diacap diarmf

diacap to diarmf: intro


image of diacap to rmf

The DoD Chief Information Officer (formerly the Assistant Secretary of Defense for Networks and Information Integration, ASD(NII)), in collaboration with the Department of the Navy CIO, developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More on this is available at the DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service, go to “C&A Transformation”. That page introduces some of the coming changes from Certification & Accreditation (C&A) to the Risk Management Framework (RMF) described in NIST SP 800-37.

The DIACAP Knowledge Service has a “Risk Management Framework Transformation Initiative” underway that provides information on the use of NIST SP 800-53, NIST SP 800-37 and CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents so that they align with the NIST SP 800 series and the 2013 FISMA amendments. The aim is to keep up with newly arising cyber threats, vulnerabilities and security incidents using “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO and NSP, Retina, Nessus and other near-real-time active monitoring systems (SIEM, endpoint policy management, intrusion prevention and vulnerability scanning), rather than relying on point-in-time accreditation paperwork.

diacap to diarmf

road to diarmf


The federal government has gotten more serious about security.  It realizes that enterprise-level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes in information technology.

Risk-based, cost-effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines adequate security as security commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to streamline the process of implementing and evaluating security controls by automating as much of the paperwork as possible.

Note, IMHO: since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns”, I think that for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without a revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541 et seq.), enacted as Title III of the E-Government Act of 2002 (Public Law 107-347).

FISMA requires every federal agency to develop, document, and implement an agency-wide information security program that provides information security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The federal government has created various acts and laws that move the C&A process toward a risk-management approach and emphasize risk-based policy for cost-effective security. These include (but are not limited to):

  • Federal Information Security Management Act of 2002 (amended as of April 2013)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources



This slide deck will tell you everything you need to know for now:

http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief ISSA_10-28-05.ppt

According to rumors about the DIACAP, the document (DoDI 8510.bb) is waiting to be signed (or has been signed). DoDI 8510.bb will be the DIACAP instruction. DoDI 8510.bb, DoD Information Assurance Certification and Accreditation Process (DIACAP), will replace DoDI 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), and DoD 8510.1-M, DITSCAP Application Manual. (The draft was eventually signed as DoDI 8510.01 in November 2007, the DIACAP instruction referenced above.)


Read More on the DIACAP Guide.

NR-KPP stands for Net-Ready Key Performance Parameter

Net readiness is the ability to have immediate access to mission- or business-essential information. Like the term net-centric, net readiness means the full exploitation of the Internet and/or intranet, whether the organization's primary mission is business, volunteerism or warfare.

So the NR-KPP is the parameter used to evaluate the “net readiness” of a given information system or organization.

Formal Definition:
NR-KPP was developed to assess net-ready attributes required for both the technical exchange of information and the end-to-end operational effectiveness of that exchange. The NR-KPP replaces the Interoperability KPP, and incorporates net-centric concepts for achieving Information Technology (IT) and National Security System (NSS) interoperability and supportability.

What are the elements within the Net Ready Key Performance Parameters?

Net Centric Operations and Warfare Reference Model (NCOW RM) Compliance Statement

Information Assurance (IA) Accreditation Compliance Statement

Your guide to creating the NR-KPP will be CJCSI 6212.01, Interoperability and Supportability of Information Technology and National Security Systems:

Net-Ready Key Performance Parameter. All Information Support Plans (ISP) for systems that exchange information with other systems will contain a Net-Ready KPP. For all ISPs with an associated approved JCIDS CDD or CPD capabilities document, the ISP can refer to the associated CDD/CPD. ISPs for CRDs, ORDs, non-ACAT and fielded systems will include the NR-KPP in the ISP.

The NR-KPP will consist of the following:
a. AV-1, OV-2, OV-4, OV-5, OV-6C
b. SV-4, SV-5, SV-6
c. TV-1 generated from DISR online
d. Applicable CRD crosswalk (See Table D-3)
e. Initial LISI Profile (Interface Requirements Profile) See Enclosure K
f. NR-KPP statement. (Table I-1)
g. IA Statement of Compliance
h. Key Interface Profile (KIP) Declaration (list of the KIPs that apply to the system)

Key Interface Profiles (KIPs) Compliance Statement

CJCSI 6212.01, Interoperability and Supportability of Information Technology and National Security Systems: http://www.teao.saic.com/cbrtraining/docs/CJCSI_6212_01.pdf

Net Ready: http://del.icio.us/tag/%22net%2Bready%22
More on NR-KPP: http://del.icio.us/tag/%22nr%2Bkpp%22