The push for information assurance

When the Defense Department mandated adoption of the new DOD Information Assurance Certification and Accreditation Process (DIACAP) in November 2007, the goal was to ensure that all military information systems undergo a thorough, network-centric review before they go live, with ongoing monitoring to follow.

The only exceptions to DIACAP compliance are supposed to be reserved for systems whose initial implementation began during the previous process, known as the DOD Information Technology Security Certification and Accreditation Process (DITSCAP). During the transition to DIACAP, the military can continue to govern those systems using DITSCAP.

A key distinction between the two is that DIACAP aims to go beyond certifying systems in isolation and instead looks at their relationship to the military’s Global Information Grid, with an emphasis on protecting the entire network.

DIACAP has raised a new set of concerns. For example, given the comprehensive nature of the system reviews, many people feel that there is a need to better automate the collection and organization of information. Another concern is that DIACAP might generate more paperwork than practical ways of improving network security and reliability.

Nevertheless, the military is adopting DIACAP — albeit with variations among the services. The process is gaining advocates as more people see notable improvements in the management of information assurance through DIACAP compared to the prior process.

DIACAP is less paperwork-intensive than DITSCAP was, said Eustace King, chief of acquisition and technology oversight at the Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

DITSCAP certification documents often had dozens of appendices, whereas the DIACAP package for a system typically consists of only three documents — or four when there's a need to document a deficiency and the plan of action for correcting it, King said.

In addition, DIACAP puts the focus on the network rather than individual systems, King said.

One way that network centricity is starting to pay off is with “reciprocity, or the willingness of one organization to accept the certification and accreditation of another,” King said. In other words, if two organizations agree on the minimum requirements for connecting to the network, they are more likely to trust each other’s systems to connect across the network.

Roberta Stempfley, deputy chief information officer at the Defense Information Systems Agency, said the biggest improvement that came with DIACAP was moving away from “drawing thick black lines” around individual systems. DIACAP treats them as part of an interconnected network, in which one system can inherit security protections conferred by another while, on the other hand, vulnerabilities in one system can pose a threat to many others.

“It recognizes that we’re all connected to each other,” Stempfley said.

She agreed that DIACAP promotes the sharing of information resources across services and other DOD divisions because it allows them to speak a common language when negotiating to ensure they meet each other’s information assurance requirements.

“I wouldn’t say that’s a primary purpose of DIACAP, but it’s clearly a goal of the department to share resources so we don’t have to replicate them," she said. "DIACAP promotes that by enabling that transparency."

DIACAP's foundation is identifying the appropriate information assurance controls required to allow a system to connect safely and operate reliably.

Information assurance is not only about preventing unauthorized access, but also about making sure the right people have access to the data they need when they need it. So in addition to information security, the controls address other aspects of information assurance, such as provisions for backups and disaster recovery. Some controls are technological, such as implementing a firewall to protect network boundaries. Others define physical security and environmental procedures, such as making sure a data center is properly locked, guarded and air-conditioned.

Major categories for these controls include:

• Security design and configuration.
  
• Identification and authorization.
  
• Enclave and computing environment.
  
• Enclave boundary defense.
  
• Physical and environmental.
  
• Personnel.
  
• Continuity.
  
• Vulnerability and incident management.
  

An enclave is a physically and administratively separate segment of a network.

In evaluating a system, DIACAP also considers the Mission Assurance Category — the importance of the mission that the system supports — and its confidentiality level — whether it contains information that is top secret, secret or sensitive — to determine how strict the controls need to be. Because perfect security and reliability might be unobtainable in a system built and operated by humans, DIACAP applies risk management to whittle away the potential for a security breach or system failure. Those responsible for the system must prove that they have strived to minimize risks to system security and reliability as part of the certification process.

Although the process encompasses many participants, including program managers and user representatives, the two managers designated as the certifying authority and designated accrediting authority play central roles. The CA oversees the certification process, making sure all the appropriate technical and procedural controls are in place. The DAA then makes the management decision of whether to grant the system its authority to operate on the network. That means reviewing the risks posed by the system and how well they have been managed. As part of granting the system authority to operate on the network, the DAA formally takes responsibility for whatever risk remains.

Streamlining the process

DOD has developed templates for the critical documents that people must complete as part of a DIACAP submission, such as Excel spreadsheets that automatically populate lists of controls to consider based on the mission assurance category classification for a system. But “moving that paperwork manually today is somewhat of a chore,” King said. “That’s why we’re moving toward greater automation.” The services are gradually building systems to help automate DIACAP's administrative workflow and better monitor compliance with documented requirements, he said.

Stempfley said she hasn’t encountered a lot of resistance on DIACAP implementation, but she has frequently heard requests for better automation of the process of gathering all the required information.

Army National Guard information assurance officer Lt. Col. Avery Leider is trying to answer that concern by using network mapping software from NetCracker, which the Guard originally implemented to inventory its systems. “It’s just a tool, nothing more than a reporting tool, but we’re trying to get it to automate as many issues as we can for DIACAP,” she said. NetCracker generates graphical depictions of a network topology that show details such as inheritance relationships among network devices that help protect other elements of the network, she said. The tool can create adequate visualizations to present to a manager responsible for oversight, she said.

Beyond helping with the initial certification and accreditation process, Leider said she hopes to automate her way toward what she calls “Living DIACAP” — an automated means of scanning the systems she is responsible for monitoring on a daily or weekly basis and immediately alerting her if any one of those systems diverges from its approved configuration.

Keeping a handle on the information assurance status of the National Guard is a particular challenge because it means tracking connections to 54 independently operated networks that states and territories maintain, and their technical decision-making is highly decentralized. By maximizing the use of data gathered through Microsoft’s Systems Management Server (SMS) and fed into NetCracker for analysis, Leider said she hopes to eliminate a lot of manual data gathering and improve the accuracy of the reporting. “A machine is a lot more likely to faithfully and truthfully report to me its current patch status,” she said.

In addition to taking data from SMS, she is working on getting a feed from Cisco Systems’ network management tools.

In return for granting greater visibility into their networks, local network managers will get the benefits of other aspects of the inventory system, such as assistance with keeping their software licenses up-to-date, Leider said. She expects it to take about a year to deploy the technology across the National Guard network.

Call in the red team

DIACAP’s critics include Jeffrey Jaime, a retired Air Force captain who worked with the DOD Computer Emergency Response Team at DISA and now works as a consultant. He questions whether DIACAP is translating into better security or just a false sense of security.

“It has made organizations more aware of the need for security controls, but the security is not necessarily better,” Jaime said. DIACAP compels system managers to explain their approach to implementing dozens of required controls, but in some cases, their responses might be more “an exercise in creative writing” than anything meaningful, Jaime said. It also is unclear whether high scores on the DIACAP score card used to rate each system translate into better security, he said.

“Raising awareness is always good, and you wouldn’t get a good score if you weren’t aware you had to do something,” Jaime said. “But there’s a misperception that if a system has a good score card, it must be secure. And that’s not true.”

Jaime said the Consensus Audit Guidelines, which a coalition of information security experts are developing as a set of recommendations to the federal government, offer a better approach. The guidelines emphasize identifying the most serious real-world threats and prioritizing information assurance efforts based on them. The coalition developed them as a response to the Federal Information Security Management Act, which takes a similarly broad approach and includes its own score cards for federal agencies. DIACAP was developed partly to help DOD improve its compliance with FISMA requirements.

The chairman of the Consensus Audit Guidelines effort is John Gilligan, who was the Air Force's CIO from 2001 to 2005 and is now president of IT consulting firm Gilligan Group. One of Gilligan’s precepts is that the best way of measuring a system’s security is to have a team of friendly hackers actively try to defeat it. “I think that’s a far better predictor of how good your security is” than any certification and accreditation process, he said.

The draft of the guidelines includes a top-20 list of recommendations, and No. 17 is that agencies should conduct such exercises on a regular basis. Most of the other recommendations are derived from past penetration testing exercises or actual security breaches, which means they reflect real-world vulnerabilities, Gilligan said. For example, the No. 1 recommendation is to conduct a thorough audit of authorized and unauthorized devices on the network because hackers often exploit the presence of unauthorized devices, Gilligan said.

While acknowledging that he is not an expert on DIACAP, which was implemented after he left DOD, Gilligan said, “my understanding is that it is perhaps a step better than DITSCAP, but there is still an awful lot of bureaucracy going on.” He worries that it puts too much emphasis on inspecting documents and not enough on hands-on examination of the systems.

Another security expert and Consensus Audit Guidelines booster is Alan Paller, director of research at the SANS Institute. “There is nothing wrong with DIACAP; what is wrong is the people who try to audit everything when they should be focusing on the proper subset that matters,” he said. “Once that subset is done very, very well, they can go on to the next subset.”

DOD’s King said he has seen a presentation on the Consensus Audit Guidelines but wasn’t ready to comment on how well they compare with, or might be used in conjunction with, DIACAP.

DISA’s Stempfley said, “I don’t see them as mutually exclusive at all.” Although it’s valuable to focus on the biggest risks, it’s also valuable to take a comprehensive look at the risks, she said, in much the same way that compiling a complete budget can help you spend your money better.