DOD switches to NIST security standards
- By Joey Cheng
- Apr 03, 2014
In a far-reaching move, the Pentagon has chosen to move all IT systems used by its organizational entities to a governmentwide set of IT security accreditation standards.
Announced in DOD instruction memo 8510.0, DOD is planning on switching out the military specific DOD Information Assurance Certification and Accreditation Process (DIACAP) for the National Institute of Standards and Technology’s Risk Management Framework. The document instructs how DOD program managers, security personnel, and components will implement the new policy.
RMF will now be DOD’s specialized risk management process for information systems, marking the first time defense and civilian agencies have matched standards. The new risk-based approach includes standards for dynamic continuous monitoring practices, risk management, risk assessment, and assessment and authorization.
The instruction applies to all DOD organizational components and any IT product that receives, processes, stores, displays or transmits DOD information. This means that the new regulations will apply to weapons, space systems, vehicles, aircraft and medical devices, with the exception of some specialized systems, reports Information Week.
The policy change represents a move from specific DOD standards to the broader NIST standards that are used by civilian agencies. Cost concerns have driven the change as companies often had to meet two different sets of standards.
“While in fact this may seem like a dramatic shift, we don’t see it so much as a dramatic shift as an evolution of where we want to go,” DOD CIO Teri Takai said April 2 at Intel’s Security Through Innovation Summit in Washington, as reported by C4ISR & Networks. “We’re very committed to the adoption of the NIST standards. Our intent was to not have a situation where you have to comply with…a set of NIST standards that are different from DOD standards.”
Despite this, vendors working on classified DOD networks will have to meet an extra set of DOD requirements. In terms of cloud services, the NIST standards are seen as the absolute minimum level of standards for protecting systems, said Takai.
The DOD transition timeline calls for ending new DIACAP accreditations within six months and fully transitioning all existing accreditations to RMF within three-and-a-half years from the effective date of the policy, March 12, 2014.
Joey Cheng is an editorial fellow with Defense Systems.