2014 update: DIACAP has been replaced by the Risk Management Framework for DoD IT (also called DIARMF). It is based on NIST SP 800-37, the Risk Management Framework for federal IT, and draws its baselines from CNSSI 1253.
The Risk Management Framework for DoD IT takes all of its IA controls (security controls) from NIST SP 800-53.
New DIACAP Certification & Accreditation IA Controls
The DoD has had the same IA controls since DoD 8510.1-M, the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual, July 31, 2000; in other words, they were developed late last century.
The DoD has a total of 157 IA controls (the set enumerated in DoDI 8500.2) spread across 8 subject areas in 4 classes:
DC – Security Design and Configuration
IA – Identification and Authentication
EC – Enclave and Computing Environment
EB – Enclave Boundary Defense
PE – Physical and Environmental
PR – Personnel
CO – Continuity
VI – Vulnerability and Incident Management
There is a huge change coming in certification and accreditation for the DoD: the IA controls are being expanded and changed. The last two DIACAP classes I've been to mentioned that there is a big change coming. Essentially, all the IA controls (security controls, safeguards, countermeasures, whatever your organization is calling them) are getting expanded. All federal organizations will have security controls that look more like what is in National Institute of Standards and Technology Special Publication 800-53. This is all being placed in Committee on National Security Systems Instruction (CNSSI) 1253. As of 25 June 2009, CNSSI 1253 is still in draft.
The draft has 17 control families, each with a two-letter identifier, grouped into three security control classes (technical, operational and management).
TABLE 1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS

IDENTIFIER  FAMILY                                                  CLASS
AC          Access Control                                          Technical
AT          Awareness and Training                                  Operational
AU          Audit and Accountability                                Technical
CA          Certification, Accreditation, and Security Assessments  Management
CM          Configuration Management                                Operational
CP          Contingency Planning                                    Operational
IA          Identification and Authentication                       Technical
IR          Incident Response                                       Operational
MA          Maintenance                                             Operational
MP          Media Protection                                        Operational
PE          Physical and Environmental Protection                   Operational
PL          Planning                                                Management
PS          Personnel Security                                      Operational
RA          Risk Assessment                                         Management
SA          System and Services Acquisition                         Management
SC          System and Communications Protection                    Technical
SI          System and Information Integrity                        Operational
CNSSI 1253 has roughly 500 controls with pretty good granularity.
One of the really cool things about 1253 is the security control mapping: a table that matches up the NIST SP 800-53, DCID 6/3 and DoDI 8500.2 controls. For anyone with an existing DIACAP package, that crosswalk is what lets you trace the 8500.2 evidence you already have to the 800-53 controls you will be assessed against, instead of starting the documentation from scratch.