Ben Tchoubeneh
Department of Defense (DoD) information systems must be protected with adequate, or acceptable, security controls. Controls can be anything from high level policies to user level access permissions. Obviously, if too few controls are implemented, a system is left highly vulnerable to attack. But if too many controls are put in place, valuable resources are wasted with no tangible benefits.
This leaves system owners with several challenges:
- What is the process for defining “adequate” security for each system?
- How many controls should be utilized and specifically what should they be?
- Is there a standard list of controls to choose from?
- Who, within the organization, is ultimately accountable for any breaches in the system?
History of the Certification & Accreditation (C&A) Process
The challenges listed above were the driving factors behind the development of the DoD’s first Certification & Accreditation (C&A) process and all of its subsequent revisions.
In the typical C&A process, a system is first registered. Then a risk analysis is carried out to effectively categorize the system. Based on the chosen category, a list of controls is selected and implemented. Once the controls are in place (think firewalls and security guards), a certifier assesses the controls for effectiveness. If the controls work, a responsible party accredits the system and voila! You have a fully certified and accredited system ready to go live.
DITSCAP
The DoD came up with their very first C&A process all the way back in 1997. They called it DITSCAP for the Defense Information Technology Security Certification and Accreditation Process. DITSCAP was a valiant first try but it had some serious shortcomings. One major issue was that systems were treated as independent silos, irrespective of their place in the larger Enterprise. Also, a standard list of controls did not exist and a mountain of documentation was required. In hindsight, DITSCAP was merely a paperwork exercise and did little to improve the overall security posture of a system.
DIACAP
In 2007, DITSCAP was replaced with DIACAP, Defense Information Assurance Certification & Accreditation Process. DIACAP was much more enterprise-centric and also drew from the DoD 8500.2 standard control set. The paperwork requirements were streamlined and a web-based support portal was established. But one major problem still remained. While the DoD used DIACAP, the rest of the Federal Government and the Intelligence Community used completely different C&A processes and control sets, making interconnectivity between these systems virtually impossible without a lengthy discovery and translation process.
RMF
DIACAP was the law of the land and the official DoD C&A process, but not for long. A new process named DoD RMF, for Risk Management Framework, hit the shelves in late 2013. This new process is referred to solely as RMF not the previously speculated DIARMF acronym.
RMF’s claim to fame is that the same C&A process and control set will be applicable throughout the entire Federal Enterprise, allowing for greater interconnectivity between agencies.
10 Major Changes in RMF
Below are the top ten improvements in the DIACAP to RMF transition, listed from least to most important:
10: C&A to A&A
The words “Certification & Accreditation” are actually misnomers. When security professionals evaluate a particular system, they actually don’t certify anything; they “assess” it and provide recommendations. In DIACAP this recommendation was incorrectly called a “certification”, leaving many wondering why they still couldn’t go live after their system was “certified”. To avoid confusion, RMF will call this step an “assessment”.
The second part of the process is similarly confusing, after “certification” the recommendation was sent to a Designated Accrediting Authority (DAA). The DAA’s signature actually completed the “accreditation” portion and allowed the system to go live or remain in operation. But really the DAA’s role is to “authorize” the assessment instead of “accredit” it.
To clarify the entire process, RMF will change Certification & Accreditation (C&A) to Assessment & Authorization (A&A).
9: New Roles
The original RMF process was created by the National Institutes of Standards and Technology (NIST) for use by all the agencies and departments within the Federal Government. In fact, it’s detailed in NIST SP 800-37 Revision 1 published in 2010.
NIST’s RMF lists specific roles involved in the A&A process, such as:
- The Risk Executive Function (maps to DIACAP’s PAA)
- Authorizing Official (maps to DIACAP’s DAA)
- Security Control Assessor (maps to DIACAP’s CA)
- Information System Security Officer (maps to DIACAP’s IAM)
All indications are that when DoD’s RMF is published in a few months, the DoD will retain NIST’s job roles. This means it’s best to begin mapping the old DIACAP titles to their equivalent RMF titles as soon as possible. If you have a DoD issued Common Access Card, you can access a complete mapping in the DIACAP Knowledge Service (CAC required) under the C&A Transformation section.
8: Stronger Integration with SDLC
Security is strongest when it’s “baked” into a system while that system is still being developed. Unfortunately, many systems are still being designed and implemented without security considerations. Tight budgets and an emphasis on functionality have left security on the back burner to be quickly implemented at the last minute to simply pass accreditation paperwork. This results in systems going live without establishing the proper levels of trust and assurance.
To be fair, the DoD has shown steady improvements in its training and enforcement as well as its processes through updating acquisition policies to map to the DIACAP C&A.
RMF will take this one step further by directly integrating with the Systems Development Life Cycle (SDLC). This means Systems and Program Managers will hopefully have no choice but to consider security from the get go.
7: Renewed Focus on Reciprocity
If all systems are categorized, analyzed, secured, assessed and authorized using the same guidelines and standards, then it stands to reason that a system authorized by one branch, say the Army, could then securely be plugged into an Air Force network without a time consuming and costly re-authorization process, and vice-versa.
This reciprocal relationship could one day exist among all agencies in the federal government between systems that store information of equal classification. The DoD is even pushing a common A&A management tool called eMass that would, when used by all branches, facilitate truly automated reciprocal interconnection of systems for immediate data exchange and availability as needed.
But this is still years away at best. The biggest obstacle to achieving true reciprocity will always be the ever-evolving threat landscape and, of course, politics.
6: Continuous FISMA Reporting
The Federal Information Security Management Act (FISMA) of 2002 – and subsequent updates – mandates that all agencies report their security posture to the Office of Management and Budgets (OMB) annually. Since 2011, FISMA reports go to the Department of Homeland Security (DHS) instead, since DHS is better equipped to guide agencies through their cyber security woes. In addition, agencies must send security data about their systems monthly instead of annually. Through the RMF process and with wider adoption of tools such as CyberScope, the hope is that eventually, security vulnerability information from across the government will be collected in near real time, allowing the Feds to react immediately to perceived threats and vulnerabilities.
5: Common Lexicon
Different agencies have always been using different terms to mean the same things. As a result, when systems from multiple agencies try to interconnect, officials are faced with the harrowing task of translating one lexicon to another, resulting in costly errors and duplication of effort. Through the adoption of RMF, the DoD hopes to move its agencies and components toward the use of a common set of cyber security terms with the rest of the Fed, thereby facilitating interconnectivity and reciprocity.
4: Improved System Categorization
As anyone in the cyber security world will tell you, CIA actually stands for Confidentiality, Integrity and Availability, which are the three main objectives of information security.
Currently, DoD categorizes their systems using Mission Assurance Category (MAC) and Confidentiality Level (CL). While CL maps directly to confidentiality requirements, MAC applies to both integrity and availability and is not granular enough, resulting in confusion about how to exactly categorize systems.
RMF will adopt a new system using the actual CIA objectives. Under this mechanism, each of the three objectives is rated High (H), Moderate (M) or Low (L) for each system. So one system may be rated as {C:L; I:M; A:M} while another maybe rated as {C:H; I:H, A:L} and so on. This will dramatically improve the way systems are categorized, reducing confusion in terms of the exact security needs of a system.
3: One Standard Process
As mentioned above, The RMF process will soon be adopted by the DoD and the Intelligence Community (IC). When that happens, a single risk management process will have been adopted by the entire Federal Government.
RMF requires minimal documentation and will finally put the focus on achieving actual results and a much improved security posture. The risk assessment methodology in RMF follows the proven NIST 9 step process from SP 800-30. In addition, the existing online tools such as eMass and the Knowledge Service (CAC required) will be updated to support the new process.
2: Continuous Monitoring & Authorization
RMF actually integrates into ongoing security activities instead of focusing on paperwork. To that end, there is a huge emphasis on continuous monitoring of the system for security relevant events. The hope is for systems to eventually move away from the traditional three year accreditation cycle to continuous ongoing monitoring and authorization, removing the need for any special accreditation activity altogether. The NIST guidance specifically mentions that if a system’s automated monitoring tools effectively feed authorization, the Authorizing Official may decide not to require the standard three year accreditation package. This represents a quantum leap in efficiency and cost savings.
1: Standard Control Set
Currently, DoD uses the DODI 8500.2 control set for the DIACAP implementation. With the move to RMF, DoD agencies and components will need to move to the NIST SP 800-53 Revision 4 control set to match the controls used by the rest of the Federal Government. From the point of view of the people on the ground, this represents the most substantial change from DIACAP to RMF. The two control sets were created by completely different organizations at different times, so there is almost nothing in common between the two. One example I tell my students, if you are a native English speaker you may struggle with trying to learn Mandarin Chinese. The same idea is true with the control sets. If your native control set understanding is 8500.2, trying to learn 800-53 is like trying to learn a completely different language.
While this may seem like a nerve-racking change, in reality the NIST controls have a much simpler structure than the DoD controls. Too boot, DoD has published a matrix that maps DoD controls to their equivalent NIST controls which is available on the Knowledge Service (CAC required). So the translation work has already been done!
System owners and ISSO’s will initially need to work on updating all their control documentation to use the new NIST control names. Once that’s accomplished, the rest should flow easily into the RMF process.
Who is required to know RMF?
Once the policy is signed, all branches of the DoD will be required to transition to this new framework. Whether or not federal employees will be mandated to attend RMF training is unknown as of now but the changes from DIACAP to RMF are substantial and what has been touched on above is simply the tip of the iceberg.
To learn more about RMF training visit our course page or contact us directly today and we would be happy to direct you to the information you need!