By Lon Berman of BAI, Inc.
Now that RMF is official DoD policy, every DoD system owner needs to begin planning their “transition” from DIACAP. In order to plan and execute the transition, system owners need the answers to three basic questions:
- What does the transition process entail?
- When do I need to begin the process?
- How long do I have to complete the process?
DoDI 8510.01 provides straightforward answers to question 1. The transition process includes:
- System categorization in accordance with CNSSI 1253
- Selection of a security control baseline from NIST SP 800-53; selection to be made in accordance with CNSSI 1253
- Tailoring and/or enhancement of the security control baseline in accordance with DoDI 8510.01 guidance
- Documentation of the security control baseline in a System Security Plan
- Approval of the baseline by the Authorizing Official or Representative
- Implementation of the security controls and enhancement in the approved baseline
- Independent assessment of compliance in accordance with the DoD component’s process, using DoD assessment procedures based on NIST SP 800-53a
- Documentation of assessment results in a Security Assessment Report
- Development of a Plan of Action and Milestones (POA&M) in response to assessment findings
- Assessment of risk based on assessment results and POA&M
- Risk-based decision by the Authorizing Official (ATO)
When to start? DoDI 8510.01 states that DoD system owners can begin planning and executing their transition immediately.
How long to complete? Here’s where things get messy. DoDI 8510.01 requires all systems to be completely transitioned by September, 2017. Various transition strategies are provided based on the system’s current status in the DIACAP life cycle, but the bottom line is all systems were to begin transitioning at some level (and no new DIACAP activity to be started) by September, 2014. So, more than likely, you’re already behind schedule!
Thankfully, DoD has already recognized that the transition timeline in DoDI 8510.01 was too ambitious. A revised transition timeline was released in the form of a memorandum dated October, 2014. It provides for a modest extension of the timeline for all of DoD to be fully transitioned (from September 2017 to mid-2018). The biggest change is that it allows system owners to actually go through one more cycle of accreditation under DIACAP before being forced to transition. The catch is that the longer you wait to initiate a new DIACAP (or reaccreditation), the shorter the maximum ATO duration can be.
Systems receiving DIACAP accreditation (or re-accreditation) between now and mid-2015 (calendar year) can receive a maximum of 2 . years ATO
- Systems receiving DIACAP accreditation between mid-2015 and early 2016 can receive a maximum 2 year ATO
- Systems receiving DIACAP accreditation beyond early 2016 can receive a maximum 18 months ATO
As you can see, there are clear incentives for transitioning sooner rather than later.
The revised timeline memo is posted on the RMF Knowledge Service (https://rmfks.osd.mil).
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
Here is a link to a great book on RMF that we highly recommend.
A ton of other information can be found on the NIST web site.
