NIST Certification and Accreditation Process

October 30, 2016
Process Power and Control

An effort to align defense and federal civilian cybersecurity guidance culminated this month with the Defense Department jettisoning its specialized certification and accreditation process.

In a March 12 instruction (.pdf), DoD Chief Information Officer Teri Takai said that starting that same day, defense and military systems will henceforth go through the risk management framework outlined by the National Institute of Standards and Technology rather than through the now-defunct DoD Information Assurance Certification and Accreditation Process.

The change is an expected one, and it grew more likely over the past few years as the DoD and NIST, working through a joint task force, actively sought common ground in their cybersecurity guidance documents.

At the top of the DoD-adopted pyramid sits the DoD CIO and senior information security officer and the DoD Information Security Risk Management Committee.

The change will bring about a common cybersecurity terminology across defense and civilian networks and reduce the potential for an automatic need to re-certify a system that's shared across organizational boundaries.

The NIST risk management framework is governed by a handful of documents known as special publications, including SP 800-37 and SP 800-39. NIST publishes a catalog of security controls known as SP 800-53, to which defense components will now look to when implementing cybersecurity safeguards.

The heart of the risk management framework is a three-tiered pyramid, with each level responsible for addressing the risk a system penetration would pose from its own hierarchical perspective, ranging from strategic at the top down to tactical at the bottom.

The framework also requires a six-step process that begins with risk categorization and ends with monitoring the security controls to ensure they're effective – a step risk management framework proponents highlight in response to criticism that federal cybersecurity is pedantic rather than dynamic.

For more:
- download the new DOD instruction, 8501.01 (.pdf)
- go to the webpage for NIST special publications

Related Articles:
NIST to mine special publications for additional cybersecurity framework guidance
Q&A: NIST's Ron Ross on the fourth revision of SP 800-53