diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

 

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

 

DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to risk management framework, comes a few new terms.  “C&A” will be replaced with assessment and authorization.  Even though “information assurance (IA) controls” will be call “security controls”, the definition and work is still the same, but the hope is that its done continuously and more cost-effective.

 

Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome.  An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.

The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

– NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.

 

diacap diarmf

diacap to diarmf: intro

DIACAP to DIARMF: Intro

diacap diarmf

image of diacap to rmf

DoD Chief Information Officer (formerly Assistant Security Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service goto “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation changes to the Risk Management Framework seen in NIST SP 800-37.

DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.

diacap to diarmf

road to diarmf

Why DIACAP to DIARMF?

Federal government has gotten more serious about security.  They realize that enterprise level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk based/cost effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

 Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Required for all government agencies  to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.

The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  •  Federal Information Security Management Act of 2002 (amended as of 2013 April)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources

 

who-created-manages-nist-800

Who Created/Manages NIST 800?

Who Creates and/or Manages the NIST 800?

This NIST 800 is a well thought out set of federal security standards that DoD and the Intel world is moving too.  It aligns with International Organization for Standardization (ISO) and International Electotechnical Commissions (IEC) 27001:2005,  Information Security Management System (ISMS).

who-created-manages-nist-800

who-created-manages-nist-800

NIST 800 is updated and revised by the following organizations:
Joint Task Force Transformation Initiative Interagency  (JTFTI) Working Group National Institute of Standards and Technology (NIST)
JTFTI is made up of from the Civil, Defense, and Intelligence Communities.  This working group reviews and updates the following documents

  •      NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  •     NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
  •     NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
  •     NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

These core documents are a standard on how to implement FISMA. The organization has done a good job of keeping NIST 800 inline with international standards of ISO 27001.  The JTFTI is made up of ODNI, DoD, CNSS.  This document is also publicly vetted.

Office of the Director of National Intelligence (ODNI)
The DNI is a position required by Intelligence Reform and Terrorism Prevention Act of 2004.  This office serves as adviser to the president, Homeland Security and National Security Counsil as well and director of National Intelligence.

Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and Marines.  It is the most powerful military organization in recorded history.

Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems“,
the group has represtatives from NSA, CIA, FBI, DOD, DOJ, DIA and is focused on protecting the US crititcal infrastructure.

Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

Public (review and vetting) – the draft is posted online on NIST.gov

http://csrc.nist.gov/publications/PubsDrafts.html

 

sources:

FISMA JTFI

http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

Scadahacker – mappings NIST to International

http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf

 

diacap-diarmf

diacap to diarmf: FISMA 2013

The Federal Information Security Amendments Act, H.R. 1163, Amends the Federal Information Security Management Act of 2002 (FISMA).

Main Points of FISMA 2002:

  • Cost-effectively reduce information technology security risks
  • Vulnerability Database  System
  • Maintain an inventory of major information systems
  • Security Categorization of Federal IS by risk levels
  • Minimum security requirements
  • System Security planning process
  • Annual review of assigned IS compliance
  • Risk Management

 

The amendment has a few big changes to the previous 2002 version that will affect federal agencies.  But two main ones the stood out for me is the emphasis on automation and the CISO position.

The FISMA Amendment was passed by the House of Representatives (4 April 2013) but must still pass the Senate and be signed into law by the President.

 

1 – Continuous monitoring / automation of Everything -FISMA 2013, requires continuous monitoring (automation) and regular cyberthreat assessments for better oversight to federal organizations.

Security Incidents –  Security incidents are automatically detected with tools like McAfee Network Security Platform (IPS), Source Fire SNORT (IDS), McAfee ePO and Cisco IDS.  With the right people to manage the signatures and the configuration, theses are great products.  Once they are detected you can then do incident handling with something like Remedy.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology”

Information Systems Security – Vulnerability scanners such as Retina and Tenable’s Nessuss are great with automatically detecting security controls and policies within an agency.  Change Auditor and other tools can detect changes the GPO’s within a domain.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including…” Security controls

Risk Level & Impact of Harm – McAfee ESM and ArcSight are good and pulling in the data from security tools that detect security events, evaluating the risk level and giving an measurement of the possible harm of and asset.  FISMA 2013: “automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency;

Detection/Correlation – this one could be grouped in with Security Incident, but Security Incident gets more into incident handling.  Also, ArcSight, McAfee, LogRythm, LogLogic, AlienVault and other Security Incident Event Managers do Correlation automatically.  FISMA 2013: “efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.”

2 – CISO positions and responsibilities backed by Law – The amendment requires each department head to be held accountable for IT.  In DoD Information Assurance Risk Management Framework (DIARMF) this department director is known as the Authorizing Official (aka Designated Authorizing Authority in DIACAP).  FISMA 2013 require the AO to have an Chief Information Security Officer.  This is a position that is already assigned under Risk Management Framework.  The DoD has referred to this position as Senior Information Assurance Officer in DIACAP.  Under FISMA 2013, CISO/SIAO must have must have qualifications to implement agency-wide security programs for which they are responsible
and report directly to the AO.

The CISCO/SIAO will also have responsibility of Automated Security systems.  The CISO will be responsible for development, maintaining and overseeing these automated systems.

FISMA 2013 is targeted to minimize the risk of cyberattacks by conducting pentesting.

Overall, they made automation a requirement, which is the direction the field of information security has already been following and put some more emphasis on the CISO.  The amendments highlight the changes from DIACAP to DIARMF as many of the changes are already in the NIST 800 series that DIARMF is based on.

source:
http://beta.congress.gov/bill/113th/house-bill/1163/text

Approved System

Information Assurance is based on obtaining a high level of confidence on information’s confidentiality, integrity, and availability.  Some organizations that deal with “critical information”.  Critical information included things like banking transactions, classified data, information that is evidence in an ongoing investigation.  Companies, unions and government that handle this kind of information usually have a lot of exposure because they are handling public data, share holder data, employee data and are doing a lot of translation across the un-trusted networks such as the Internet.  With critical information and high exposure these organizations MUST have “approved processes” for vetting, testing and validating “approved software” and “approved systems”.

For example, in the Department of Defense there are many lists that have approved software.  These lists are per command within larger organizations.  One over arching process/list is the Common Criteria:

Common Criteria is an international standard for validating technical security built in to security feature of information systems.  The international standard is known as ISO/IEC 15408.

This standard is used by many large organizations all over the world that serve the public:

www.commoncriteriaportal.org

http://www.commoncriteria.com

Each organization has there own specific security needs so most of the time they have many levels of application approval and process:

NSA / DOD / US Gov – www.niap-ccevs.org – National Information Assurance Partnership (NIAP) uses Common Criteria Evaluation and Validation Scheme (CCEVS) to ensure that only approved Information Assurance (IA)  and IA-Enabled Information Technology (IT) products are used

Canadian Trusted Computer Product Evaluation Criteria
UKhttp://www.cesg.gov.uk/servicecatalogue/ccitsec‎

Commercial organizations that want their products used by organization processing and storing critical information must submit to common criteria as well:

Applehttps://ssl.apple.com/support/security/commoncriteria/

Microsofthttp://www.microsoft.com/en-us/sqlserver/common-criteria.aspx‎

xeroxCommon Criteria

Citrixhttp://www.citrix.com/support/security-compliance/common-criteria.html‎

CiscoCisco Common Criteria 
Emc – EMC – Common Criteria

Organizational units also have their own criteria for approved applications and systems:

US ArmyArmy Chess

US Air ForceAF E/APL – Certified Air Force Evaluated Approved Product List

 

 

How to get a certification: CAP Exam part 1

CAP Exam

passed the cap exam

me with picture of CAP notificaiton

I had studied all night after freaking out about the test. I was sick and had to drive to another city to take that damn test. I was exhausted and tired.. lame excuse for being ugly lol. Its all good.. I still get laid.. but enough about ME.. lets talk about the test 😀

How to get a certification

– ISC2 Certified Authorization Professional (ISC2 CAP)
– Risk Management Certification
– Passing Score 700 out of 1000 points (125 questions on the test *25 test questions not counted toward the results)
– Application Fee: $419
– Verify 2 years experience in this field
– Endorsement Form
– Answer questions to criminal history and background
– Other Info: its a CBT, 3 hours to test, based on NIST 800 series

How Hard is the CAP Exam

I just took the ISC2 Certified Authorization Professional test (CAP Exam). I just want to give others who are about to take this test some idea of what they are up against. I noticed there is not a lot of Security Professionals talking about it. I keep hearing that there are only *1000 CAP certified people on Earth (circa 2011). I don’t think its because of the difficulty level (lol.. i mean i would not call it an EASY test, but its no CISSP or CCIE.. btw CCIE has about 25,000 certified as of about 2010 individuals on early despite being around for since 1993… according to Cisco, “fewer than 3% of Cisco certified individuals attain CCIE certification”). I think there are so few CAP certified people because its not a well know certification and its in a specialized field. Perhaps the numbers of CAP certified individuals will always be low.

My overall impression is that it is much harder than Security+ but much easier than CISSP. If you have recent experience with DoD Information Assurance Certification & Accreditation Process (DIACAP) you should have an easy time grasping the National Institute of Standards & Technology (NIST) Special Publication 800 series concepts allowing you to pass the CAP exam. I would say the same about all the C&A frameworks, NIACAP, NISPOM, DCID 6/3, DITSCAP etc. If you know the certification & accreditation process well than you will pick up risk management framework fast. If you have been doing the NIST C&A and/or Risk Management Framework, the test should be a mere refresher course for you and a couple of weeks of reviewing NIST 800 regulations and OMBs you already know might be enough for you to pass the CAP Exam and get this certifications. You should know, however, that quite a bit has changed since 2009 in the certification & accreditation process of getting authorization.

The test is in the style of the CISSP in that you must choose what is MOST right in many cases. All questions are 4-multiple choice type questions.

Study Material for the Certified Authorization Professional

One of my biggest issues about the CAP material is that is has almost NO decent study material. There is “The CISSP and CAP prep guide” by Russell Dean & Ronald L. Krutz, this is the ONLY book I have found aside from one or two lame ebooks (as of 2011).

What I used to get a CAP Certification

The very first thing you should do is become a member of Isc2.org and download the ISC2 CAP Candidate Information Bulletin. The CAP Exam CIB breaks down all the objectives that you need to be knowledgeable in.

Read and/or be very familiar with the following NIST & OMB documents:
– NIST 800-37
– NIST 800-53
– NIST 800-53A
– NIST 800-64
– NIST 800-30
– NIST 800-100
– NIST 800-83
– NIST 800-53
OMB circular A-130
Privacy Act of 1974
FISMA Act of 2002
**The full list of documents & regs to be familiar with are located in CAP CIB

Another great resource is practice tests. Ucertify.com has GREAT content for the CAP, some of the best you will find for the Certified Authorization Professional.

Areas to Spend a LOT of time on:

I would definitely know and fully understand the Risk Management Framework (800-37). You need to know the tasks on each of the six steps of the Risk Management Framework (800-37). System Development Lifecycle is also HUGE on this test(800-64). I would know how Risk Management Framework lines up with SDLC and Risk Assessment process (800-37, 64, 30). Risk Assessment process, Risk Management Framework and SDLC are all interconnected. You should know how they work together. Tasks that are done at each stage and step in all those process and what role does each task is a need to know. Roles and Responsibilities should be fully understood and memorized. Although everyone of the steps in the Risk Management framework are covered pretty good, I feel like the following two steps were beaten to death: Continuous Monitoring & assessments (security control assessor)

The test is computer based and randomized so you might get a completely different set of subject areas. Your best bet is to study what is in the CAP-CIB and use a bunch of practice tests.

What I DID NOT see on the Exam:

I was surprised not to see anything on the NIACAP, DIACAP, FITSAP, DCID 6/3 and DITSCAP. I was fully expecting it and prepared for it. Many of the practice test go on and on about Project/Program Management subject areas. But the only question I recall on that had to do with knowing the role of a Program Manager… thats about it.

Pro & CON on the ISC2 CAP Cert

CONS: I feel like the CAP is currently (2011) not in great demand. If you do a search on any job database (monster, indeed, simplyhired) you see that there are not many employees listing it as a requirement. For example, a 2011 search on isc2 CAP anywhere in the US gives 49 results — http://jobsearch.monster.com/search/?q=isc2-cap
I also think that the certification is WAY over priced. Its $419 which I think is even more than the ISC2 CISSP concentrations.
There is almost no study material for it.

PROS: Covers very important risk management framework material. Its computer based, so the results are instant. Its good lead up and practice for the ISSEP. The ISSEP covers a lot of what is in the CAP. NIST will get increasingly more important as DoD, NSA and other national security system agencies take on the NIST.

*CAP Exam: CAP certified people in the world (circa 2011):
Canada 6
Germany 1
Korea, Republic of 2
Puerto Rico 2
United States 997
reference: https://www.isc2.org/member-counts.aspx#cap

**Certification Authorization Professional Candidate Information Bulletin is on ISC2.org. May have to be a member to get the document

Training & Certification: Risk Management Approach to Security Authorization

Understand the Risk Management Approach to Security Authorization

The concept of management of information security risks across an enterprise is discussed in 800-39. An organization takes a multitier approach to the risk management at the organizational, mission, and system levels. Risk management framework is a process that is broken down in NIST 800-37, Risk Management Framework. The CAP addresses the following:

    Distinguish between applying risk management principles and satisfying compliance requirements
    Identify and maintain information systems inventory
    Understand the criticality of securing information
    Understand organizational operations

Distinguish between applying risk management principles and satisfying compliance
Risk management includes satisfying compliance. Even though some controls may not be able to be made fully compliant due to limited resources, residual risk to the organization can still be mitigated and managed. Concepts of NIST SP 800-37, Guide of RMF

Identifying and maintaining information system (IS) inventory is addressed in NIST 800-37, Risk Management Framework, 800-18, System Security Plan & 800-64, System Development Life Cycle. 800-37 addresses inventory of the IS in RMF Step 1 Categorization of IS. Of the tasks of categorization includes information system registration which begins with by identifying the information system in the system inventory. This is documented in the security plan. NIST SP 800-18 discusses how the inventory is documents, and logically separates the system authorization boundary. That inventory is maintained and monitored throughout the life cycle of the IS (from imitation to disposal and from categorization to monitoring of the system).

A CAP candidate can understand the criticality of security information from reading FIPS 199, categorization of federal information systems.

Understanding the organizational operations of the system is imperative to a CAP candidate for the purpose of scope guidance described in NIST SP 800-53.

Risk Management in IT: NSS

Risk Management of IT: National Security Systems

Risk Assessments and Risk Management will apply to National Security Systems (NSS).

What is a Risk Assessment?

A risk assessment is the results/process to determine the likelihood that a threat will exploit a weakness. Risk assessment is a part of the risk management.

What is risk management?

Risk Management is the on-going process of determining assessing, identifying and prioritizing of risks.

Is My System a National Security System?

NIST SP 800-59, Guidance for Identifying an information system as an NSS. 800-39 is a 17 page document developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. It is basised on the Federal Information Security Management Act of 2002 (FISMA).

Who determines if you have an NSS?

The head of each agency is responsible for designating an agency information security official to determine which, if any, agency systems are national security systems.

Tools to determine if you have a NSS system:

National Security System Identification Checklist (NIST SP 800-59, Appendix A). The NSS ID Checklist asks (6) questions. Answering yes to any of these questions qualifies your system as an NSS:
Does the function, operation, or use of the system involve intelligence activities?
Does the function, operation, or use of the system involve cryptologic activities related to national security?
Does the function, operation, or use of the system involve command and control of military forces?
Does the function, operation, or use of the system involve equipment that is an integral part of a weapon or weapons system?
Is the system critical to the direct fulfillment of military or intelligence missions?
Does the system store, process, or communicate classified information?

NSS RMF
The guidance of CNSSI 1253 is the result of NIST collaborated with the Intelligence Community (IC), Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to ensure NIST SP 800-53 contains security controls to meet the requirements of National Security Systems (NSS).

KEY DIFFERENCES BETWEEN CNSS INSTRUCTION NO. 1253 AND NIST PUBLICATIONS

The key differences between CNSSI 1253 and the rest of the NIST publications is that NSS systems do not follow high-water mark, NSS maybe tailored through risk-based adjustment, control profiles, and a method that allows organization to practice reciprocity.

NSS and High Water Mark
Both FIPS 200 and NIST 800-53 apply the concept of a high-water mark (HWM) when categorizing information systems according to the worst-case potential impact of a loss of confidentiality, integrity, or availability of information or an information system. This Instruction does not adopt this HWM usage. In the National Security Community, the potential impact levels determined for confidentiality, integrity, and availability are retained, meaning there are 27 possible three-value combinations for NSI or NSS, as opposed to the three possible single-value categorizations obtained using the guidelines in FIPS 200. CNSSI 1253

Risk-Based Adjustment
Potential impact-based security categorizations for NSS may be tailored through the use of a risk-based adjustment. This adjustment takes into consideration the physical and personnel security measures already employed throughout the National Security Community and factors such as aggregation of information.

Control Profile
Method by which organizations may designate sets of controls for NSS based on their enterprise-wide risk assessment and taking into account business objectives, system risks, and mission needs.

NSS Reciprocity
It is the policy of the National Security Community that member organizations practice reciprocity with respect to the certification of systems and system components to the greatest extent practicable. Reciprocity of certification reduces the cost and time to implement systems and system components.

DoD Risk Management FrameWork (Part 1): Look Ahead


The DoD is working on using the National Institute of Standards and Technology (NIST) Certification & Accreditation method of assessing & authorizing systems. The NIST system of C&A is actually known as Risk Management Framework (RMF). This would require the the Assistant Secretary of Defense Networks & Information Integration ASD(NII) office to move the DoDI 8500.2, Information Assurance (IA) controls to be mapped to the NIST SP 800-53, Recommended Security Controls. I am not certain yet whether they will eliminate the 8500.2 or just have all departments move to the NIST SP 800-53. They will also need to switch the DoD Information Assurance Certification & Accreditation Process (DIACAP) to the NIST SP 800-37 rev 1, Risk Management Framework or something similar.

If the transition is anything like their move to from DoD Information Technology Security Certification & Accreditation Process (DITSCAP) to the DIACAP then they will give about 2 years for the DoD to transition. As of Mar. 2011, there is no policy on this. It is serious because its on the DIACAP KS and the Department of Navy CIO has been releasing information on it since 2009. The DON CIO & the ASD (NII) have been working on the project to transition from DIACAP to some sort of DoD Risk Management Framework. So far, they have mapped the DoDI 8500.2 IA controls to the NIST SP 800-53 Controls: Certification and Accreditation Transformation: Security Control Mapping. Here is a May 2010 update to the NIST to DIACAP mapping. 800-53 to DoD IA contols map also includes the Director of Central Intelligence Directive (DCID) 6/3 controls. This is very telling. The plan seems to be to have one standard for all Federal Information System.

Since DoD 8510.01, DIACAP & NIST SP 800-37, Risk Management Framework (RMF) cover so much of the same ground, I think the only real benefit is that reciprocity between Federal agency will be easier if all departments have one standard of risk management and one security control set.

The DON uses the certification and accreditation (C&A) process to assess and understand the residual risk associated with operating information systems (IS) and information technology (IT). The DON is participating with the DoD, the IC, and the rest of the Federal government in C&A transformation. One goal of transformation is to achieve common security controls enabling the DON, the DoD, the IC, and the rest of the Federal government to develop systems to the same protection standards.

The recently released National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, revision 3 provides recommended consolidated security controls in an effort to achieve common security controls across the Federal government.

The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.

Security Control Mapping Document Aids Transition, DON CIO Site

1 2 3