We haven’t posted on DoD’s pending transition from the DoD Information Assurance Certification & Accreditation Process (DIACAP) to what is called – at least for now – the DoD IA Risk Management Framework (RMF). Now, after reading the articles by noted security experts Len Marzigliano and Richard Bejtlich, it’s time to take a look at what this transition might really mean for DoD and its supporting contractors.
For those of us who have been around a while, we remember the emergence of the DoD Information Technology C&A Process (DITSCAP) and the somewhat reluctant transition from that C&A process to the DIACAP in 2007/2008. We watched while the DIACAP, which was intended to be a standardized process that would be applied consistently across the entire DoD to support reciprocity and cost savings, was subjected to modification and interpretation by each of the services. The result – standardization and consistency flew out the window, and the DoD was back to incompatible, non-standardized processes and the inability (and perhaps unwillingness) to support full reciprocity across the DoD. In the end, despite all of the best intentions of the DoD authors of the DIACAP, it became yet another resource-intensive, paperwork-centric process. But now, 5 years into the transition, some of the wrinkles are getting sorted out.
And now, DoD wants to change yet again? Whoa, and we are just getting used to the DIACAP!
So, why now, and why the RMF? It all goes back five years or so, to a series of discussions hosted by then Director of National Intelligence, Hon. Dale Meyerrose, along with the DoD CIO, Hon. John Grimes. The goal of their conversations was to jointly find solutions to long-standing problems relating to the extensive resources the IC and DoD historically expend for C&A, to ensure that C&As accomplished by one agency would be valid for all agencies, and to deliver systems to the customer faster. Concurrently, the National Institute of Standards and Technology (NIST) was working on a revision of the C&A processes used for Federal Information Systems. And then it dawned on them: why not work together across the Federal government to create a single process that would be applicable across the entire Federal government, to include the DoD and Intelligence Community (IC)?
The result is the NIST RMF, and the IC and DoD have agreed to adopt this standard as their own – with some minor modifications, of course. Stay tuned for our next posting, where we will continue this journey.
Lunarline is on the front lines of this new transition. Please be sure to take a look at our White Paper at http://lunarline.com/Services/Whitepapers.aspx. With our extensive experience in applying the NIST RMF, our participation in Federal, DoD and IC C&A transition working groups, and our NSA/CNSS certified training in this process, we can support you today and help prepare you for tomorrow.