DoD Switching to New Risk Framework
CIO Explains Switch to NIST Model Widely Used in Government
The Defense Department's plan to adopt NIST's risk management framework means that, for the first time, defense, intelligence and civilian federal agencies will use the same set of risk management standards.
DoD Chief Information Officer Teresa Takai on March 12 issued an instruction for the department to transition from the DoD Information Assurance Certification and Accreditation Process, commonly known by the acronym DIACAP, to NIST's risk management framework as outlined in Special Publication 800-37 (see NIST Guidance Seen Saving Government Millions).
The National Institute of Standards and Technology risk management framework places greater emphasis than DIACAP on standards for continuous monitoring, risk assessment, risk management and systems' assessment and authorization.
Besides adopting the NIST risk management framework, Takai in her instruction says department components must adhere to the principles established in SP 800-53, NIST's guidance on security and privacy controls (see NIST Unveils Security, Privacy Controls), and meet the requirements of the Federal Information Security Management Act, the law that governs federal government IT security. "DoD must meet or exceed the standards required by the Office of Management and Budget and the Secretary of Commerce, pursuant to FISMA and section 11331 of Title 40," Takai says, referring to the section of the law that details the responsibilities for federal information systems standards.
DoD's adoption of the NIST risk management framework should improve the agility in all areas of the federal government to develop defenses to threats emanating from cyberspace, says Ron Ross, the NIST computer scientist who's the principal architect of the risk management framework and leads the Joint Task Force Transformation Initiative. That interagency working group - which includes representatives from DoD, NIST and the intelligence community - produced a unified information security framework for the federal government, which serves as the basis for the NIST risk management framework and security controls guidance.
Ross points out that many networks throughout the government are interconnected, often relying on the same commercial technology. "Having a unified front to defend critical systems when everything is connected is significant," he says.
Eugene Spafford, a Purdue University computer science professor who's a nationally known information security expert, says DoD's adoption of the NIST risk management framework should standardize risk management practices across the government, resulting in more efficient purchasing and configuration of IT wares.
But Spafford says DIACAP was tailored to address particular DoD needs, unlike the NIST guidance that offers a broad framework designed to meet the needs of a wide range of government operations. "Some of the special cases, some of the special attention that was in the DIACAP for specific things may not be present in the NIST framework and may not get the same attention," Spafford says.
Still, with Defense's adoption of the NIST risk management framework, Ross says NIST should gain greater access to the latest DoD threat information that will enable the institute to more quickly update its library of security controls. That in turn will strengthen DoD cyberdefenses, he contends.
The risk management framework DoD is implementing should not be confused with President Obama's cybersecurity framework, the set of information security best practices that NIST helped develop (see The Evolving Cybersecurity Framework).
Simplifying Security Requirements
DoD's adoption of the NIST risk management framework also will make it easier for government contractors to adhere to just one set of security requirements rather than three, one each for civilian, defense and intelligence agencies. "Having to comply with three different solutions proved to be much less effective to them," Ross says. "They can now provide more efficient services based on clear, unified requirements."
The adoption of the framework helps facilitate implementation of the Federal Risk and Authorization Management Program, known as FedRAMP, which allows agencies to reuse the security vetting that other government agencies have performed on providers of cloud computing services. The instruction issued by Takai says the move to the risk management framework promotes cybersecurity reciprocity, which it describes as an essential element in developing the department's information enterprise. "Applied appropriately, reciprocity reduces redundant testing, assessing and documentation and the associated costs in time and resources," the addendum to the instruction states.
The instruction says DoD components using FedRAMP can negotiate with the IT service provider for additional measures if the Defense unit determines the provider does not offer adequate security.
Takai, in her instruction, discusses how DoD must enhance efforts to employ continuous monitoring to ensure systems maintain appropriate security controls, and to periodically assess the quality of security controls implementation against performance indicators, such as security incidents and feedback from auditors.
DoD implemented an interim version of DIACAP in 2006, with the department adopting a permanent version of the process in 2007. The precursor of DIACAP was known as DITSCAP, the DoD Information Technology Security Certification and Accreditation Process. DIACAP placed a greater focus on adopting security controls as the primary set of security requirements for DoD IT systems than did DITSCAP.