What you will learn:
- Overview of Step 3, Implementation
- Where to go for technical help on implementation
In Step 3 of the DIARMF, the organization implements the security controls specified in the security plan. Implementation relies heavily on the Security Plan documented in Step 2, Selecting the security controls.
Who Does the DIARMF Implementation?
Although the primary responsibility for implementation is in the hands of the Information System Owner or Common Control Provider, the work itself is usually delegated to a system administrator, information system security officer and/or system engineer.
Whatever their title, the most important thing is that they know HOW to do it and, ideally, have experience doing it. The organization is usually bound by regulations to select only qualified technicians to do the work. US Department of Defense (DoD) Directive 8570.1-M, Information Assurance Training, Certification, and Workforce Management, is the policy the DoD uses to determine what “qualified” means. This policy identifies the specific certifications and training that IT professionals need before they are considered for certain work.
Realistically, a certification is a poor substitute for real-world experience, and most seasoned employers who understand their company's needs recognize this.
How is DIARMF Implementation done and When?
The managers (information assurance managers, systems/program managers) are the key to getting things done. For managers, the most important parts of implementation are planning and resources. An organization needs both managed well to be successful.
Resources: resources are the qualified personnel to do the work, the funding to keep the work going, and the material/software/hardware to get the job done. These resources need to be managed appropriately. One of the hardest parts of a manager's job is making sure there are enough resources to get the work done.
Timeframe & Planning: planning, and in particular planning around limited resources, is a must! Assuming there is a requirement for the work to be done, not much can be done efficiently without a plan. The main job of managers (information assurance managers, systems/program managers) is to get the most effective use out of the resources provided.
Managers are the centerpiece of getting the job done. Without good management, it's very hard for the system administrators, information system security officers, technicians and engineers to do their jobs, because they must then take time away from the work to manage themselves: attending back-to-back meetings with higher-ups, completing documentation that has nothing to do with the project, and making critical decisions that are outside the scope of their job. All of this puts them and the project itself at risk.
A good manager runs interference for the team, provides the team with all the tools they need to be successful, and sets realistic milestones that are tracked diligently from the start to the finish of the project.
A bad manager is self-serving, lazy and goes out of their way to sabotage the project by being an asshole. They sow mistrust by absorbing all the credit for good work and deflecting all the blame for bad work. They are mostly ignorant of what is going on. They make everyone's life harder by breathing.
DIARMF Documentation & Implementation
It's important to document which security controls are implemented and how. This helps continuity, especially since some security controls break functionality, but it also helps with DIARMF Assessment since part of DIARMF Assessment
DOD Resources for DIARMF Implementation
For guidance on specific technical security controls you will have to go to the actual vendor documentation, online knowledge bases, technical manuals, and, if necessary, the support technicians for the specific products involved. Other places that are helpful are:
Hello Rob. Nice article. I’ve been involved w/the DoD/DISA for over a decade and lived through the transition from DITSCAP to DIACAP to the 800-37 for C&A. And I’ve also authored a DISA STIG (or 6). While true that a cert is not a good substitute for experience, the DoD still requires them, assuming that experience is what enables the individual to attain certification. While I have a CISSP that was part experience and part (book) study driven, it was the experience that enabled the rest.
Interesting “commentary” on the “bad manager”. I’ll assume you’ve had at least one! I certainly have.
Rob Elamb says
Having the CISSP has been great for my career. I’ve noticed more and more people who don’t know what they are doing have it, which kinda waters its value down.
Yeah, I have had some bad managers and some great ones. If you have written STIGs then I am sure I have definitely read them lol.