
The recent instruction directive, issued on March 12, 2014, by the Department of Defense (DoD), defines the restructured IT systems compliance security standards and guidelines for the DoD and civilian agencies. These new, renamed, and reissued compliance standards, DoDI 8510.01, developed by the National Institute of Standards and Technology (NIST), establish the groundwork for change based on a security approach that's centered on the risk management framework (RMF).

The timeline set for the DoD transition establishes a six-month window that calls for an end to new accreditations under the legacy DoD Information Assurance Certification and Accreditation Process (DIACAP). Moving forward, the complete transition is slated to take place within three-and-a-half years from March 12, 2014, which is the policy's effective date.

What are the Implications for Organizations?

If properly handled at all appropriate management levels, the DoD transition does not have to become a major challenge for agencies. In fact, with detailed personnel training and systematic preparation for change, the transition from DIACAP to NIST RMF can be almost seamless.

Take Advantage of the Existing Support Resources

It is important for management to understand that there will be a time period during the transition when accreditation packages must be managed under both DIACAP and the NIST RMF in order to include differences in documentation and security controls. During this period, the primary goal should be not to focus on the differences, but to concentrate on a smooth transition.

From a management perspective, it is advantageous that numerous federal agencies have been closely following this process for many years. As a result, there are support resources staffed by trained professionals who can provide agencies with information, cybersecurity guidance, and information security recommendations for the transition.

Fortunately, there is no reason for any agency to even consider attempting to handle this transition without support. Simply put, thorough documentation, including tested templates, is readily available, as is training. That being the case, there's nothing for organizations to recreate; it already exists.

To learn more visit:

http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-fin...

Post by Jacqueline von Ogden
July 30, 2014
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".
