For military personnel on the farthest edges of an operation, risk doesn't always involve front-line fighting or top-secret maneuvers. Moments of trepidation can also occur while sitting in front of a computer screen as new actionable information arrives. The uncertainty is immediate: Should I trust it? Has it been compromised? Will a decision based on this information advance the unit's mission or put it in harm's way?
Defense Department officials want to eliminate that kind of apprehension and give commanders confidence in the integrity of the data flowing across their networks. That's a big reason for the development of the Defense Information Assurance Certification and Accreditation Process. DIACAP, which DOD will implement over the next few years, aims to give IA personnel the ability to perform certification and accreditation (C&A) functions based on risk to the enterprise rather than to a specific system. This is a major shift in how agencies now focus on C&A.
"We really needed to move into an enterprise way of managing security and a more holistic way to certify and accredit systems, using security controls and standards and basing it on a service-oriented architecture," says Robert Lentz, director of information assurance at DOD. "With this approach, everybody will now be singing off the same song sheet, so to speak, and that will enable much more effective, faster and agile risk management across the entire enterprise."
DIACAP promises plenty of benefits for both business and warfighting operations, Lentz says, including faster decision-making cycles and the ability to make those decisions in a way that facilitates the achievement of net-centric operations. "It still allows local commanders to make risk management decisions based on their environments, but at least they're basing them on the same basic parameters."
Or as Keith Frederick, founder of SecureInfo Corp. of San Antonio, puts it: "DIACAP will provide the right level of security at the right time for the right job."
The Net-Centric Link
C&A sounds like an onerous exercise, but the function, as defined by the National Institute of Standards and Technology, is a practical one. Performed optimally, it determines system security requirements and enables IA personnel to implement the most effective controls possible, given mission requirements and technical, operational, cost and schedule constraints. Commanders can view the most complete and accurate information possible on a system's security status and use that knowledge to make timely, credible and risk-based decisions about whether or not to authorize use of the system's data. At least, that's the premise.
DOD has been practicing and advocating C&A for much longer than the rest of government. For years, it has performed C&A functions using the Defense Information Technology Security Certification and Accreditation Process (DITSCAP). Unfortunately, that program stymied the potential value of C&A because it was platform-centric and performed within individual departments, independent of interoperability with other systems. The process also was documentation-heavy and slow, so by the time it was complete, the data often was outdated.
"IT personnel decided at some point that DITSCAP was a compliance issue, not a security issue, and so if they got their 500-page reports done, they were happy and ready to move on," says Alan Paller, director of research for the SANS Institute of Bethesda, Md. "As a result, DITSCAP fundamentally failed to protect DOD systems because it was implemented as a single snapshot look at security in a world where the potential threats and security requirements are changing every day."
DIACAP will replace DITSCAP. Security officials hope that will solve many of DITSCAP's failings. Two chief ways to do that are by setting up an enterprisewide approach to systems security and by eliminating much of the arduous paperwork by using automated tools and putting the emphasis on continuous systems monitoring.
"This program is really a recognition of the proliferation of technology, the increased networking of information and the increased threats," says Ray Bjorklund, chief knowledge officer at FedSources of McLean, Va. "It's a very robust system, and with it, DOD has made the management of the C&A process disciplined and rigorous."
Margaret Myers, principal director to the DOD deputy CIO, points out that DIACAP emphasizes consistency and providing trust and robust information security. "C&A is the basic method by which we ensure that things are built securely. If we can do that in a much more standard way, we have a better chance of achieving a more homogenous, effective kind of security across the enterprise," she says.
Getting Started
No one thinks that the transition from DITSCAP to DIACAP will be easy. The move to a more centralized view of security will be a major culture shift and will require a completely different way of thinking about information security and C&A functions. "But once it's accepted, DIACAP will be a much easier process to implement and manage," Lentz says.
To ease the changeover, DIACAP is broken down into three major elements of implementation:
- Process improvement. This includes establishing a governance structure of principal accrediting authorities (PAAs), based on enterprise areas of responsibilities, including the business enterprise, warfighter enterprise, intelligence enterprise and core enterprise.
"By raising the accrediting area of responsibility to oversee these mission areas, it allows us to move away from the system-oriented stovepipes that we've been living in for the past 30 years or so and force the enterprise changes that are going to be necessary," Lentz explains.
There will be other improvements, including establishing enterprise standards and procedures and developing training programs for C&A practitioners.
- Knowledge enhancement. DOD already implements a Web-based DIACAP Knowledge Service for information exchange about standards and procedures. It successfully piloted the system during the past year.
By making information available online and encouraging a collaborative environment, Lentz says, "commanders at the most local level of the largest enterprise will be able to access this body of work to help them understand how to certify networks and information systems in an enterprise fashion and then get them automatically accredited to operate."
- Automation. By relying on automated tools and procedures, Lentz says, DIACAP will cut the time needed to perform C&A from months to days, even hours. DOD has developed an integrated suite of relational database management systems, known as the Enterprise Mission Assurance Support System (eMASS), to perform lifecycle management for DIACAP; it also works with other commercial tools for implementing C&A.
"By having the process in a constant, ready-to-use format that gives everybody validated objects against policy-driven standards, you can repeat that constantly," Lentz says. "You don't have to keep reinventing the wheel, and you don't generate tons of paper."
Myers says eMASS makes a system's accreditation status immediately visible to all DOD users, and in time it will provide significant time, manpower and dollar savings. Moreover, she says, it finally has created a way for DOD to collect accreditation data across systems for reporting purposes, something the department has never really been able to do. "It really provides an overall easy way of getting a consolidated, real-time picture of what's going on with each system's accreditation status."
Enabling Synergy
The decision to develop a standards-based, enterprisewide C&A process offers the possibility for transformation, DOD and industry officials say. Most important, this new approach gives DOD and the intelligence community an opportunity to leverage their mutual needs for sharing trusted information with speed, agility and transparency.
Retired Air Force Maj. Gen. Dale W. Meyerrose, CIO of the Office of the Director of National Intelligence, has been developing the C&A Revitalization Element parallel to DOD's efforts to develop DIACAP. He now works with Defense CIO John Grimes to develop as much commonality between the two programs as possible. These areas include standards, security controls and governance policies. Both programs will use service-oriented architectures, commercial software and open standards.
Meyerrose notes that nine of the government's 16 intelligence agencies reside within DOD, and depending on how you calculate it, somewhere around 75 percent of intelligence systems are either wholly or partially under the Defense umbrella. "Very few systems solely support a single mission," he says. "So what jurisdiction is there over a system that is 65 percent supporting DOD and 35 percent supporting intel? It can be pretty confusing, and we're now looking to take that confusion out."
This idea is already finding traction. Meyerrose, Grimes and Lt. Gen. Keith B. Alexander, CIO of the National Security Agency, have created the Joint Program for Cross-Domain Information Sharing to help work out various technical interfaces that exist between networks, domains, organizational boundaries and classifications.
While DOD and ODNI have different timelines for implementing an enterprise C&A process, the end goal is pretty much the same. "We are looking to get dynamic, living direction and policy that doesn't take years to modify or come to agreement on," Meyerrose says. "We are providing leadership that says our security policies and our missions involve the elements of speed, agility and transparency, and if we need to change a policy, we can't wait years to do it."
Lentz expects the two functions will eventually share the Knowledge Service, some automated tool sets and "whatever else we can to be compatible." He adds that DOD has a long-term goal to extend the shared components to other agencies, including the Homeland Security Department. "If we're all living with similar protocols, standards and architectures, then that's great for the U.S. government at large. And as this evolves, that's definitely how we would like to do it."
To check out Defense DIACAP documents and information, go to www.defensesytems.com and enter 128 in the Quickfind search box.