
Leveraging the CCRI Process to Support Ongoing Authorization within the Risk Management Framework

Written July 7th, 2016

Editor’s Note: Former NetCentrics cybersecurity expert Marvin Marin wrote a paper, excerpted and linked below, that focuses on cybersecurity within the Risk Management Framework (RMF). Marin and his NetCentrics colleagues were part of the cybersecurity team that implemented the Risk Management Framework at the U.S. Coast Guard.

In this paper, Marin proposes using the Defense Information Systems Agency (DISA) Cyber Command Readiness Inspection (CCRI) method to remove ambiguity, provide consistency across approving agencies, and dramatically decrease the time between testing and the approval or denial of a system’s authorization to operate.

Leveraging the CCRI process to Support Ongoing Authorization within the Risk Management Framework

Risk analysts struggle to calculate, prioritize and communicate risks to the Authorizing Official (AO), who accepts or denies the risk in support of a system’s accreditation based on a risk report. A major problem not addressed by either the Defense Information Assurance Certification and Accreditation Program (DIACAP) or the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the difficulty of quantifying the level of risk an accredited system poses, and the lack of a method by which different analysts, agencies, or auditors consistently reach the same conclusion. The key to providing consistency is in changing how systems are evaluated and scored. The proposed approach uses a well-known benchmark, the Defense Information Systems Agency (DISA) Cyber Command Readiness Inspection (CCRI) method, to remove ambiguity, provide consistency across approving agencies, and dramatically decrease the time between the test event and the approval or denial of the system’s authorization to operate. This recommended approach can dramatically reduce response time and provide greater confidence in the analysts’ conclusions.

Download the full paper below.

Keywords: Assessment & Authorization (A&A), Certification & Accreditation (C&A), RMF, DIACAP, CCRI, Risk Management, Information Security Continuous Monitoring, Ongoing Assessment & Authorization.