An effort to align defense and federal civilian cybersecurity guidance culminated this month with the Defense Department jettisoning its specialized certification and accreditation process.
In a March 12 instruction (.pdf), DoD Chief Information Officer Teri Takai said that, effective that same day, defense and military systems will go through the risk management framework outlined by the National Institute of Standards and Technology rather than through the now-defunct DoD Information Assurance Certification and Accreditation Process.
The change was expected; it grew more likely over the past few years as the DoD and NIST, working through a joint task force, actively sought common ground in their cybersecurity guidance documents.
The change will bring about a common cybersecurity terminology across defense and civilian networks and reduce the potential for an automatic need to re-certify a system that's shared across organizational boundaries.
The NIST risk management framework is governed by a handful of documents known as special publications, including SP 800-37 and SP 800-39. NIST also publishes a catalog of security controls known as SP 800-53, to which defense components will now look when implementing cybersecurity safeguards.
The heart of the risk management framework is a three-tiered pyramid, in which each level addresses the risk a system penetration would pose from its own hierarchical perspective, ranging from strategic down to tactical.
The framework also requires a six-step process that begins with risk categorization and ends with monitoring the security controls to ensure they remain effective, a step that risk management framework proponents highlight in response to criticism that federal cybersecurity is pedantic rather than dynamic.
- download the new DOD instruction, 8501.01 (.pdf)
- go to the webpage for NIST special publications