One C&A package to rule them all?
The federal government has a bunch of Certification & Accreditation (C&A) processes. There is the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) for the DoD, there is Director of Central Intelligence Directive (DCID) 6/3 for certain classified systems, and there is the National Information Assurance Certification & Accreditation Process (NIACAP) for National Security Systems. Under each of these, the processes differ according to the branch, leadership, organization and/or mission, and each process, organization, branch and mission pulls from a different set of resources. DIACAP pertains to the military branches and pulls from the DoD 8500 series; many other federal agencies use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.
Each agency, organization and/or branch uses its own methods and everyone is happy. The only problem is when a system gets exploited. When that happens there is mass panic, and they realize that there are massive holes in the process.
Rumors and Trends
There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37 (C&A of Federal Information Systems) and DoD 8510 (DIACAP), for example. Both have an initial phase where data is gathered on the system and all parties involved with the system are pulled together (see Table 1 for more similarities).
Table 1. Corresponding phases of the SP 800-37 and DIACAP processes

| Federal C&A Process | Phases | Activities |
| --- | --- | --- |
| SP 800-37 | Initiation Phase | Gather data, get agreement of all stake |
| DIACAP | Initiate & Plan IA C&A | |
| SP 800-37 | Security Certification Phase | IA Control Assessment and agreement |
| DIACAP | Implement & Validate Assigned IA | |
| SP 800-37 | Security Accreditation Phase | Security implementation and assessment |
| DIACAP | Make Cert. Determination & | |
| SP 800-37 | Continuous Monitoring Phase | Configuration management; FISMA reporting; |
| DIACAP | Maintain Authorization to Operate | |
| DIACAP | Decommission | Retire System |