CyberSecurity March 10, 2011

Pages
- Home
- About
- Archives
- ArchivesList
- Contact
- email scam
- hacked
  - remove malware
- internet scam check
- Quiz
  - Security+ Module1
- Report A Scam
- scams
- DIACAP
Archives
- May 2020
- May 2019
- April 2019
- September 2018
- August 2018
- July 2018
- June 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- December 2016
- November 2016
- October 2016
- August 2016
- July 2016
- June 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- June 2015
- April 2015
- March 2015
- January 2015
- December 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- December 2013
- October 2013
- September 2013
- August 2013
- June 2013
- May 2013
- April 2013
- March 2013
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- March 2011
- February 2011
- January 2011
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
- August 2005
- July 2005
- June 2005
- May 2005
- April 2005
Calendar

March 2011

S M T W T F S

1 2 3 4 5

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30 31

« Feb May »
Categories

March 2011
S	M	T	W	T	F	S
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Archive for March 10th, 2011

DoD Risk Management FrameWork (Part 1): Look Ahead

March 10th, 2011

The DoD is working on using the National Institute of Standards and Technology (NIST) Certification & Accreditation method of assessing & authorizing systems. The NIST system of C&A is actually known as Risk Management Framework (RMF). This would require the the Assistant Secretary of Defense Networks & Information Integration ASD(NII) office to move the DoDI 8500.2, Information Assurance (IA) controls to be mapped to the NIST SP 800-53, Recommended Security Controls. I am not certain yet whether they will eliminate the 8500.2 or just have all departments move to the NIST SP 800-53. They will also need to switch the DoD Information Assurance Certification & Accreditation Process (DIACAP) to the NIST SP 800-37 rev 1, Risk Management Framework or something similar.

If the transition is anything like their move to from DoD Information Technology Security Certification & Accreditation Process (DITSCAP) to the DIACAP then they will give about 2 years for the DoD to transition. As of Mar. 2011, there is no policy on this. It is serious because its on the DIACAP KS and the Department of Navy CIO has been releasing information on it since 2009. The DON CIO & the ASD (NII) have been working on the project to transition from DIACAP to some sort of DoD Risk Management Framework. So far, they have mapped the DoDI 8500.2 IA controls to the NIST SP 800-53 Controls: Certification and Accreditation Transformation: Security Control Mapping. Here is a May 2010 update to the NIST to DIACAP mapping. 800-53 to DoD IA contols map also includes the Director of Central Intelligence Directive (DCID) 6/3 controls. This is very telling. The plan seems to be to have one standard for all Federal Information System.

Since DoD 8510.01, DIACAP & NIST SP 800-37, Risk Management Framework (RMF) cover so much of the same ground, I think the only real benefit is that reciprocity between Federal agency will be easier if all departments have one standard of risk management and one security control set.

The DON uses the certification and accreditation (C&A) process to assess and understand the residual risk associated with operating information systems (IS) and information technology (IT). The DON is participating with the DoD, the IC, and the rest of the Federal government in C&A transformation. One goal of transformation is to achieve common security controls enabling the DON, the DoD, the IC, and the rest of the Federal government to develop systems to the same protection standards.

The recently released National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, revision 3 provides recommended consolidated security controls in an effort to achieve common security controls across the Federal government.

The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.

—Security Control Mapping Document Aids Transition, DON CIO Site

Posted in Assurance, Assurance/DIACAP, Assurance/DITSCAP, Assurance/Netcentric, Assurance/SSAA, C&A, DoD Risk Management Framework, DoD RMF, Main Digg by Bruce Brown

1 Comment

Pages

Archives

Calendar

Categories