The Transition from Certification & Accreditation to Assessment & Authorization: DIACAP to Become Risk Management Framework (RMF) DoD IT
Any organization familiar with the inner workings of the Department of Defense (DoD) Information Assurance (IA) world knows that a high level of expectation goes into the adequate protection of data. Those same folks also know that the expectation is very seldom achieved. Certification & Accreditation (C&A) was introduced to the federal government in the mid-1990s, and then attempted to span all federal agencies. However, the classification of data quickly became an issue with the DoD and this led to their formal adoption of a completely separate C&A process.
Since the inception of the C&A process within the DoD, the ability to reduce risk to an acceptable level and not over-secure a system in the process has been a constant struggle. Defense Information Technology Security Certification & Accreditation Process (DITSCAP) was introduced in 1997 and slowly became the requirement for information systems processing DoD data. While it was a start to security as-we-know-it in IA, it lacked the security controls and accountability needed to remain the constant within the DoD.
In 2007, the DoD Information Assurance Certification & Accreditation Process (DIACAP) was introduced to the IA workforce and advertised to have a far more reliable risk management component. For the most part, DIACAP has been considered successful in reducing risk in the enterprise environment, but has experienced significant pitfalls with its introduction to commercial organizations conducting business with the DoD and translation of requirements to other (non-DoD) federal agencies. In short, the ability to interconnect systems spanning the DoD and federal agencies has become so difficult and wasteful of resources that another transition is on the horizon. That change is the Risk Management Framework (RMF).
The RMF started initially as an Intelligence Community (IC) effort and evolved into a Joint-Task-Force (JTF) initiative. Now the RMF embodies all of the major components of the federal government cyber-security committee to include IC, JTF, National Institute of Standards & Technology (NIST), and the Committee on National Security Systems (CNSS). In addition to the involvement of agencies outside of the DoD, the re-writing of formal policy has been conducted to include DoDD 8500.1, DoDI 8500.2, and DoDI 8510.01. Below are some of the many items in which you should expect to see improvement during this transition process:
- DoD participation in CNSS and NIST policy development to synchronize the cybersecurity landscape and protect the unique requirements of DoD missions
- Direct mapping of DIACAP IA Controls to NIST SP 800-53
- Streamlining of processes and policy to allow for interconnections and sharing of information between agencies
- Removal of C&A Processes, and the adoption of Risk Management Framework Lifecycle
- Improvements to DoDI 8500.01 “Cybersecurity”
  - Cybersecurity replaces Information Assurance
  - Emphasizes operational resilience and integration
  - Adopts common federal cybersecurity terminology
  - Transitions to newly revised NIST SP 800-53 Security Control Catalog
- Improvements to DoDI 8510.01 “Risk Management Framework for DoD IT”
  - Moves checklist driven process to risk-based approach
  - Strengthens enterprise-wide IT governance
  - Emphasizes continuous monitoring and timely correction of deficiencies
  - Implements cybersecurity via security controls as opposed to policy/processes
While DIACAP remains the official C&A method for the DoD (as of March 2014), the change to RMF is inevitable and overdue. At last, our federal government plans to speak one common language for cybersecurity and use one central process for managing the risk associated with systems and overall data protection. As with anything new, we fully expect there to be some obstacles presented early on in the process and we should allow for a slow transition and formal adoption with the introduction of new requirements. That said, it appears our federal government has finally stumbled upon something upon which we can all stand “united”.
Praetorian Secure, LLC has years of experience in working DITSCAP, DIACAP, and NIST-related projects with both federal and commercial organizations. Our certified security experts have the knowledge required to assist with the implementation, monitoring, and maintenance of the proposed Risk Management Framework (RMF).
If your organization is looking to begin work with the Assessment and Authorization of RMF, or planning a transition from DIACAP to RMF, contact us today to learn more about our unique offerings or visit us at http://www.praetoriansecure.com/risk-management-framework-rmf-dod-it/.