Certification and accreditation (C&A) transformation is an initiative to align processes, terminology and frameworks for assessing information security risk across all federal agencies, including the defense and intelligence communities. This effort will provide efficiencies, standardization and support to reciprocity.
Reciprocity is an agreement among participating entities to accept each other's security assessments, so that information security resources can be reused and each party's assessed security posture can be relied upon to share information. This reduces rework and cycle time when deploying and receiving information systems from outside a single Department of Defense (DoD) component. Reciprocity between DoD components is based on transparency, uniform processes and a common understanding of expected outcomes.
The initial set of transformation goals, set by the DoD Chief Information Officer and the Director of National Intelligence (DNI) in 2007, is shown in Figure 1. In the years since, the DoD has worked with the Committee on National Security Systems (CNSS), DNI and the National Institute of Standards and Technology (NIST) to align guidance and policy across the federal government.
DoD is an active participant in updates to NIST and CNSS documents, including:
• NIST Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations" (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf);
• NIST SP 800-37 Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems" (http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf); and
• CNSS Instruction No. 1253, "Security Categorization and Control Selection for National Security Systems" (www.cnss.gov/Assets/pdf/CNSSI-1253.pdf).
DoD is now updating the following guidance to carry out its transition to the federal framework:
• DoD Directive (DoDD) 8500.01E, "Information Assurance" (IA) (www.dtic.mil/whs/directives/corres/pdf/850001p.pdf);
• DoD Instruction (DoDI) 8500.2, "Information Assurance Implementation" (www.dtic.mil/whs/directives/corres/pdf/850002p.pdf); and
• DoDI 8510.01, "DoD Information Assurance Certification and Accreditation Process" (DIACAP) (www.dtic.mil/whs/directives/corres/pdf/851001p.pdf).
While DoD continues to develop updates to the DoD 8500 series, it is clear there will be a number of changes for the DoD cybersecurity community — some significant. Specifically, the revised DoD 8500 series will include aligning DoD terminology with NIST terminology, expanding the scope of information technology that falls under the 8500 series, incorporating interim policy memorandums (e.g., directive type memorandum and DoD CIO memos), and changing the security control catalog and categorization process.
At the earliest, the DoD 8500 series updates are expected in spring 2012. Once the policy updates are released, DoD will transition over