What policy, document, or standard ties the DIACAP phases into the Acquisition phases?
In the DAU Acquisition Community Connection (ACC), we have a Community Of Practice (COP) called "Information Technology." Under the IT COP, we have an area called "IA in Acquisition." When you click on this area, you will see a sub-area called "IA in the Acquisition Life-Cycle." When you click on this sub-area, you will find the complete acquisition life cycle along with DIACAP/IA schedule of events that maps directly to the Program Life Cycle. Here is the link (you might need to get an account in the ACC to access?):
Please find what it says below. This should fully answer your question.
IA in the Acquisition Lifecycle
IA tasks span the entire Acquisition Process. The resources below show where IA fits into the Acquisition Lifecycle. A web-enabled version with active links can be found in Section 7.5.3 of the Defense Acquisition Guidebook at http://akss.dau.mil/DAG/DoD5000.asp?view=document
Before Milestone A
- Examine program and system characteristics to determine whether compliance with DoD Directive 8500.1 is recommended or required, and whether an acquisition IA strategy is required.
- Establish an IA organization. Appoint a trained IA professional in writing as the IA Manager. This and other IA support may be organic to the program office, matrixed from other supporting organizations (e.g. Program Executive Office), or acquired through a support contractor.
- Begin to identify system IA requirements.
- Develop an acquisition IA strategy, if required.
Before Milestone B
- If program is initiated post-Milestone A, complete all actions for Milestone A.
- Ensure IA considerations are incorporated in the program's Acquisition Strategy.
- Update and submit the acquisition IA strategy.
- Secure resources for IA. Include IA in program budget to cover the cost of developing, procuring, testing, certifying and accrediting, and maintaining the posture of system IA solutions. Ensure appropriate types of funds are allocated (e.g. Operations & Maintenance for maintaining IA posture in out years).
- Initiate DoD Information Assurance Certification and Accreditation Process (DIACAP) or other applicable Certification & Accreditation process (such as Director of Central Intelligence Directive (DCID) 6/3 "Protecting Sensitive Compartmented Information Within Information Systems" for systems processing Sensitive Compartmented Information).
Before Milestone C
- Test and evaluate IA solutions.
- Incorporate IA solutions through:
  - Systems Security Engineering efforts.
  - Procurement of IA/IA enabled products. DoD Instruction 5000.02, Section E4.2.7, states that: "When the use of commercial IT is considered viable, maximum leverage of and coordination with the DoD Enterprise Software Initiative shall be made." The Enterprise Software Initiative (ESI) includes commercial IA tools and should be utilized as the preferred source for the procurement of IA tools. The ESI Home Page lists covered products and procedures, and also shows DFARS (SUBPART 208.74) and Defense Acquisition System (DoD Instruction 5000.02, E4.2.7) requirements for compliance with the DoD ESI.
  - Implementation of security policies, plans, and procedures
  - Conducting IA Training
- Accredit the system under the DIACAP or other applicable Certification and Accreditation process. For systems using the DIACAP, DIACAP Phase III should be completed, and an Approval to Operate should be issued by the Designated Approval Authority. See DoD Instruction 5200.40 for discussion of the Approval to Operate and Designated Approval Authority or other applicable Certification & Accreditation process elements (such as DCID 6/3 "Protecting Sensitive Compartmented Information Within Information Systems" for systems processing Sensitive Compartmented Information).
- Developmental Test
- Security Test & Evaluation, Certification and Accreditation activities
- Operational Test
After Milestone C and the Full-Rate Production Decision Review
- Maintain the system's security posture throughout its life cycle. This includes periodic re-accreditation.
- Assess IA during IOT&E on the mature system.