Defense Department information systems (IS) are routinely deployed across the globe, embedded in host enclaves and connected to naval operational networks. Command and control, logistics, intelligence — regardless of the function, all information systems must be assessed to meet security requirements prior to connection.
Reciprocity is the mutual agreement among participating enterprises to accept each other's security assessments in order to reuse IS resources and/or to accept each other's assessed security posture in order to share information. Without reciprocity, the receiving activity must conduct a security certification and accreditation (C&A) process from square one.
Air Force Maj. Gen. Michael J. Basla, then Vice Director, Command, Control, Communications and Computer Systems for the Joint Staff, reflected on the negative impact of reciprocity delays on the warfighter, "From the warfighting mission area perspective, we have witnessed the protracted delay of fielding capability to the warfighting community due to lack of comprehensive security review criteria and an executable, repeatable process."
On July 23, 2009, reciprocal acceptance of information systems certification and accreditation documentation within the DoD took a giant leap forward with the issuance of a groundbreaking memorandum.
The memorandum, "DoD Information System Certification and Accreditation Reciprocity," seeks to ensure the rapid and secure fielding of DoD information systems by providing clear communication of the reciprocity policy and implementing guidance to establish a systematic, repeatable process.
The memorandum was endorsed by the four DoD mission area (MA) principal accrediting authorities (PAAs), who are responsible for resolving accreditation issues within their respective mission areas and for working with the other PAAs to resolve issues among mission areas as needed.
The PAAs and their associated MAs are:
• Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer, ASD (NII)/DoD CIO; Enterprise Information Environment MA
• Under Secretary of Defense for Acquisition, Technology and Logistics, USD (AT&L); Business MA
• Chairman of the Joint Chiefs of Staff; Warfighting MA
• Under Secretary of Defense for Intelligence, USD(I); Defense Intelligence MA
In the memorandum, the principal accrediting authorities state that the timely deployment of information systems is critical to attaining the department's strategic vision of netcentricity. They also stress that reciprocity of accreditation decisions and the artifacts contributing to the accreditation decision will advance information sharing; reduce rework and cycle time when establishing combined and joint information systems and networks; and support DoD mission accomplishment.
The memorandum reaffirms that each DoD information system has one, and only one, assigned designated accrediting authority (DAA), who is responsible for issuing an accreditation decision based on achieving an acceptable risk posture, and it requires due diligence in complying with the DoD Information Assurance Certification and Accreditation Process (DIACAP). However, it also recognizes that DoD components receiving and deploying DoD information systems are also stakeholders, and therefore must be provided situational awareness and access to C&A data to make informed connection and net-worthy decisions.
The PAAs recognize that reciprocity requires a level of trust based on transparency, uniform processes and a common understanding of expected outcomes, and the memo provides for continuous visibility of information assurance C&A packages, deployment milestones and transparency of risk management decisions.
Connection and net-worthiness requirements beyond information assurance (IA) can also affect a DoD component's decision to accept a deploying information system. These requirements cover interoperability and supportability issues other than security, and they may have an impact on network operations.
In order to ensure that these requirements are not addressed at the last minute and become limiting factors in information systems deployment, the memorandum facilitates early visibility and active involvement in the net-worthiness and connection approval processes.
The memorandum provides terms and conditions for accomplishing timely reciprocity within DoD for the two types of information systems deployments: enterprise-wide and non-enterprise-wide.
An enterprise-wide deployment occurs when a Defense Department information system is deployed to multiple components across the DoD information enterprise.
A non-enterprise-wide deployment occurs when a Defense Department information system is deployed to two or more DoD components, but is not designed to satisfy a DoD-wide requirement.
Governance responsibilities for the Defense Information Assurance/Security Accreditation Working Group (DSAWG) and the Defense Information System Network/Global Information Grid (DISN/GIG) Flag Panel are identified.
The DSAWG is tasked to conduct the enterprise security reviews and make recommendations to the Flag Panel. The Flag Panel is responsible for making final reciprocity decisions, which are binding upon both the deploying and receiving communities.
Reciprocity within DoD has been a tough issue to resolve. The reciprocity memorandum, when fully implemented, will be an important tool in achieving rapid and secure fielding of DoD information systems.
As Maj. Gen. Basla said, “The expectation over time is that the reciprocal acceptance of accreditation decisions will cease to be one of the systemic problems impeding the effective and timely delivery of information systems across all the mission areas.”
The DoD Reciprocity Memorandum is available for download from the DON CIO Web site at www.doncio.navy.mil under the Policy and Guidance link.
Mr. Eustace King is assigned to the Office of the Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance (DASD/CIIA). As the principal authority within DASD/CIIA for ensuring successful implementation of the DIACAP, King provides oversight and community outreach to ensure understanding of and adherence to DIACAP policy. He also chairs the DIACAP Technical Advisory Group, with responsibility for DIACAP configuration management.