NIST 800: DoD Risk Management Framework

by Rob Elamb

There are a couple of defense policies that reflect the DoD’s move to the NIST 800 standards: the Defense Acquisition Regulation Supplement (DFARS 2011-D039) and CJCSI 6510.01, Information Assurance and Support to Computer Network Defense.

Defense Acquisition Regulation Supplement (DFARS 2011-D039)
Defense contractors will have to meet the NIST Special Publication 800-53 security controls. Most large defense contractors have already started meeting the DIACAP controls, which are very similar to the NIST 800 controls.
More info at FierceGovernmentIT.

CJCSI 6510.01, Information Assurance and Support to Computer Network Defense
The new 6510.01F replaces the old 6510.01E. The document renames the Information Assurance Manager (IAM) to Information System Security Manager (ISSM) and the Information Assurance Officer (IAO) to Information System Security Officer (ISSO). The Designated Accreditation Authority (DAA) becomes the Authorizing Official (AO). The former DIACAP term “certification” is replaced by the 800-37 term “assessment”.

Updates titles for Designated Accrediting Authority (DAA) to Authorizing Official; Information Assurance Manager (IAM) to Information Systems Security Manager (ISSM); and Information Assurance Officer (IAO) to Information Systems Security Officer (ISSO) to align with CNSSI No. 4009 (reference e) terms. Replaces term certification with assessment and accreditation with authorization (to operate) in alignment with CNSSI No. 4009 (reference e) terminology. The new terms are followed by legacy terms in parentheses throughout instruction.

The document also refers to the coming changes to DoD 8500 policies. The changes will focus on NIST 800:

Select security controls IAW DODI 8500.2 (reference g). Note: The next update to DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will direct DOD IS categorization and security control selection IAW CNSSI No. 1253, “Security Categorization and Control Selection for National Security Systems” (reference ill) with additional specific guidance on the DIACAP Knowledge Service. DODI 8500.2 (reference g) and DODI 8510.01 (reference i) will also direct the use of security controls in NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations” (reference kkk) with supporting validation procedures in NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations” (reference lll), and additional DOD guidance published in the DIACAP Knowledge Service.

The ultimate goal will be to move away from “Certification & Accreditation” and to a “Risk Management Framework” as in NIST SP 800-37:

NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems” (reference mmmmm), provides guidelines for applying the Risk Management Framework to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.
