Information Assurance (IA) has been around for decades and has finally obtained the attention it deserves. Ten years ago, the term "IA" was known only by small groups of security experts often labeled as ‘paranoid’ or ‘rigid’. Today, IA is well-known by most individuals involved with Government contracts, ranging from high-level executives to engineers of many disciplines. Many have sought information on IA processes by reading papers and attending briefings; however, many questions still loom concerning the nuts and bolts of baking IA into systems being developed. This time, let's forget the four-phase DITSCAP and the five-activity DIACAP and talk implementation.
This paper goes beyond IA processes and addresses how to actually integrate IA requirements into your system. The paper delves deeper into the IA controls, using Department of Defense Instruction (DoDI) 8500.2 as an example. It discusses in detail the technical, administrative, and physical controls required for many systems, summarizes what they mean, and provides guidance on how to implement them. Additionally, the paper covers product selection and what to do if a desired product is not on an approved products list. The paper also addresses the importance of establishing a secure baseline configuration on the selected products prior to software and application development.
Implementing IA in system development is paramount to protecting all information systems from any form of compromise. If IA is ignored, not only are systems more vulnerable to attack, they are also not permitted to operate without obtaining the required Authorization to Operate (ATO). If you are looking for a good read on IA processes, our 2008 I/ITSEC paper, "DIACAP - Information Assurance Evolved", can be downloaded from the I/ITSEC site; however, if you truly crave knowledge on the nuts and bolts of implementing IA, beyond the process, you want to read this paper.