CHAPTER 16:
THE FUTURE – REVITALIZING AND TRANSFORMING C&A

We need to establish a community environment, across security domains, equipped with standard enterprise services and universal data access.115

Dale Meyerrose, former Chief Information Officer, Director of National Intelligence Office

Certainly the most change will result from the actions we take to reduce redundant activity, unnecessary documentation and shorten the overall process.116

John Grimes, Chief Information Officer, Department of Defense

In this chapter:

Why transform?
Goals of the transformation
The transformation process
Proposed approach to C&A
Status of the transformation
Transition
What is the value-added by the transformation?

There is a revolutionary top-to-bottom transformation of certification and accreditation (C&A)117 in progress that is really about changing the way the entire national community manages security risk. One of the primary goals of the C&A transformation has been to break down unnecessary barriers between the members of that community and to improve information sharing and reciprocity among the information systems security, information technology provider, and information technology user communities. The partnership encompasses the Department of Defense (DOD), the Director of National Intelligence (DNI), the Committee on National Security Systems (CNSS), the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and industry.

Why transform?

C&A originated at a time when there were only a few large standalone mainframes running custom code, with security risks that were simpler to quantify. Now, in this environment of globally interconnected information systems, the legacy, system-centric practice of C&A obstructs information sharing and can impede the timely delivery of mission-critical information.

According to Sharon Ehlers, Planning Division of the CIO, Director of National Intelligence, the national community needed to find “an innovative and efficient way to perform Certification and Accreditation (C&A) activities across the National Security Community.”

Goals of the transformation

In January 2007, the DOD and DNI CIOs published seven specific goals of the transformation. Many of these highlight the DOD-IC partnership. But federal agencies, such as the National Institute of Standards and Technology, have been primary contributors to the outcomes of the transformation.

117 We use the term “C&A” here, since the official name of this effort is the “C&A transformation.”

The seven goals are listed here, together with information on how each goal is being achieved:

Define a common set of trust (impact) levels and adopt and apply them across the Intelligence Community (IC) and DOD. Organizations will no longer use different levels with different names based on different criteria.

Execution: The process for assigning trust and impact levels is being defined in the pending CNSS Instruction (CNSSI) 1199. This document is being written with an understanding of the authorities, complexities, classification needs, and special risks inherent in the national security community.

Adopt reciprocity as the norm, enabling organizations to accept approvals by others without retesting or reviewing.

Execution: Commonly recognized types of national security information and systems are being described in the new CNSSI 1260. These will be supported by generic reciprocity profiles and tailored sets of security controls for information sharing among specific types of national security information or systems. This will assist the national security community in reaching agreement on security objectives. The use of common security controls, compliance criteria, and assessment methods will provide transparency of security implementation across the national information systems.

Define, document, and adopt common security controls, using NIST Special Publication (SP) 800-53 as a baseline.

Execution: The pending CNSSI 1253 is a comprehensive information system security controls catalog that used NIST Special Publication 800-53 as its basis. The document normalizes and consolidates security controls extracted from DODI 8500.2, DCID 6/3, the Unified Cross Domain Management Office (UCDMO), and CNSS policies. New controls have been developed to reflect emerging security considerations, such as outsourcing, supply chain risk, and service-oriented architecture. The CNSSI 1253A, which is based on NIST SP 800-53A, is a companion document that defines common assessment objectives (i.e. expected results) and methods for the common controls.

Adopt a common lexicon, using CNSS Instruction 4009 as a baseline, thereby providing DOD and IC with a common language and common understanding.

Execution: The pending revision of the current CNSSI 4009 will serve as a shared dictionary of security-related terminology across the national security community.

Institute a senior risk executive function, which bases decisions on an “enterprise” view of risk considering all factors, including mission, IT, budget, and security.

Execution: The complex, many-to-many relationships among the missions, business functions, and supporting information systems of the national security community require a holistic, enterprise-wide view to managing risks. DOD is meeting this goal through DIACAP governance structure established in DODI 8510.01. Other federal agencies are establishing governance structures to define system security authorization (C&A) roles and responsibilities and collaboration mechanisms at every organizational level, from heads of agencies and their chief information officers down to the individual system program managers, security staff, developers, and operators. A comprehensive governance structure with an executive level risk function is necessary to understand the relationship between aggregated information security risks and organizational or enterprise mission and business risks. Individuals with responsibilities for system security implementation and operations will obtain the support they need to better understand how the information security issues associated with their specific information systems can affect organizational or enterprise security concerns. Over time, the national security community will continue to improve this structure and strengthen its interfaces across federal agencies.

Incorporate information assurance (IA) into enterprise architectures and deliver IA as common enterprise services across the IC and DOD.

Execution: The national security community is addressing this goal by means of an integrated architecture concept and a suite of system security capabilities and services being made accessible to the national security community and supporting industry.

Enable a common process that incorporates security within the “life cycle” processes and eliminates security-specific processes. The common process will be adaptable to various development environments.

Execution: As part of the next generation of NIST Special Publication 800-37, the DOD, NIST and the DNI are collaborating to establish C&A processes that will span the national security enterprise, including systems and services that cross departments and agencies, coalitions, industry, and international strategic partners.118

The transformation process

The C&A transformation was officially kicked off during a meeting jointly hosted by Dale Meyerrose, the CIO, Director of National Intelligence; John Grimes, the CIO of the Department of Defense; and Dr Ron Ross, National Institute of Standards and Technology.

The fact that these three agencies were standing together to establish a new C&A process made it immediately clear to over 600 attendees that this effort was something new and clearly intended to bring massive change to existing C&A processes. Anyone who had ever been involved in developing national level policy also recognized that this transformation process would proceed in a very non-traditional way.

118 As we are writing this book, NIST has issued NIST SP 800-37 Rev 1 for public comment. It is anticipated that it will be issued by March 2009.

The participants in the C&A transformation process used highly collaborative technologies, such as Internet collaboration forums for sharing information. Input from government, industry and academia was assembled by volunteer “Tiger Teams” and evaluated by a multi-group and multi-national “War Room” panel. Over 1000 individuals participated in the process.

The processes targeted a unified federal approach to C&A by integrating organizations and capabilities across the national security community:

Committee on National Security Systems (CNSS). CNSS is the organization tasked to update and publish a series of publications reflecting the C&A transformation results.

National Institute of Standards and Technology (NIST). NIST Special Publications 800-37, 800-53, and 800-53A provided the baseline. NIST – as represented by Dr Ron Ross – provided both advice and “sanity checks” to ensure the efforts remained aligned and coordinated.

Office of Management and Budget (OMB) Information Systems Security Line of Business (ISS LOB). The transformation effort was linked to OMB to ensure that best practices were shared across federal agencies and that the efforts were in sync with the FISMA oversight requirements.

Program Manager Information Sharing Environment (PM-ISE). PM-ISE helped to define C&A requirements that would facilitate information sharing.

Unified Cross Domain Management Office (UCDMO). UCDMO provided input to the security controls focused on the challenges of sharing information across multiple domains.

In addition to these participants in the process and their insights, the C&A transformation process also sought input from the financial sector to obtain a better understanding of the rapid integration of technology and risk management processes.

Approach to developing the revised C&A policy

The transformation team determined that the best results would be obtained by leveraging existing C&A policies and directives. A multifaceted approach was taken:

Leverage existing NIST Special Publications as written, e.g. NIST SP 800-37, NIST SP 800-53, and NIST SP 800-53A, in order to:

• bring the Intelligence Community closer to FISMA requirements;

• facilitate compliance with Inspector General (IG) audits, which are based on NIST standards;

• align with the rest of the federal government to support reciprocity.

Where necessary, develop CNSS instructions and supplements to Federal Information Processing Standards (FIPS) and NIST Special Publications that reflect and normalize “differences” between national security systems in terms of their processes for:

• system categorization;

• security controls catalog;

• risk management/assessment.

Figure 42: C&A transformation policy structure

Source: Adapted from ODNI

Proposed approach to C&A

The C&A approach proposed by the transformation effort encompasses a consistent set of policies and processes together with supporting tools. The primary elements are:

Committee on National Security Systems (CNSS) issuances, which will supplement the NIST risk management framework (RMF) and provide guidance to the national security community.

A single, four-step C&A process that can be easily integrated into the federal, DOD, and IC acquisition models.

Automated tools and templates to streamline reporting.

Continuous monitoring to provide a real-time view and eliminate the need for the standard three-year re-accreditation.

Realistic requirements to meet agency mission needs, including the ability (and responsibility) to “tailor” security controls to agency and system requirements.

An enterprise risk approach that includes more than just technical security requirements.

The elements of the enterprise risk perspective

The enterprise risk perspective is based heavily on NIST’s risk management framework (RMF). The key activities for addressing risk from an enterprise view (the key word leads each item) are:

Categorize the information and systems (impact/criticality/sensitivity).

Select and tailor the security controls.

Supplement the security controls based on risk assessment.

Document the security controls as required essential information (iterative process).

Implement the security controls in the information system.

Assess the security controls for effectiveness.

Decide the enterprise/agency-level risk and risk acceptability and authorize information system operation.

Monitor security controls on a continuous basis.

Combining the processes with the system life cycle views

The authorization processes issued in NIST SP 800-37 and the C&A processes published by DOD in DODI 8510.01, as well as those from the Intelligence Community, all stress the need to link security and the C&A process to the system life cycle. NIST clearly calls out the role of the information system security engineer (ISSE) as a critical element in ensuring that systems security engineering is a part of the process.

Information system acquisition and development follows a number of different models that vary from agency to agency. The figure below shows several of the most common models and their relationship to the C&A process proposed by the transformation team.

The basis for reciprocity

One of the primary objectives of the C&A transformation has been to improve system security reciprocity across the federal government, contractors, and industry. While this may sound simple, it is a daunting task. Over the many years of approaching C&A as an agency-unique process, each of the agencies has developed an approach that mimics their culture and risk tolerance. It is hard for them to let go.

Figure 43: Mapping C&A through acquisition, system (development) life cycle, and the risk management framework

Source: Adapted from ODNI

The transformation process has approached this thorny problem by including all of the stakeholders in the process and by seeking to achieve concurrence on the proposed content. The foundation for achieving reciprocity is represented in the following concepts:

Utilizing a common set of baseline requirements and standards (CNSS 1253 and CNSS 1253A).

Adopting a common lexicon (CNSS 4009).

Leveraging previously certified technologies for re-use.

Centralizing certification results and accreditation approvals.

Providing a knowledge repository of approved and validated components (the Information Security Automation Program and the Security Content Automation Protocol available at http://nvd.nist.gov/scap.cfm).

Contributing to trust relationships by establishing one approach based on input from the stakeholders.

Status of the C&A transformation and transition

Although the C&A transformation remains under the joint sponsorship of the DOD and DNI CIOs, significant progress could not have been achieved without the integration and support of key partners, including CNSS and NIST, particularly the Computer Security Division under Dr Ron Ross.

The engagement and sponsorship of CNSS has facilitated the development of the central policies and guidelines. Close coordination with NIST allows for a synchronization of concepts, standards, and guidelines across all federal agencies. Some of the policy documents have already been issued (e.g. Intelligence Community Directive (ICD) 503). Others are currently undergoing a formal community review, while others are still in the drafting stage. The following table provides a status of the policies as of June 2009:

Table 43: C&A transformation document status as of April 2009

NIST documents in progress

Document | Topic | Status
SP 800-37 | Guide for the Security Authorization of Information Systems | Delayed approximately one month in restarting. Final publication target 30 Sep 09.
SP 800-53 (Rev 3) | Security Controls | Highest NIST priority: Final publication target 31 Jul 09.
SP 800-30 | Risk Management Guide | Will focus on risk assessment concepts within RMF.
SP 800-39 | Managing Risk from Information Systems: An Organizational Perspective | Will “operationalize” risk assessments and focus on tools.

CNSS documents in progress

Document | Topic | Status
CNSSI 1253 | Information and Systems Categorization and Security Control Selection (Formerly Security Controls Catalog) | Will be a “delta” document: Will point to SP 800-53 and also include key parts of (former) 1199 plus NSS controls selection guidance.
CNSSI 1253A | Guide for Assessing the Security Controls in National Security Systems | V1 complete: V2 Draft projected completion TBD
CNSSI 1199 | Security Categorization | Cancelled (CNSSI 1253 will have equivalent content)
CNSSP 22 | National Risk Management Policy | Approved
CNSSI 1230 | Risk Assessment Methodology | Postponed
CNSSI 4009 | Information Assurance Glossary | WG meeting weekly to adjudicate comments: 40% complete

Intelligence Community documents in progress

Document | Status
ICS for Interconnection Security Agreement | ICS 503-1 signed 28 Jan 09.
ICS for Security Controls Catalogue | Cancelled (Will use NIST 800-53).
ICS for Security Categorization | Cancelled (Will use NIST 800-60).
ICS for Security Authorization | Cancelled (Will use NIST 800-37).
ICS for Risk Management | (Will be discussed during TGG).

Transition

Transition to the revised C&A (authorization) process will vary in time and method across the national security community. Some organizations have already started to follow the transformed C&A processes and doctrines – even while the documents are still undergoing a final review.

Other agencies have elected to wait until the authoring process is completed, which was originally expected to occur around the end of calendar year 2008. As of this writing, the authoring process is still not complete. However, the participants have indicated that the focus is on “transition” as of late spring 2009.

We recommend that the readers of our book refer to their own agency’s information system security program for details on their agency’s transition timeframe.

For example, the Intelligence Community has initiated their transition through the publication of IC Directive (ICD) 503, Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation. Additional detail on intelligence community documents in progress is in Table 43.

DOD’s transition details are being promulgated in the DOD 8500 series, primarily through the recently issued DOD Instruction (DODI) 8510.01, the online DIACAP Knowledge Service, and the planned revision of DODI 8500.2, Information Assurance Implementation. The DIACAP will remain DOD’s process and the DOD transition will take place within the existing DIACAP. In the words of the DOD CIO: “DOD C&A is DIACAP” and will be managed as follows:

Policy: DODI 8510.01 (Nov 2007).

Governance: PAAs, DISN/GIG Flag Panel, DOD component leadership and staff … and more.

Change management: DIACAP Technical Advisory Group.

Enterprise automation: DIACAP Knowledge Service, eMASS.

Enterprise training: see DOD IA Portal.

C&A transformation: DOD transition will be inside DIACAP.

DOD recently “de-bunked” some existing myths regarding DOD’s perspective on the transition. These included:

DIACAP is going away soon, so don’t bother. The truth: DIACAP is here to stay, so learn it now.

DOD information systems must be C&A’d to both DIACAP and NIST SP 800-37. The truth: DOD information systems will use the DIACAP processes.

DOD information systems must be C&A’d to both DODI 8500.2 and NIST SP 800-53 – and sometimes to DCID 6/3. The truth: DOD will be adopting the NIST control set. The signed agreement is included on the accompanying CD.

Only DOD NSS are subject to the 8500 series; other information systems are subject to NIST Special Publications. The truth: All DOD information systems will use a single control set.

DIACAP requires more paperwork than DITSCAP. The truth: the required documentation is significantly reduced; however, the implementation and validation requirements have been reinforced.

We need a single DAA for the entire GIG. The truth: DOD components are responsible for the DIACAP process within their organizations.

Systems with non-compliant IA controls cannot be accredited. The truth: A mitigation plan must be in place and documented in the POA&M.

C&A is a bureaucracy and practitioners don’t have the power to innovate. The truth: There is sufficient flexibility built in to the DIACAP process to allow knowledgeable C&A practitioners to innovate as needed.

The following table provides a summary of the DOD transition plan and alignment to the Risk Management Framework (RMF).

Table 44: DOD transition plan and alignment to RMF

What is the value added by the transformation and transition?

Another motivation for streamlining existing C&A processes is the enormous cost associated with processes that are executed at different levels at every agency. There is a significant benefit to be achieved through standardization and reciprocity. The Office of the Director of National Intelligence (ODNI) is both a sponsor and an early adopter of the standardized processes.

In a recent meeting in Dallas, Texas, ODNI presented the early results of a cost benefit analysis, which revealed significant results:

Reduction of manpower costs by 30%: Savings in excess of $1 million on one program.

Reduction in labor hours by 30%: Numbers down from thousands to hundreds of hours.

Reduction in certification time by 30%: Test activities conducted in 2 to 4 months versus 8 to 12 months.

Reduction in documentation by 50%: Number of security documents produced down to 2 or 3.

Additional value added prospects which extend beyond the Intelligence Community include:

Certified system interconnections within and between agencies and departments to share information can be established in less time and with less effort.

There is no longer a need to rely on costly and time-consuming case-by-case evaluations and judgments.

Reuse of components and test data across multiple information systems can be maximized to minimize the effort needed to secure and accredit information systems.

Consistency and standardization ensure that FISMA reports for department heads and OMB could be generated in half the time.

Security staff resources can be shifted from 80% administrative to 80% operational.

Critical new technologies could be deployed in days and weeks instead of months and years.

References

Intelligence Community Directive (ICD) 503, Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation, 16 September 2008.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev 1, Draft, Guide for Security of Federal Information Systems, released for comment 19 August 2008.

The Information Security Automation Program and The Security Content Automation Protocol (SCAP), available at http://nvd.nist.gov/scap.cfm.
