Leveraging the CCRI Process to Support Ongoing Authorization within the Risk Management Framework
Editor’s Note: Former NetCentrics cybersecurity expert Marvin Marin wrote a paper, excerpted and linked below, that focuses on cybersecurity within the Risk Management Framework (RMF). Marin and his NetCentrics colleagues were part of the cybersecurity team that implemented the risk management framework at the U.S. Coast Guard.
In this paper, Marin proposes how to use the Defense Information System Agency (DISA) Cyber Command Readiness Inspection (CCRI) method to remove ambiguity, provide consistency across approving agencies and dramatically decrease the time between testing and approval/denial of a system to operate.
Leveraging the CCRI process to Support Ongoing Authorization within the Risk Management Framework
Risk analysts struggle to calculate, prioritize and communicate risks to the Authorizing Official (AO), who accepts or denies the risk in support of a system’s accreditation based on a risk report. A major problem not addressed by either the Defense Information Assurance Certification and Accreditation Program (DIACAP) or the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the difficulty of quantifying the level of risk an accredited system poses and the failure to provide a method to consistently reach the same conclusion given different analysts, agencies, or auditors. The key to providing consistency is in changing how the systems are evaluated and scored. The proposed new approach suggests using a well-known benchmark, such as the Defense Information System Agency (DISA) Cyber Command Readiness Inspection (CCRI) method, to remove ambiguity, provide consistency across approving agencies and also to dramatically decrease the time between the test event and approval/denial of the system to operate. This recommended approach can dramatically reduce response time and provide greater confidence in the conclusions of the analysts.
Download the full paper below.
Keywords: Assessment & Authorization (A&A), Certification & Accreditation (C&A), RMF, DIACAP, CCRI, Risk Management, Information Security Continuous Monitoring, Ongoing Assessment & Authorization.
DISA's Cyber Command Readiness Inspection (CCRI) method removes ambiguity and provides consistency across approving agencies
Learn more about Enterprise IT...View All
Going Digital: The Future of Defense Requires Modernization
NetCentrics Wins Best CEO Award in National Ranking
Recent Events Demonstrate More Machine Learning is Necessary for Security
Business Development Executive Revels in the Chase of New Technologies, New Opportunities
Spam, Phishing, and Ransomware: Easy Ways to Protect Yourself at Work
Continuous Learning Coast-to-Coast
Net-Centric Warfare in Battlefield Operations, Yesterday and Tomorrow
Aglio Named CFO of NetCentrics, Ushers in New Period of Expansion for Trusted Government Contractor
A Year in Business Development at NetCentrics