DIACAP Says “So Long”

On March 12, 2014 the DoD released a new policy that makes it official that the DoD Information Assurance Certification and Accreditation Process (DIACAP) is being put to bed in favor of a “new” Risk Management Framework (RMF).  The news is not a revelation as it has been in the works for a few years now.

The new framework will be mapped to the already established principles defined in the NIST Risk Management Framework.

One expected benefit from this transition is a harmonization in terminology between the private and government sectors.

The NIST risk-based approach follows a 6-step process that includes:

  1. Categorize – Based upon an impact analysis, categorize the information system and the information it works with (processes, stores, transmits, etc.).
  2. Select – Based on step 1, select baseline security controls appropriate for the needs of the organization.  NIST Special Publication 800-53 provides guidance on this.
  3. Implement – Put the controls into use (i.e., implement them) and document, document, document.
  4. Assess – Make sure the controls are correctly implemented and are performing as anticipated.  NIST Special Publication 800-53A provides guidance on this.
  5. Authorize – Authorize the system to operate based on the risk evaluation.  Check out NIST Special Publication 800-37 Rev. 1 for information on authorizing federal systems to operate.
  6. Monitor – Monitor and assess in an ongoing fashion to make sure systems and controls continue to work effectively.  Check out NIST Special Publication 800-37 Rev. 1 for information on monitoring.

ITdojo now has three courses to help with the transition if your organization has not already made it.  They are:

Risk Management Framework (RMF) for DoD IT Training

Risk Management Framework (RMF) for FISMA IT Training

Information Security Continuous Monitoring (ISCM) Training


Colin Weaver

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.