I get people contacting me every week about jobs all around the US! Today I am going to show you a couple that I received recently. I hope it gives you some idea of what employers and contractors look for in security compliance professionals.
There are differences between the old DIACAP (being phased out), DoD RMF for IT, and NIST RMF. What is DIACAP? It stands for Department of Defense Information Assurance Certification & Accreditation Process, and it is based on the old DoDI 8510.01 and the DoD 8500-series documents. The process was designed to make sure DoD information systems had the required information assurance controls in place before they were accredited to operate.
With the constant evolution of information technology this process has had to change to keep up. DIACAP is being replaced by the DoD Risk Management Framework for Information Technology (DoD RMF for IT). The new process is more granular and more detailed, calls for more frequent assessment (continuous monitoring rather than a periodic re-accreditation), and covers technologies that DIACAP did not address. DoD RMF for IT is fundamentally based on NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.
This is an introduction to Step 1, Categorization, of the NIST SP 800-37 Risk Management Framework process. Categorization consists of three primary tasks:
1) Determine the security categorization of the information system. This is done by breaking the system down into its primary information types, rating each one for confidentiality, integrity, and availability (low, moderate, or high), and taking the highest rating in each column as the system's category (the "high water mark"). FIPS 199 defines the impact levels and NIST SP 800-60 (Volumes I and II) provides provisional impact levels for common information types. Note that DoD systems categorize under CNSS Instruction 1253 instead, which keeps the three separate confidentiality, integrity, and availability values rather than collapsing them to a single high water mark.
2) Create a system description. This is really the first step toward the System Security Plan, and it feeds the registration of the system.
3) Register the system. This means making the system known to all of its stakeholders in the organization. Organizations usually do this with a system inventory database that upper-level management can see.
Please review the job description below and let me know if this position is of interest to you. If it’s not a good fit for you currently, I’d still appreciate the opportunity to cultivate a working relationship with you. In getting to know you better, and in understanding your short-term and long-term career goals, it will certainly be a mutually beneficial relationship moving forward.
Title: Information Security Certification and Accreditation (C&A) specialist
Location: Raleigh, NC
Duration: 6 Months
The client seeks an Information Security Certification and Accreditation (C&A) specialist to perform C&A evaluations across multiple applications, ensuring continual compliance with federal and agency standards.
Experience with the Information Resource Security Certification and Accreditation (C&A) processes
Must be certified in at least one of the following:
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP)
Certified Security Analyst (CSA)
Certified Information Security Manager (CISM)
Experience with assessing business systems for sensitivity and criticality
Experience with recommending security requirements, based on generally accepted industry practices
Must pass a client-mandated clearance process, including drug screening, a criminal history check, and a credit check.
Once candidate’s resume is approved and interview passed, the agency is responsible for providing drug screening. Failure to submit the drug screening results will delay the security clearance process.
If a candidate is given an interim clearance, continuation of employment is then based on the candidate receiving a sensitive clearance.
DoDI 8510.01, DoD Information Assurance Certification & Accreditation Process (DIACAP), is being replaced
DoDI 8510.01 (reissued), Risk Management Framework for DoD IT (the RMF)
New DoDI 8500.01 based on the NIST SP 800 series
DIACAP to the RMF: authority
Teri M. Takai, DoD CIO (the position formerly held by the ASD(NII)), is the authority behind the transition from DIACAP to the RMF
“The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.” —DON CIO
Future of DIACAP
The DIACAP Knowledge Service (KS) "C&A Transformation" pages introduce some of the coming changes
The DIACAP "Risk Management Framework Transformation Initiative" is underway
It provides information on the use of NIST SP 800-53, NIST SP 800-37, and CNSS Instruction 1253
It introduces the changes being made to DoDD 8500.01, DoDI 8500.2, and DoDI 8510.01