Government // Cybersecurity
News
3/14/2014
09:45 AM

Defense Department Adopts NIST Security Standards

DOD replaces longstanding information assurance process with NIST's holistic "built-in, not bolt-on," risk-focused security approach.

In a significant change in security policy, the Department of Defense (DOD) has dropped its longstanding DOD Information Assurance Certification and Accreditation Process (DIACAP) and adopted a risk-focused security approach developed by the National Institute of Standards and Technology (NIST).

The decision, issued Wednesday by Defense Department CIO Teri Takai in a DOD Instruction memo (8510.01), aligns for the first time the standards the Defense Department and civilian agencies use to ensure their IT systems comply with approved information assurance and risk management controls.

The new policy shifts the DOD from a legacy of DIACAP compliance, which prescribes a standard set of activities and a management process to certify and accredit DOD information systems before implementation and every three years thereafter. The Defense Department will now embrace a combination of more heavily risk-management-focused approaches developed over many years by NIST, including standards for assessment and authorization, risk assessment, risk management, and dynamic continuous monitoring practices.

The change in policy reflects a "move away from unique DOD standards, to a more broad use of the NIST standards and other government standards," Takai told InformationWeek in an interview last December in advance of the instruction letter's formal release. The change was prompted in part because, she said, "we were concerned we're driving up our costs by virtue of having companies have to fit our standards as well as to other national standards."


NIST's holistic "built-in, not bolt-on" mantra underscores the formal language of Takai's policy instruction. The new instruction details how DOD components, security practitioners, and program managers will implement the NIST Risk Management Framework for DOD information systems.

Defense Department CIO Teri Takai

The policy is sweeping in scope, encompassing "all DOD information in electronic format" and "all organizational entities within the Department of Defense." It even applies to IT that resides on weapons, in space, on vehicles, on aircraft, or in medical devices (collectively referred to as platform IT), though some forms of platform IT and other unique system types are handled under slightly different procedures and rules. The instruction was developed in a Defense Department collaboration with the nation's intelligence community, NIST, and the Committee on National Security Systems (CNSS).

The DOD transition timeline calls for an end to new accreditations under the legacy DIACAP process within six months, and for the full transition of all existing DIACAP-based accreditations within three-and-a-half years from the policy's effective date, March 12, 2014.

The transition to a common set of security and risk management standards actually began more than five years ago when NIST fellow Dr. Ron Ross was tapped to lead the Joint Task Force Transformation Initiative (JTF-TI) interagency working group, according to those familiar with the policy change. Ross is the principal architect of the NIST Risk Management Framework (RMF), the core standard by which the security requirements and risk assessments of civilian agency information systems are applied, monitored, and managed. They are also the standards used by FedRAMP, the GSA's cloud-centric Federal Risk and Authorization Management Program.

Cloud service providers seeking FedRAMP certification, as well as government IT suppliers, are expected to benefit from the Defense Department's decision by no longer having to comply with two separate security standards.

However, vendors working on classified DOD networks will still need to meet additional DOD requirements. "From a cloud perspective, we believe the NIST standards are the absolute minimum level of standards" for securing DOD systems, Takai said.

The NIST library of security controls (NIST Special Publication 800-53 Rev. 4), currently in use at most civilian agencies, is much larger than DIACAP and its controls are more granular, yet it is easier to understand and implement, say those familiar with both methods. The NIST security controls can be customized for the defense IT environment, and DISA has already created more than 1,700 Control Correlation Identifiers (CCIs) that make the controls much easier to implement as system design and development requirements.

Program managers, however, must integrate the engineering, documentation, and testing of the RMF security requirements earlier in the planning process and throughout their system lifecycle.

Information Week Government editor Wyatt Kash contributed to this report.


Leonard T. Marzigliano works as a certified Information Assurance Architect on contract at the Defense Logistics Agency in Ft. Belvoir, Va. With more than 23 years of experience as an IT contractor and consultant, he has worked with hundreds of ...

Comments
jmyerson, User Rank: Apprentice
6/7/2014 | 6:04:19 AM
Participation in the Control Correlation Identification efforts
Thanks for the article.

A draft version of the CCI List conforming to CCI version 2 is now available. This list contains CCIs derived from NIST SP 800-53.

Participation from the members of the Information Security Community in the CCI efforts is encouraged. You can provide feedback on the CCI list, disa.letterkenny.FSO.list.cci@mail.mil. You may also provide comments using the CCI Comment Matrix.
WKash, User Rank: Author
3/17/2014 | 7:18:30 PM
Re: DISA CCIs
Thanks for noting DISA's role in mapping DOD's controls to NIST's. I'm sure you're right, that's hugely valuable to developers.
WKash, User Rank: Author
3/17/2014 | 7:15:27 PM
Re: Industry inflection point
Yes, this is an inflection point for DOD, and the federal government, and a credit to the work NIST does in finding the common ground. The only downside is it took NIST and DOD 5 years to reach this point.
JudyD173, User Rank: Apprentice
3/14/2014 | 6:01:53 PM
Re: Smart move
I agree. NIST has been leading the way on this for a long time. With DoD on board, it just makes the case that much stronger. As a result, life will be much simpler at DoD.
Kevin_Jackson, User Rank: Apprentice
3/14/2014 | 3:48:30 PM
Industry inflection point
This decision marks an important inflection point for the US federal marketplace. By accepting the NIST Security Standards, the DoD is demonstrating strong support for a government-wide IT management and governance paradigm. This also supports a consistent cybersecurity model and bodes well for the current adoption of cloud computing services.
DanielC558, User Rank: Apprentice
3/14/2014 | 1:38:04 PM
From a developer / Architect point of view
As a developer / architect, we have to learn a wide variety of different environments, and when we have multiple confusing sets of standards we have to meet, depending on the customer being one federal agency or another, it's more challenging to be successful.

In most environments I have worked, security is an afterthought. To do security right, it needs to be baked into the design, and for that to happen, we need clear standards for how to achieve it in a given environment / tool set.

This sounds like a step forward on how to achieve that. I look forward to learning more about it.
LenMarzigliano, User Rank: Apprentice
3/14/2014 | 12:06:47 PM
DISA CCIs
I think one of the secret sauce ingredients to a successful 'baked in' DoD RMF system implementation is the DISA CCIs (Control Correlation Identifiers). Many haven't noticed, but DISA FSO has been re-writing and re-wiring all of the STIGs (Security Technical Implementation Guides for product-specific technologies) based on their SRGs (product-agnostic Security Requirements Guides), which are built from combined IA requirements (NIST controls, CYBERCOM CTOs, etc.)

Read any of the CCIs, and it quickly becomes obvious that DISA literally ran a Cartesian Product style breakdown of every control/enhancement in the NIST library, meaning if a control calls for A, B, and C to be done on X, and Y, then six CCIs were created to handle every aggregate requirement (A on X, A on Y, B on X, etc.)  This may seem trivial, but when engineers/developers are given these as design/development requirements, guess what?  They respond!  They appreciate the clear/concise breakdown, and they will execute on it accordingly.

I'm constantly evangelizing that IA does not have to be adversarial. If it is, you're doing it wrong. The NIST controls and DISA CCIs go a long way toward achieving that.
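As an added illustration (not part of the article or of the comment above, and using constructed "REQ-" identifiers rather than real DISA CCI numbers), the per-aggregate breakdown the comment describes, plus the coverage check that is the reason atomic requirements are useful to engineers: a control is only satisfied when every (action, target) item under it has evidence.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class AtomicRequirement:
    """One (action, target) pair carved out of a parent control."""
    req_id: str      # constructed identifier, not a real DISA CCI number
    control: str     # parent control id the item traces back to
    action: str
    target: str


def decompose_control(control_id, actions, targets):
    """Expand a control that asks for each action on each target into one
    atomic requirement per (action, target) pair: len(actions) * len(targets) items."""
    reqs = []
    for n, (action, target) in enumerate(product(actions, targets), start=1):
        reqs.append(AtomicRequirement(f"REQ-{control_id}-{n:03d}", control_id, action, target))
    return reqs


def coverage_report(requirements, implemented_ids):
    """Group atomic requirements by parent control and report, per control,
    which items still lack implementation evidence."""
    report = {}
    for req in requirements:
        entry = report.setdefault(req.control, {"met": [], "unmet": []})
        bucket = "met" if req.req_id in implemented_ids else "unmet"
        entry[bucket].append(req.req_id)
    return report


# Constructed sample: three actions on two account types (the comment's
# "A, B, and C on X and Y"), which yields six atomic requirements.
SAMPLE_REQS = decompose_control(
    "AC-2",
    ["define", "review", "disable"],
    ["user accounts", "service accounts"],
)

if __name__ == "__main__":
    done = {"REQ-AC-2-001", "REQ-AC-2-002", "REQ-AC-2-003"}   # constructed evidence set
    for control, status in coverage_report(SAMPLE_REQS, done).items():
        print(control, "met:", status["met"], "unmet:", status["unmet"])
```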
WKash, User Rank: Author
3/14/2014 | 11:24:49 AM
Smart move
This decision comes as welcome news. NIST's risk management framework, and its related documents (linked in this story), including 800-53 Rev 4, indeed take a more holistic approach to information assurance and security. That DOD CIO Teri Takai and her team were able to get this decision to the goal line, and get DOD to move from DIACAP to NIST standards, and thus create one standard across the federal government, is a BIG deal.