
Making Independent Assessments Happen in the DOD Supply Chain

I began my “Cybersecurity” career around 1998 (it was called Information Security then) while in the US Air Force, when I was assigned to the Electronic Systems Center under the AF Materiel Command. The program office I worked for was responsible for developing and fielding enterprise Information Security systems across the Department of the Air Force. I was responsible for documenting each system’s security compliance with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), which later evolved into the DoD Information Assurance Certification and Accreditation Process (DIACAP), which merged with the NIST Risk Management Framework (RMF) and NIST Special Publication 800-53.

I offer the following quotes from DOD Instruction 5200.40: DoD Information Technology Security Certification and Accreditation Process (DITSCAP) published December 30, 1997:

“E2.1.9. Certification Authority (CA). The official responsible for performing the comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meet a set of specified security requirements.”

“E4.2.3.3. The CA shall support the DAA [Designated Approving Authority] for the comprehensive evaluation of the technical and non-technical security features of the IT system.” … “The CA shall be independent from the organization responsible for the system. Organizational independence of the CA eases the potential of conflicts of interest and permits an impartial evaluation.”

The DOD recognized more than two decades ago that they couldn’t trust self-assessments within their own organization(s). It should come as no surprise that they don’t trust outside organizations either…and they have proven it true over and over during that time. The only thing that should be surprising is that it took this long to gain the political capital to make independent assessments (CMMC) happen within their supply chain!
