DITSCAP was developed for evaluating and accrediting Department of Defense systems and also includes four phases. DITSCAP was developed and is published by the Defense Information Systems Agency (DISA) and it applies to the acquisition, operation, and on-going support of any Department of Defense system that collects, stores, transmits, or processes unclassified or classified information. It is mandatory for use by all defense agencies.

The DITSCAP guidance is described in a document known as DoDI 5200.40 and is available at www.dtic.mil/whs/directives/corres/pdf/i520040_ 123097/i520040p.pdf.

The four DITSCAP phases are the same as the NIACAP phases and are known as:

1. Definition

2. Verification

3. Validation

4. Post Accreditation

The major areas of analysis for the DITSCAP methodology, as described in Phase II, are:

1 System Architecture Analysis

2. Software Design Analysis

3. Network Connection Rule Compliance

4. Integrity Analysis of Integrated Products

5. Life Cycle Management Analysis

6. Security Requirements Validation Procedures

7. Vulnerability Evaluation

DISTCAP uses an infrastructure-centric approach and stresses that DoD systems are network-centric and interconnected.There are numerous DoD policies, referred to as directives that the DITSCAP must also adhere to. All the directives are named with numbers and begin with the numbers 5200. One of the most important DoD directives with which DITSCAP must be in compliance is DoDD 5200.28.The subject of 5200.28 is Security Requirements for Automated Information Systems (AIS). 5200.28 is available at http://csrc.nist.gov/fasp/FASPDocs/authorize-process/d520028p.pdf. 5200.28 is a 32-page document that names numerous other directives that must be complied with while adhering to the DITSCAP process. Relatively speaking, 5200.18 is an old document released in 1988. However, it is still in effect today, and there are many concepts related to information security that have not changed over time, which is why this policy is still relevant.