New Certification & Accreditation Process (Rumor)

One C&A package to rule them all?

The federal government has a bunch of Certification & Accreditation processes. There is Department of Defense Information Assurance Certification & Accreditation (DIACAP) for the DOD, there’s Director of Central intelligence Directive (DCID) 6/3 for certain classified systems, there is National Information Assurance Certification & Accreditation (NIACAP) for National Security Systems. And under each of these their processes differ according the branch, leadership, organization and/or mission. Each process, organization, branch and mission has a different set of resources that they pull from. DIACAP pertains to military branches and pulls from the DoD 8500 series, many other federal agencies use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.

Each agency, organization and/or branch uses their own methods and everyone is happy. The only problem is when a system gets exploited. When it happens there is mass panic and they realize that there are massive holes in the process.

Rumors and Trends

There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37, C&A of Federal Information Systems and DOD 8510, DIACAP for example. Both have an initial phase where data is gathered on the system and all parties involved with a system are pulled together (see table. 1 for more similarities).

Federal C&A Process

Phases

Activities

SP 800-37

Initiation Phase

Gather data, get agreement of all stake
holders

DIACAP

Initiate & Plan IA C&A

 

 

 

SP 800-37

Security Certification Phase

IA Control Assessment and agreement

DIACAP

Implement & Validate Assigned IA
Controls

 

 

 

SP 800-37

Security Accreditation Phase

Security implementation and assessment

 

DIACAP

Make Cert. Determination &
Accreditation Decision

 

 

 

DP 800-37

Continuous Monitoring Phase

Configuration management; FISMA reporting;
sustainment

DIACAP

Maintain Authorization to Operate

 

 

 

DIACAP

Decommission

Retire System

 

 

 

 

 

 

12-37?

Ready to actually get the RMF/ISSO job?

Go from reading about the Risk Management Framework to doing it — with the full video course, the books, and a community of GRC professionals taught by Bruce Brown (CISSP, CGRC).

Get the RMF ISSO Foundations course → Browse the RMF & GRC books Join the free GRC community

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *