By Lon J. Berman, CISSP
For quite some time, it’s been well known that DoD would be making a transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies … including DoD, the intelligence community and all “civil” departments/agencies … into a “unified information security framework.”
So why the inordinate delay in getting things rolling at DoD? There are probably numerous reasons that have more to do with politics than information security and are known only to insiders at the office of the DoD CIO. Beyond that, however, it is safe to say that one of the factors is DoD’s desire to ensure that all their ducks are in a row before “pulling the trigger” on the transition. That includes ensuring that there is an internally consistent set of supporting documents available, and that isn’t quite true just yet.
In order to explain this, a little bit of background is in order. DoD’s implementation of RMF will be based on publications of the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). One of the key documents supporting RMF is NIST Special Publication (SP) 800-53, which contains the “catalog” of security controls. The most recent edition of this document is Revision 4. CNSS Instruction (CNSSI) 1253, which will likewise be one of the cornerstones of DoD RMF, is heavily dependent on NIST Special Publication 800-53, Revision 3. In other words, the NIST document and the CNSS document are “out of sync”. CNSS will soon be publising an updated edition of CNSSI 1253, which will correspond to NIST SP 800-53, Rev 4. At that point, CNSS and NIST will be “in sync” and the stage will be set for DoD to publish the updated versions of its own policies (i.e., DoD Directive 8500.01, and DoD Instructions 8500.02 and 8510.01) and officially set in motion the transition from DIACAP to “RMF for DoD IT”.
It now appears the transition will begin in earnest sometime in the second quarter of 2014. DoD personnel and contractors at all levels will soon be on a mission to get themselves educated in RMF and begin the process of transforming their information security programs.
In order to provide DoD programs with the opportunity to “jump start” their knowledge of RMF and the transition process, ITdojo is pleased to offer our DoD RMF Training Program. This is a four-day program consisting of DoD RMF Fundamentals (one day), followed by DoD RMF In Depth (three days).
Whether you are new to the entire concept of security assessment and authorization (aka. certification and accreditation) or a seasoned DIACAP veteran looking for RMF and transition knowledge, this training program will give you practical knowledge and skills you can put to work immediately in your environment.
