
The Responsibility of Reciprocity

At the heart of "DoD Information System Certification and Accreditation Reciprocity" is the policy that if a system owner from any service hands a certified and accredited system to the network owner from any other service, the network owner should have the confidence that putting that system on his or her network will not result in creating information assurance or related vulnerabilities. Can we handle this?

On 11 June 2009, a DoD-wide memorandum entitled DoD Information System Certification and Accreditation Reciprocity in effect stated that one branch of the military should use another branch’s information system if it is accredited and certified “within the DoD Information Assurance Certification and Accreditation Process (DIACAP) Enterprise Governance structure.” After the memo was released there was likely a worldwide exclamation of “You want me to do what?!” That cry was equally matched by a chorus of system owners screaming, “It’s about time!” But what drowned out both was the exclamation from U.S. warfighters worldwide to “get your act together and give us the systems we need to get the job done, NOW!”

The core of this policy is that if a system owner from any service hands a certified and accredited system to the network owner from any other service, the network owner should have the confidence that putting that system on his or her network will not result in creating information assurance or related vulnerabilities. This will result in timelier implementation of mission-critical systems and save millions of dollars in redundant certification activities. There might be a few out there who worry that this policy emerged from an organizational environment that invented the terms SNAFU and FUBAR. However, this is a policy that is too important to be weakened by cynicism.

The memo also stated that, “Reciprocity requires a level of trust based upon transparency, uniform processes and a common understanding of expected outcomes.” While this aspect might ignite a few internal struggles of trust versus suspicion and cynicism versus optimism, no one can ignore the pragmatic 800-pound gorilla sitting at the table saying, simply, “We need to eliminate cross-service information system implementation delays for the sake of the warfighter.”

With reciprocity comes the need for a high level of responsibility, dedication and attention to detail in those who ensure that systems are secure no matter who deploys them. Certification and accreditation (C&A) professionals DoD-wide have accepted the mission to ensure the required transparency, uniform processes and a common understanding of expected outcomes. These are the elements that build trust and prevent the systematic failure of any policy, especially this one. A key underlying responsibility rests with system owners, who need to incorporate IA into system planning from day one; IA and C&A as afterthoughts are counter-productive. Finally, network owners across the military also need to accept this mission by laying their cross-service cynicism aside and working to make this policy successful. Ignoring or resisting the implementation of reciprocity ultimately hurts only the warfighters, because they are denied the timely implementation of the information system tools they need to do their job.

The information assurance aspects of military data management are critical to mission success, not to mention protecting lives. Every single Designated Approving Authority accepts this responsibility as much as a front-line warfighter accepts the responsibility to defend a perimeter. In the U.S. military, the successes in this area far outweigh the rare lapse. It is on this record and legacy that acceptance of this policy must be based. While there will always be exceptions that need to be addressed, the advantages of reciprocity outweigh the shortcomings, and those concerns will be addressed as the process matures.

The On Cyber Patrol© cartoon and supporting articles are created and made available by the U.S. Army’s Office of Information Assurance and Compliance, NETCOM, CIO/G6. For more information on the OCP program or to submit ideas for upcoming cartoons/articles, contact oncyberpatrol@hqda.army.mil.