ODNI finalizing new C&A policy documents
Officials expect a series of new policies and manuals to improve IT security to come out in the next three months.
The Office of the Director of National Intelligence is moving closer to finishing the revision of the intelligence community and Defense Department’s certification and accreditation (C&A) policies.
ODNI will issue Intelligence Community Directive (ICD) 503 to replace Director of Central Intelligence Directive (DCID) 63, which details the C&A process and how intelligence agencies should perform the process. Sherrill Nicely, ODNI’s deputy associate director of National Intelligence for Intelligence Community Information Technology Governance, said Nov. 7 that the document is in the final approval stage and should be issued by Dec. 31.
“The C&A process is not very different from the National Institute of Standards and Technology’s risk management framework,” Nicely said after her keynote speech at the E-Gov Institute’s Security conference in Washington. The E-Gov Institute is owned by Federal Computer Week’s parent company, 1105 Media.
About six DOD and intelligence offices already are testing the new C&A processes, Nicely said. For instance, the Defense Intelligence Agency is using the new procedures for building A-Space, a social networking portal for intelligence analysts.
“DIA had already certified and accredited many of it systems that it is using to build A-Space so why not accept it?” she asked. “In the past we wouldn’t have accepted their C&A, but with the reciprocity we can.”
Nicely said the tests will help “shake things out” and help agencies understand what to expect from the new processes.
“We expect the number of pilots to increase quite a bit after Jan. 1 and then we will do more training,” she said.
While ODNI and DOD officials are awaiting final approval on ICD-503, another group is finalizing the updated security control catalog and impact assessment portion of the C&A process.
Nicely said she expects those to be released after Jan. 1.
In the meantime, she said, intelligence agencies still should follow the old manuals detailed in DCID-63.
“We still are working on the transition plan and will ask the community for a plan of action and milestone to move to the new process,” Nicely said. “We will not require systems to be reaccredited to the new process until they must be reaccredited.”
She also added that the Open Source Center would be a major beneficiary of the new C&A process.
NEXT STORY: Letter: Why delay the cybersecurity report?