Very nice article in Military Information Technology Magazine (Online edition in case you couldn’t figure it out) about the DITSCAP to DIACAP transition.
Just looking at the concepts behind DIACAP, they’re very sound. In some places, the article whines a bit too much. Me, I’m glad to see DITSCAP go the way of the flesh in favor of risk registers and sharing of risk information with “business partners”.
My favorite quote this week:
“The services face a number of other challenges in implementing DIACAP, not least of which is what Lundgren called ‘significant cultural issue’ in moving from the ‘paperwork drill’ characteristic of DITSCAP, to DIACAP, ‘where you’re expected to actually go out and do the testing.'”
How can that NOT be a good thing?
Some other good quotes in the article and my random thoughts:
“Training and education of personnel is another concern faced by DoD components, according to King. ‘They must make sure they have a cadre of information assurance professionals who are in full understanding of what DIACAP is and how it differs from DITSCAP,’ he said. ‘This includes the complete realm of IA professionals, including principal certification and accreditation personnel to program managers and IA managers. There is a significant training and education tail that needs to be accomplished for DIACAP to be properly implemented.’”
Well, to be very honest, I think that this was a problem with DITSCAP, is a problem with NIST 800-37, and will continue to be a problem until I work myself out of a job because everybody in the government understands risk management.
“This is going to save money and time because it allows capabilities to be put out to the field without having to be certified and accredited three or four times.”
That’s a happy thing. Wait until DoD figures out how to do common controls, then they’ll find out how to save scads of money.
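To make the "common controls" point concrete, here is an added example (my own illustration, not anything from the article or from DoD guidance) that models control inheritance. It assumes a control provided by a common-control provider is assessed once at the provider rather than again for every hosted system, and that a system can only inherit from a provider that actually hosts it. The system names, control identifiers, providers and hosting relationships are constructed for the illustration.

```python
"""Added example (not from the original post): counting control assessments
with and without common-control inheritance.

Assumptions (constructed for illustration):
  * A control inherited from a common-control provider is assessed once at
    the provider, not again for each system that inherits it.
  * A system may inherit only from providers that actually host it.
"""
from collections import defaultdict

# Constructed inventory: each system and the controls it must satisfy.
SYSTEMS = {
    "payroll-app": {"AC-2", "AU-2", "PE-3", "CP-9", "IR-4"},
    "hr-portal":   {"AC-2", "AU-2", "PE-3", "CP-9", "IR-4"},
    "logistics":   {"AC-2", "AU-2", "PE-3", "CP-9"},
    "email":       {"AC-2", "AU-2", "PE-3", "IR-4"},
}

# Constructed common-control providers: the enterprise data centre provides
# physical access (PE-3) and backups (CP-9); the SOC provides incident handling (IR-4).
COMMON_PROVIDERS = {
    "datacenter": {"PE-3", "CP-9"},
    "soc": {"IR-4"},
}

# Constructed hosting map: which providers each system actually sits behind.
# "email" is not in the data centre, so it cannot inherit PE-3 or CP-9.
HOSTING = {
    "payroll-app": {"datacenter", "soc"},
    "hr-portal":   {"datacenter", "soc"},
    "logistics":   {"datacenter"},
    "email":       {"soc"},
}


def assessments_without_inheritance(systems):
    """Every system assesses every control itself: the 'certified three or
    four times' situation the article complains about."""
    return {name: frozenset(controls) for name, controls in systems.items()}


def assessments_with_inheritance(systems, providers, hosting):
    """Providers assess their common controls once; each system keeps only
    the controls it cannot inherit from a provider that hosts it."""
    plan = {provider: frozenset(ctrls) for provider, ctrls in providers.items()}
    for name, controls in systems.items():
        inheritable = set()
        for provider in hosting.get(name, ()):
            inheritable |= providers[provider]
        # Only controls the hosting providers actually offer are dropped.
        plan[name] = frozenset(controls - inheritable)
    return plan


def total_assessments(plan):
    """Number of individual control assessments the plan requires."""
    return sum(len(ctrls) for ctrls in plan.values())


def assessment_count_per_control(plan):
    """How many times each control is assessed across the whole plan."""
    counts = defaultdict(int)
    for ctrls in plan.values():
        for control in ctrls:
            counts[control] += 1
    return dict(counts)


if __name__ == "__main__":
    before = assessments_without_inheritance(SYSTEMS)
    after = assessments_with_inheritance(SYSTEMS, COMMON_PROVIDERS, HOSTING)
    print("assessments without inheritance:", total_assessments(before))
    print("assessments with inheritance:   ", total_assessments(after))
    print("PE-3 assessed", assessment_count_per_control(after)["PE-3"],
          "time(s) with inheritance (email still does its own)")
```

The hosting map is the part worth keeping in mind: inheritance only removes work when the provider genuinely covers the system, which is why the constructed "email" system still has to assess PE-3 itself.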
Now, want to know the secret to why DIACAP will succeed? This is a bit of brilliance that needs to be pointed out. DIACAP became the standard in late 2007 after the DoD watched the civilian agencies go through 5 years of FISMA implementation and was able to steal the best parts and ignore the bad parts.
Future state: civilian agencies borrowing some of the DIACAP details, like scorecards and eMASS.
Future state: merging of DIACAP, DCID 6/3, and SP 800-37.
Future state: adoption of the “one standard to rule them all” by anybody who trades data with the Government.