Defense Department information systems (IS) are routinely deployed across the globe, embedded in host enclaves and connected to naval operational networks. Command and control, logistics, intelligence — regardless of the function, all information systems must be assessed to meet security requirements prior to connection.
Reciprocity is the mutual agreement among participating enterprises to accept each other's security assessments in order to reuse IS resources and/or to accept each other's assessed security posture in order to share information. Without reciprocity, the receiving activity must conduct its own security certification and accreditation (C&A) process from square one.
Air Force Maj. Gen. Michael J. Basla, then Vice Director, Command, Control, Communications and Computer Systems for the Joint Staff, reflected on the negative impact of reciprocity delays on the warfighter, "From the warfighting mission area perspective, we have witnessed the protracted delay of fielding capability to the warfighting community due to lack of comprehensive security review criteria and an executable, repeatable process."
On July 23, 2009, reciprocal acceptance of information systems certification and accreditation documentation within the DoD took a giant leap forward with the issuance of a groundbreaking memorandum.
The memorandum, "DoD Information System Certification and Accreditation Reciprocity," seeks to ensure the rapid and secure fielding of DoD information systems by providing clear communication of the reciprocity policy and implementing guidance to establish a systematic, repeatable process.
The memorandum was endorsed by the four DoD mission area (MA) principal accrediting authorities (PAAs), who are responsible for resolving accreditation issues within their respective mission areas and for working with the other PAAs to resolve issues that cross mission areas as needed.
The PAAs and their associated MAs are:
• Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer, ASD (NII)/DoD CIO; Enterprise Information Environment MA
• Under Secretary of Defense for Acquisition, Technology and Logistics, USD (AT&L); Business MA
• Chairman of the Joint Chiefs of Staff; Warfighting MA
• Under Secretary of Defense for Intelligence, USD(I); Defense Intelligence MA
In the memorandum, the principal accrediting authorities state that the timely deployment of information systems is critical to attaining the department's strategic vision of netcentricity. They also stress that reciprocity of accreditation decisions and the artifacts contributing to the accreditation decision will advance information sharing; reduce rework and cycle time when establishing combined and joint information systems and networks; and support DoD mission accomplishment.
The memorandum reaffirms that each DoD information system has one, and only one, assigned designated accrediting authority (DAA), who is responsible for issuing an accreditation decision based on achieving an acceptable risk posture, and it requires due diligence in complying with the DoD Information Assurance Certification and Accreditation Process (DIACAP). However, it also recognizes that DoD components receiving and deploying DoD information systems are also stakeholders, and therefore must be provided situational awareness and access to C&A data to make informed connection and net-worthy decisions.
The PAAs recognize that reciprocity requires a level of trust based on transparency, uniform processes and a common understanding of expected outcomes, and the memo provides for continuous visibility of information assurance C&A packages, deployment milestones and transparency of risk management decisions.
Connection and net-worthiness requirements beyond information assurance can also affect a DoD component's decision to accept a deploying information system. These req