We’ve gone from DoD Information Technology Security Certification and Accreditation Process (DITSCAP) to DoD Information Assurance Certification And Accreditation Process (DIACAP) to DoD Information Assurance Risk Management Framework (DIARMF).
The DIACAP transition is mainly about moving from certification and accreditation (C&A) to a Risk Management Framework process. DIARMF is a Risk Management Framework that comes from the National Institute of Standards and Technology (NIST) Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems”.
The NIST standards have themselves transitioned from certification and accreditation to a risk management framework. NIST has replaced its C&A documents, NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, and the original NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
The current NIST SP 800-37, Rev 1 includes a risk management process. Risk management is more in line with the international standards ISO 31000:2009, Risk management, and ISO/IEC 31010:2009, Risk management.
Some of the differences I have noticed have been:
More Flexible & Tailorable Boundaries. Risk management framework is more flexible & tailorable on security boundaries. RMF includes things like “dynamic subsystems”, which allow you to do things like create a temporary subsystem and attach it to an existing system in the middle of its system life-cycle. I have seen that done with DIACAP, but typically organizations had to make up their own detailed process to manage the risk. Since DIACAP did not have that kind of flexibility, you ended up with hundreds of variations of DIACAP. The Navy, Army, and Air Force each had their own version of DIACAP, and then even units within those branches had their own. For example, Space Command might have a different process than Euro Command, and they could be in the same branch.
Focus of Security Factors. Risk management framework looks at risk according to the system’s confidentiality, integrity and availability separately and as a whole.
More Quantitative. With more controls and a focus on risk, risk management framework can be more quantitative as well as qualitative.
Tailorable Controls. Risk management framework is built to make the controls fit the actual system. This is probably one of DIACAP’s biggest drawbacks. It has a generic set of controls that are not applicable in some cases and is lacking in some areas of security.
DIARMF is based on NIST standards (NIST SP 800-37, Rev 1).
DIACAP is based on DoD 8500/8510.