tests, and risk mitigation of large communication networks and its components. This DITSCAP regulation is being replaced by a new Defense Information Assurance Certification & Accreditation Process (DIACAP) document. This new document involves new processes and requirements that should simplify C&A efforts, make them more consistent, shorten the time for evaluation, reduce the paperwork required, and implement an interoperable scoring system for use by all government systems being accredited.
Task description: Search for DITSCAP and download the desired parts of the document. Take a small network system (perhaps a private network within UCCS labs) through the DITSCAP process/requirements to include penetration testing, threat/vulnerability assessment, and finally draft related documentation. Maximize use of diagrams and tables to simply information for presentation.Deliverable: The final report must include the completed System Secutiry Authorization Agreement (SSAA) document required by the DITSCAP regulation, as it applies to the selected target network (the one being certified). During presentation of the final report, the audience needs to clearly understand your findings and rationale in dealing with threats/vulnerabilities mitigation for each applicable section of the SSAA.
Background: Most popular OS systems software in use today, were designed with some Information Assurance in mind. Many of them have adequate security features and capabilities. However; their default configuration is wide-open with most security not-enabled when installed in operational environments. This leaves the applications and networks using these OS systems exposed to attacks by computer hackers and unauthorized access to their resources.
Task description: Select the 4 most popular OS systems (Windows VISTA, VxWorks, Red Hat and LinxOS) for this analysis. Investigate and document the secure hardening procedures that best apply to each OS. Describe the pros and cons of enabling each one of the available security features. Also describe any security capabilities that are obviously missing from a particular OS.
Deliverable: OS Secure Hardening report with analysis of tables and comparisons that can be used by IA and IT professionals to quickly configure and ensure OS security is properly enabled.