By AMAG Technology, Sr. Systems Design Architect, Adam Shane
I recently read an article in a security industry trade journal that talked about the importance of becoming familiar with the Department of Defense Information Assurance Certification and Accreditation Process, DIACAP. The author failed to explain what DIACAP was and provided considerable misinformation regarding how a successful certification could be used or marketed.
The main point in the article was that Department of Defense customers should work with integrators and manufacturers that are familiar with DIACAP because that will simplify the process of getting their new system certified. This point is true, and AMAG Technology has helped a number of DOD customers through the DIACAP process. The following is our understanding of the processes and sequence of events required to get approval to use IT equipment on a government network.
The US Federal Government is required by law (the Federal Information Security Management Act, FISMA) to certify and accredit all IT systems that are deployed on government networks. In the most basic sense, certification and accreditation is the process by which an IT system is tested against known vulnerabilities. Appropriate measures must be taken to mitigate the identified vulnerabilities – this could mean shutting down services and ports that aren’t used by the system, applying security patches, or adding encryption to otherwise unencrypted communications. The certification process usually consists of scanning the system with Commercial Off-The-Shelf (COTS) software, NIST-certified tools, or agency-specific tools. The scanners list the vulnerabilities found in the system and assign a severity to each. In some cases, issues of little consequence are documented but not mitigated.
In the DOD, an Authority to Operate, ATO, is required before a system can be used operationally. The system must be installed and configured before it can be scanned and tested, so generally an interim ATO, IATO, is issued to get the ball rolling. The results of the system scans, the documentation of the system, the purpose it serves, and how it is connected to other systems are submitted to the Defense Information Systems Agency, DISA. Once the system is approved, other certifications may be required before a full ATO is issued. For instance, in the US Army a Certificate of Networthiness, CoN, is required, and in the Navy and Marine Corps the system generally must be certified to run on the Navy-Marine Corps Intranet, NMCI. AMAG’s Symmetry system has completed all of these certifications.
Recently the DOD announced that it favored a transition from DIACAP to a new process based on the NIST Risk Management Framework, DIARMF. The basics of DIARMF are similar to DIACAP; however, more emphasis is placed on the ongoing assessment of risk over the life of the system rather than on a one-time assessment.
In this age of cyber warfare, the importance of network-hardened solutions is apparent to a wider range of people. Therefore, AMAG has been developing a design guide to assist customers in hardening the OS, SQL Server, and the Symmetry application. Integrators selling to the Federal government will appreciate the customer service offered by AMAG Technology as they proceed through the certification and accreditation process.