What do bad brakes, invading termites, leaky dams and equally leaky military networks have in common? They are conditions that can result in significant damage if not addressed, but they are easily avoided through attention, upkeep and adherence to the Certification and Accreditation (C&A) process, DIACAP, which results in an Approval to Operate (ATO) or an Interim Approval to Operate (IATO). There are a number of people who will tell you that keeping networks in good IA order is too much work and/or too costly. These are usually the people who have “more important things to worry about,” or MITT-WA.
Keeping a network up to IA standards is not simply a good idea from a security standpoint. It is also mandated by Army regulations (and other military and government regulations as well). When these standards are not maintained, commanders and network administrators are duly notified. Many, however, don’t take immediate action because they have MITT-WA.
Unfortunately, focusing on MITT-WAs while ignoring a notification of a pending expiration of the C&A often results in a circuit shutdown, known as being Hot-Plugged. This is not an arbitrary decision. It happens because a system and network are in danger of being compromised, and a risk to one is a risk to all in our networked DoD world. Anyone planning on acquiring, developing, or fielding an information system must comply with the C&A requirements, period! If the system is not in compliance, it will be barred from being added to Army networks or processing Army data. The Army C&A process is not just a cool thing to do; it’s required by Federal, DoD and DA regulations.
The network administrators for a “Hot-Plugged” circuit usually take on an entirely different attitude about IA that ranges from quiet desperation to full-blown screaming fits of panic. Suddenly the task of keeping a network certified takes on an entirely new level of importance, especially when the commanding officer can’t access email. The need for getting that circuit switched back on now becomes the lead MITT-WA. That’s when you call for a CAR, or Certification Authority Representative.
According to one perspective, a CAR is part technical expert, part organizational psychologist, part conflict resolution specialist and part 2nd grade school teacher with the patience of a saint and the thick skin of a rhinoceros. Some network types, usually the ones in the screaming fits of panic, might suggest that a CAR is standing between them and a working network. They might suggest that they don’t have time to deal with CARs. However, when a circuit is turned off, a CAR becomes a best friend because they are more than happy to guide a network administrator through all the steps necessary to get a circuit back in operation ASAP. Getting a circuit back up and running requires nothing more than making it safe from an IA standpoint. The CAR’s mission is to enable others to complete their mission through securing the systems that house and transmit military data.
Often it is worth talking to a CAR before a crisis point is reached because they can provide expert guidance and help coordinate C&A requirements to help comply with Federal, DoD and DA requirements. That’s why, at the inception of the development or acquisition process, it is worth the time and effort to consult a CAR at the Army Office of Information Assurance and Compliance (OIA&C) to ensure that your system avoids the pitfalls of not being in compliance. The best way to contact an OIA&C CAR is by email at IACORA@us.army.mil. You can simply register your system online in the Certification and Accreditation Tracking Database (C&A TdB) at https://armydiacaptdb.arl.army.mil. By doing so, you can keep your circuit availability from working its way to the top of your MITT-WA list.
The On Cyber Patrol© cartoon and supporting articles are created and made available by the U.S. Army’s Office of Information Assurance and Compliance, NETCOM, CIO/G6. For more information on the OCP program or to submit ideas for upcoming cartoons/articles, contact firstname.lastname@example.org.