Adapt Or Be Left Behind: The Changing World of Compliance within the United States Department of Defense
BY: SETH COWAND AND ROB AYOUB

We are familiar with the 'big boys' on the compliance block: the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and the Sarbanes-Oxley Act (SOX)...but if you work in the defense sector, there is a 'new kid on the block' - the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP). What is DIACAP? Why do I need a new paradigm in DoD compliance policies? What does it mean to me?

DIACAP is the next generation of the Certification and Accreditation (C&A) policies within the United States DoD. The history and evolution of the DoD global mission and of IT security public policy over the last 10 years have shaped the defense compliance industry through the creation of a new standard. This article gives a brief history and description of the DIACAP standard. We will discuss DITSCAP, DIACAP's predecessor, show the paradigm shift from Information Technology Security to Information Assurance, and explain how DIACAP addresses that shift.

DIACAP's Predecessor: DITSCAP - A System-Centric Approach to IT Compliance
Since 1997, the DoD has functioned under the auspices of the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), which also shaped the way the DoD conducts compliance validation. DITSCAP focused on DoD information system risk management and was designed to occur over a three-year certification life cycle. Under the DITSCAP paradigm, C&A had a limited view of what was "certified". Systems could be certified that were not truly secure. The local Designated Approving Authority (DAA) had the authority to 'accept the risks' for any vulnerability, which could result in an insecure system being accredited.

Through transformations in the DoD's global presence and policy, DIACAP was brought to fruition and addresses the inherent shortcomings of the DITSCAP standard.

DoD Policy Changes - A Paradigm Shift
Since DITSCAP's 1997 inception, the following critical events have occurred:
  • The national threat level has changed; there is an increase in nation-state probes and attacks.
  • The 9/11 attacks occurred and the Global War on Terror began.
  • Military global presence and mission changed, shifting from a European and Far East Asian focus to an emphasis on the Southwest Asian, Middle Eastern, and African regions.
As a result of these events, the DoD's enterprise backbone, referred to as the Global Information Grid (GIG), was transformed to support these strategic changes. One major policy transformation was the Defense Information Systems Agency's (DISA's) creation of the Net-Centric Enterprise Services (NCES) Program Office. The NCES Program Office began in 2004 and was intended to revolutionize the way the War on Terror was executed. Its creation accelerated the shift in the DoD from a system-centric viewpoint to an enterprise-centric (net-centric) perspective. DoD senior leaders began viewing and treating the GIG as a weapon system, which changed how the GIG was operated and protected. With this policy shift, dependent processes, methodologies and world views were forced to shift as well, including the certification and accreditation standards.

The New World of DIACAP
So what is DIACAP and what does DIACAP provide?

DIACAP provides a standard methodology and framework to manage and disseminate enterprise-wide, inherited Information Assurance (IA) requirements and controls. This seems basic, but the semantic difference is significant: DITSCAP focuses on Information Technology Security, whereas DIACAP focuses on IA, which encompasses more than just the security of technology. The most noticeable change with DIACAP is its use of IA Controls as the baseline for accreditation decisions.

Stakeholders must make the following critical decisions for their respective C&A environments:
  • What is my actual mission criticality in relation to DoD goals, objectives and the War Fighter's combat mission?
  • What classification of data do I create, process, store and transmit?
  • Which IA controls do I currently have implemented? How well do they map to the applicable IA Control requirements in Department of Defense Instruction 8500.2 (DoDI 8500.2) for my mission and confidentiality level?
  • What is my current IA posture? What are my deficiencies?
These questions feed the decision points and outline the process for determining the enterprise-level risks of operating an information system. The required IA Controls are defined in DoDI 8500.2. The controls are selected based on the environment's Mission Assurance Category (MAC), from I to III, combined with its Confidentiality Level (Classified, Sensitive, or Public). MAC I systems require the most stringent controls, followed by MAC II and then MAC III. The MAC level defines the criticality of the system in relation to the War Fighters' combat mission, and the Confidentiality Level refers to the type of information processed by the accredited environment. Under the DITSCAP framework, focus was placed on the number of identified vulnerabilities and on the residual risks associated with a specific information system. This view lacked emphasis on the global mission and the enterprise posture. Any Security 101 course emphasizes that "you are only as strong as your weakest link." DIACAP applies this philosophy by placing the IA focus on the enterprise view.

With the new enterprise IA Control view, systems, major applications and enclaves can inherit IA Controls that are implemented at a higher enterprise level. For example, a data center whose mission is to host automated information systems (AIS) will implement IA Controls covering the physical environment (e.g., backup power capability, physical security). The implementation and effectiveness of these controls directly affect the IA posture of the hosted infrastructure. As a result, the hosted infrastructure may inherit the physical controls from the data center rather than re-implementing and re-assessing them.

Another component of DIACAP is the elimination of the System Security Authorization Agreement (SSAA), the major deliverable and focus of a DITSCAP C&A process. The SSAA is being replaced with the DIACAP Comprehensive Package.

The DIACAP standard also provides a paradigm shift for the certifying authority (CA). The new C&A documentation revolves around the requirement for a DIACAP Scorecard and the requirement to recommend one of four operating statuses:
  • Interim Authority to Test [IATT] - recommendation for a system or major application under development that requires a connection to the GIG for limited and controlled testing purposes. Systems under an IATT cannot be used for operational purposes.
  • Interim Authority to Operate [IATO] - recommendation for a system, major application, or enclave that has been assessed, has IA deficiencies, but will still be allowed to operate.
  • Authority to Operate [ATO] - recommendation for a system, major application, or enclave that has been assessed, whose IA posture is acceptable, and that will be allowed to fully operate. This is the highest recommendation that a certifier can provide. Under DITSCAP, an ATO was granted for a three-year period; this remains true under DIACAP.
  • Denial of Authority to Operate [DATO] - recommendation for a system, major application, or enclave whose IA posture is significantly and detrimentally deficient and whose operation would pose a high risk. This is reserved for systems that have "gaping chest wounds" that cannot be quickly or easily corrected. Operational systems, major applications, or enclaves with a DATO are halted immediately until deficiencies are corrected and confirmed and additional assessments are conducted. This recommendation is new and specific to DIACAP accreditations.

The DIACAP Scorecard conveys the IA posture of the respective system along with the recommended accreditation status. The Scorecard is an integral part of the DIACAP package, which is developed electronically in an automated support application.

The final change with DIACAP is the creation of DIACAP Enterprise Governance to synchronize and integrate DIACAP activities across the DoD. The DIACAP Knowledge Service (KS) is the official DoD resource for implementing and executing DIACAP. Its content includes tools, diagrams, templates and other information to aid in the execution of DIACAP.

These differences are captured in the following table, which provides a side-by-side comparison of the two standards.

DITSCAP                                                         | DIACAP
----------------------------------------------------------------|----------------------------------------------------------------
4 distinct C&A phases.                                          | 5 dynamic activities.
Requires creating and maintaining an SSAA (paper-based).        | C&A packages are electronically generated.
C&A package includes a Certification and Accreditation          | C&A packages are streamlined and include the DIACAP Scorecard,
Recommendation Memo and Residual Risk Analysis.                 | which documents certification recommendations and accreditation
                                                                | decisions.
DAA assigned to an individual system accepts all risks.         | DAA risk acceptance goes through the DoD-wide configuration
                                                                | control and management (CCM) process.
C&A efforts and decisions focus on the individual system.       | C&A efforts focus on the enterprise mission; individual systems,
                                                                | major applications and enclaves can inherit higher-level IA
                                                                | Controls.
Two operating statuses: ATO or IATO.                            | Four operating statuses: ATO, IATO, IATT and DATO.
C&A process based on a three-year cycle.                        | C&A process is continuous (annual review required to meet FISMA
                                                                | guidelines) with a three-year accreditation requirement.

Conclusion
Due to the changing security complexity and requirements of a net-centric environment, DIACAP has emerged as the new C&A standard for the DoD. DIACAP is a drastic paradigm shift from its predecessor. In addition to offering a much more concise view of security, DIACAP makes the entire C&A process more streamlined and efficient. Although there is still unknown territory with DIACAP, it appears to be a stronger C&A platform for the government and a standard that is here to stay.

Copyright ©2009 The Compliance Authority, Inc.