Department of Defense Replaces DIACAP with DIARMF

In 2006, the Department of Defense (DoD) initiated a certification and accreditation (C&A) process for its information technology programs known as the DoD Information Assurance C&A Process (DIACAP). Only one year after implementation, DIACAP was criticized for being slow and inefficient, which could delay important projects for up to full year with no significant improvement in security.

Now, after the collaborative efforts of the DoD and National Institute of Standards and Technology (NIST), a new assessment and authorization (A&A) process has been developed with efficiency and effectiveness in mind using what is known as the risk management framework (RMF). This new process has been dubbed the DoD Information Assurance Risk Management Framework (DIARMF), and several major elements differentiate it from its predecessor.

DIARMF Nomenclature and Processes
Through DIARMF, the RMF process of NIST has been merged with current security controls already in place in federal civilian agencies. This warrants an entirely new set of processes and a new set of nomenclature to reflect the steps.

The first step in DIACAP, initiate and plan C&A, has been split into two separate parts in DIARMF. The first step is to categorize the system while the second step is to select controls. The next process remains the same in both systems: implement the controls.

The third step in DIACAP has again split into two parts for DIARMF. Making the certification determination and accreditation decision is now the two-part process of assessing controls and authorizing the system. The fourth step in DIACAP is in line with the fifth step in DIARMF, but the nomenclature has changed from maintaining authorization to monitoring controls.

DIARMF Assessment and Roles
Aside from the change in names, the actual process of DIARMF A&A is very similar to DIACAP C&A, especially at high levels. Assessment produces a checklist of results that are in compliance with the security controls, and the authorization step is an acceptance or rejection of the risk detailed in the assessment.

In addition, most of the roles in DIARMF are similar to those in DIACAP, and most changes have been made only to reflect the new RMF terminology. However, DIARMF adds one important role that is not present in DIACAP: the common control provider (CCP). The CCP is a manager who deals with inherited controls for systems such as virtualized environments, enclave networks and server clusters. For example, a small system residing in a data center operated by the DoD includes several factors that have already been authorized through the data center. These factors are labeled as inherited and do not need to be reauthorized for the particular system. However, the process of inheritance can be quite complicated, thus the need for the CCP.

Security Controls and Continuous Monitoring
Security controls in DIARMF are more specific than the controls available in DIACAP. One example of this would be passwords. In DIACAP, password policy would normally be a single control, but in DIARMF, a separate control exists for password-policy enforcement with individual controls for each element of the password, such length, characters and complexity.

In addition, requirements for continuous monitoring are stricter in DIARMF than they are in DIACAP. Each control is assigned a refresh rate, and the status at each refresh is uploaded to a federal system called CyberScope for risk analysis and management.

Anyone who is currently still using the DIACAP process should consider preparing for the switch as soon as possible because some of the changes are profound, and it can take considerable time before they become familiar.

DIACAP and DIARMF TrainingDepending on which branch of the Military or Government agency you are with, DIACAP training, now DIARMF training must be tailored to the specific function of that organization. Ce