Department of Defense
INSTRUCTION
NUMBER 5200.40
December 30, 1997
ASD(C3I)
SUBJECT: DoD Information Technology Security Certification and Accreditation
Process (DITSCAP)
References: (a) DoD Directive 5200.28, “Security Requirements for Automated
Information Systems (AISs),” March 21, 1988
(b) Public Law 100-235, “Computer Security Act of 1987,” January 8,
1988
(c) Office of Management and Budget Circular No. A-130, “Management
of Federal Information Resources,” February 8, 1996
(d) Director of Central Intelligence 1/16, “Security Policy on Intelligence
Information in Automated Systems and Networks,” March 14, 1988
(e) through (m), see enclosure E1.
1. PURPOSE
This Instruction:
1.1. Implements policy, assigns responsibilities, and prescribes procedures under
reference (a) for Certification and Accreditation (C&A) of information technology
(IT), including automated information systems, networks, and sites in the Department
of Defense.
1.2. Creates the DoD IT Security Certification and Accreditation Process
(DITSCAP) for security C&A of unclassified and classified IT to implement references
(a) through (d).
1.3. Stresses the importance of a life-cycle management approach to the C&A and
reaccreditation of DoD IT.