


The Office of the Associate Director of National Intelligence and Chief Information Officer (ADNI CIO) is progressing toward the goal of transforming Certification & Accreditation (C&A). Seven transformational goals comprise the ADNI CIO's strategic vision for the "C&A Transformation" effort:

  • Reduce the varying numbers of IC Protection Levels and DoD Mission Assurance Categories (MAC) by defining a common set of trust levels the IC and DoD can jointly apply to systems, eliminating conflicting criteria used to apply security controls that currently prohibit systems' interconnection and information sharing.
  • Adopt reciprocity, in the sense of cooperation, as normal business rather than the exception, to facilitate re-use of systems developed and approved by other organizations. This transformation will reduce duplicative expenditures on multiple systems development efforts.
  • Define common security controls, using NIST Special Publication 800-53 as a starting point, enabling the IC and DoD to develop systems to the same protection standards. In doing so, this facilitates reciprocity of approvals and reuse of systems across the IC and DoD communities.
  • Define a common lexicon (common language and common understanding), using the Committee on National Security Systems (CNSS) 4009 glossary as a baseline, for establishing reuse and reciprocity across the IC and DoD.
  • Look more broadly than individual systems or events when making risk decisions. To that end, a senior risk executive function bases decisions on an "enterprise" view of risk, considering all factors, including mission, IT, budget, and security. This view of risk enables Approval Authorities to make informed decisions.
  • Design and operate Information Assurance within the enterprise operational environments, as a coherent whole across the IC and DoD, enabling IA situational awareness and command and control.
  • Institute a common process for the IC and DoD incorporating security engineering within "lifecycle" processes. This eliminates current security-specific processes. The common process will be adaptable to various development environments. Coupled with an ongoing validation process based on strict configuration management, continuous risk assessment, continuous monitoring, and periodic and/or ad-hoc audits, this change eliminates the need for "re-accreditation" as a paperwork exercise. This process reduces the existing redundant C&A activities and unnecessary documentation, and shortens the overall process of approving systems.

To achieve the seven transformational goals, the C&A Transformation team will establish Tiger Teams to draft policies, guidance, and procedures related to the following topics:

  • Common Intelligence Community (IC)/Department of Defense (DoD) Trust Levels and Security Controls
  • Common Lexicon - Modifications to the Committee on National Security Systems (CNSS) 4009
  • Common IA Service Candidates and Automated Tools
  • Common Risk Management Framework

Each Tiger Team effort will consist of two initial phases:

  • Phase I - Tiger Team I (three to five people) will create the draft policies/guidance/procedures corresponding to the Tiger Team's topic area.
  • Phase II - Tiger Team II (eight+ people) will review and comment on the proposed drafts. Once Tiger Team II has approved the drafts, they will promulgate the drafts to the wider IC for review and comment.

Updated news and information regarding the C&A Transformation effort can be found at https://www.intelink.gov/mypage/c&a. If you cannot access the C&A Transformation page on DNI-U, please complete a blank RA Request form and attach it to an e-mail addressed to C&ATransformation@dni.gov. After meeting the security requirements, a Remote Access account will be created for you to access the DNI-U.
