How eMASS, RMF and DIACAP All Connect
March 25, 2016
So many acronyms, so little time. Well here is the quick breakdown on the differences and the connection between eMASS, RMF and DIACAP to get you up to speed and on your merry way.
DIACAP Improves Risk Management
The DoD Information Assurance Certification and Accreditation Process (DIACAP) was a process created by the Department of Defense to ensure that organizations apply proper risk management to the information systems they use.
The idea is that if organizations, especially DoD agencies, follow this set of standards and management activities, awareness of the security posture of their information systems will increase and so will the improvements made to it. All information systems should continually move through what is called the SDLC, or Systems Development Lifecycle: a process that follows the requirements for effectively planning, creating, testing, and deploying the hardware and software configurations of information systems.
Additionally, these systems should be continually reviewed and maintained. In terms of DIACAP, this review and maintenance process should include an added concentration on the system’s security posture for risk management purposes.
The DIACAP interim version was first signed in July 2006.
eMASS Automates the Process
DIACAP makes a lot of sense in terms of its goals for monitoring and improving information system security. However, reviewing each system became long and time consuming: the system had to be monitored and a report developed on each of the points the process required.
This is how eMASS came to life. DISA created the Enterprise Mission Assurance Support Service (eMASS) in order to automate the DIACAP process and improve the efficiency of the employees involved in DIACAP’s Certification & Accreditation process. However, eMASS was not required to be used under DIACAP.
Today, this computer application is owned by the DoD and managed by DISA. eMASS evolved to support the Risk Management Framework (RMF) and help automate the transfer of outdated DIACAP reports into the new RMF format to improve efficiency. Additionally, it became a tool required for use during the RMF process.
RMF Improves and Replaces DIACAP
In March 2014 it was decided that the Risk Management Framework (RMF) would replace DIACAP.
The main difference between DIACAP and RMF is that a new Assessment & Authorization (A&A) process replaced the Certification and Accreditation (C&A) process of DIACAP. The underlying purpose of the standard remained the same: the process should help improve the security posture of information systems. The limitation of C&A was that it seemed too definitive, since there is no way to truly eliminate security risk from any system.
The A&A process establishes a more realistic range of risk tolerance for a system instead of a binary verdict that the system either is or is not secure. RMF reigns as the information security framework of choice for the entire federal government.
What is the Process Followed Now?
So today the process is this:
- All systems need to be transitioned to and reviewed by the RMF standard, which follows the process below:
  - Categorize the Information System
  - Select the Security Controls
  - Implement the Security Controls
  - Assess the Security Controls
  - Authorize the Information System
  - Monitor the Security Controls
  - Repeat as needed
- The process for doing so is automated with the help of eMASS. The computer application either transfers existing DIACAP documentation to the RMF format, or a new system is processed directly through the RMF standard.
Are you ready to run or manage an A&A?
Make sure you are prepared for your next A&A by training on RMF and eMASS. Register now by calling a Training Consultant at 240-667-7757!