Issue: Risk analysts struggle to calculate, prioritize and communicate risks to the Authorizing Official (AO), who accepts or denies the risk in support of a system's accreditation based on a risk report. A major problem not addressed by either the Defense Information Assurance Certification and Accreditation Program (DIACAP) or the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the difficulty of quantifying the level of risk an accredited system poses, and the lack of a method by which different analysts, agencies, or auditors can consistently reach the same conclusion. The key to providing consistency is changing how systems are evaluated and scored. The proposed approach uses a well-known benchmark, such as the Defense Information Systems Agency (DISA) Command Cyber Readiness Inspection (CCRI) method, to remove ambiguity, provide consistency across approving agencies, and dramatically decrease the time between the test event and the approval or denial of the system's authorization to operate. This recommended approach can dramatically reduce response time and provide greater confidence in the analysts' conclusions.
Keywords: Assessment & Authorization (A&A), Certification & Accreditation (C&A), RMF, DIACAP, CCRI, Risk Management, Information Security Continuous Monitoring, Ongoing Assessment & Authorization.