Tiger Team Venues
Personnel Training & Certification:
This venue addresses the training requirements placed on personnel directly and indirectly involved in the Certification and Accreditation (C&A) processes.
These are just some of the questions that may be addressed within the Personnel Training & Certification venue.
- Should certifiers and accreditors be formally "certified" in their duties?
- Which training programs are acceptable?
- What basic training should be required before a certifier or accreditor role is assigned or assumed?
- How should training be conducted?
- How often should training be required?
Certification Reciprocity and Reuse:
This venue examines reciprocity and reuse of certification processes among US Government entities, and how previous certifications can be reused rather than repeated from scratch.
These are just some of the questions that may be addressed within the Certification Reciprocity & Reuse venue.
- How can certification be performed to be acceptable to all agencies and to our foreign partners?
- How can a new certification process be efficient and economical across the entire US Government?
- Can automation be incorporated without reducing the quality of the results?
- Would automation improve the government-wide acceptance?
- How do we gather the certification information for reuse elsewhere?
- Where and how is it stored?
Secure Solutions and Architectures:
This venue examines the development of secure, "out-of-the-box" solutions and secure architectures, such as service-oriented architectures (SOAs).
These are just some of the questions that may be addressed within the Secure Solutions and Architectures venue.
- How do we implement secure coding techniques in code development?
- How do we test solutions to ensure that they are secure?
- Who should test them and certify their operation?
- How do we ensure that C&A is integrated into the overall system life cycle?
- How do we prepare now for the C&A of future architectures?
Risk Assessments and Risk Management:
The lack of commonly accepted information assurance (IA) risk assessment methodologies, together with the absence of standard risk management governance, impedes the goal of well-informed and effective risk management. Some of these risks come from increased information sharing and increased net-centricity. In particular, applying inconsistent risk assessment methodologies can produce risk assessments that are not repeatable.
These are just some of the questions that may be addressed within the Risk Assessments and Risk Management venue.
- What are the advantages and shortcomings with existing risk assessment methodologies?
- Can a single IA risk assessment methodology be defined for all environments?
- If so, how extensible and/or tailorable should it be?
- If not, what factors are relevant to the selection of a risk assessment methodology?
- What relationships between IA risks, design decisions, and programmatic risks must be addressed in an IA risk model/methodology?
- What relationships between IA risks and risks to missions must be addressed?
Requirements and Standard Documentation:
Certification and accreditation processes can be highly labor- and time-intensive. The information assurance controls may need to be updated to reflect new technologies and to achieve consistency with those used in other sectors of the government.
These are just some of the questions that may be addressed within the Requirements and Standard Documentation venue.
- How can one minimize the amount of documentation required to support C&A?
- What standard definitions should be used to promote communication?
- What automated tools are available and where can they be employed to facilitate the certification process?
- How can the amount of manual testing be minimized?
- What form should the revised controls/requirements take?
Governance:
This venue will look at the governance issues associated with a successful C&A activity. Among the topics it may cover are the scope of the C&A activities, identification of roles and responsibilities, and the accountability and objectivity of the accreditors.
These are just some of the questions that may be addressed within the Governance venue.
- Should the revised C&A activity be limited to only SCI information?
- Should it cover all national intelligence information?
- Should it cover all information processed in a SCIF?
- What is the minimum set of roles to support C&A and what are their responsibilities?
- What constraints should be placed on delegation of responsibilities?
- How does the new process ensure accountability of those performing C&A without inhibiting innovation?
- What can be done in the governance process to ensure that the C&A decisions are independent of conflict of interests while still sensitive to mission needs?
- Is certification separate from accreditation?