Implications of Aggregated DoD Information Systems for Information Assurance Certification and Accreditation

摘要

The challenges associated with securing U.S. Department of Defense (DoD) information systems (ISs) have grown as the department's information infrastructure has become more complex and interconnected. At the same time, the potential negative consequences associated with cyber intrusions have become more severe, as demonstrated by the recently publicized breach of computer networks at defense contractors involved in the development of the F- 35 aircraft (Gorman, Cole, and Dreazen, 2009). An important question to consider is whether current information assurance (IA) policies and procedures are sufficient to address this growing threat and well suited to address vulnerability issues associated with highly networked ISs. Presently, all DoD ISs must individually satisfy the certification and accreditation (C&A) requirements outlined in DoD Instruction (DoDI) 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP) (2007), prior to receiving authorization to operate (ATO). As written, the DIACAP is focused on conducting C&A for a single system.