
Certification & Accreditation Transformation
By Jennifer M. Ellett - October-December 2011
Certification and accreditation (C&A) transformation is an initiative to align the processes, terminology and frameworks used to assess information security risk across all federal agencies, including the defense and intelligence communities. The effort is intended to deliver efficiencies, standardization and support for reciprocity.

Reciprocity is an agreement among participating entities to accept each other's security assessments, so that information security resources can be reused and each other's assessed security posture can be relied upon when sharing information. This reduces rework and cycle time when deploying and receiving information systems from outside a single Department of Defense (DoD) component. Reciprocity between DoD components is based on transparency, uniform processes and a common understanding of expected outcomes.

The initial set of transformation goals, set by the DoD Chief Information Officer and the Director of National Intelligence (DNI) in 2007, is shown in Figure 1. In the years since, DoD has worked with the Committee on National Security Systems (CNSS), DNI and the National Institute of Standards and Technology (NIST) to align guidance and policy across the federal government.

DoD is an active participant in updates to NIST and CNSS documents, including:

• NIST Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations" (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf);
• NIST SP 800-37 Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems" (http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf); and
• CNSS Instruction No. 1253, "Security Categorization and Control Selection for National Security Systems" (www.cnss.gov/Assets/pdf/CNSSI-1253.pdf).

DoD is now updating the following guidance to carry out its transition to the federal framework:

• DoD Directive (DoDD) 8500.01E, "Information Assurance" (IA) (www.dtic.mil/whs/directives/corres/pdf/850001p.pdf);
• DoD Instruction (DoDI) 8500.2, "Information Assurance Implementation" (www.dtic.mil/whs/directives/corres/pdf/850002p.pdf); and
• DoDI 8510.01, "DoD Information Assurance Certification and Accreditation Process" (DIACAP) (www.dtic.mil/whs/directives/corres/pdf/851001p.pdf).

While DoD continues to develop updates to the DoD 8500 series, it is clear there will be a number of changes for the DoD cybersecurity community, some of them significant. Specifically, the revised DoD 8500 series will align DoD terminology with NIST terminology, expand the scope of information technology that falls under the 8500 series, incorporate interim policy memorandums (e.g., directive-type memorandums and DoD CIO memos), and change the security control catalog and the categorization process.

At the earliest, the DoD 8500 series updates are expected in spring 2012. Once the policy updates are released, DoD will transition over

Figure 1. C&A Transformation Goals
Figure 2. DoDI 8510.01 Roles and Acronyms Compared with NIST SP 800-37

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988