
CHIPS Articles: Certification & Accreditation Transformation

Certification & Accreditation Transformation
By Jennifer M. Ellett - October-December 2011
Certification and accreditation (C&A) transformation is an initiative to align processes, terminology and frameworks for assessing information security risk across all federal agencies, including the defense and intelligence communities. This effort will provide efficiencies and standardization and will support reciprocity.

Reciprocity is an agreement among participating entities to accept each other's security assessments, so that information security resources can be reused and each other's assessment and security posture can be relied on when sharing information. This reduces rework and cycle time when deploying and receiving information systems from outside a single Department of Defense (DoD) component. Reciprocity between DoD components is based on transparency, uniform processes and a common understanding of expected outcomes.

The initial set of transformation goals, set by the DoD Chief Information Officer and the Director of National Intelligence (DNI) in 2007, is shown in Figure 1. In the years since, the DoD has worked with the Committee on National Security Systems (CNSS), DNI and the National Institute of Standards and Technology (NIST) to align guidance and policy across the federal government.

DoD is an active participant in updates to NIST and CNSS documents, including:

• NIST Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations,"
(http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf);
• NIST SP 800-37 Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems," (http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf); and
• CNSS Instruction No. 1253, "Security Categorization and Control Selection for National Security Systems" (www.cnss.gov/Assets/pdf/CNSSI-1253.pdf).

Now DoD is updating the following guidance to carry out the DoD transition to the federal framework:

• DoD Directive (DoDD) 8500.01E, "Information Assurance" (IA) (www.dtic.mil/whs/directives/corres/pdf/850001p.pdf);
• DoD Instruction (DoDI) 8500.2, "Information Assurance Implementation" (www.dtic.mil/whs/directives/corres/pdf/850002p.pdf); and
• DoDI 8510.01, "DoD Information Assurance Certification and Accreditation Process" (DIACAP) (www.dtic.mil/whs/directives/corres/pdf/851001p.pdf).

While DoD continues to develop updates to the DoD 8500 series, it is clear there will be a number of changes for the DoD cybersecurity community — some significant. Specifically, the revised DoD 8500 series will include aligning DoD terminology with NIST terminology, expanding the scope of information technology that falls under the 8500 series, incorporating interim policy memorandums (e.g., directive type memorandum and DoD CIO memos), and changing the security control catalog and categorization process.

At the earliest, the DoD 8500 series updates are expected in spring 2012. Once the policy updates are released, DoD will transition over


Figure 1 shows the goals of C&A Transformation, which are:
1. Define a common set of trust (impact) levels and adopt and apply them across the intelligence community (IC) and DoD. Organizations will no longer use different levels with different names based on different criteria.
2. Adopt reciprocity as the norm, enabling organizations to accept the approvals issued by others without retesting or reviewing.
3. Define, document and adopt common security controls, using NIST Special Publication 800-53 as a baseline.
4. Adopt a common lexicon, using CNSS Instruction 4009 as a baseline, thereby providing DoD and the intelligence community a common language and common understanding.
5. Institute a senior risk executive function, which bases decisions on an “enterprise” view of risk considering all factors, including mission, IT, budget and security.
6. Incorporate information assurance into enterprise architectures and deliver IA as common enterprise services across the IC and DoD.
7. Enable a common process that incorporates security within the “life cycle” processes and eliminate security specific processes. The common process will be adaptable to various development environments.
Figure 1. C&A Transformation Goals

Figure 2. DoDI 8510.01 Roles and Acronyms Compared with NIST SP 800-37

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988