This answer is per DIACAP (Defense Information Assurance Certifications and Accreditation Program - DODI 8510), as the defacto standard in the field of information assurance; historically the process was over a three year period. However, after due diligence and oversight, it was discovered that many IA Managers and supporting IT personnel were essentially waiting until the last 6 to 12 months (of the 3 year cycle) before full IA reviews were conducted. Currently, in the IT/IA community, the IA posture is considered a dynamically changing process;as changes in the enterprise occur the IA Posture is updated, reviewed and documented, providing a living and current IA life cycle. This process ensures effective management in preventing and/or mitigating the day to day risks and threats of an IT environment as they can occur and immediately record/document the change.
DIACAP (DoD 8510.01) requires organizations to abide by DoDI 8500.2. Paragraph 4.9 of 8500.2 states:4.9. All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing.Note that it is the IA posture of the SYSTEM that is reviewed rather than the organization and that the review is EVERY YEAR, not just every 2 years.
There is NO DoD instruction that states that IA posture gets reviewed every two years; the relevant DoD Instruction is DoDI 8500.2, but it states that the IA posture must be reviewed at least once a year, not just every two years.DoDI 8510.2 (DIACAP) also cites DoDI 8500.2, which requires that the IA posture of all systems belonging to an organization must be reviewed at least once a year.Furthermore, the system must be assessed and undergo reaccreditation by the Principal Accredditation Authority (PAA) - which generally means the DAA - at least every 3 years.
According to DoD regulations, the IA posture of any DoD organization must be reviewed at least annually. FISMA requires that the IA posture of all US government organizations be reviewed at least annually. Many other nations have adopted similar requirements for organizations that they regulate. It should be noted however that the IA postures of paticularly sensitive and/or critical systems need to be reviewed more frequently - perhaps twice a year or even more often depending on the system.
DoDI 8510.2 and DoDI 8500.2 require that the IA posture of all systems belonging to an organization must be reviewed at least once a year. Furthermore, the system must be assessed and undergo reaccreditation by the Principal Accredditation Authority (PAA) - which generally means the DAA - at least every 3 years.
FalseThe relevant DoD Instruction is DoDI 8500.2, but it should be noted that the IA posture must be reviewed at least once a year, not just every two years.DoDI 8510.2 (DIACAP) also cites DoDI 8500.2, which requires that the IA posture of all systems belonging to an organization must be reviewed at least once a year.Furthermore, the system must be assessed and undergo reaccreditation by the Principal Accredditation Authority (PAA) - which generally means the DAA - at least every 3 years.
No - DIACAP required that the posture be at least partially reviewed every year (for the Annual Security Review - aka ASR) except for very sensitive systems that must be reviewed more often - usually every six months. A comprehensive review is required every 3 years under DIACAP.
DoDI 8510.2 and DoDI 8500.2 require that the IA posture of all systems belonging to an organization must be reviewed at least once a year. Furthermore, the system must be assessed and undergo reaccreditation by the Principal Accredditation Authority (PAA) - which generally means the DAA - at least every 3 years.
Yes - DIACAP requires you to review your IA posture. DoDI 8510.2 (DIACAP) and DoDI 8500.2 both require that the IA posture of all systems belonging to an organization must be reviewed at least once a year. Furthermore, the system must be assessed and undergo reaccreditation by the Principal Accredditation Authority (PAA) - which generally means the DAA - at least every 3 years.
For US DoD systems: under DIACAP, the IA posture of an organization should be reviewed at least annually. All systems must undergo a complete review at least every 3 years but should also undergo at least a partial review every year (annual security review). More sensitive and more critical systems may be required to undergo review more often - some as often as every 6 months. NIST recommends pretty much the same.
The relevant DoD Instruction is DoDI 8500.2, which states that the IA posture must be reviewed at least once a year.
DIACAP requires you to review your IA posture at least annually for as long as the system is in operation (or every 6 months if it is a MAC I system).
According to DODI 8510.01 (DIACAP), paragraph 4.9:"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."Note that in the case of a MAC I system, the reviews should occur semi-annually, i.e. every six months.