Tag: CA

  • diacap to diarmf: C&A vs RMF

    DIACAP is transitioning from a Certification and Accreditation (C&A) process to a Risk Management Framework (RMF).  Most of the new Risk Management Framework is described in NIST Special Publication 800-37.  The old NIST SP 800-37 was also based on Certification and Accreditation.  After FISMA 2002, it was revised into a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.


    The revision from NIST SP 800-37 to SP 800-37 Rev 1 transformed the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).  The changes included:

    The revised process emphasizes:

    1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
    2. Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
    3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

  • Certification & Accreditation Change

    Standard-issue security
    Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

    The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

    At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

    “We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

    CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

    A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

    It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

    C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

    “In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

    FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

    “Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network-centric systems and information sharing, but it lacked enterprise visibility.

    That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

    Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

    The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

    “The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

  • DIACAP Team

    DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS.  At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives. (DoDI 8510.01, E2.25)

    *Update: DIACAP was replaced by the DoD Risk Management Framework (2014)

    Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DoDI 8510.01, E2.19) *DAA is Authorization Officer (2014)


    Program Manager or System Manager (PM or SM). For the purpose of this Instruction, the individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs. (DoDI 8510.01, E2.50)

    Certifying Authority (CA). The senior official having the authority and responsibility for the certification of ISs governed by a DoD Component IA program. (DoDI 8510.01, E2.12)

    Certifying Authority Representative. An official appointed by and acting on behalf of the CA (DoDI 8510.01, E2.13).

    IA Manager (IAM). The individual responsible for the information assurance program of a DoD information system or organization. While the term IAM is favored within the Department of Defense, it may be used interchangeably with the IA title Information Systems Security Manager (ISSM). (DoDI 8500.2, E2.1.27). Requirements: must demonstrate need to know (DoDD 8500.1, para 4.8), must be a U.S. citizen (DoDI 8500.2, para 5.8.3), and must hold the applicable DoD 8570 certifications.

    IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). (DoDI 8500.2, E2.1.28)

    Requirements: must demonstrate need to know (DoDD 8500.1, para 4.8), may be a foreign national with DAA approval (DoDI 8500.2, E3.T1), and must hold the applicable DoD 8570 certifications.

    Other Roles:

    E2.54. Senior Information Assurance Officer (SIAO). The official responsible for directing an organization’s IA program on behalf of the organization’s chief information officer.

    The DIACAP process involves many players, which gives the system a high level of visibility and decentralized responsibility.

    Air Force Roles:

    The Air Force DAA is AFNETOPS/CC (Gen. Elders, circa 2008). AFCA/CC serves as the DAA Representative (AFPD 33-2, para 5.9.6). The Air Force uses the DAA as the PAA. AFCA/EVSS acts as the Certifying Authority for the Security discipline of the SISSU process. Ref: AFPD 33-2, AFI 33-210

    Lt. Gen. Michael W. Peterson is USAF Chief of Warfighting Integration and Chief Information Officer

    Navy Roles:

    Commander Naval Network Warfare Command (COMNETWARCOM).

    The CO designates, in writing, an Information Assurance Manager (IAM) who serves as the POC for all command IA issues and implements the command’s IA program. The CO also designates, in writing, Information Assurance Officer(s) to implement and maintain the command’s network security requirements.

    Ref: SECNAV M-5510.30, Chapter 2

    SECNAV M-5510.36, Chapter 2, 6, and 12

    SECNAV M-5239.1, DON Information Assurance Program

    Army Roles:

    The Director, Enterprise Systems Technology Activity (ESTA) is the DAA.

    Ref: AR 25-2

    *These roles are different for guard and reserve units