September 21, 2011

DIACAP's Certifying Authority and POA&Ms

DoD's IT certification program is known as the DoD Information Assurance Certification and Accreditation Process (DIACAP), published as DoDI 8510.01. DoDI 8510.01 is used in conjunction with the DIACAP Knowledge Service (DIACAP KS) to perform certification and accreditation (C&A) for all DoD IT assets. The DIACAP KS is a web-based repository of information and tools for implementing the DIACAP, maintained through the DIACAP Technical Advisory Group (TAG).

I could spend a week talking about the various aspects of the DIACAP process, but I have chosen today to focus on a commonly misunderstood area that ultimately leads to missed deadlines, uncertified systems, or funds being spent unnecessarily: the assignment of severity categories. The Certifying Authority (CA) is responsible for assigning severity categories as part of the certification analysis. Severity categories are expressed as CAT I, CAT II, and CAT III, with CAT I being the most severe. The CA is traditionally the component Senior Information Assurance Officer (SIAO), who may also be the Chief Information Security Officer (CISO). The CA cannot, and will not, be the Designated Approving Authority (DAA); the two roles must be held by different people so that the person certifying the system is not the person accepting its risk.

All too often, Information Assurance professionals simply transcribe the open findings, and their associated severity categories, from a vulnerability scanner (e.g., Retina) straight into the IT Security Plan of Action and Milestones (POA&M). These scanners are not aware of network- or system-level mitigating factors; they rate each finding in isolation, at the level of the affected host or application. It is the CA's responsibility to take all mitigating factors into account before assigning the severity category recorded on the IT Security POA&M. DoDI 8510.01 states, "For instance, what may be a CAT I weakness in a component part of a system (e.g., a workstation or server) may be offset or mitigated by other protections within hosting enclaves so that the overall risk to the system is reduced to a CAT II." The reverse also follows: a finding the scanner rates as low can warrant a higher category when the affected component is exposed or when no compensating control exists, so the CA should document the mitigating factors relied upon for each adjustment.

Frequently, the C&A process is treated as a paper drill: completed up front, with no follow-through. The most important document produced by the C&A process is the POA&M. Don't file it away for next year. Make 20 copies and tape them to everyone's desk until every vulnerability is mitigated to the furthest extent possible.

Mark Sullivan, MSCS, CISSP, CISM - President and CEO, Secured Cyber LLC

September 20, 2011

Defense-in-Depth Bronze Bullet

Defense-in-Depth is the protection of assets (traditionally data) using multiple layers of security. Multiple layers are necessary because there is no such thing as a "silver bullet" when it comes to protecting information technology assets. Installing a firewall on your perimeter does not stop an insider from bringing in a virus or just plain stealing.

The most powerful countermeasure we have for defending our critical IT assets and data is TRAINING. The Department of Defense (DoD) has spent a number of years developing the Information Assurance Workforce Improvement Program, published as DoD 8570.01-M. Anyone working with, or around, DoD IT assets is required to have some form of training outlined in 8570. Most government agencies and contractors simply skim through 8570 and conclude that the only requirement is holding a CISSP (Certified Information Systems Security Professional). In fact, there is much more to it, and for some positions a CISSP is overkill.

Every DoD agency and DoD contractor must first determine the specific IA/IT level of each of its employees (e.g., IAT I, IAM III, IASAE II). Once this is determined, you can easily find the corresponding training and commercial certification requirements (e.g., A+, CISM, CISSP). In addition to this baseline certification, a SECOND certification, the "computing environment" certification (e.g., CCNA, MCSA), is required for those in technical IAT and CND-SP positions. This second certification is specific to the equipment or operating system the person actually administers. Lastly, there is a requirement for On the Job Training (OJT) and certification for each IT position held. When you combine these three aspects of 8570-mandated training, you will have a very qualified IT technician. But what about the rest of your regular users?

It has long been recognized that the most damaging adversary to IT is the "insider threat." This is traditionally the disgruntled, or underpaid, employee who decides to commit espionage for profit. However, I contend that the GREATEST threat is the "unintentional insider threat": the average Joe who doesn't know better and plugs his iPod into his work PC to charge it and, unbeknownst to him, has just introduced malware onto the company network and/or exfiltrated data. DoD 8570 also mandates annual IA Awareness Training for ALL USERS. This is where I feel we need to step things up a bit. A simple PowerPoint presentation, once a year, is not enough. We need to first train our users, then remind them frequently through creative means, then reward good behavior. Complacency will always lead to spillage.

Like it or love it, DoD 8570 has significantly improved DoD's ability to secure data. That is why I refer to TRAINING as the "Bronze Bullet" for securing our IT assets and data. Increasing funding for training is ALWAYS a good bet.

Mark Sullivan, MSCS, CISSP, CISM - President and CEO, Secured Cyber LLC