DOD Makes Life Easier for All by Going to Common Security Standards

By Rick Antonucci, Analyst

In early March DOD CIO Teri Takai announced a DOD Instruction Memo stating that DIACAP would be replaced with the NIST Risk Management Framework (RMF) standards – now, instead of three standards, there is one security standard across the whole federal government. This has been in the pipeline for quite a while, but is only now becoming a reality. More vendors can now offer solutions, as the costs associated with complying with the additional security framework are eliminated. Systems Integrators will also benefit, as they will have more options when providing solutions to the government.

The DOD has decided to adopt the NIST security standards as part of an effort to cut costs. Part of NIST’s philosophy is that security should be designed into the product, not added on top. This philosophy will ensure that new DOD systems are designed with security in mind from the start, rather than security being an afterthought in order to pass accreditation.

To provide some background, DIACAP was the DOD’s certification process for ensuring that DOD information systems would maintain information assurance (IA) throughout the lifecycle of the system. It required a recertification every three years and was separate from the NIST standards that the rest of the government used for IA certification of information systems.

The upshot of all this is that some relief in the form of a common set of standards is headed our way. Approach the DOD with language around solutions that have had security as a priority throughout development. This will resonate with DOD personnel who may be nervous about the end of DIACAP and the adoption of common standards.

2 Responses to DOD Makes Life Easier for All by Going to Common Security Standards

  1. justaskin says:

    What you might be missing is that DOD was specifically excluded from being required to operate under NIST standards and directives because it was apparent (then) that DOD required a higher level of security and operational capabilities than other Federal organizations. So are we moving to lower requirements for DOD or enforcing higher requirements across all Federal agencies?

  2. My understanding of what this means is that Teri Takai feels that NIST standards are sufficient as a baseline and additional requirements will be instituted as necessary, with an example being milCloud. DISA provided its own solution that met DIACAP standards since a FedRAMP (which is not a DOD standard) due to enhanced security requirements. Private clouds are still the order of the day for secure information (in fact, I heard the Director of the IT Services Directorate within NGA say that they have no plans to go to a public cloud, this is an example of when an agency might use milCloud). Teri Takai said this week that the plan is to provide input on FedRAMP to get it to the point where it will become the standard across the government as RMF is now. 800-53 Rev. 4 came out about this time last year with more stringent security requirements, so there may be a rev. 5 coming out this year. In the memo Takai says that there will be special assessment to make sure that DOD policies are met and fulfill the security needs of the use. In short, my feeling is that additional requirements will be laid out as the situation dictates and, in some cases, the government will handle the need internally as they have done in the past.
