The Department of Defense last changed its approach to cyber security, or, in DoD parlance, “Information Assurance,” in 2006, when Defense Information Technology Security Certification and Accreditation (DITSCAP) was replaced by Defense Information Assurance Certification and Accreditation Process (DIACAP). The small change in name, with “Technology Security” replaced by “Assurance,” said little about the reason for the change in system, but one intent of DIACAP was the promotion of consistency and standardization, all in the hope that cross-service reciprocity and cost savings would follow.
Those noble goals were never quite realized, and DoD is now ready to launch DIACAP’s replacement, the Defense Information Assurance Risk Management Framework (DIARMF).
DIARMF is another attempt to hit that same target. It grew out of a plan to devise a system that would be valid across all federal agencies, an idea that, in this iteration, was part of an initiative that the National Institute of Standards and Technology (NIST) hoped to apply to Federal Information Systems. Given the resources that DoD and the intelligence community devote to certification and accreditation, the best plan would include them in any new standard.
With DIARMF, DoD is adopting the controls in place in civilian agencies, the NIST Risk Management Framework, but with significant variations. At a relatively superficial level, names have changed: for one thing, “Certification and Accreditation” is now “Assessment and Authorization.” Other changes will be more fundamental.
DIARMF applies a new scheme for control inheritance, a process that will now be governed by the Common Control Provider. A given system can inherit controls from resources that are not part of that system. A network operating through a group of servers in a data center, for example, inherits many of its controls, especially in the physical world, from that data center. It does not control its own power resources or temperature regulation. In this situation, assessment measures the validity of the inherited controls as part of the authorization of the network that relies on them. Under DIARMF, loss of authorization at one level can lead to loss of authorization for dependent systems.
Security controls themselves are more complicated under DIARMF. Where NIST puts systems into high, moderate and low categories that depend on a system’s impact, DIARMF elaborates on that scheme by applying other criteria, including the confidentiality and integrity of the information, and by classifying the system’s specialized role, whatever it might be. A weapons system and a medical system will have different places within the matrix of security controls.
Each system, then, finds its particular place in a matrix of choices, and security controls can be added or subtracted depending on the system’s very specific characteristics. In addition, the location of a system within that conceptual framework affects control variables like password and key characteristics.
The process of control selection will have other ramifications that allow for more targeted control management. Security policies, for example, will include potential enhancements to password elements. Beyond that, the selection of enhancements will be determined dynamically, with the process evaluating the system’s impact and its place within the matrix of system variables before implementing the appropriate policies. NIST plans to undertake regular revisions of the control library, basing those revisions on input from other agencies. Initially, revisions are expected to be effected on an 18-month cycle.
A similar dynamic approach will be applied to monitoring, so regular revisions of the control library will not be the only changes that impact system management. Controls and enhancements will be assigned refresh rates, with controls updated on a regular basis. Depending on the control and on the results of ongoing data analysis, refresh rates will vary from daily to yearly. The dynamic nature of the system is intended to bring new analytical capabilities to the task of assessing defenses and addressing system vulnerabilities on a large scale.
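The two mechanisms described above, control inheritance from a Common Control Provider with cascading loss of authorization, and per-control refresh rates under ongoing monitoring, can be modelled as a small dependency graph. The following Python is an added illustration, not code from DoD or NIST; the system names, control names, refresh periods and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Control:
    name: str
    refresh_days: int   # assigned refresh rate: 1 = daily, 365 = yearly
    last_assessed: date
    def stale(self, today: date) -> bool:
        return today - self.last_assessed > timedelta(days=self.refresh_days)

@dataclass
class System:
    name: str
    controls: dict = field(default_factory=dict)       # controls this system implements itself
    inherits_from: list = field(default_factory=list)  # its common control providers
    authorized: bool = True                            # its own authorization decision
    def effective_controls(self) -> dict:
        # Own controls plus everything inherited from providers, transitively.
        merged = {}
        for provider in self.inherits_from:
            merged.update(provider.effective_controls())
        merged.update(self.controls)
        return merged
    def stale_controls(self, today: date) -> list:
        return sorted(c.name for c in self.effective_controls().values() if c.stale(today))

    def is_authorized(self, today: date) -> bool:
        # Fails if this system or any provider lost authorization, or a control is overdue.
        return (self.authorized
                and all(p.is_authorized(today) for p in self.inherits_from)
                and not self.stale_controls(today))

def build_sample():
    # Constructed example: a network hosted in a data center that supplies its physical controls.
    data_center = System("data-center", controls={
        "physical-access": Control("physical-access", 365, date(2013, 1, 15)),
        "environmental": Control("environmental", 30, date(2013, 5, 20)),
    })
    network = System("network", inherits_from=[data_center], controls={
        "audit-review": Control("audit-review", 1, date(2013, 5, 31)),
    })
    return data_center, network

def cascade_demo(today=date(2013, 6, 1)):
    # Returns (authorized before, authorized after) the data center loses its authorization.
    data_center, network = build_sample()
    before = network.is_authorized(today)
    data_center.authorized = False
    return before, network.is_authorized(today)
```

Advancing the assessment date past a control's refresh period makes `stale_controls` report it and withdraws authorization even while the provider remains authorized.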