MILITARY INFORMATION SYSTEMS RISK MANAGEMENT
by
Thomas G. Ewert
A Capstone Project Submitted to the Faculty of
Utica College
August 2015
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in
Cybersecurity
© Copyright 2015 by Thomas G. Ewert
All Rights Reserved
Abstract
In 2015, cybersecurity is a common concern across all industries around the globe. Cyber incidents are in the news on a regular basis, from teenagers exploring the cyber domain with free downloadable software to more sophisticated state-sponsored actors wielding innovative technology. Attackers are making the headlines by breaking into government agencies and stealing sensitive information. Large corporations and banks are also targets because of the large databases that contain personally identifiable information and money. Cybersecurity professionals are in high demand to combat cyber incidents.
The Department of Defense (DoD) relies on the United States' technical advantage in air, land, sea, and space to protect national security interests. The Defense Information Systems Agency (DISA) is responsible for securing information systems for the United States military. DISA implemented the Risk Management Framework (RMF) in 2012 to improve on the Defense Information Assurance Certification and Accreditation Process (DIACAP). The primary purpose of the RMF is to provide the DoD and the federal government a common standard for information security. The RMF introduces reciprocity between the DoD and federal agencies so that they can share approved information system documentation. DISA sponsors several vulnerability management tools that apply industry best practices and national vulnerability databases to meet the RMF requirements.
DISA plans full operation of the RMF in 2017 and is currently transitioning from DIACAP to the RMF. The purpose of this research is to evaluate the RMF to see if it improves cybersecurity for the DoD.
Keywords: Cybersecurity, Professor Cynthia Gonnella, FISMA, C&A, A&A, information security.
Acknowledgements
First, I would like to thank my children, Chris and Hannah, for being patient with me the
last two years while I pursued my educational goals. I hope I set a great example for you and
taught you that you should never give up for any reason to reach your goals; you never stop
learning. To my mother and father, thank you for your love and support. I do not know how I
would have made it the last 8 years without you. Thank you for your inspiration and always
pushing me to be a better person. Most of all, thank you for always being there for us. Bill, Lee, and Steve, thank you for your support and for helping with the kids when I needed a break so I could concentrate on my courses. To my colleagues, especially Mark Watson, Martin Colon, and
Bobby Eucker, thank you for listening to my crazy ideas and helping me choose this topic from
thoughts from many discussions at work. To Mark Low and Rhett Thomas, thank you for
volunteering to make sense of my thoughts and keeping me on track. To the Utica staff, thank
you for your time, dedication, and support during the program. For my second reader, Ismael
Morales, thank you for taking time out of your busy schedule to make sure I stayed true to the
subject. Finally, to Professor Gonnella, thank you for your guidance and time. Thank you for
being patient with me and motivating me to continue with the capstone.
Table of Contents
List of Illustrative Materials
Military Information Systems Risk Management
Literature Review
  DoD Information Security Standards
    DITSCAP
    FISMA
    DIACAP
    RMF
      Vulnerability management
        Security Technical Implementation Guides (STIGs)
        Gold Disk
        Security Content Automation Protocol (SCAP)
        Information Assurance Vulnerability Management (IAVM) patches
        Retina
        Assured Compliance Assessment Solution (ACAS)
        Vulnerability Remediation Asset Manager (VRAM)
        Vulnerability Management System (VMS)
        Continuous Monitoring and Risk Scoring (CMRS)
        Enterprise Mission Assurance Support Service (eMASS)
    DIACAP vs. RMF
Discussion of Findings
Future Research Recommendations
  Cleaner Code
  Improved Cyber Awareness Training
  The Human Element
Conclusion
References
Appendices
  Appendix A – Operational Risk Management for Low Risk Systems
    APPROVAL
    1.1 Purpose
    1.2 ORM Request Process
    1.3 ORM Process
List of Illustrative Materials
Figure 1 – Defense Department IT Budget FY 14 to FY 20
Figure 2 – DITSCAP Phases
Figure 3 – DIACAP Phases
Figure 4 – RMF and Acquisition System Activities
Figure 5 – RMF Process
Military Information Systems Risk Management
How safe is the Department of Defense Information Network (DoDIN) and the
specialized systems and applications developed for the warfighter? Cybersecurity incidents are
steadily on the rise, and the World Wide Web has opened a new target vector for terrorists,
hacktivists, and state-sponsored actors. The Federal Information Security Management Act (FISMA) annual report listed over 640,000 cyber incidents for fiscal year 2014 (Office of Management and Budget, 2015). The cost to the defense sector was almost 22 million dollars in damage (Statista, 2014). On June 5, 2015, CNN White House producer Kevin Liptak, CNN political reporter Theodore Schleifer, and Chief National Security Correspondent Jim Sciutto reported that hackers had attacked the United States government and compromised over four million personnel files (2015). The
purpose of this research was to evaluate the certification and accreditation process for the
Department of Defense (DoD) to determine if it is adequately identifying system vulnerabilities
to meet military information technology (IT) requirements.
As the reliance on IT increases in people's lives and in the defense of the United States, the opportunities for criminals and hackers increase. The following examples are attacks against military networks from 2010 to 2015. Noah Schachtman, a journalist covering crime, intelligence, and technology, published an article on the agent.btz worm. In the article, Schachtman quotes Deputy Defense Secretary William Lynn's account that the worm entered the military's systems "when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East…" (2010, p. 1, para. 2). The malware on the drive spread to both the classified and unclassified networks and led to the ban of Universal Serial Bus (USB) drives in DoD because of the risk they present to information security (Schachtman, 2010).
In 2013, Wall Street Journal national security reporters Julian Barnes and Siobhan
Gorman wrote an online article indicating unknown hackers broke into the United States Navy’s
unclassified network (2013). It took several months for the Navy to recover applications and
information from the incident. According to a Georgetown security study written by master’s
candidate and active duty officer Jason Rivera, hackers probed the DoDIN approximately 360
million times a day for weaknesses (Rivera, 2014). It is difficult to determine how many attacks
are successful or if the enemy is hiding in the DoDIN collecting information.
For enemies of the United States, developing a cyber force is much easier than
developing new weapon systems to counter the United States armed forces. According to PC
Gamer hardware editor, Wes Fenlon, building a high-end computer system costs around two
thousand dollars (2015). Staff Sergeant Jarrod Chavana, a writer for the 3rd Combat Camera
Squadron interviewed the commander of Air Force Space Command, General John Hyten about
the cyber domain. General Hyten stated, “… the cost for cyberspace is a laptop and an internet
[sic] connection, and then you can be a threat to anybody" (2014, p. 1, para. 6). In comparison to current weapon systems, a new Abrams tank costs roughly 7.5 million dollars, according to the United States Army (Associated Press, 2013). Jane Wells, a CNBC business news reporter, reported on Loren Thompson's estimate of the cost of the F-16 fighter. Thompson, Chief Operating Officer of the Lexington Institute, estimates that a new F-16 fighter costs approximately 60 million dollars (2010). Because of the high cost of building or acquiring weapon systems, the United States' enemies have invested in tactics and procedures to attack the United States on a level playing field: the cyber domain.
Training a cyber-force to attack has also become much less expensive and more efficient. Hacking tools are available on numerous sites that offer free downloads. Most of the software only requires an Internet Protocol (IP) address to launch an attack. Forbes magazine journalist Parmy Olson wrote an article on hacking websites with free programs. In the article, Rob Rachwald, security strategy director at Imperva, said, "The tools are getting smarter," and, "the pool of hackers is increasing" (2012, p. 1, para. 4). Rachwald also taught his 11-year-old how to launch a Structured Query Language (SQL) injection attack in 15 minutes (Olson, 2012).
The DoD implemented three programs to assess the risk a system or application presents
to the warfighter mission. The DoD Information Technology Security Certification and
Accreditation Process (DITSCAP) was the first program implemented to address certification
and accreditation (C&A) of information systems in 1997 (Department of Defense [DoD], 1997).
The DoD Information Assurance Certification and Accreditation Process (DIACAP) replaced the
DITSCAP in 2007 with the goal of streamlining the C&A process (DoD, 2007). The biggest
change was moving the designated approval authority to one entity in each service to uphold
standards. In 2014, the Risk Management Framework (RMF) for DoD Information Technology
(DoD, 2014) replaced the DIACAP.
The RMF standardizes the requirements in DoD and the United States government to
approve the use of a system or application. DoD is using a phased approach over three years to
transition from the DIACAP (DoD, 2014). The latest certification date will determine when the
system enters the new RMF process. How could the implementation of RMF reduce the amount
of time to deliver a system to the warfighter? How can DoD ensure the RMF will manage risk at
acceptable levels to meet mission requirements?
The greatest change with the RMF is the sharing of authority to operate under reciprocity
between DoD and federal agencies (DoD, 2014). If the system or application completes
assessment and authorization under the RMF, another agency can use the authority to operate
(ATO) information to approve a system. Reciprocity can save an agency money, time, and labor
costs by using the artifacts from an existing approved package (DoD, 2014). What best practices
can DoD and the government rely upon to implement reciprocity?
The United States relies heavily on technology and creates weaknesses in national
security with the systems and applications used to defend the nation. “Why are we failing?” asks
Eric Johnson, senior security consultant and the application security curriculum product manager
at Systems Administration, Networking and Security (SANS) Institute (2015, p. 1, para. 2).
Computer security is an afterthought in the design phase of an application or system because of changes made to meet customer demands on rigid deadlines (Johnson, 2015). The statement of work (SOW) should include every standard that the product, and the cybersecurity personnel supporting it, must meet to deliver a product or service to DoD. CNET cybersecurity writer Laura Hautala stated that approximately 80 to 90 percent of the code in software applications comes from third parties; poor code is reused and passed on to new programs, which compounds the problem across applications (2015). In 2002, Scott Bradner, an information systems consultant with Harvard
University, wrote an article on trustworthy computing for NetworkWorld. In the article Bradner
quoted Bill Gates’ message to employees, “When we face a choice between adding features and
resolving security issues, we need to choose security” (2002, p. 32, para. 3).
The United States' cybersecurity forces are not prepared to defend against cyber-attacks. In April 2015, Russia Today reported that the Pentagon continues to build the cyber-force under Cyber Command, but that the Pentagon had only half of the required staff. By 2018, the command will grow to 6,200 personnel, including forces from the Reserves and National Guard (2015). DoD 8570.01-M, Information Assurance Workforce Improvement Program, requires information technology personnel to earn and maintain a certification based on their level of access to or oversight of a system. Personnel with elevated privileges to information systems are required to earn a certification based on their role. The manual has two main categories of certification: information assurance technical (IAT) and information assurance management (IAM). Both categories are further broken down into three levels based on the individual's experience and the level of support provided to a system (DoD, 2012).
System owners have a mission to accomplish, yet do not understand the information
security requirements. Kathryn Farrish, a Certified Information Systems Security Professional
and consultant at The DIACAP Resource Center, wrote that it would take time for system
owners to understand the new requirements and the revised responsibilities under the RMF
(2012). Personnel and budgets continue to decrease in the DoD. Jamie Crawford, National
Security Producer at CNN, published an article in July 2015 about the United States Army
cutting 40,000 troops by 2017 (2015). The easiest way to make up for a decrease in personnel is
by automating processes with an application or system. Navy Captain Scott Hoffman, Space and
Naval Warfare Systems Command (SPAWAR) Deputy Director for Contracts, submitted an
article on the IT acquisition process in the October-December 2012 edition of the Navy’s IT
magazine, CHIPS. The United States Navy implemented the Information Technology
Acquisition Approval Process to provide technical reviews of IT requests and to save money
because system owners were making purchases without IT procurement approval (2012).
Purchasing a system without a technical review creates a potential risk to DoD because the
vulnerabilities of the system are unknown. Since the system owner does not understand the RMF
process to receive an authority to operate (ATO) and they did not receive approval to purchase,
the system operates with no authorization and an unknown level of risk to the organization and
the DoDIN.
By evaluating the certification and accreditation process for the DoD, all cybersecurity
professionals, system owners, and system developers will have a better understanding of the
challenges of keeping up with technology and fielding approved systems to meet warfighter
requirements. System developers need to understand why it is important to address security
requirements in the design of a system. DoD contracting officers need education on information
security requirements and they should enforce those standards in the SOW. If contracting
officers do not hold defense contractors to the security standards in the SOW, contracting
officers are enabling the vulnerability in the system. Defense contractors that develop
information systems and applications should review DoD and federal guidelines for computer
security. The RMF and Federal Information Processing Standard (FIPS) publications will
provide the contractor the standards that are required to achieve an authority to operate (Farrish,
2012). Berman Associates, Incorporated, an information security consulting firm, highly
recommends all personnel and contractors involved in the system life cycle learn the new RMF
process for DoD (2014).
In the Battle of Gettysburg, General John Buford secured the high ground and provided
the Federal infantry a strategic advantage to win the battle. He stated before the battle, “…The
enemy knows the importance of this position and will strain every nerve to secure it…”
(Wittenberg, n.d., p. 1, para. 13). The United States’ enemies may not have the armed forces and
weapon systems to match the United States, but they do have the resources to build and maintain
a cyber-force to challenge us. In a recent BBC article written by Dave Lee and Nick Kwek, Professor Kim Heung-Kwang warned that North Korea's cyber-force is equipped with around 6,000 trained hackers and has the capability to kill people (2015). Professor Kim taught computer science at Hamheung Computer Technology University before defecting from North Korea in 2004. Professor Kim stated, "…if the computer system controlling the nuclear reactor was compromised, the consequences could be unimaginably severe and cause extensive casualties" (Lee & Kwek, 2015, Stuxnet clone, para. 4). The cyber domain is today's ultimate high ground – and the war is on for control.
Literature Review
How did cybersecurity, also known as information assurance, become such a hot topic for
the DoD? Published author for Information Today, Reid Goldsborough, stated the Internet
became mainstream in the United States in the mid-1990s (2014). In 1996, Bob Brewin, a
defense journalist for FCW, reported the Defense Information Systems Agency (DISA) planned
to move the Nonclassified Internet Protocol Router Network (NIPRNet) to the Sprint network
because of the explosion of traffic on military installations and the demand for bandwidth growth
to support military World Wide Web pages before the end of the year (1996). In April 2015, Russia Today reported that the Pentagon continues to build the cyber-force under Cyber Command, but that the Pentagon had only half of the required staff. By 2018, the command will grow to 6,200 personnel, including forces from the Reserves and National Guard (2015). Admiral Michael Rogers, commander of Cyber Command, said in his statement to the House Committee in March 2015 that approximately 1,100 people serve at Cyber Command (2015).
From mainframes to smart phones, the DoD IT budget increased to $36 billion in fiscal
year 2015, and will continue to stay close to that figure into fiscal year 2020, see Figure 1 below
(Sternstein, 2015). Aliya Sternstein, cybersecurity reporter for DefenseOne, concluded that only
$546 million is dedicated to the United States Cyber Command and that funding will decline by
approximately $100 million in fiscal year 2016 (2015).
Figure 1. Defense Department IT Budget FY 14 to FY 20 (Sternstein, 2015, “The Cyber Command line,” para. 5)
In 1971, Intel launched the world's first microprocessor. According to Moore's Law, the number of transistors on a microprocessor doubles approximately every two years. Computers are significantly more powerful in 2015 than in the 1970s. The microprocessor can multitask, execute larger requests, and is mobile because of a significant decrease in size (Intel, 2012). In 2015, powerful microprocessors in smart phones operate in the palm of a hand, compared to the huge computer rooms that once housed mainframes. United States military operations rely on seven million IT devices throughout 15,000 networks across the globe (DoD, 2011). According to Michael Morgan, a graduate student at the National Defense University, Adolf Hitler commanded over 7 million members and 300 divisions during World War II (2002). Carl von Clausewitz warned about span of control, which all commanders must maintain to meet political objectives (Morgan, 2002).
Bob Butler and Jim Gosler, writers for War on the Rocks, discussed the United States
military dependence since the end of the Vietnam War on IT-based strategies on the battlefield,
from supplying troops to guiding a bomb to a precise target. The millions of IT devices, and the
multiple networks connecting to the DoDIN and the World Wide Web, present a large target for
adversaries to disrupt, deny, or destroy information systems (Butler & Gosler, 2015).
9
In 1983, Fred Cohen, a University of Southern California graduate student, defined the term computer virus: a computer program capable of reproducing itself and causing harm to files or programs (Bassham & Polk, 1994). National Institute of Standards and Technology (NIST) computer scientists Lawrence Bassham and Timothy Polk list Elk Cloner, introduced to Apple II users in 1981, as the first computer virus and the first type of malicious code (1994). In 2015, computer users face more than just a computer virus. There is a plethora of malicious code used to infect or disrupt information systems. The payloads embedded in malicious programs are more complex and harder to detect. In 2010, Symantec software engineers Nicolas Falliere, Liam Murchu, and Eric Chien released a dossier on the first computer threat used as a cyber-weapon, the Stuxnet worm (2011). The worm exploited four previously unknown (zero-day) vulnerabilities, signed its drivers with stolen digital certificates, and injected hidden code into the industrial control system, which caused serious damage to the Iranian nuclear program (Falliere, Murchu, & Chien, 2011). In a trusted network environment such as the DoDIN, the weakest link is an IT vulnerability, and that vulnerability is a shared risk to all DoDIN systems (National Institute of Standards and Technology [NIST], 2012). The United States military's reliance on IT and the size of DoD's IT footprint around the globe make an attractive target for adversaries to attack with malicious code (DoD, 2011).
DoD Information Security Standards
DITSCAP was the first program to implement a C&A process to evaluate a system before
it was operational and connected to a DoD network. The designated approving authority (DAA),
also known as the accreditor, was a senior operational commander with the authority and ability
to evaluate the system operations in view of the security risks (DoD, 1997). In 2007, DISA
transitioned to the DIACAP to comply with the Federal Information Security Management Act
(FISMA). Each service rolled up the certification and authorization process to the general officer
level to standardize the certification and accreditation process (DoD, 2007). DoD started
transitioning to RMF in 2014 to align with commercially accepted standards to make it easier for
defense contractors to meet information security requirements (DoD, 2014).
DITSCAP. The DoD's goal for DITSCAP was to implement policy, assign responsibilities, and prescribe procedures for C&A of all IT systems in DoD. The process stressed the importance of a life-cycle management approach to C&A and established a DoD standard infrastructure-centric approach to protect and secure the global information grid (GIG) (DoD, 1997). There are four phases to DITSCAP: Definition, Verification, Validation, and Post Accreditation, see Figure 2 below. Phase 1 documents the system mission, environment, architecture, and threats. The result of this phase is a documented agreement among all parties involved in the process on the security requirements for the system. Phase 2 includes activities to verify compliance with the documented agreement from Phase 1 and to evaluate vulnerabilities. Phase 3 evaluates the system to validate that it operates with an acceptable level of risk; completion of Phase 3 results in an ATO and connection to the DoD network. Phase 4 includes activities to monitor system management and operation to ensure an acceptable level of risk through security management, change management, and periodic compliance reviews (DoD, 1997).
Figure 2. DITSCAP Phases (DoD, 1997, p. 17, para. 1)
FISMA. President George W. Bush signed FISMA in 2002, establishing security and annual reporting requirements for United States government IT systems. FISMA is a risk-based policy for cost-effective security and is the overarching guidance for maintaining IT systems. The act mandates the C&A of IT systems, annual tests of security controls, annual tests of continuity of operations, and annual cybersecurity awareness training for all personnel. All federal agencies and DoD report metrics to the Office of Management and Budget (OMB) to measure compliance with the act at the end of the fiscal year (Office of Management and Budget [OMB], 2015).
DIACAP. In 2007, DISA updated DITSCAP to DIACAP to meet new FISMA security requirements and to protect the GIG. Each service had provided network services at the lowest level, normally at the installation. For fiscal reasons, the services started regionalizing assets for network-centric operations and to meet joint interoperability requirements. DISA, rather than a DoD component, controls the C&A process, sets the standards for an ATO, and determines whether the system can operate. The designated approving authority moved from the local installation to a senior regional commander. As shown in Figure 3, DIACAP consists of five phases: Initiate and Plan IA C&A; Implement and Validate Assigned IA Controls; Make Certification Determination and Accreditation Decision; Maintain Authorization to Operate and Conduct Reviews; and Decommission (DoD, 2007).
In Phase 1, the system owner registers the system with the DoD component IA program, assigns IA controls, assembles a DIACAP team, and initiates a DIACAP implementation plan (DIP). In Phase 2, the DIACAP team executes the DIP, conducts validation activities, prepares a plan of action and milestones (POA&M), and compiles the validation results. In Phase 3, the DAA reviews all artifacts from Phases 1 and 2 to make a certification determination and issues an ATO if the system operates at an acceptable level of risk. In Phase 4, the DIACAP team maintains situational awareness, maintains the IA posture of the system, conducts periodic reviews for compliance, and initiates re-accreditation packages before the ATO expires or when significant changes to the system introduce new risk. In the last phase, the DIACAP team submits the required artifacts to the DAA to retire the system (DoD, 2007).
Figure 3. DIACAP Phases (DoD, 2007, p. 13, para. 1)
RMF. In March 2014, DoD released an instruction on the Risk Management Framework (RMF) for DoD Information Technology. The RMF replaces DIACAP and incorporates NIST standards to align DoD and federal agencies under the same policy and guidance. The RMF's low, moderate, and high impact values replace DIACAP's mission assurance category (MAC) levels I, II, and III; under DIACAP, the mission and the type of information the system processes determined the MAC level (DoD, 2014).
The DoD can reduce the amount of time to deliver a system to the warfighter by leveraging reciprocity. The DoD defines reciprocity as a "mutual agreement among participating enterprises to accept each other's security assessments in order to reuse IS resources and/or accept each other's assessed security posture in order to share information" (2009, p. 1, para. 3). According to Jeremy Galliani, systems engineer for Degue Technologies, completing the DIACAP takes around six months on average (2010). For the C&A process, DoD components and the federal government can share ATOs under reciprocity. If an organization has an ATO, other organizations can reuse the artifacts in the C&A repository without duplicating the work. System administrators still have to provide current Security Content Automation Protocol (SCAP) and Assured Compliance Assessment Solution (ACAS) scans to verify that the system meets its security controls. Reciprocity can also save money, time, and labor for the DoD and the federal government (DoD, 2014).
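The SCAP scans mentioned above are delivered as XCCDF result files, and an assessor reviewing a reciprocity package needs the failed rules grouped by DISA category (CAT I, II, III) rather than raw XML. The following is an added example for this discussion, not code from the capstone, DISA, or DoD: it parses a constructed XCCDF TestResult (the rule identifiers and host name are placeholders, not real STIG rules), counts pass/fail results, lists the open findings with their CAT level, and flags open CAT I findings. Treating an open CAT I as a blocker is an assumed policy for illustration; the real gate is the authorizing official's decision.

```python
"""Summarize an XCCDF (SCAP) scan result for an authorization package.

Added example; not DISA, DoD, or the capstone author's code. SCAP
scanners and DISA STIG benchmarks emit results in the XCCDF TestResult
format. The sample document below is constructed for this example, and
its rule identifiers and target are placeholders, not real STIG rules.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# DISA STIG categories as they map to XCCDF severity values.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample result (assumption: placeholder rule ids and target).
SAMPLE_RESULTS = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_1"
            start-time="2015-08-01T00:00:00" end-time="2015-08-01T00:05:00">
  <target>example-host</target>
  <rule-result idref="xccdf_example_rule_1" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_2" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_3" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_4" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_5" severity="high">
    <result>pass</result>
  </rule-result>
</TestResult>
"""


def _tag(name):
    """Fully qualified XCCDF element name for ElementTree lookups."""
    return "{%s}%s" % (XCCDF_NS, name)


def summarize_xccdf(xml_text):
    """Reduce XCCDF rule-result elements to a pass/fail posture.

    Returns a dict with the scan target, counts of pass/fail/other
    results, the open (failed) findings with their CAT level, and the
    number of open findings per CAT.
    """
    root = ET.fromstring(xml_text)
    target_el = next(root.iter(_tag("target")), None)
    summary = {
        "target": target_el.text.strip() if target_el is not None else "",
        "pass": 0,
        "fail": 0,
        "other": 0,  # notapplicable, notchecked, error, unknown, ...
        "open_findings": [],
        "open_by_cat": {cat: 0 for cat in SEVERITY_TO_CAT.values()},
    }
    # iter() walks every depth, so this also works when the root is a
    # Benchmark element that wraps the TestResult.
    for rr in root.iter(_tag("rule-result")):
        result = (rr.findtext(_tag("result")) or "").strip()
        if result == "pass":
            summary["pass"] += 1
        elif result == "fail":
            summary["fail"] += 1
            severity = (rr.get("severity") or "").lower()
            cat = SEVERITY_TO_CAT.get(severity, "uncategorized")
            summary["open_findings"].append(
                {"rule": rr.get("idref"), "severity": severity, "cat": cat})
            summary["open_by_cat"][cat] = summary["open_by_cat"].get(cat, 0) + 1
        else:
            summary["other"] += 1
    return summary


def has_open_cat_one(summary):
    """True if any open finding is CAT I.

    Assumption for this example: an open CAT I finding blocks acceptance
    until it is fixed or formally mitigated. The actual gate is the
    authorizing official's decision, not a fixed rule.
    """
    return summary["open_by_cat"].get("CAT I", 0) > 0


if __name__ == "__main__":
    s = summarize_xccdf(SAMPLE_RESULTS)
    print("target:", s["target"])
    print("pass/fail/other:", s["pass"], s["fail"], s["other"])
    for f in s["open_findings"]:
        print("OPEN", f["cat"], f["rule"])
    print("blocks acceptance:", has_open_cat_one(s))
```

Run against a real scanner export, the same function works unchanged because it walks every rule-result element regardless of whether the root is a TestResult or a Benchmark that embeds one; only the CAT I gate and the severity mapping are local policy that an assessor would adjust.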
Deploying systems with valid authorizations from a DoD organization or other federal
agency under reciprocity must meet certain requirements before connecting the system to the
DoDIN. The C&A team for the system must coordinate with the approving organization and
complete required assessments and analysis. The organization that approved the system must
provide a complete security authorization package to the C&A team to determine the security
impact of the system. The C&A team will evaluate the risk of the system and document an
agreement with the approving organization if the risk is acceptable. If the risk is unacceptable,
the receiving organization can refuse deployment of the system. DISA recommends resolving any disputes over fielding the system at the lowest level possible (DoD, 2014).
The DoD and the federal government can use the DISA approved products list (APL) and
the RMF, which aligns with the acquisition process, as best practices for reciprocity. The DISA
maintains the APL as a single DoD consolidated list of products
that meet joint interoperability standards and information assurance certification. The DoD can
make purchases and operate the systems from the APL on the DoDIN without testing and
evaluation (Defense Information Systems Agency [DISA], n.d.). The APL is the only listing of
equipment by DoD to be fielded in DoD networks without having to go through DIACAP or
RMF for an ATO. DISA recommends using the APL prior to purchasing a system or product. If
the APL does not meet an organization’s needs, the organization must follow the DIACAP or the
RMF for an ATO before connecting to the DoDIN (DISA, n.d.).
The Joint Interoperability Test Command (JITC) field element provides DoD test
services to meet the DIACAP and the RMF security requirements through three unique roles:
joint interoperability certifier, operational test center, and warfighter and coalition
interoperability support (DISA, n.d.). The JITC is the only agency that certifies a system meets
joint interoperability requirements for the warfighter. As an operational test agency, JITC
evaluates a system to determine the operational impact of the system on mission accomplishment
(DISA, n.d.). The JITC also works closely with the warfighter during exercises and contingency
operations to provide coalition interoperability support. The JITC evaluates systems for
vulnerabilities and provides solutions to mitigate the risk (DISA, n.d.).
The RMF is designed to align with the DoD’s acquisition management system activities.
Security should be embedded as early as possible in the DoD acquisition process to decrease cost
and develop a secure system. All DoD components should apply the RMF to meet C&A
requirements in all DoD IT purchases. Aligning the RMF and the acquisition process will allow
system owners and the C&A team to mitigate threats during the development cycle. The synergy
gained will improve the security posture of the system during testing and evaluation. Figure 4
illustrates the alignment of RMF steps to the acquisition life cycle (DoD, 2014).
Navy financial management analysts Amira Tann and Danny Chae discuss the benefits
of applying the RMF during the acquisition process (2015). The system owner meets security
controls for the RMF and ensures systems meet financial audit readiness standards under a single
framework. Audits for cybersecurity and financial requirements will ensure system owners meet
the confidentiality, availability, and integrity requirements for data in one process (Tann & Chae,
2015).
Figure 4. RMF and Acquisition System Activities (DoD, 2014, p. 39, para. 1)
The DoD can manage risk at acceptable levels with the information security tools
described in the vulnerability management section. System administrators can scan and patch
known vulnerabilities and report the results as required by the RMF (DoD, 2014). Maintaining
the systems with the RMF will also provide information to OMB for the annual FISMA report
(OMB, 2014). Networked systems that use CMRS will not have to submit for a new ATO after
three years if the system administrators maintain the system at an acceptable level of risk for the
DA, saving system owners’ time and labor on reaccreditation (DoD, 2014).
The RMF has six steps: Categorize, Select, Implement, Assess, Authorize,
and Monitor. Figure 5 shows the steps and the activities within each step. In the first step the
system owner and information security officer analyze the information system and the data the
system processes, stores, and transmits to determine the category. The C&A team selects security
controls in step two for the information system based on the system category. The third step
implements the selected security controls to prepare for assessment. The C&A team scans and
tests the information system to ensure security control implementation. The approving official
reviews the artifacts and the results from security testing to determine if the risk is acceptable for
authorization. In the last step, the C&A team monitors the health of the system by scanning for
vulnerabilities and reviewing security guidelines. Vulnerability management is a critical part of
monitoring security controls and maintaining an authorization to operate (NIST, 2014).
Figure 5. RMF Process (DoD, 2014, p. 28, para. 1).
Vulnerability management. “Vulnerability management is the cyclical practice of
identifying, classifying, remediating, and mitigating vulnerabilities” (Foreman, 2009,
“Introduction to Vulnerability Management,” para. 1). In Park Foreman’s book, Vulnerability
Management, he discusses how vital vulnerability management is to harden defenses and
identify weaknesses to systems, processes, and strategies in all organizations. System
administrators cannot eliminate all risk with a vulnerability management system, but
administrators can reduce or mitigate risk to make it harder for an adversary to exploit a system
(Foreman, 2009). After weak and stolen credentials, the second most common cause of a data
breach is the lack of a good vulnerability management system. Application vulnerabilities
accounted for 44% of the cyber incidents investigated by Verizon in 2012 (DARK Reading,
2013).
The DISA publishes security technical implementation guides (STIGs) and Information
Assurance Vulnerability Management (IAVM) patches as part of DoD’s vulnerability
management system. The STIGs and IAVM patches notify system owners and IT professionals
of known vulnerabilities with corrective actions to mitigate the risk. The DISA and Cyber
Command work together to provide fix actions to known vulnerabilities to DoD IT managers to
maintain an authorization to operate. DoD uses the following tools to meet the FISMA and
Cyber Command IAVM policies: STIGs, Gold Disk, Security Content Automation Protocol
(SCAP), IAVM, Retina, Assured Compliance Assessment Solution (ACAS), Vulnerability
Remediation Asset Manager (VRAM), Vulnerability Management System (VMS), and the
Enterprise Mission Assurance Support Service (eMASS). The main difference between a STIG
and an IAVM patch is that a STIG modifies system configuration settings, while IAVM patches fix
known operating system and application vulnerabilities (DISA, 2015).
Security Technical Implementation Guides (STIGs). STIGs are the configuration standards
for all DoD IT devices. Since 1998, DISA has provided STIGs to improve the security posture of
DoD networks and devices. The STIGs contain technical guidance to prevent adversaries from
attacking known vulnerabilities in operating system, network device, and application
configurations (DISA, 2015).
In 2015, DISA has over 400 STIGs to configure operating systems, network devices, and
applications. The STIG automated tools DISA recommends are Gold Disk and SCAP.
Automating STIG compliance reduces the amount of work and time required for manual checks
and provides a view of IT system compliance (Byrne, 2015). DISA published STIG content in
PDF documents and XML files. XML files replaced PDF documents to easily populate a
spreadsheet or database with STIG content. STIGs are available as a downloadable ZIP file on
the DISA website. DISA STIGs and validation tools are available at https://iase.disa.mil (Farrish,
n.d.).
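The XML form of a STIG is what makes the spreadsheet or database population described above practical. As an added example (not DISA code and not from the paper), the following Python flattens an XCCDF benchmark into one record per rule; the benchmark it parses is a constructed sample with placeholder ids, not a DISA release, and the severity-to-category mapping follows DISA's CAT I/II/III convention.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample benchmark for illustration only (not a DISA release):
# group ids, rule ids, STIG ids and rule text are placeholders.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE-WORKSTATION-STIG">
  <title>Example Workstation STIG (constructed sample)</title>
  <Group id="V-000001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EX-00-000001</version>
      <title>Accounts must lock after three invalid logon attempts.</title>
      <check system="C-1">
        <check-content>Verify the account lockout threshold is 3 or fewer.</check-content>
      </check>
      <fixtext fixref="F-1">Set the account lockout threshold to 3.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EX-00-000002</version>
      <title>Audit logs must be retained for at least one year.</title>
      <check system="C-2">
        <check-content>Verify the log retention setting is 365 days or more.</check-content>
      </check>
      <fixtext fixref="F-2">Set the log retention period to 365 days.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000003">
    <title>SRG-OS-000003</title>
    <Rule id="SV-000003r1_rule" weight="10.0">
      <version>EX-00-000003</version>
      <title>A logon banner must be displayed before authentication.</title>
      <check system="C-3">
        <check-content>Verify the logon banner text is configured.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

# DISA labels XCCDF severities as STIG categories CAT I, II and III; a rule
# without a recognised severity is flagged for manual review instead.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

FIELDS = ["benchmark", "group_id", "rule_id", "stig_id", "severity",
          "category", "title", "check", "fix"]


def _text(element):
    """Stripped text of an element, or '' when the element is absent."""
    return (element.text or "").strip() if element is not None else ""


def parse_stig(xml_text):
    """Flatten an XCCDF benchmark into one dict per Rule.

    The namespace is taken from the root element, so XCCDF 1.1 and 1.2
    benchmarks both parse; a document whose root is not Benchmark is rejected.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    t = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)
    if root.tag != t("Benchmark"):
        raise ValueError("not an XCCDF Benchmark document")
    records = []
    for group in root.iter(t("Group")):          # iter() also covers nested groups
        for rule in group.findall(t("Rule")):
            severity = rule.get("severity", "").strip().lower()
            records.append({
                "benchmark": root.get("id", ""),
                "group_id": group.get("id", ""),
                "rule_id": rule.get("id", ""),
                "stig_id": _text(rule.find(t("version"))),
                "severity": severity or "unspecified",
                "category": SEVERITY_TO_CAT.get(severity, "REVIEW"),
                "title": _text(rule.find(t("title"))),
                "check": _text(rule.find(f"{t('check')}/{t('check-content')}")),
                "fix": _text(rule.find(t("fixtext"))),
            })
    return records


def category_summary(records):
    """Count rules per STIG category, as a compliance dashboard would."""
    return Counter(r["category"] for r in records)


def rules_without_fix(records):
    """Rule ids that carry no fixtext and therefore need a manual remediation plan."""
    return [r["rule_id"] for r in records if not r["fix"]]


def to_csv(records):
    """Render the records as CSV text that a spreadsheet or database can import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_stig(SAMPLE_XCCDF)
    print(dict(category_summary(recs)), rules_without_fix(recs))
    print(to_csv(recs))
```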
Gold Disk. Gold Disk was the method of choice for DoD compliance validation for
Windows systems. Gold Disk contains a powerful scan engine with recommended settings for
Windows devices and a reporting mechanism for C&A documentation review (Farrish, n.d.).
Gold Disk is a system administrator tool that scans a system for vulnerabilities and automates the
system configuration to meet DISA STIGs. The system administrator manually runs a scan on
each individual system with a disk. The DISA Gold Disk project terminated in December 2012.
The last updated version of the tool was released in October 2012, when DoD transitioned to
assessing STIG compliance with the SCAP (DISA, 2012).
Security Content Automation Protocol (SCAP). The SCAP is a collection of best
practices from the security automation community for compliance standards, remediation
actions, and network monitoring (NIST, 2014). The SCAP tool scans Unix and Windows
information systems and provides a vulnerability report with suggested mitigation actions to the
system administrator. The report lists vulnerabilities of the operating system and application
configurations. The system administrator mitigates the vulnerabilities by changing settings in the
registry or computer security policies. The SCAP report is an artifact required in the C&A
documentation for the validator overseeing the authorization of a system. The current list of
SCAP content and tools is located on the DISA website (DISA, n.d.).
Information Assurance Vulnerability Management (IAVM) patches. Cyber Command
reviews the patches and fix actions published by vendors for DoD and issues an information
assurance vulnerability alert (IAVA) or an information assurance vulnerability bulletin (IAVB).
An IAVA addresses severe network vulnerabilities resulting in immediate and potentially severe
threats to information systems. IAVAs are high priority due to the severity of the vulnerability
risk and normally have a suspense (due date) of two weeks. An IAVB addresses new vulnerabilities that do
not pose an immediate risk to information systems. IAVBs are significant enough that
noncompliance could escalate the risk, and the bulletin is normally due a month from
notification. Organizational information systems security officers (ISSOs) are responsible for
monitoring IAVM notifications and must acknowledge receipt or select not applicable when the
alert or bulletin posts in the VRAM or the VMS. ISSOs notify the system administrator to
implement applicable alerts and bulletins for the system. The system administrator tests the
corrective action before implementing to all systems. After all alerts and bulletins are complete,
the system administrator uses ACAS to verify the patches, and the ISSO updates VRAM or VMS
notifying the DoD component and Cyber Command of completion (Department of Navy, 2005).
Retina. Oliver Kaven, an editor for PC Magazine, stated, “the scanner module is one of
the best we have seen, in terms of both speed and accuracy” (Kaven, 2003, “The scanner module
is,” para. 6). eEye Digital Security’s Retina Network Security Scanner is available for Unix and
Windows platforms to check compliance for software, patches, and registry entries (Kaven,
2003). Retina had been DISA’s network security scanner of choice to analyze information systems for
IA compliance since 2004 (Vigil, 2009). Cyber Command issued a task order to install ACAS
for IAVM in fiscal year 2013 (DISA, n.d.).
Assured Compliance Assessment Solution (ACAS). The ACAS is an integrated software
solution that replaced the Retina Network Security Scanner. ACAS is scalable to any network,
including a network centric environment reaching out to other locations. There are five
components to ACAS: the security center, Nessus, the X-tool, the 3D tool, and the passive vulnerability
scanner (PVS). The security center automates and quickly scales the vulnerability and compliance
assessment infrastructure. The security center also produces required monthly reports from scans and
assessments. Nessus is the scanning tool that runs the vulnerability plugins selected by the
system administrator. The scanning tool can operate in Windows and Unix environments. The
X-tool allows the user to convert reports into different formats and is easy to customize to meet
DoD reporting requirements. The 3D tool builds network, protocol, communications path, and
vulnerability maps based on the Nessus scans. PVS continuously monitors network
traffic and sends alerts to the security center when it finds vulnerabilities. PVS also looks for new
systems and applications and alerts the security center if they are not compliant (DISA,
n.d.).
Vulnerability Remediation Asset Manager (VRAM). SPAWAR developed VRAM, a web
portal, to assist the Navy fleet with IAVM. An information security team evaluates
IAV compliance, password policy, and various security checks on a ship’s systems. System
administrators upload the results to VRAM for evaluation. Each ship must complete a baseline
assessment every 24 months or within 60 days following a systems upgrade or major
configuration change to the network. System administrators scan and patch systems monthly to
ensure all IA vulnerability actions are complete in accordance with Cyber Command alerts and
bulletins (Vigil, 2009). For shore-based systems, the approved repository is the DISA
Vulnerability Management System (VMS) (Department of the Navy, 2013).
Vulnerability Management System (VMS). VMS is the current standard for DoD IT
systems to upload completed scans to identify security vulnerabilities and track known issues
through the lifecycle of the system. The C&A team monitors VMS to ensure the system operates
under an acceptable risk level. If the system administrator cannot apply a patch to the
vulnerability, the system administrator documents the risk in the C&A artifacts for the DAA’s
situational awareness. If the C&A team determines the risk is unacceptable, the DAA could issue
an order to disconnect the system. The C&A team also uses VMS in the C&A process to
evaluate the system for an ATO (Mell & Inverso, 2008).
Continuous Monitoring and Risk Scoring (CMRS). CMRS is a web-based system that
provides DoD security compliance reports for software inventory, antivirus configuration,
STIGs, and IAVM. The CMRS risk dashboard receives data from the ACAS and host based
security systems (HBSS). The CMRS dashboard also provides an automated tool to publish
required FISMA reports (DISA, n.d.). The FISMA requires a continuous monitoring tool to
evaluate and report the health of the DoDIN. Cybersecurity professionals can monitor DoD
assets and notify decision makers if an asset is operating at an unacceptable
risk level (FISMA, 2002).
Enterprise Mission Assurance Support Service (eMASS). eMASS is a government-
owned, commercial off-the-shelf based solution that automates life cycle risk management for an
information system. eMASS is the DoD recommended tool and repository for C&A artifacts for
all information systems. eMASS automates the C&A process from registering a system to
decommissioning at the end of the life cycle (DISA, n.d.). The C&A team uploads all required
artifacts in accordance with the DIACAP or the RMF. Information security professionals manage
security controls based on the information sensitivity level and mission impact of the system.
eMASS manages workflow among user roles by notifying the next individual in the process that
action is required on a specific item. eMASS also generates a variety of reports required by the
DIACAP, the RMF and FISMA to accredit a system and maintain an authority to operate (DISA,
n.d.).
DIACAP vs. RMF. Ben Tchoubineh, CEO for Phoenix TS Information Technology,
highlights the 10 major improvements moving from DIACAP to RMF: certification and
accreditation (C&A) to assess and authorize (A&A), new roles in the A&A process, stronger
integration with system development life cycle (SDLC), renewed focus on reciprocity,
continuous FISMA reporting, common lexicon, improved system categorization, one standard
process, continuous monitoring and authorization, and a standard control set (2013). The new
nomenclature for an ATO under RMF aligns with the actual role of the approving official. The
approving official authorizes a system and does not accredit the system. The validator assesses
the risk and the approving official authorizes the operation of the system. The new roles in the
RMF align with a NIST publication to transition DoD and the federal government to the same
standards (Tchoubineh, 2013).
RMF also integrates security into the development of the system so that it is not an
afterthought. Stronger integration strengthens security when the system owner builds security
in the system development life cycle (Tchoubineh, 2013). The RMF also renews the focus on
reciprocity. As covered earlier, reciprocity can save time, money and labor by using existing
documentation for systems that already hold an ATO under the same security standards. All federal agencies
and DoD can utilize this information to field a system or application quicker. ACAS and CMRS
will allow continuous monitoring and authorization to meet FISMA standards (Tchoubineh,
2013). If system administrators maintain the health of a system, there is no need to reaccredit the
system under the RMF. The authorization will continue until the health of the system is not
sustainable because it reaches the end of the SDLC, or if the system operates at an unacceptable risk
level. RMF uses NIST security control standards for the federal government and DoD. The DoD
published a conversion chart to match the DIACAP security controls to the RMF security
controls (Tchoubineh, 2013).
Glen Taylor is the Vice President of Technology, Architecture and Security, Parks and
Resorts for the Walt Disney Company (2010). Taylor championed the adoption of ITIL for the
company to integrate service management with ITIL best practices (Taylor, 2010). “It means we
have to ensure that widespread change does not result in incidents; that we are sure-footed and
confident with our release management and new capabilities” (Taylor, 2010, “Disney’s ITIL
Journey,” para. 3). Employee buy-in to the process is essential in meeting the organization’s
strategy and goals (Taylor, 2010).
All government personnel are required to complete initial and annual cyber awareness
training to meet FISMA requirements (2002). The DoD and the federal government can secure
the network with every best practice and all known patches but will still come up short if users
neglect to follow instructions and learn from training. John McAfee declares antivirus software
dead because vendors can provide software for protection but cannot stop users from
clicking on malicious links or inserting an unknown thumb drive (2015). Social engineering is
75% of a hacker’s toolkit (McAfee, 2015).
Discussion of Findings
The purpose of this research was to evaluate the certification and accreditation process
for the Department of Defense (DoD) to determine if it is adequately identifying system
vulnerabilities to meet military information technology (IT) requirements. The three main
questions asked were: How could the implementation of RMF reduce the amount of time to
deliver a system to the warfighter? What best practices can DoD and the government rely upon
to implement reciprocity? How can DoD ensure the RMF will manage risk at acceptable levels
to meet mission requirements?
The research found no white papers or previously published research papers on the RMF
to answer the research questions. The analyst reviewed government directives and articles from
professional analysts in IT, business, crime, and finance. The DISA plans on full implementation
of the RMF in 2017. The RMF needs further research after full implementation to evaluate how
DoD implements reciprocity and if aligning the RMF with IT industry best practices reduces the
time to provide the warfighter an information system with acceptable risk. There are studies on
the DITSCAP and DIACAP but with the changes to industry best practices, it is not practical to
make comparisons to the RMF at this stage.
The DoD transitioned to the RMF in 2014. The RMF is a new process and Farrish is
correct – it will take time for all participants in the SDLC to learn. Evaluating the transition
period for the time it takes to deliver a system to the warfighter is not obtainable at this time.
According to Galliani the average time to complete the DIACAP can take around 6 months.
Personal experience and knowledge indicates the DIACAP can take 6 to 18 months depending on
the complexity of the system.
System owners and IT supporting staff need time to become familiar with the RMF
documentation available through NIST. All personnel need time to understand the organizational
impact on roles and responsibilities. However, if the DoD can find a way to leverage reciprocity
quickly, the RMF process can save time, money, and labor. One recommendation is creating a
web-based tool, similar to the DISA APL, that potential system owners can search to find
approved DoD and federal products that will meet mission requirements and DoD security
standards (DISA, n.d.).
The DISA APL is a great example of how this can improve the time of deploying a
system with an existing ATO. The DoD components can share documentation for testing and
evaluation and reduce time and labor considerably to the receiving unit. The C&A team can take
the ATO and apply the established security controls to the system. After all the controls are in
place, the system administrators can scan the system with SCAP and ACAS to provide their
respective AO the amount of risk the system poses to the mission. The easiest way for DoD and
the federal government to save money, time, and labor is to implement a tool to share all ATOs
in both organizations.
The DoD and federal government should use a website similar to the DISA APL as a best
practice for reciprocity. The DoD and federal government are wasting time, money, and labor
by not establishing a tool to share ATOs. In the analyst’s opinion, the DoD and federal
government should place the greatest emphasis on providing a tool for reciprocity under the new
RMF. With the number of systems both agencies rely on, this is the quickest solution to start
saving money and reducing time to a system owner that is trying to meet a mission requirement
for a commander. If an organization has an ATO, organizations can share the artifacts in the
C&A repository without duplicating the work. System administrators have to provide current
SCAP and ACAS scans to verify the system meets security controls. Reciprocity will save
money, time, and labor for the DoD and the federal government. The RMF incorporates NIST
standards that are industry best practices.
Attacking in the cyber domain is an inexpensive and efficient way for adversaries to
influence their political will on the United States. The DISA is on the third program to secure
information systems to ensure the confidentiality, integrity, and availability of military
information. The RMF makes significant progress by providing the same standards for DoD, the
federal government and civilian organizations. The RMF incorporates NIST standards that are
best practices throughout the IT industry. The analyst agrees with Tchoubineh on the 10 major
improvements moving from DIACAP to RMF to improve the certification and accreditation
process to meet FISMA reporting requirements. Aligning the RMF with NIST standards and
providing one process for all government agencies is a significant move to streamline
information security standards in all organizations. If DoD and the federal government follow the
RMF directives, information system security will improve on the DoDIN.
The DoD spent approximately 36 billion dollars on IT in fiscal year 2015. As Sternstein
reported, only half a billion of that was allocated to manage the security of 7 million IT devices with
a cyber force that is growing to 6,200 personnel. The funding and labor seems inadequate for
6,200 personnel to manage 7 million devices across the globe. Rogers said in his statement to the
House Committee in March 2015, that there are approximately 1,100 people serving at Cyber
Command. According to those numbers, Cyber Command is less than 20 percent manned.
Additionally, the size of the DoDIN with 15,000 networks makes it a challenge to enforce
standards. The span of control is significantly large, even with allowing each DoD component to
have an approving official (AO), formerly known as the DAA. As Morgan reminded readers, Adolph
Hitler commanded over 7 million members and 300 divisions during World War II. From an
organizational perspective, maintaining orders to his tactical commanders was a difficult
task.
The DISA has a similar issue with enforcing information security standards to the lowest
ranks of the military. There is a huge gap between the strategic and tactical commanders.
Tactical commanders are busy with daily tasks to meet mission requirements. Strategic leaders
have the luxury of looking ahead and creating policy to steer units in the right direction. The
strategic commanders are not at the lowest level to understand the labor and fiscal constraints to
support a bureaucratic system with vulnerability scans and a plethora of information on a system
configuration without trained personnel in the system development life cycle. The tactical
commander’s main concern is completing the mission. Commanders at the tactical level have not
embraced the cyber domain to understand what effects it can have on completing a mission.
Rogers stated, “Cyber is now a central part of their ability to execute their mission. It is
commander’s business. A successful intrusion, or severance of connectivity, can result in a direct and
immediate impact to successful mission accomplishment” (2015, p. 5, para. 3). All military
personnel should understand the significance of the cyber domain, as it is the ultimate defensible
point and can cause direct effects to air, land, sea, and space.
Two recommendations address the large span of control. The first is implementing a program to
rank systems from the least to the highest amount of risk. The higher the risk a system presents,
the higher up the chain of command the approval to operate should be. Additionally, AOs should
consider the number of components using the same system during the ranking process. For
example, the system could represent a medium risk but due to the large footprint it presents on
the DoDIN, the system is a higher risk because there is a greater chance of adversaries attacking
the system. The second recommendation is to have lower echelons in the command approve low
risk systems, especially systems that do not connect to a network or Internet service provider.
These systems are isolated and the only real threat besides natural disasters is the insider threat.
The United States Air Force uses a module within the Theater Battle Management Core
System to prioritize target nominations from each DoD component. That module would make a
great model for prioritizing information systems in the RMF. An information system would
replace a target and DoD components would assign a risk value to the information system using
the RMF. As stated above in the discussion of findings, the upper echelons evaluate the higher
risk systems and lower echelons evaluate lower risk systems. Dividing the responsibility at
different levels spreads the workload to other agencies and reduces the span of control of all
systems under a few AOs. DoD components can use the module to champion a system and
spread the evaluation of systems throughout DoD. After the program matures, DoD can add the
federal government and further the synergy of evaluating systems which prevents duplication in
effort for approving a system. The ATOs evaluated by this system could be added to a website,
like the DISA APL, for the federal government and DoD to leverage reciprocity.
This research culminated in the development of a local policy based on the RMF and the
DIACAP for low risk systems. The policy formalizes IA controls for low risk systems that do not
connect to the DoDIN. The instruction covers systems that currently have no certification and
accreditation but are operational to meet a Navy mission requirement. The system owner,
installation information systems security officer, and installation IT director discuss the
feasibility of a system to enter the process versus the DIACAP. A program office must sponsor
the system to cover fiscal responsibility for the system development life cycle and the IT director
must agree to maintain the IA security controls. The information system cannot process
classified information, connect to a network, extend beyond the installation boundaries, or
process personally identifiable information. The regional IT director convenes a configuration
control board to approve the operation of the information system under local policy. System
owners use the region SharePoint site to input system information and monitor the IA posture to
meet federal and DoD directives. Appendix 1 is a draft copy of the policy and the security
control checklist for the instruction is Appendix 2. The security control checklist includes the
DISA STIGs and the DIACAP security controls for Microsoft Windows 7 Enterprise edition.
The DoD can ensure the RMF will manage risk at acceptable levels to meet mission
requirements by following the new DoD instruction on the RMF and industry best practices
incorporated into NIST special publications. Additionally, C&A teams using the vulnerability
tools recommended by DISA will ensure an information system is meeting information security
standards in accordance with the RMF. However, the biggest concern discovered during research
is the lack of training in several areas.
One of the areas is training on the vulnerability tools recommended by DISA. In the past
decade, government organizations implemented computer based training from the user level all
the way to the AO. Computer based training is a great tool for individuals to gain basic
knowledge of a tool, but personnel need more training on the job or in a classroom to apply the
skills in the work center.
The ACAS is a good example of 32 hours of computer based training that meets
knowledge level requirements but is insufficient when it comes to training key personnel on how to
use the system. The ACAS product suite does not easily provide the required automated network
vulnerability scanning, configuration assessment, application vulnerability scanning, device
configuration assessment, and network discovery it needs. The ACAS suite is a very difficult
system to work with compared to Retina. Additionally, as most products today, the ACAS is
focused on networks and does not account for standalone systems.
The greatest challenge in implementing the RMF is training all stakeholders in the
process. All personnel involved in the process need training on the overview of the RMF and
individual responsibilities based on the role they play in the process. The DoD implemented the
RMF instruction in 2014. The RMF instruction is only a year old and it will take time for the
stakeholders to understand the new process and learn their new role (Farrish, 2012).
Management support and proper funding for training will help DoD personnel in the SDLC buy
in to the new RMF process (Farrish, 2012). A great example DoD can use as a model is the Walt
Disney implementation of ITIL case study.
Taylor championed the adoption of ITIL for Walt Disney to integrate service
management with ITIL best practices (Taylor, 2010). DoD and the federal government should
review Disney’s ITIL Journey as an example for implementing the RMF and gaining employee
support for the new process. Employee buy-in to the process is essential in meeting the
requirements of the information security directives to secure the DoDIN.
The DoD Directive 8570.01-M outlines the requirements for the cybersecurity
workforce. The directive establishes the minimum requirements for IA technical and management
levels (DoD, 2012). However, the directive should require IA personnel to complete job
qualification standards based on their technical or management level. The job qualification
standards should list objectives and the level of skill required as knowledge, comprehension, and
application of each task. A certificate proves an individual has knowledge of the principles of
the subject. A job qualification standard will ensure IA personnel know how to apply the
principles and will give managers the information they need to recommend personnel for a
promotion to the next level in the IA field. IA management can use the job qualification standard
to certify personnel on the vulnerability management tools recommended by the DISA.
Additionally, current security governance should be included at each level with the same criteria
of knowledge, comprehension, and application. A job qualification standard with a certification
will improve the CSWF and the security posture of the DoDIN.
Future Research Recommendations
Cleaner Code
Hautala (2015) stated that approximately 80 to 90 percent of the code in software applications comes from
third parties. Poor code is reused and passed on to new programs, which compounds
the problem across applications. How can the DoD and federal government ensure vendors
are not passing this poor code to the DoDIN and federal networks? What incentives can the
government provide to vendors for software assurance? A recommended starting point is
researching the companies Veracode and Sonatype. Sonatype reviewed the third-party code in the
Healthcare.gov website and found that the software contained vulnerabilities. Bill H.R. 5793
proposed a fix for third-party software sold to the government but never made it to a vote.
Improved Cyber Awareness Training
DoD and government personnel are always a target for cyber threats. Computer
users receive only two hours of computer-based training annually to meet FISMA requirements.
In contrast, chemical warfare, a much less likely threat, requires military personnel to
spend up to 80 hours a year training for a danger the
United States has not seen since World War II. How can the DoD and federal government
improve cyber awareness training for users? How can the DoD and federal government prepare
for an EMP type of event that takes out all IT devices?
The Human Element
The DoD and the federal government can secure the network with every best practice and
all known patches but will still come up short if users are not trained or do not pay attention to
cyber awareness training. John McAfee (2015) stated that 75% of a hacker’s toolkit is social engineering.
Antivirus can only protect computer users from known vulnerabilities, and only if computer
users avoid malicious websites and attachments from unknown sources. Government computer
users receive annual cyber awareness training on authorized usage of the government network,
and users still fail to comply with the rules. Information systems security personnel
handle cyber incidents daily for government personnel plugging in unauthorized USB devices.
How can the DoD and the federal government protect the DoDIN from the human element?
Conclusion
How safe are the DoDIN and the specialized systems and applications developed for the
warfighter? Cybersecurity incidents are steadily on the rise, and the World Wide Web has
opened a new target vector for terrorists, hacktivists, and state-sponsored actors. The Federal
Information Security Management Act annual report listed over 640,000 cyber incidents for fiscal year
2014. The cost to the defense sector was almost 22 million dollars in damage. On June 5, 2015,
Liptak, Schleifer, and Sciutto reported that hackers attacked the United States government and over
four million personnel files were compromised. The purpose of this research was to evaluate the
certification and accreditation process for the DoD to determine if it adequately identifies
system vulnerabilities to meet military IT requirements.
As the reliance on IT increases in people’s lives and in the defense of the United States,
the opportunities for criminals and hackers increase. The following examples are attacks against
military networks from 2010 to 2015. Shachtman quotes Deputy Defense
Secretary William Lynn, who stated that the worm entered the military’s systems “when an infected flash
drive was inserted into a U.S. military laptop at a base in the Middle East…” (2010, p. 1, para.
2). The malware on the drive infected both the classified and unclassified networks and led to
the ban of USB drives in the DoD because of the risk they present to information security. Kim stated,
in reference to the North Korean cyber force, “…if the computer system controlling the nuclear
reactor was compromised, the consequences could be unimaginably severe and cause extensive
casualties” (Lee & Kwek, 2015, Stuxnet clone, para. 4). The cyber domain is today’s ultimate
high ground – and the war is on for control.
The DoD spent approximately 36 billion dollars on IT in fiscal year 2015. Only half a
billion of that was allocated to manage the security of 7 million IT devices with a cyber force that is
growing to 6,200 personnel. The funding and labor seem inadequate for 6,200 personnel to
manage 7 million devices across the globe, and even with the large number of personnel assigned to
Cyber Command, the organization is under 20 percent manned. Additionally, the size of the
DoDIN, with 15,000 networks, makes it a challenge to enforce information security standards.
The span of control is too large for one organization to manage, even when
each DoD component is allowed to have an AO.
The DISA, the DoD, and the federal government face challenging adversaries in protecting
the United States from cyber incidents. The size of the organizations and the number of managed
devices make it very difficult to secure all vulnerabilities. The RMF sets high standards based
on industry best practices to evaluate systems for the risk they present to military operations
and the governance of the nation. The DoD and federal government cannot eliminate risk through the
RMF, but the risk can be reduced to acceptable levels for daily operations. The RMF strongly
encourages the DoD and the federal government to use reciprocity.
Reciprocity can save the DoD and the federal government time, money, and labor. Every
day that passes, the United States government loses money because there is no tool to share
ATOs between DoD organizations and the federal government. Reciprocity has the ability to
make a major impact on reducing the amount of risk on the DoDIN and federal government
networks. Organizations can divide and conquer the workload as a team when approving
information systems instead of working alone and duplicating effort on information systems
that are the same. The DISA APL should be a benchmark for sharing ATOs. The DoD and
federal government should share current ATOs with the DISA to publish on a searchable
website.
The DoD and federal government can rank systems based on the amount of risk they
present to operations. The higher the risk a system presents, the higher up the chain of command
the approval to operate should be. The DoD and federal government should consider the number
of organizations using the same system during the ranking process. For example, a system
could represent a medium risk on its own, but because of the large footprint it presents on the network, the
system is a higher risk since there is a greater chance adversaries will attack it. The DoD
and federal government should delegate lower risk systems to the lower echelons, especially
systems that do not connect to a network or Internet service provider. These systems are isolated,
and the only real threat besides natural disasters is the insider threat.
The DoD Directive 8570.01-M outlines the requirements for the cybersecurity
workforce. The directive establishes the minimum requirements for IA technical and management
levels. IA personnel are integral to risk and vulnerability management on the network. A basic
certification is not enough for an IA professional to defend the cyber domain. IA professionals
need to build their knowledge and skill set through job qualification standards. As personnel
progress through the job qualification standards, managers should promote them to the next
IA level. A certification is a good start to gaining knowledge in cyber security, but IA technicians
and managers need to build a solid foundation to help secure information systems and train
computer users on the enemy capabilities they may encounter on the network.
The DISA is on its third program to secure information systems to ensure the
confidentiality, integrity, and availability of military information. Aligning the RMF with the
NIST standards and providing one process for all government agencies is a significant move to
streamline information security standards across all organizations. The DISA and DoD made
significant changes to information security practices by implementing the RMF in 2014. Are
the changes in the RMF enough to face today’s challenges in countering state-sponsored
actors, terrorists, and hacktivists? If the DoD and the federal government follow the RMF directives
and find a best practice to share ATOs under reciprocity, information system security will
improve on the DoDIN and in the federal government.
References
Associated Press. (2013, April 28). Army Says No to More Tanks, but Congress Insists. Retrieved from http://www.foxnews.com/politics/2013/04/28/army-says-no-to-more-tanks-but-congress-insists/
Barnes, J., & Gorman, S. (2013, September 27). U.S. Says Iran Hacked Navy Computers. Retrieved from http://www.wsj.com/articles/SB10001424052702304526204579101602356751772
Bassham, L., & Polk, T. (1994, March 10). Threat Assessment of Malicious Code and Human Threats. Retrieved from http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html
Berman Associates, Incorporated. (2014). RMF in the Department of Defense (DoD). Retrieved July 11, 2015, from http://www.rmf.org/index.php/what-is-rmf/65-rmf-dod.html
Bradner, S. (2002, January 28). A Trustworthy Computer Company? Network World, 32.
Brewin, B. (1996, July 7). DISA moves NIPRNET to Sprint -- FCW. Retrieved from http://fcw.com/articles/1996/07/07/disa-moves-niprnet-to-sprint.aspx
Butler, B., & Gosler, J. (2015, March 9). Military Superiority in an Interconnected World. Retrieved from http://warontherocks.com/2015/03/strategic-imperatives-for-military-superiority-in-an-interconnected-world/?singlepage=1
Byrne, D. (2015, May 14). Beyond compliance: DISA STIGs' role in cybersecurity. Retrieved from http://gcn.com/articles/2015/05/14/disa-stig-compliance.aspx
Chavana, J. (2014, October 13). Airmen Train for ‘New Wild, Wild West’ in Cyber Domain. Retrieved from http://www.af.mil/News/ArticleDisplay/tabid/223/Article/503474/airmen-train-for-new-wild-wild-west-in-cyber-domain.aspx
Crawford, J. (2015, July 9). Army announces force reduction of 40,000 troops – CNNPolitics.com. Retrieved from http://www.cnn.com/2015/07/09/politics/army-announces-force-reduction-40000-troops/
DARK Reading. (2013, May 22). The Eight Most Common Causes Of Data Breaches. Retrieved from http://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/1139795
Department of Defense. (2011, July 1). Strategy for Operating in Cyberspace. Retrieved from http://www.defense.gov/news/d20110714cyber.pdf
Defense Information Systems Agency. (n.d.). APL Testing and Certification. Retrieved from http://www.disa.mil/network-services/ucco
Defense Information Systems Agency. (n.d.). Assured Compliance Assessment Solution (ACAS). Retrieved from http://www.disa.mil/Cybersecurity/Network-Defense/ACAS
Defense Information Systems Agency. (n.d.). Continuous Monitoring and Risk Scoring (CMRS). Retrieved from http://www.disa.mil/Cybersecurity/Analytics/CMRS
Defense Information Systems Agency. (2012, September 19). DISA Windows Gold Disk Program Phased Out. Retrieved from http://www.disa.mil/news/stories/2012/gold-disk
Defense Information Systems Agency. (n.d.). Enterprise Mission Assurance Support Service (eMASS). Retrieved from http://www.disa.mil/Cybersecurity/Certification-Accreditation/EMASS
Defense Information Systems Agency. (2015, May 21). Security Technical Implementation Guides (STIGs). Retrieved from http://iase.disa.mil/stigs/Pages/index.aspx
Defense Information Systems Agency. (n.d.). Testing/Interoperability Certification. Retrieved from http://www.disa.mil/Mission-Support/Testing/Testing-Interoperability-Certification
Department of Defense. (2009, July 23). DoD Information System Certification and Accreditation Reciprocity. Retrieved from https://aplits.disa.mil/docs/DOD_CA_Reciprocity_Memo.pdf
Department of the Navy. (2013, February 26). Commander’s Cyber Security and Information Assurance Handbook. Retrieved from https://www.cool.navy.mil/usn/ia_documents/5239_NCF_Cybersecurity_IA_HANDBOOK.pdf
DoD Directive 8570.01-M, Information Assurance Workforce Improvement Program. (2012, January 24). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP). (1997, December 30). Retrieved from http://csrc.nist.gov/groups/SMA/fasp/documents/c&a/DLABSP/i520040p.pdf
DoD Instruction 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP). (2007, November 28). Retrieved from http://www.public.navy.mil/spawar/PEOEIS/NEN/NGEN/Documents/CertificationandAccreditationProcess_rel.pdf
DoD Instruction 8510.01, Risk Management Framework for DoD Information Technology. (2014, March 12). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
Falliere, N., Murchu, L., & Chien, E. (2011, February 1). W32.Stuxnet Dossier. Retrieved from https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Farrish, K. (n.d.). DISA Revamps STIGS and Validation Tools. Retrieved from http://www.diacap.net/2102/march-2012/97-disa-revamps-stigs-and-validation-tools.html?src=proso.com
Farrish, K. (2012, March). Top 10 Reasons to Start Preparing for C&A Transformation. Retrieved from http://www.rmf.org/2102/march-2012
Fenlon, W. (2015, March 18). PC Build Guide: High-end Gaming PC. Retrieved from http://www.pcgamer.com/pc-build-guide-high-end-gaming-pc/
Foreman, P. (2009, January 1). Introduction to Vulnerability Management. Retrieved from http://www.infosectoday.com/Articles/Intro_Vulnerability_Management.htm
Galliani, J. (2010, November 9). Understanding the DIACAP Monster. Retrieved from http://www.seguetech.com/blog/2010/11/09/understanding-diacap-monster
Goldsborough, R. (2014, November 15). Loving Our Devices Too Much. Retrieved from http://www.infotoday.com/LinkUp/Loving-Our-Devices-Too-Much-100537.shtml
Grimes, J. (2012, January 24). DoD 8570.1M, Information Assurance Workforce Improvement Program. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
Hautala, L. (2015, June 23). Programmers Are Copying Security Flaws Into Your Software, Researchers warn - CNET. Retrieved from http://www.cnet.com/news/programmers-are-copying-security-flaws-into-your-software-researchers-warn/
Hoffman, S. (2012, December 1). CHIPS Articles: Information Technology Acquisition Approval Process. Retrieved from http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=4211
Intel. (2012). Intel Timeline: A History of Innovation. Retrieved from http://www.intel.com/content/www/us/en/history/historic-timeline.html
Johnson, E. (2015, February 16). Developer Security Awareness: Is Security Your Top Priority? Retrieved from http://software-security.sans.org/blog/2015/02/16/developer-security-awareness-is-security-your-top-priority
Kaven, O. (2003, December 30). Retina Network Security Scanner. Retrieved from http://www.pcmag.com/article2/0,2817,1400326,00.asp
Lee, D., & Kwek, N. (2015, May 29). North Korean hackers 'could kill', warns key defector – BBC News. Retrieved from http://www.bbc.com/news/technology-32925495
Liptak, K., Schleifer, T., & Sciutto, J. (2015, June 5). U.S. Government Hacked; Feds Think China is the Culprit. Retrieved from http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/index.html
McAfee, J. (2015, June 22). John McAfee: The death of antivirus. Retrieved from http://www.ibtimes.co.uk/john-mcafee-death-antivirus-1507388
Mell, P., & Inverso, P. (2008, September 22). NIST and DISA SCAP. Retrieved from https://nvd.nist.gov/scap/docs/2008-conf-presentations/day1/NVD-VMS-SCAP-Integration-v7.pdf
Morgan, M. (2002). Clausewitz on Civil-Military Relations: What Hitler Should Have Known. Retrieved from http://www.dtic.mil/dtic/tr/fulltext/u2/a441816.pdf
National Institute of Standards and Technology. (2014, April 1). Risk Management Framework (RMF) Overview. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/framework.html
National Institute of Standards and Technology. (2012, September 1). Special Publication 800-30, Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Office of Management and Budget. (2015, February 27). Annual Report to Congress: Federal Information Security Management Act. Retrieved from https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf
Olson, P. (2012, April 25). Now Anyone Can Hack a Website Thanks to Clever, Free Programs. Retrieved from http://www.forbes.com/sites/parmyolson/2012/04/25/now-anyone-can-hack-a-website-thanks-to-clever-free-programs/
Rivera, J. (2014, May 9). Georgetown Security Studies Review – Tipping the Scales: How to Combat Cyberthreats to the U.S. Defense Industrial Base. Retrieved from http://georgetownsecuritystudiesreview.org/2014/05/09/tipping-the-scales-how-to-combat-cyberthreats-to-the-u-s-defense-industrial-base/
Rogers, M. (2015, March 4). Statement of Admiral Michael S. Rogers, Commander United States Cyber Command. Retrieved from http://docs.house.gov/meetings/AS/AS26/20150304/103093/HHRG-114-AS26-Wstate-RogersM-20150304.pdf
Russia Today (RT). (2015, April 15). Pentagon Drafting Thousands of 'Cyber Forces' in Prep for Cyber Emergency. Retrieved from http://rt.com/usa/249721-pentagon-recruiting-cyber-pros/
Shachtman, N. (2010, August 25). Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated). Retrieved from http://www.wired.com/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/
Statista. (2014, July 1). Average Annual Costs Caused by Cyber Crime in the United States. Retrieved from http://www.statista.com/statistics/193436/average-annual-costs-caused-by-cyber-crime-in-the-us/
Sternstein, A. (2015, March 16). The Military's Cybersecurity Budget in 4 Charts. Retrieved from http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/
Tann, A., & Chae, D. (2015, July 1). Risk Management Framework and Financial Audit Readiness. Retrieved from http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=6670
Taylor, G. (2010, October 1). Disney's ITIL Journey. Retrieved from https://www.axelos.com/case-studies-and-white-papers/disneys-itil-journey-case-study
Tchoubineh, B. (2013, August 5). Transitioning from DIACAP to RMF. Retrieved from http://www.phoenixts.com/blog/diacap-vs-rmf/
Trapp, J. (2012). The Nine Types of Ground. In The Art of War: A New Translation (p. 96). New York, New York: Chartwell Books.
Vigil, R. (2009, June 1). Information Assurance Vulnerability Compliance Tracking and Reporting for U.S. Navy Ships. Retrieved from http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=2683
Wells, J. (2010, April 21). How Much Does a Jet Fighter Really Cost? Retrieved from http://www.cnbc.com/id/36692113
Wittenberg, E. (n.d.). An Analysis of the Buford Manuscripts. Retrieved from http://www.gdg.org/Gettysburg Magazine/devil.html
Appendices
Appendix A – Operational Risk Management for Low Risk Systems
APPROVAL
This document was prepared in accordance with the scope and content consistent with guidance
and recommendations promulgated by Federal and Department of Defense guidance. The
format and information content in this document follow the recommendations and
guidance of the J-644, Plans, Procedures, and Assessments office.
Submitted by: ______________________________________ __________ Date
INFORMATION ASSURANCE OFFICER
I hereby approve.
Reviewed by: ______________________________________ __________ Date
INFORMATION ASSURANCE MANAGER
Reviewed by: ______________________________________ __________ Date
CHIEF INFORMATION OFFICER
Reviewed by: ______________________________________ __________ Date
CHIEF OF STAFF
Approved by: ______________________________________ __________ Date
COMMANDER
RECORD OF CHANGES
Section Number | Change | Comment | Date of Change | Signature
Table of Contents
1.0 Introduction
1.1 Purpose
1.2 ORM Request Process
1.3 ORM Process
Encl: (1) ORM Request Workflow
(2) ORM Process Workflow
(3) ORM Request Form
1.0 Introduction
• The objective of risk management is not to eliminate risks, but to manage them. Effective risk
management assesses risks, reduces them to acceptable levels (mitigates risks), and continually
evaluates and assesses the use of DoD IA controls (countermeasures, safeguards) to mitigate
risks.
• The risk assessment checklist for a system will evaluate the environment, assess threats, and
determine potential loss from certain events based on an estimated probability of threats being
exercised.
1.1 Purpose.
• The purpose of the Risk Assessment is to ensure legal and regulatory requirements are met.
These requirements may include, but are not limited to, the Federal Information Security
Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130.
• Provide a foundation for the development of an effective risk management program and save the
Navy funds and manpower for systems that are low risk to mission operations.
1.2 ORM Request Process.
• The system owner will contact the installation N64 to verify whether the system meets the criteria for
Operational Risk Management. The first quality factor the N64 will check is whether the system is a valid
requirement supported by CNIC or the Regional N-code. If the system is not a valid
requirement supported by CNIC or the Regional N-code, the system owner shall obtain approval
before pursuing ORM or DIACAP. See Enclosure (1) for the ORM Request Workflow.
• The five key questions the system owner and installation N64 will discuss are:
1. Is the system FIPS compliant?
2. Does the system process classified information?
3. Does the system connect to the GIG?
4. Does the system transmit data off the installation?
5. What MAC level is the system?
• If a system is not FIPS compliant, the system owner must pursue compliance.
• If a system processes classified information, connects to the GIG, or transmits data off the installation, the
system must complete the DIACAP process.
• The table below will help determine the MAC level of the system. Systems that are considered
MAC I or process PII must complete the DIACAP process.
MAC I: Systems handling information that is determined to be vital to the operational readiness or mission
effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences
of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and
sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent
protection measures.
MAC II: Systems handling information that is important to the support of deployed and contingency forces. The
consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be
tolerated for a short time. The consequences could include delay or degradation in providing important support
services or commodities that may seriously impact mission effectiveness or operational readiness. Mission
Assurance Category II systems require additional safeguards beyond best practices to ensure assurance.
MAC III: Systems handling information that is necessary for the conduct of day-to-day business, but does not materially
affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or
availability can be tolerated or overcome without significant impacts on mission effectiveness or operational
readiness. The consequences could include the delay or degradation of services or commodities enabling
routine activities. Mission Assurance Category III systems require protective measures, techniques, or
procedures generally commensurate with commercial best practices.
• If the system passes the five questions, the system owner will complete the ORM Process Request
Form, enclosure (3), which shall include the mission description, mission statement, and the topology
with a list of attached equipment: servers, clients, network devices, and additional peripherals.
The completed ORM Process Request Form will be forwarded to the installation N64.
• The installation N64 will review the ORM Process Request Form and make sure all required
information is complete. Additionally, the N64 will discuss with the IPD the manpower tax the installation
will incur by allowing the system into the ORM process. IPDs will be responsible for
all IA monthly and annual requirements for the system. After validation and IPD approval, the
installation N64 will forward the request to the Regional N64.
• The Regional N64 will review the request to ensure the system meets Operational Risk
Management criteria and will confer with N62 on FIPS compliance as required. MAC level
determination can be subjective and will be the critical item reviewed. If the Regional IAM
disagrees with the MAC level, they will request further discussion and/or justification from the
system owner and installation IAM.
• After reviewing the ORM Process Request Form, the Regional N64 will notify the installation
N64 whether the system will be accepted for ORM or needs to go through the DIACAP process.
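The section 1.2 screen (requirement validity, the five questions, and the MAC I / PII rule) encoded as a routing function, added here as an example and not part of the capstone or the Navy ORM document; the class, field and route names are this example's own, and the sample inventory is constructed.

```python
"""ORM request screening from Appendix A, section 1.2, as an added example.

Assumptions (not from the source): the class, field and route names are this
example's own, and every system profile below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

MAC_ROMAN = {1: "I", 2: "II", 3: "III"}


class Route(Enum):
    """Where the installation N64 sends the system after the screen."""
    OBTAIN_REQUIREMENT_APPROVAL = "obtain approval for the requirement first"
    PURSUE_FIPS_COMPLIANCE = "pursue FIPS compliance before ORM or DIACAP"
    DIACAP = "complete the DIACAP process"
    ORM = "eligible for the ORM request process"


@dataclass(frozen=True)
class SystemProfile:
    """The system owner's answers to the installation N64 (constructed fields)."""
    name: str
    valid_requirement: bool            # supported by CNIC or the Regional N-code
    fips_compliant: bool               # question 1
    processes_classified: bool         # question 2
    connects_to_gig: bool              # question 3
    transmits_off_installation: bool   # question 4
    mac_level: int                     # question 5: 1 (MAC I), 2 or 3
    processes_pii: bool = False        # PII also forces DIACAP


def screen_for_orm(system: SystemProfile) -> tuple[Route, list[str]]:
    """Apply the section 1.2 screen and return the route plus every reason found.

    Precedence follows the text: the requirement must be valid before ORM or
    DIACAP is pursued, FIPS compliance is required on either path, any single
    DIACAP trigger sends the system to DIACAP, and only then is ORM allowed.
    """
    if system.mac_level not in MAC_ROMAN:
        raise ValueError(f"{system.name}: MAC level must be 1, 2 or 3")

    if not system.valid_requirement:
        return Route.OBTAIN_REQUIREMENT_APPROVAL, [
            "requirement is not supported by CNIC or the Regional N-code"
        ]

    # Collect every DIACAP trigger so the owner sees all of them at once,
    # not just the first one that fires.
    triggers = [
        (system.processes_classified, "processes classified information"),
        (system.connects_to_gig, "connects to the GIG"),
        (system.transmits_off_installation, "transmits data off the installation"),
        (system.mac_level == 1, "is a MAC I system"),
        (system.processes_pii, "processes PII"),
    ]
    reasons = [text for fired, text in triggers if fired]

    if not system.fips_compliant:
        # FIPS is required regardless of path; the triggers are reported too so
        # the owner knows DIACAP is still ahead once compliance is reached.
        return Route.PURSUE_FIPS_COMPLIANCE, ["not FIPS compliant"] + reasons
    if reasons:
        return Route.DIACAP, reasons
    return Route.ORM, [f"passes all five questions at MAC {MAC_ROMAN[system.mac_level]}"]


def screen_inventory(systems: list[SystemProfile]) -> dict[str, Route]:
    """Screen a whole list of systems and map each name to its route."""
    return {s.name: screen_for_orm(s)[0] for s in systems}


# Constructed sample inventory (hypothetical systems, not from the source).
SAMPLE_SYSTEMS = [
    SystemProfile("training kiosk", True, True, False, False, False, 3),
    SystemProfile("sensor gateway", True, True, False, True, False, 2),
    SystemProfile("lab logger", True, False, False, False, False, 3),
    SystemProfile("badge database", True, True, False, False, False, 2, processes_pii=True),
    SystemProfile("hobby server", False, True, False, False, False, 3),
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        route, why = screen_for_orm(s)
        print(f"{s.name}: {route.value} ({'; '.join(why)})")
```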
1.3 ORM Process.
• The system owner will complete the ORM checklist and submit it to the installation N64. The
installation N64 will ensure the ORM checklist is complete and that the system is compliant with
information assurance requirements.
• Once the installation N64 determines that the system meets ORM requirements,
they will verify the system has not changed in mission or scope prior to forwarding the
package to the Regional N64. See Enclosure (2) for the ORM Process Workflow.
• The Regional N64 will review the checklist and, if the package meets all requirements, will schedule
the system for the CCB.
• If the system meets all IA requirements and the CCB determines the system vulnerabilities are an
acceptable risk, the system owner can submit their purchase request through NAV-IDAS. If the
system does not meet IA requirements, the package will be sent back identifying the vulnerabilities
that will not be accepted as risk. The system owner will have the opportunity to mitigate
the risk and resubmit for further consideration.
Appendix B – Change Control Sheet
 
Risk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageRisk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of age
 
Senior Seminar Paper
Senior Seminar PaperSenior Seminar Paper
Senior Seminar Paper
 
Youth of Turkey online
Youth of Turkey onlineYouth of Turkey online
Youth of Turkey online
 
Capstone_SingleSpaced
Capstone_SingleSpacedCapstone_SingleSpaced
Capstone_SingleSpaced
 

En vedette

Конкурс рисунков "Я талантливый"
Конкурс рисунков "Я талантливый"Конкурс рисунков "Я талантливый"
Конкурс рисунков "Я талантливый"Kapustina Darina
 
Subject_Certificate_25_June_2016
Subject_Certificate_25_June_2016Subject_Certificate_25_June_2016
Subject_Certificate_25_June_2016Vensgaldeepak S
 
ITSASOAREN MODELATZE LANA
ITSASOAREN MODELATZE LANAITSASOAREN MODELATZE LANA
ITSASOAREN MODELATZE LANAaaginaga
 
Studio Alisa Sheinson 25.09.16 new small
Studio Alisa Sheinson 25.09.16 new smallStudio Alisa Sheinson 25.09.16 new small
Studio Alisa Sheinson 25.09.16 new smallAlisa Sheinson
 
Primate Behavior Project 2
Primate Behavior Project 2 Primate Behavior Project 2
Primate Behavior Project 2 Matthew Highnam
 
DOC092015-09202015224439 (1)
DOC092015-09202015224439 (1)DOC092015-09202015224439 (1)
DOC092015-09202015224439 (1)Doan Chu
 
Estrel Berlin: Highlights im Herbst & Winter 2016
Estrel Berlin: Highlights im Herbst & Winter 2016Estrel Berlin: Highlights im Herbst & Winter 2016
Estrel Berlin: Highlights im Herbst & Winter 2016Estrel Berlin
 
Слоўнік Права на мову
Слоўнік Права на мовуСлоўнік Права на мову
Слоўнік Права на мовуMova Nanova
 
El tubo de rayos x
El tubo de rayos xEl tubo de rayos x
El tubo de rayos xnickoluna
 
PfizerProposal_Final-1
PfizerProposal_Final-1PfizerProposal_Final-1
PfizerProposal_Final-1Robert Vasquez
 

En vedette (13)

Конкурс рисунков "Я талантливый"
Конкурс рисунков "Я талантливый"Конкурс рисунков "Я талантливый"
Конкурс рисунков "Я талантливый"
 
Writing Sample
Writing SampleWriting Sample
Writing Sample
 
Subject_Certificate_25_June_2016
Subject_Certificate_25_June_2016Subject_Certificate_25_June_2016
Subject_Certificate_25_June_2016
 
วิทย์
วิทย์วิทย์
วิทย์
 
ITSASOAREN MODELATZE LANA
ITSASOAREN MODELATZE LANAITSASOAREN MODELATZE LANA
ITSASOAREN MODELATZE LANA
 
Studio Alisa Sheinson 25.09.16 new small
Studio Alisa Sheinson 25.09.16 new smallStudio Alisa Sheinson 25.09.16 new small
Studio Alisa Sheinson 25.09.16 new small
 
Primate Behavior Project 2
Primate Behavior Project 2 Primate Behavior Project 2
Primate Behavior Project 2
 
DOC092015-09202015224439 (1)
DOC092015-09202015224439 (1)DOC092015-09202015224439 (1)
DOC092015-09202015224439 (1)
 
Estrel Berlin: Highlights im Herbst & Winter 2016
Estrel Berlin: Highlights im Herbst & Winter 2016Estrel Berlin: Highlights im Herbst & Winter 2016
Estrel Berlin: Highlights im Herbst & Winter 2016
 
Sistemas electorales sistema de partidos
Sistemas electorales sistema de partidosSistemas electorales sistema de partidos
Sistemas electorales sistema de partidos
 
Слоўнік Права на мову
Слоўнік Права на мовуСлоўнік Права на мову
Слоўнік Права на мову
 
El tubo de rayos x
El tubo de rayos xEl tubo de rayos x
El tubo de rayos x
 
PfizerProposal_Final-1
PfizerProposal_Final-1PfizerProposal_Final-1
PfizerProposal_Final-1
 

Similaire à Ewert_Military Information Systems Risk Management

CybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTCybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTAimee Shuck
 
Cyber Civil Defense - Risk Masters - Allan Cytryn
Cyber Civil Defense - Risk Masters - Allan CytrynCyber Civil Defense - Risk Masters - Allan Cytryn
Cyber Civil Defense - Risk Masters - Allan CytrynBoston Global Forum
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy Mohit Kumar
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Hello dr. aguiar and classmates,for this week’s forum we were as
Hello dr. aguiar and classmates,for this week’s forum we were asHello dr. aguiar and classmates,for this week’s forum we were as
Hello dr. aguiar and classmates,for this week’s forum we were assimba35
 
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docx
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docxANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docx
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docxamrit47
 
ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docxESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docxdebishakespeare
 
ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.ronnasleightholm
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...David Sweigert
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docxjessiehampson
 
comm120 week 6 discussion.docx
comm120 week 6 discussion.docxcomm120 week 6 discussion.docx
comm120 week 6 discussion.docxwrite12
 
comm120 week 6 discussion.docx
comm120 week 6 discussion.docxcomm120 week 6 discussion.docx
comm120 week 6 discussion.docxwrite31
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMeg Weber
 
InfragardNCR Annual Report 2015
InfragardNCR Annual Report 2015InfragardNCR Annual Report 2015
InfragardNCR Annual Report 2015InfraGardNCR
 
Seminar Paper Heller
Seminar Paper HellerSeminar Paper Heller
Seminar Paper HellerKyle Heller
 
Safeguarding K-12 Organizations from Cybersecurity Threats WPGC.pdf
Safeguarding K-12 Organizations from Cybersecurity Threats  WPGC.pdfSafeguarding K-12 Organizations from Cybersecurity Threats  WPGC.pdf
Safeguarding K-12 Organizations from Cybersecurity Threats WPGC.pdfmeetsolanki44
 
War Against Terrorism - CIO's Role
War Against Terrorism - CIO's RoleWar Against Terrorism - CIO's Role
War Against Terrorism - CIO's RoleAyodeji Rotibi
 

Similaire à Ewert_Military Information Systems Risk Management (19)

CybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTCybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINT
 
Cyber Civil Defense - Risk Masters - Allan Cytryn
Cyber Civil Defense - Risk Masters - Allan CytrynCyber Civil Defense - Risk Masters - Allan Cytryn
Cyber Civil Defense - Risk Masters - Allan Cytryn
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy
 
Trends_in_my_profession(revised)
Trends_in_my_profession(revised)Trends_in_my_profession(revised)
Trends_in_my_profession(revised)
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
Hello dr. aguiar and classmates,for this week’s forum we were as
Hello dr. aguiar and classmates,for this week’s forum we were asHello dr. aguiar and classmates,for this week’s forum we were as
Hello dr. aguiar and classmates,for this week’s forum we were as
 
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docx
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docxANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docx
ANSWER THE QUESTION 250 WORDS MINDiscussion Questions I.docx
 
ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docxESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
 
ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docx
 
comm120 week 6 discussion.docx
comm120 week 6 discussion.docxcomm120 week 6 discussion.docx
comm120 week 6 discussion.docx
 
comm120 week 6 discussion.docx
comm120 week 6 discussion.docxcomm120 week 6 discussion.docx
comm120 week 6 discussion.docx
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber Security
 
ISACA UW Handbook 2016
ISACA UW Handbook 2016ISACA UW Handbook 2016
ISACA UW Handbook 2016
 
InfragardNCR Annual Report 2015
InfragardNCR Annual Report 2015InfragardNCR Annual Report 2015
InfragardNCR Annual Report 2015
 
Seminar Paper Heller
Seminar Paper HellerSeminar Paper Heller
Seminar Paper Heller
 
Safeguarding K-12 Organizations from Cybersecurity Threats WPGC.pdf
Safeguarding K-12 Organizations from Cybersecurity Threats  WPGC.pdfSafeguarding K-12 Organizations from Cybersecurity Threats  WPGC.pdf
Safeguarding K-12 Organizations from Cybersecurity Threats WPGC.pdf
 
War Against Terrorism - CIO's Role
War Against Terrorism - CIO's RoleWar Against Terrorism - CIO's Role
War Against Terrorism - CIO's Role
 

Ewert_Military Information Systems Risk Management

Acknowledgements

First, I would like to thank my children, Chris and Hannah, for being patient with me the last two years while I pursued my educational goals. I hope I set a great example for you and taught you that you should never give up for any reason to reach your goals; you never stop learning. To my mother and father, thank you for your love and support. I do not know how I would have made it the last 8 years without you. Thank you for your inspiration and always pushing me to be a better person. Most of all, thank you for always being there for us. Bill, Lee, and Steve, thank you for your support and helping with the kids when I needed a break so I could concentrate on my courses. To my colleagues, especially Mark Watson, Martin Colon, and Bobby Eucker, thank you for listening to my crazy ideas and helping me choose this topic from thoughts from many discussions at work. To Mark Low and Rhett Thomas, thank you for volunteering to make sense of my thoughts and keeping me on track. To the Utica staff, thank you for your time, dedication, and support during the program. For my second reader, Ismael Morales, thank you for taking time out of your busy schedule to make sure I stayed true to the subject. Finally, to Professor Gonnella, thank you for your guidance and time. Thank you for being patient with me and motivating me to continue with the capstone.
Table of Contents

List of Illustrative Materials
Military Information Systems Risk Management
Literature Review
    DoD Information Security Standards
        DITSCAP
        FISMA
        DIACAP
        RMF
            Vulnerability management
                Security Technical Information Guides (STIGs)
                Gold Disk
                Security Content Automation Protocol (SCAP)
                Information Assurance Vulnerability Management (IAVM) patches
                Retina
                Assured Compliance Assessment Solution (ACAS)
                Vulnerability Remediation Asset Manager (VRAM)
                Vulnerability Management System (VMS)
                Continuous Monitoring and Risk Scoring (CMRS)
                Enterprise Mission Assurance Support Service (eMASS)
        DIACAP vs. RMF
Discussion of Findings
Future Research Recommendations
    Cleaner Code
    Improved Cyber Awareness Training
    The Human Element
Conclusion
References
Appendices
    Appendix A – Operational Risk Management for Low Risk Systems
        APPROVAL
        1.1 Purpose
        1.2 ORM Request Process
        1.3 ORM Process
List of Illustrative Materials

Figure 1 – Defense Department IT Budget FY 14 to FY 20
Figure 2 – DITSCAP Phases
Figure 3 – DIACAP Phases
Figure 4 – RMF and Acquisition System Activities
Figure 5 – RMF Process
Military Information Systems Risk Management

How safe is the Department of Defense Information Network (DoDIN) and the specialized systems and applications developed for the warfighter? Cybersecurity incidents are steadily on the rise, and the World Wide Web has opened a new target vector for terrorists, hacktivists, and state-sponsored actors. The Federal Information Security Act Annual Report listed over 640,000 cyber incidents for the fiscal year 2014 (Office of Management and Budget, 2015). The cost to the defense sector was almost 22 million dollars in damage (Statista, 2014). On June 5, 2015, CNN White House producer Kevin Liptak, CNN political reporter Theodore Schleifer, and Chief National Security Correspondent Jim Sciutto reported that hackers attacked the United States government and over four million personnel files were compromised (2015). The purpose of this research was to evaluate the certification and accreditation process for the Department of Defense (DoD) to determine if it is adequately identifying system vulnerabilities to meet military information technology (IT) requirements.

As the reliance on IT increases in people’s lives and in the defense of the United States, the opportunities for criminals and hackers increase. The following examples are attacks against military networks from 2010 to 2015. Noah Schachtman, a journalist covering crime, intelligence, and technology, published an article on the agent.btz worm. In the article, Noah references a quote from Deputy Defense Secretary William Lynn that the worm entered the military’s systems “when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East…” (2010, p. 1, para. 2). The malware on the drive exploited both the classified and unclassified networks and led to the ban of Universal Serial Bus (USB) drives in DoD because of the risk it presents to information security (Schachtman, 2010).

In 2013, Wall Street Journal national security reporters Julian Barnes and Siobhan Gorman wrote an online article indicating unknown hackers broke into the United States Navy’s unclassified network (2013). It took several months for the Navy to recover applications and information from the incident. According to a Georgetown security study written by master’s candidate and active duty officer Jason Rivera, hackers probed the DoDIN approximately 360 million times a day for weaknesses (Rivera, 2014). It is difficult to determine how many attacks are successful or if the enemy is hiding in the DoDIN collecting information.

For enemies of the United States, developing a cyber force is much easier than developing new weapon systems to counter the United States armed forces. According to PC Gamer hardware editor Wes Fenlon, building a high-end computer system costs around two thousand dollars (2015). Staff Sergeant Jarrod Chavana, a writer for the 3rd Combat Camera Squadron, interviewed the commander of Air Force Space Command, General John Hyten, about the cyber domain. General Hyten stated, “… the cost for cyberspace is a laptop and an internet [sic] connection, and then you can be a threat to anybody” (2014, p. 1, para. 6). In comparison to current weapon systems, a new Abrams tank costs roughly 7.5 million dollars, according to the United States Army (Associated Press, 2013). Jane Wells, a CNBC business news reporter, reported on Loren Thompson’s statement on the cost of the F-16 fighter. Thompson, Chief Operating Officer of the Lexington Institute, estimates that a new F-16 fighter costs approximately 60 million dollars (2010). Due to the high cost of building or acquiring weapons systems, the United States’ enemies invested in tactics and procedures to attack the United States on a level playing field: the cyber domain.

Training a cyber-force to attack has also become much less expensive and more efficient. Hacking tools are available on numerous sites that offer free downloads. Most of the software only requires an Internet Protocol (IP) address to launch an attack. Forbes magazine journalist Parmy Olson wrote an article on hacking websites with free programs. In the article, Rob Rachwald, security strategy director at Imperva, said, “The tools are getting smarter,” and, “the pool of hackers is increasing” (2012, p. 1, para. 4). Rob Rachwald also taught his 11-year-old how to launch a Structured Query Language (SQL) attack in 15 minutes (Olson, 2012).

The DoD implemented three programs to assess the risk a system or application presents to the warfighter mission. The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) was the first program implemented to address certification and accreditation (C&A) of information systems in 1997 (Department of Defense [DoD], 1997). The DoD Information Assurance Certification and Accreditation Process (DIACAP) replaced the DITSCAP in 2007 with the goal of streamlining the C&A process (DoD, 2007). The biggest change was moving the designated approval authority to one entity in each service to uphold standards. In 2014, the Risk Management Framework (RMF) for DoD Information Technology (DoD, 2014) replaced the DIACAP. The RMF standardizes the requirements in DoD and the United States government to approve the use of a system or application. DoD is using a phased approach over three years to transition from the DIACAP (DoD, 2014). The latest certification date will determine when the system enters the new RMF process. How could the implementation of RMF reduce the amount of time to deliver a system to the warfighter? How can DoD ensure the RMF will manage risk at acceptable levels to meet mission requirements?

The greatest change with the RMF is the sharing of authority to operate under reciprocity between DoD and federal agencies (DoD, 2014). If the system or application completes assessment and authorization under the RMF, another agency can use the authority to operate (ATO) information to approve a system. Reciprocity can save an agency money, time, and labor costs by using the artifacts from an existing approved package (DoD, 2014). What best practices can DoD and the government rely upon to implement reciprocity?

The United States relies heavily on technology, and the systems and applications used to defend the nation create weaknesses in national security. “Why are we failing?” asks Eric Johnson, senior security consultant and the application security curriculum product manager at the Systems Administration, Networking and Security (SANS) Institute (2015, p. 1, para. 2). Computer security is an afterthought in the design phase of an application or system due to changes to meet customer demands on rigid deadlines (Johnson, 2015). The statement of work (SOW) should include all the standards the product and the cybersecurity personnel must meet to provide a product or service to DoD. CNET cybersecurity writer Laura Hautala stated that approximately 80 to 90 percent of code in software applications is from third parties. The poor code is used and passed on to new programs, which exponentially increases the problem in applications (2015). In 2002, Scott Bradner, an information systems consultant with Harvard University, wrote an article on trustworthy computing for NetworkWorld. In the article Bradner quoted Bill Gates’ message to employees, “When we face a choice between adding features and resolving security issues, we need to choose security” (2002, p. 32, para. 3).

The United States’ cybersecurity forces are not prepared to defend against cyber-attacks. In April 2015, Russia Today reported the Pentagon continues to build the cyber-force under Cyber Command, but the Pentagon had only half of the required staff. By 2018, the command will grow to 6,200 personnel including forces from the Reserves and National Guard (2015). DoD Directive 8570.01-M, Information Assurance Workforce Improvement Program, required information technology personnel to earn and maintain a certification based on the level of access or oversight of a system. Personnel with elevated privileges to information systems are required to earn a certification based on their role. The directive has two main categories of certification: information assurance technical (IAT) and information assurance management (IAM). Both categories are further broken down into three levels based on personnel’s experience and the level of support provided to a system (DoD, 2012).

System owners have a mission to accomplish, yet do not understand the information security requirements. Kathryn Farrish, a Certified Information Systems Security Professional and consultant at The DIACAP Resource Center, wrote that it would take time for system owners to understand the new requirements and the revised responsibilities under the RMF (2012). Personnel and budgets continue to decrease in the DoD. Jamie Crawford, National Security Producer at CNN, published an article in July 2015 about the United States Army cutting 40,000 troops by 2017 (2015). The easiest way to make up for a decrease in personnel is by automating processes with an application or system. Navy Captain Scott Hoffman, Space and Naval Warfare Systems Command (SPAWAR) Deputy Director for Contracts, submitted an article on the IT acquisition process in the October-December 2012 edition of the Navy’s IT magazine, CHIPS. The United States Navy implemented the Information Technology Acquisition Approval Process to provide technical reviews of IT requests and to save money because system owners were making purchases without IT procurement approval (2012). Purchasing a system without a technical review creates a potential risk to DoD because the vulnerabilities of the system are unknown. Since the system owner does not understand the RMF process to receive an authority to operate (ATO) and did not receive approval to purchase, the system operates with no authorization and an unknown level of risk to the organization and the DoDIN.

By evaluating the certification and accreditation process for the DoD, all cybersecurity professionals, system owners, and system developers will have a better understanding of the challenges of keeping up with technology and fielding approved systems to meet warfighter requirements. System developers need to understand why it is important to address security requirements in the design of a system. DoD contracting officers need education on information security requirements, and they should enforce those standards in the SOW. If contracting officers do not hold defense contractors to the security standards in the SOW, contracting officers are enabling the vulnerability in the system. Defense contractors that develop information systems and applications should review DoD and federal guidelines for computer security. The RMF and Federal Information Processing Standard (FIPS) publications will provide the contractor the standards that are required to achieve an authority to operate (Farrish, 2012). Berman Associates, Incorporated, an information security consulting firm, highly recommends all personnel and contractors involved in the system life cycle learn the new RMF process for DoD (2014).

In the Battle of Gettysburg, General John Buford secured the high ground and provided the Federal infantry a strategic advantage to win the battle. He stated before the battle, “…The enemy knows the importance of this position and will strain every nerve to secure it…” (Wittenberg, n.d., p. 1, para. 13). The United States’ enemies may not have the armed forces and weapon systems to match the United States, but they do have the resources to build and maintain a cyber-force to challenge us. In a recent BBC article written by Dave Lee and Nick Kwek, Professor Kim Heung-Kwang warned that North Korea’s cyber-force is equipped with around 6,000 trained hackers and has the capability to kill people (2015). Professor Kim taught computer science at Hamheung Computer Technology University before defecting from North Korea in 2004. Professor Kim stated, “…if the computer system controlling the nuclear reactor was compromised, the consequences could be unimaginably severe and cause extensive casualties” (Lee & Kwek, 2015, Stuxnet clone, para. 4). The cyber domain is today’s ultimate high ground – and the war is on for control.

Literature Review

How did cybersecurity, also known as information assurance, become such a hot topic for the DoD? Published author for Information Today, Reid Goldsborough, stated the Internet became mainstream in the United States in the mid-1990s (2014). In 1996, Bob Brewin, a defense journalist for FCW, reported the Defense Information Systems Agency (DISA) planned to move the Nonclassified Internet Protocol Router Network (NIPRNet) to the Sprint network because of the explosion of traffic on military installations and the demand for bandwidth growth to support military World Wide Web pages before the end of the year (1996). In April 2015, Russia Today reported the Pentagon continues to build the cyber-force under Cyber Command, but the Pentagon had only half of the required staff. By 2018, the command will grow to 6,200 personnel including forces from the Reserves and National Guard (2015). Admiral Michael Rogers, commander of Cyber Command, said in his statement to the House Committee in March 2015 that there are approximately 1,100 people serving at Cyber Command (2015). From mainframes to smart phones, the DoD IT budget increased to $36 billion in fiscal year 2015, and will continue to stay close to that figure into fiscal year 2020, see Figure 1 below (Sternstein, 2015). Aliya Sternstein, cybersecurity reporter for DefenseOne, concluded that only $546 million is dedicated to the United States Cyber Command and that funding will decline by approximately $100 million in fiscal year 2016 (2015).

Figure 1. Defense Department IT Budget FY 14 to FY 20 (Sternstein, 2015, “The Cyber Command line,” para. 5)

In 1971, Intel launched the world’s first microprocessor. According to Moore’s Law, microprocessor speed doubles approximately every 2 years. Computers are significantly more powerful in 2015 than in the 1970s. The microprocessor can multitask, execute larger requests, and is mobile due to a significant decrease in size (Intel, 2012). In 2015, powerful microprocessors in smart phones operate in the palm of a hand compared to a huge computer room to house mainframes. The United States military operations rely on seven million IT devices throughout 15,000 networks across the globe (DoD, 2011). According to Michael Morgan, a graduate student at the National Defense University, Adolph Hitler commanded over 7 million members and 300 divisions during World War II (2002). Carl von Clausewitz warned Hitler about span of control and that all commanders must maintain it to meet political objectives (Morgan, 2002). Bob Butler and Jim Gosler, writers for War on the Rocks, discussed the United States military’s dependence since the end of the Vietnam War on IT-based strategies on the battlefield, from supplying troops to guiding a bomb to a precise target. The millions of IT devices, and the multiple networks connecting to the DoDIN and the World Wide Web, present a large target for adversaries to disrupt, deny, or destroy information systems (Butler & Gosler, 2015).
In 1983, Fred Cohen, a University of Southern California graduate student, defined the term computer virus: a computer program capable of reproducing itself and causing harm to files or programs (Bassham & Polk, 1994). National Institute of Standards and Technology (NIST) computer scientists Lawrence Bassham and Timothy Polk list Elk Cloner as the first computer virus and the first type of malicious code introduced to computer users, on the Apple II in 1981 (1994). In 2015, computer users face more than just a computer virus. There is a plethora of malicious code used to infect or disrupt information systems. The payloads embedded in malicious programs are more complex and harder to detect. In 2010, Symantec software engineers Nicolas Falliere, Liam Murchu, and Eric Chien released a dossier on the first computer threat used as a cyber-weapon, the Stuxnet worm (2011). The payload exploited four unknown vulnerabilities, used compromised digital certificates, and injected hidden code into the control system, which caused serious damage to the Iranian nuclear program (Falliere, Murchu, & Chien, 2011). In a trusted network environment such as the DoDIN, the weakest link is an IT vulnerability, and that vulnerability is a shared risk to all DoDIN systems (National Institute of Standards and Technology [NIST], 2012). The United States military's reliance on IT, and the size of the DoD's IT footprint around the globe, make an attractive target for adversaries to attack with malicious code (DoD, 2011).

DoD Information Security Standards

DITSCAP was the first program to implement a C&A process to evaluate a system before it was operational and connected to a DoD network. The designated approving authority (DAA), also known as the accreditor, was a senior operational commander with the authority and ability to evaluate the system operations in view of the security risks (DoD, 1997). In 2007, DISA transitioned to the DIACAP to comply with the Federal Information Security Management Act (FISMA). Each service rolled up the certification and authorization process to the general officer level to standardize the certification and accreditation process (DoD, 2007). The DoD started transitioning to the RMF in 2014 to align with commercially accepted standards and make it easier for defense contractors to meet information security requirements (DoD, 2014).

DITSCAP. The DoD's goal for DITSCAP is to implement policy, assign responsibilities, and prescribe procedures for the C&A of all IT systems in the DoD. The process stresses the importance of a life-cycle management approach to C&A and establishes a DoD standard infrastructure-centric approach that protects and secures the global information grid (GIG) (DoD, 1997). There are four phases to the DITSCAP: Definition, Verification, Validation, and Post Accreditation; see Figure 2 below. Phase 1 documents the system mission, environment, architecture, and threats. The result of this phase is a documented DoD agreement with all parties involved in the process on the security requirements for the system. Phase 2 includes activities to verify compliance with the documented agreement from Phase 1 and to evaluate vulnerabilities. Phase 3 evaluates the system to validate that it operates with an acceptable level of risk. Phase 3 is complete when the system receives an ATO and connects to the DoD network. Phase 4 includes activities to monitor system management and operation to ensure an acceptable level of risk through security management, change management, and periodic compliance reviews (DoD, 1997).

Figure 2. DITSCAP Phases (DoD, 1997, p. 17, para. 1)

FISMA. President George W. Bush signed FISMA in 2002, establishing security and annual reporting requirements for United States government IT systems. FISMA is a risk-based policy for cost-effective security and is the overarching guidance for maintaining IT systems. The act mandates the C&A of IT systems, annual tests of security controls, annual tests of continuity of operations, and annual cybersecurity awareness training for all personnel. All federal agencies and the DoD report metrics to the Office of Management and Budget (OMB) to measure compliance with the act at the end of the fiscal year (Office of Management and Budget [OMB], 2015).

DIACAP. In 2007, DISA updated DITSCAP to DIACAP to meet new FISMA security requirements and to protect the GIG. Each service had provided network services at the lowest level, normally at the installation. For fiscal reasons, the services started regionalizing assets for network-centric operations and to meet joint interoperability requirements. DISA, not a DoD component, controls the C&A process, sets the standards for an ATO, and determines whether the system can operate. The designated approving authority moved from the local installation to a senior regional commander. As shown in Figure 3, DIACAP consists of five phases: Initiate and Plan IA C&A; Implement and Validate Assigned IA Controls; Make Certification Determination and Accreditation Decisions; Maintain Authorization to Operate and Conduct Reviews; and Decommission, Validation, and Post Accreditation (DoD, 2007). In Phase 1, the system owner registers the system with the DoD component IA program, assigns IA controls, assembles a DIACAP team, and initiates a DIACAP implementation plan (DIP). In Phase 2, the DIACAP team executes the DIP, conducts validation activities, prepares a plan of action and milestones, and compiles the validation results. In Phase 3, the DAA reviews all artifacts from Phases 1 and 2 to make a certification determination and issues an ATO if the system operates at an acceptable level of risk. In Phase 4, the DIACAP team maintains situational awareness, maintains the IA posture of the system, conducts periodic reviews for compliance, and initiates re-accreditation packages before the ATO expires or if there are significant changes to the system that introduce new risk. In the last phase, the DIACAP team submits the required artifacts to the DAA to retire the system (DoD, 2007).
Figure 3. DIACAP Phases (DoD, 2007, p. 13, para. 1)

RMF. In March 2014, the DoD released an instruction on the Risk Management Framework (RMF) for DoD Information Technology. The RMF replaces DIACAP and incorporates NIST standards to align the DoD and federal agencies under the same policy and guidance. The risk values low, moderate, and high replace mission assurance category (MAC) Levels 1, 2, and 3. In DIACAP, the mission and the type of information the system processes determine the MAC level (DoD, 2014). The DoD can reduce the amount of time to deliver a system to the warfighter by leveraging reciprocity. The DoD defines reciprocity as a "mutual agreement among participating enterprises to accept each other's security assessments in order to reuse IS resources and/or accept each other's assessed security posture in order to share information" (2009, p. 1, para. 3). According to Jeremy Galliani, systems engineer for Degue Technologies, the average time to complete the DIACAP can be around 6 months (2010). For the C&A process, DoD components and the federal government can share ATOs under reciprocity. If an organization has an ATO, other organizations can share the artifacts in the C&A repository without duplicating the work. System administrators have to provide current Security Content Automation Protocol and Assured Compliance Assessment Solution scans to verify that the system meets the security controls. Reciprocity can also save money, time, and labor for the DoD and the federal government (DoD, 2014).

Deploying systems with valid authorizations from a DoD organization or other federal agency under reciprocity must still meet certain requirements before the system connects to the DoDIN. The C&A team for the system must coordinate with the approving organization and complete the required assessments and analysis. The organization that approved the system must provide a complete security authorization package to the C&A team so it can determine the security impact of the system. The C&A team evaluates the risk of the system and documents an agreement with the approving organization if the risk is acceptable. If the risk is unacceptable, the receiving organization can refuse deployment of the system. DISA recommends resolving any disputes over fielding the system at the lowest level possible (DoD, 2014).

The DoD and the federal government can use the DISA approved products list (APL) and the RMF's alignment with the acquisition process as best practices for reciprocity. DISA maintains the APL as a single consolidated DoD list of products that meet joint interoperability standards and information assurance certification. The DoD can purchase systems from the APL and operate them on the DoDIN without further testing and evaluation (Defense Information Systems Agency [DISA], n.d.). The APL is the only listing of equipment that the DoD can field on DoD networks without going through DIACAP or the RMF for an ATO. DISA recommends consulting the APL prior to purchasing a system or product. If the APL does not meet an organization's needs, the organization must follow DIACAP or the RMF to obtain an ATO before connecting to the DoDIN (DISA, n.d.).

The Joint Interoperability Test Command (JITC) field element provides DoD test services to meet DIACAP and RMF security requirements through three unique roles: joint interoperability certifier, operational test center, and warfighter and coalition interoperability support (DISA, n.d.). The JITC is the only agency that certifies that a system meets joint interoperability requirements for the warfighter. As an operational test agency, JITC evaluates a system to determine its operational impact on mission accomplishment (DISA, n.d.). The JITC also works closely with the warfighter during exercises and contingency operations to provide coalition interoperability support. The JITC evaluates systems for vulnerabilities and provides solutions to mitigate the risk (DISA, n.d.).

The RMF is designed to align with the DoD's acquisition management system activities. Security should be embedded as early as possible in the DoD acquisition process to decrease cost and develop a secure system. All DoD components should apply the RMF to meet C&A requirements in all DoD IT purchases. Aligning the RMF and the acquisition process will allow system owners and the C&A team to mitigate threats during the development cycle. The synergy gained will improve the security posture of the system during testing and evaluation. Figure 4 illustrates the alignment of RMF steps to the acquisition life cycle (DoD, 2014). Navy financial management analysts Amira Tann and Danny Chae discuss the benefits of applying the RMF during the acquisition process (2015). The system owner meets the security controls for the RMF and ensures that systems meet financial audit readiness standards under a single framework. Audits for cybersecurity and financial requirements will ensure that system owners meet the confidentiality, availability, and integrity requirements for data in one process (Tann & Chae, 2015).

Figure 4. RMF and Acquisition System Activities (DoD, 2014, p. 39, para. 1)

The DoD can manage risk at acceptable levels with the information security tools described in the vulnerability management section. System administrators can scan and patch known vulnerabilities and report the results as required by the RMF (DoD, 2014). Maintaining systems with the RMF will also provide information to OMB for the annual FISMA report (OMB, 2014). Networked systems that use CMRS will not have to submit for a new ATO after three years if the system administrators maintain the system at an acceptable level of risk for the DA, saving system owners time and labor on reaccreditation (DoD, 2014).

The RMF has six steps: Categorize, Select, Implement, Assess, Authorize, and Monitor. Figure 5 shows the steps and the activities within each step. In the first step, the system owner and information security officer analyze the information system and the data the system processes, stores, and transmits to determine the category. In step two, the C&A team selects security controls for the information system based on the system category. The third step implements the selected security controls to prepare for assessment. The C&A team then scans and tests the information system to verify security control implementation. The approving official reviews the artifacts and the results from security testing to determine whether the risk is acceptable for authorization. In the last step, the C&A team monitors the health of the system by scanning for vulnerabilities and reviewing security guidelines. Vulnerability management is a critical part of monitoring security controls and maintaining an authorization to operate (NIST, 2014).

Figure 5. RMF Process (DoD, 2014, p. 28, para. 1)

Vulnerability management. "Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" (Foreman, 2009, "Introduction to Vulnerability Management," para. 1). In Park Foreman's book, Vulnerability Management, he discusses how vital vulnerability management is to harden defenses and identify weaknesses in systems, processes, and strategies in all organizations. System administrators cannot eliminate all risk with a vulnerability management system, but they can reduce or mitigate risk to make it harder for an adversary to exploit a system (Foreman, 2009). After weak and stolen credentials, the second most common cause of a data breach is the lack of a good vulnerability management system. Application vulnerabilities accounted for 44% of the cyber incidents investigated by Verizon in 2012 (DARK Reading, 2013). DISA publishes security technical information guides (STIGs) and Information Assurance Vulnerability Management (IAVM) patches as part of the DoD's vulnerability management system. The STIGs and IAVM patches notify system owners and IT professionals of known vulnerabilities, with corrective actions to mitigate the risk. DISA and Cyber Command work together to provide fix actions for known vulnerabilities to DoD IT managers so they can maintain an authorization to operate. The DoD uses the following tools to meet FISMA and Cyber Command IAVM policies: STIGs, Gold Disk, Security Content Automation Protocol (SCAP), IAVM, Retina, Assured Compliance Assessment Solution (ACAS), Vulnerability Remediation Asset Manager (VRAM), Vulnerability Management System (VMS), and the Enterprise Mission Assurance Support Service (eMASS). The main difference between a STIG and an IAVM patch is that a STIG modifies system configuration settings, while IAVM patches fix known operating system and application vulnerabilities (DISA, 2015).

Security Technical Information Guides (STIGs). STIGs are the configuration standards for all DoD IT devices. Since 1998, DISA has provided STIGs to improve the security posture of DoD networks and devices. The STIGs contain technical guidance to prevent adversaries from attacking known vulnerabilities in operating system, network device, and application configurations (DISA, 2015). In 2015, DISA has over 400 STIGs to configure operating systems, network devices, and applications. The automated STIG tools DISA recommends are Gold Disk and SCAP. Automating STIG compliance reduces the amount of work and time required for manual checks and provides a view of IT system compliance (Byrne, 2015). DISA published STIG content in PDF documents and XML files; the XML files replaced the PDF documents so that STIG content can easily populate a spreadsheet or database. STIGs are available as a downloadable ZIP file on the DISA website. DISA STIGs and validation tools are available at https://iase.disa.mil (Farrish, n.d.).

Gold Disk. Gold Disk was the method of choice for DoD compliance validation on Windows systems. Gold Disk contains a powerful scan engine with recommended settings for Windows devices and a reporting mechanism for C&A documentation review (Farrish, n.d.). Gold Disk is a system administrator tool that scans a system for vulnerabilities and automates the system configuration to meet DISA STIGs. The system administrator manually runs a scan on each individual system from a disk. The DISA Gold Disk project terminated in December 2012. The last updated version of the tool was released in October 2012, when the DoD transitioned to assessing STIG compliance with SCAP (DISA, 2012).

Security Content Automation Protocol (SCAP). SCAP is a collection of best practices from the security automation community for compliance standards, remediation actions, and network monitoring (NIST, 2014). The SCAP tool scans Unix and Windows information systems and provides a vulnerability report with suggested mitigation actions to the system administrator. The report lists vulnerabilities in the operating system and application configurations. The system administrator mitigates the vulnerabilities by changing settings in the registry or computer security policies. The SCAP report is an artifact required in the C&A documentation for the validator overseeing the authorization of a system. The current list of SCAP content and tools is located on the DISA website (DISA, n.d.).

Information Assurance Vulnerability Management (IAVM) patches. Cyber Command reviews the patches and fix actions published by vendors for the DoD and issues an information assurance vulnerability alert (IAVA) or an information assurance vulnerability bulletin (IAVB). An IAVA addresses severe network vulnerabilities that result in immediate and potentially severe threats to information systems. IAVAs are high priority due to the severity of the vulnerability risk and normally have a suspense of two weeks. An IAVB addresses new vulnerabilities that do not pose an immediate risk to information systems. IAVBs are significant enough that noncompliance could escalate the risk, and the bulletin is normally due a month from notification. Organizational information systems security officers (ISSOs) are responsible for monitoring IAVM notifications and must acknowledge receipt or select "not applicable" when the alert or bulletin posts in VRAM or VMS. ISSOs notify the system administrator to implement applicable alerts and bulletins for the system. The system administrator tests the corrective action before implementing it on all systems. After all alerts and bulletins are complete, the system administrator uses ACAS to verify the patches, and the ISSO updates VRAM or VMS, notifying the DoD component and Cyber Command of completion (Department of Navy, 2005).

Retina. Oliver Kaven, an editor for PC Magazine, stated, "the scanner module is one of the best we have seen, in terms of both speed and accuracy" (Kaven, 2003, "The scanner module is," para. 6).
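As an added illustration of the STIG XML content and SCAP result artifacts discussed in the STIG and SCAP sections above (example code written for this page, not DISA's or NIST's tooling), the following Python script flattens a constructed XCCDF benchmark into spreadsheet-ready rows and scores a constructed scan result by DISA severity category, listing the open CAT I findings a validator would have to resolve before authorization. The element layout follows the XCCDF 1.1 schema that STIG benchmarks use; the V-/SV- identifiers, rule titles, and scan results are constructed placeholders, not real STIG rules.

```python
# Added example for this page, not DISA or NIST code: flatten STIG XCCDF content into
# spreadsheet rows and score a SCAP-style scan result by DISA category. The XML follows the
# XCCDF 1.1 layout used by STIGs; the V-/SV- ids and titles are constructed placeholders.
import csv
import io
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA reports findings as CAT I (high), CAT II (medium), CAT III (low).
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# XCCDF rule-result values that close a finding versus ones that leave it unreviewed.
CLOSED = {"pass", "fixed", "notapplicable"}
UNREVIEWED = {"notchecked", "notselected", "unknown", "informational"}

# Constructed benchmark: each Group (V- id) wraps one Rule (SV- id) with a severity.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_OS_STIG">
  <Group id="V-100001"><Rule id="SV-100001r1_rule" severity="high">
    <version>EX-OS-000001</version>
    <title>Accounts must lock after three failed logon attempts.</title>
  </Rule></Group>
  <Group id="V-100002"><Rule id="SV-100002r1_rule" severity="medium">
    <version>EX-OS-000002</version>
    <title>Audit logging must be enabled.</title>
  </Rule></Group>
  <Group id="V-100003"><Rule id="SV-100003r1_rule" severity="low">
    <version>EX-OS-000003</version>
    <title>The DoD logon banner must be displayed.</title>
  </Rule></Group>
</Benchmark>
"""
# Constructed scan result: the CAT I rule failed, CAT II passed, CAT III was never checked.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-result">
  <rule-result idref="SV-100001r1_rule"><result>fail</result></rule-result>
  <rule-result idref="SV-100002r1_rule"><result>pass</result></rule-result>
</TestResult>
"""


def parse_benchmark(xml_text):
    """Return one flat dict per STIG rule, ready for a spreadsheet or database row."""
    rows = []
    for group in ET.fromstring(xml_text).findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:
            continue
        severity = rule.get("severity", "medium").lower()
        rows.append({
            "vuln_id": group.get("id"),
            "rule_id": rule.get("id"),
            "stig_id": rule.findtext("x:version", default="", namespaces=NS).strip(),
            "severity": severity,
            "category": CATEGORY.get(severity, "CAT II"),
            "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
        })
    return rows


def parse_results(xml_text):
    """Map each rule id in an XCCDF TestResult to its reported result string."""
    root = ET.fromstring(xml_text)
    return {
        rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        for rr in root.findall("x:rule-result", NS)
    }


def status_of(rule, results):
    """Classify a rule as 'open', 'closed', or 'not_reviewed' from the scan result."""
    result = results.get(rule["rule_id"])
    if result is None or result in UNREVIEWED:
        return "not_reviewed"
    return "closed" if result in CLOSED else "open"


def score_compliance(rules, results):
    """Count findings per category and list the open CAT I vulnerability ids."""
    summary = {cat: {"open": 0, "closed": 0, "not_reviewed": 0} for cat in CATEGORY.values()}
    open_cat1 = []
    for rule in rules:
        status = status_of(rule, results)
        summary[rule["category"]][status] += 1
        if status == "open" and rule["category"] == "CAT I":
            open_cat1.append(rule["vuln_id"])
    return summary, open_cat1


def to_csv(rules, results):
    """Render the flattened rules plus scan status as CSV text for a checklist spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Vuln ID", "Rule ID", "STIG ID", "Category", "Status", "Title"])
    for rule in rules:
        writer.writerow([rule["vuln_id"], rule["rule_id"], rule["stig_id"],
                         rule["category"], status_of(rule, results), rule["title"]])
    return buf.getvalue()


if __name__ == "__main__":
    rules = parse_benchmark(SAMPLE_BENCHMARK)
    results = parse_results(SAMPLE_RESULTS)
    print(to_csv(rules, results))
    print(score_compliance(rules, results))
```

Pointing `parse_benchmark` at an unzipped DISA STIG XCCDF file and `parse_results` at a SCAP tool's result file gives the same per-category view on real content; the unreviewed CAT III row shows why a scan that silently skips rules must not be read as compliance.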
eEye Digital Security's Retina Network Security Scanner is available for Unix and Windows platforms to check compliance for software, patches, and registry entries (Kaven, 2003). Retina was DISA's network security scanner of choice to analyze information systems for IA compliance from 2004 (Vigil, 2009). Cyber Command issued a task order to install ACAS for IAVM in fiscal year 2013 (DISA, n.d.).

Assured Compliance Assessment Solution (ACAS). ACAS is an integrated software solution that replaced the Retina Network Security Scanner. ACAS is scalable to any network, including a network-centric environment reaching out to other locations. There are five components to ACAS: the security center, Nessus, the X-tool, the 3D tool, and the passive vulnerability scanner (PVS). The security center automates and quickly scales the vulnerability and compliance infrastructure. The security center also produces the required monthly reports from scans and assessments. Nessus is the scanning tool that checks the vulnerability plugins selected by the system administrator. The scanning tool can operate in Windows and Unix environments. The X-tool allows the user to convert reports into different formats and is easy to customize to meet DoD reporting requirements. The 3D tool produces network and protocol maps, communication paths, and vulnerability maps based on the Nessus scans. PVS continuously monitors network traffic and sends alerts to the security center when it finds vulnerabilities. PVS also looks for new systems and applications and alerts the security center if they are not compliant (DISA, n.d.).

Vulnerability Remediation Asset Manager (VRAM). SPAWAR developed VRAM, a web portal, to assist the Navy fleet with IAVM. An information security team evaluates IAV compliance, password policy, and various security checks on a ship's systems. System administrators upload the results to VRAM for evaluation. Each ship must complete a baseline assessment every 24 months or within 60 days following a systems upgrade or major configuration change to the network. System administrators scan and patch systems monthly to ensure that all IA vulnerabilities are addressed in accordance with Cyber Command alerts and bulletins (Vigil, 2009). For shore-based systems, the approved repository is the DISA Vulnerability Management System (VMS) (Department of the Navy, 2013).

Vulnerability Management System (VMS). VMS is the current standard for DoD IT systems to upload completed scans to identify security vulnerabilities and track known issues through the life cycle of the system. The C&A team monitors VMS to ensure the system operates under an acceptable risk level. If the system administrator cannot apply a patch to the vulnerability, the system administrator documents the risk in the C&A artifacts for the DAA's situational awareness. If the C&A team determines the risk is unacceptable, the DAA could issue an order to disconnect the system. The C&A team also uses VMS in the C&A process to evaluate the system for an ATO (Mell & Inverso, 2008).

Continuous Monitoring and Risk Scoring (CMRS). CMRS is a web-based system that provides DoD security compliance reports for software inventory, antivirus configuration, STIGs, and IAVM. The CMRS risk dashboard receives data from ACAS and host based security systems (HBSS). The CMRS dashboard also provides an automated tool to publish required FISMA reports (DISA, n.d.). FISMA requires a continuous monitoring tool to evaluate and report the health of the DoDIN. Cybersecurity professionals can monitor DoD assets and notify decision makers if the security posture of an asset is operating at an unacceptable risk level (FISMA, 2002).

Enterprise Mission Assurance Support Service (eMASS). eMASS is a government-owned, commercial off-the-shelf based solution that automates life cycle risk management for an information system. eMASS is the DoD recommended tool and repository for C&A artifacts for all information systems. eMASS automates the C&A process from registering a system to decommissioning it at the end of the life cycle (DISA, n.d.). The C&A team uploads all required artifacts in accordance with DIACAP or the RMF. Information security professionals manage security controls based on the information sensitivity level and mission impact of the system. eMASS manages workflow among user roles by notifying the next individual in the process that action is required on a specific item. eMASS also generates a variety of reports required by DIACAP, the RMF, and FISMA to accredit a system and maintain an authority to operate (DISA, n.d.).

DIACAP vs. RMF. Ben Tchoubineh, CEO of Phoenix TS Information Technology, highlights the 10 major improvements in moving from DIACAP to the RMF: certification and accreditation (C&A) becomes assess and authorize (A&A); new roles in the A&A process; stronger integration with the system development life cycle (SDLC); a renewed focus on reciprocity; continuous FISMA reporting; a common lexicon; improved system categorization; one standard process; continuous monitoring and authorization; and a standard control set (2013). The new nomenclature for an ATO under the RMF aligns with the actual role of the approving official: the approving official authorizes a system and does not accredit it. The validator assesses the risk, and the approving official authorizes the operation of the system. The new roles in the RMF align with a NIST publication to transition the DoD and the federal government to the same standards (Tchoubineh, 2013). The RMF also integrates security into the development of the system so that it is not an afterthought. Stronger integration strengthens security when the system owner builds security into the system development life cycle (Tchoubineh, 2013). The RMF also renews the focus on reciprocity. As covered earlier, reciprocity can save time, money, and labor by using existing documentation for systems that hold an ATO under the same security standards. All federal agencies and the DoD can utilize this information to field a system or application more quickly. ACAS and CMRS will allow continuous monitoring and authorization to meet FISMA standards (Tchoubineh, 2013). If system administrators maintain the health of a system, there is no need to reaccredit the system under the RMF. The authorization continues until the health of the system is no longer sustainable because it reaches the end of the SDLC, or until the system operates at an unacceptable risk level. The RMF uses NIST security control standards for the federal government and the DoD. The DoD published a conversion chart to match the DIACAP security controls to the RMF security controls (Tchoubineh, 2013).

Glen Taylor is the Vice President of Technology, Architecture and Security, Parks and Resorts, for the Walt Disney Company (2010). Taylor championed the adoption of ITIL for the company to integrate service management with ITIL best practices (Taylor, 2010). "It means we have to ensure that widespread change does not result in incidents; that we are sure-footed and confident with our release management and new capabilities" (Taylor, 2010, Disney's ITIL Journey, para. 3). Employee buy-in to the process is essential to meeting the organization's strategy and goals (Taylor, 2010). All government personnel are required to complete initial and annual cyber awareness training to meet FISMA requirements (2002). The DoD and the federal government can secure the network with every best practice and all known patches but will still come up short if users neglect to follow instructions and learn from training. John McAfee declares the death of antivirus because vendors can provide software for protection but cannot stop users from clicking on malicious links or inserting an unknown thumb drive (2015). Social engineering is 75% of a hacker's toolkit (McAfee, 2015).
  • 31. 25 Discussion of Findings The purpose of this research was to evaluate the certification and accreditation process for the Department of Defense (DoD) to determine if it is adequately identifying system vulnerabilities to meet military information technology (IT) requirements. The three main questions asked were; How could the implementation of RMF reduce the amount of time to deliver a system to the warfighter? What best practices can DoD and the government rely upon to implement reciprocity? How can DoD ensure the RMF will manage risk at acceptable levels to meet mission requirements? The research found no white papers or previously published research papers on the RMF to answer the research questions. The analyst reviewed government directives and articles from professional analysts in IT, business, crime, and finance. The DISA plans on full implementation of the RMF in 2017. The RMF needs further research after full implementation to evaluate how DoD implements reciprocity and if aligning the RMF with IT industry best practices reduces the time to provide the warfighter an information system with acceptable risk. There are studies on the DITSCAP and DIACAP but with the changes to industry best practices, it is not practical to make comparisons to the RMF at this stage. The DoD transitioned to the RMF in 2014. The RMF is a new process and Farrish is correct – it will take time for all participants in the SDLC to learn. Evaluating the transition period for the time it takes to deliver a system to the warfighter is not obtainable at this time. According to Galliani the average time to complete the DIACAP can take around 6 months. Personal experience and knowledge indicates the DIACAP can take 6 to18 months depending on the complexity of the system.
System owners and supporting IT staff need time to become familiar with the RMF documentation available through NIST. All personnel need time to understand the organizational impact on roles and responsibilities. However, if the DoD can find a way to leverage reciprocity quickly, the RMF process can save time, money, and labor. One recommendation is creating a web-based tool, similar to the DISA APL, that potential system owners can search to find approved DoD and federal products that will meet mission requirements and DoD security standards (DISA, n.d.). The DISA APL is a great example of how this can improve the time to deploy a system with an existing ATO. The DoD components can share documentation for testing and evaluation and reduce time and labor considerably for the receiving unit. The C&A team can take the ATO and apply the established security controls to the system. After all the controls are in place, the system administrators can scan the system with SCAP and ACAS to show their respective AO the amount of risk the system poses to the mission.

The easiest way for DoD and the federal government to save money, time, and labor is to implement a tool to share all ATOs in both organizations. The DoD and federal government should use a website similar to the DISA APL as a best practice for reciprocity. The DoD and federal government are wasting time, money, and labor by not establishing a tool to share ATOs. In the analyst’s opinion, the DoD and federal government should place the greatest emphasis on providing a tool for reciprocity under the new RMF. With the number of systems both agencies rely on, this is the quickest solution to start saving money and reducing time for a system owner who is trying to meet a mission requirement for a commander. If an organization has an ATO, other organizations can share the artifacts in the C&A repository without duplicating the work. System administrators have to provide current SCAP and ACAS scans to verify the system meets the security controls. Reciprocity will save money, time, and labor for the DoD and the federal government.

The RMF incorporates NIST standards that are industry best practices. Attacking in the cyber domain is an inexpensive and efficient way for adversaries to impose their political will on the United States. The DISA is on its third program to secure information systems to ensure the confidentiality, integrity, and availability of military information. The RMF makes significant progress by providing the same standards for DoD, the federal government, and civilian organizations. The analyst agrees with Tchoubineh on the 10 major improvements in moving from DIACAP to RMF to improve the certification and accreditation process to meet FISMA reporting requirements. Aligning the RMF with NIST standards and providing one process for all government agencies is a significant move to streamline information security standards in all organizations. If DoD and the federal government follow the RMF directives, information system security will improve on the DoDIN.

The DoD spent approximately 36 billion dollars on IT in fiscal year 2015. As Sternstein reported, only half a billion of that is allocated to manage the security of 7 million IT devices with a cyber force that is growing to 6,200 personnel. The funding and labor seem inadequate for 6,200 personnel to manage 7 million devices across the globe. Rogers said in his statement to the House Committee in March 2015 that there are approximately 1,100 people serving at Cyber Command. According to those numbers, Cyber Command is less than 20 percent manned. Additionally, the size of the DoDIN, with 15,000 networks, makes it a challenge to enforce standards. The span of control is significantly large, even with allowing each DoD component to have an approving official (AO), formerly known as the DAA.

As Morgan reminded, Adolf Hitler commanded over 7 million members and 300 divisions during World War II. From an organizational perspective, it was a difficult task to maintain orders to his tactical commanders. The DISA has a similar issue with enforcing information security standards down to the lowest ranks of the military. There is a huge gap between the strategic and tactical commanders. Tactical commanders are busy with daily tasks to meet mission requirements. Strategic leaders have the luxury of looking ahead and creating policy to steer units in the right direction. The strategic commanders are not at the lowest level, where they would understand the labor and fiscal constraints of supporting a bureaucratic system of vulnerability scans and a plethora of information on a system configuration without personnel trained in the system development life cycle. The tactical commander’s main concern is completing the mission. Commanders at the tactical level have not embraced the cyber domain enough to understand what effects it can have on completing a mission. Rogers stated, “Cyber is now a central part of their ability to execute their mission. It is commander’s business. A successful intrusion, or severance of connectivity, can result in a direct and immediate impact to successful mission accomplishment” (2015, p. 5, para. 3). All military personnel should understand the significance of the cyber domain, as it is the ultimate defensible point and can cause direct effects in air, land, sea, and space.

The first of two recommendations to deal with a large span of control is implementing a program to rank systems from the least to the highest amount of risk. The higher the risk a system presents, the higher up the chain of command the approval to operate should be. Additionally, AOs should consider the number of components using the same system during the ranking process.
For example, a system could represent a medium risk, but due to the large footprint it presents on the DoDIN, the system is a higher risk because there is a greater chance of adversaries attacking it. The second recommendation is to have lower echelons in the command approve low risk systems, especially systems that do not connect to a network or Internet service provider. These systems are isolated, and the only real threat besides natural disasters is the insider threat.

The United States Air Force uses a module within the Theater Battle Management Core System to prioritize target nominations from each DoD component. That module would make a great model for prioritizing information systems in the RMF. An information system would take the place of a target, and DoD components would assign a risk value to the information system using the RMF. As stated above in the discussion of findings, the upper echelons evaluate the higher risk systems and the lower echelons evaluate the lower risk systems. Dividing the responsibility among different levels spreads the workload to other agencies and reduces the span of control that results from all systems falling under a few AOs. DoD components can use the module to champion a system and spread the evaluation of systems throughout DoD. After the program matures, DoD can add the federal government and further the synergy of evaluating systems, which prevents duplication of effort in approving a system. The ATOs evaluated by this system could be added to a website, like the DISA APL, for the federal government and DoD to leverage reciprocity.

This research culminated in the development of a local policy based on the RMF and the DIACAP for low risk systems. The policy formalizes IA controls for low risk systems that do not connect to the DoDIN. The instruction covers systems that currently have no certification and accreditation but are operational to meet a Navy mission requirement. The system owner, installation information systems security officer, and installation IT director discuss the feasibility of a system entering this process versus the DIACAP. A program office must sponsor the system to cover fiscal responsibility for the system development life cycle, and the IT director must agree to maintain the IA security controls.
The information system cannot process classified information, connect to a network, extend beyond the installation boundaries, or process personally identifiable information. The regional IT director convenes a configuration control board to approve the operation of the information system under local policy. System owners use the region SharePoint site to input system information and monitor the IA posture to meet federal and DoD directives. Appendix 1 is a draft copy of the policy, and the security control checklist for the instruction is Appendix 2. The security control checklist includes the DISA STIGs and the DIACAP security controls for Microsoft Windows 7 Enterprise edition.

The DoD can ensure the RMF will manage risk at acceptable levels to meet mission requirements by following the new DoD instruction on the RMF and the industry best practices incorporated into NIST special publications. Additionally, C&A teams using the vulnerability tools recommended by DISA will ensure an information system is meeting information security standards in accordance with the RMF. However, the biggest concern discovered during research is the lack of training in several areas. One of the areas is training on the vulnerability tools recommended by DISA. In the past decade, government organizations implemented computer-based training from the user level all the way to the AO. Computer-based training is a great tool for individuals to gain basic knowledge of a tool, but personnel need more training on the job or in a classroom to apply the skills in the work center. The ACAS is a good example: 32 hours of computer-based training meets knowledge-level requirements but is insufficient when it comes to training key personnel on how to use the system. The ACAS product suite does not easily provide the required automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, and network discovery. The ACAS suite is a very difficult system to work with compared to Retina. Additionally, like most products today, the ACAS is focused on networks and does not account for standalone systems.

The greatest challenge in implementing the RMF is training all stakeholders in the process. All personnel involved in the process need training on the overview of the RMF and on their individual responsibilities based on the role they play in the process. The DoD implemented the RMF instruction in 2014. The RMF instruction is only a year old, and it will take time for the stakeholders to understand the new process and learn their new roles (Farrish, 2012). Management support and proper funding for training will help DoD personnel in the SDLC buy in to the new RMF process (Farrish, 2012). A great example DoD can use as a model is the Walt Disney ITIL implementation case study. Taylor championed the adoption of ITIL for Walt Disney to integrate service management with ITIL best practices (Taylor, 2010). DoD and the federal government should review Disney’s ITIL Journey as an example for implementing the RMF and gaining employee support for the new process. Employee buy-in to the process is essential in meeting the requirements of the information security directives to secure the DoDIN.

The DoD Directive 8570.01-M outlines the requirements for the cybersecurity workforce. The directive establishes the minimum requirements for IA technical and management levels (DoD, 2012). However, the directive should require IA personnel to complete job qualification standards based on their technical or management level. The job qualification standards should list objectives and the level of skill required (knowledge, comprehension, and application) for each task. A certificate proves an individual has knowledge of the principles of the subject. A job qualification standard will ensure IA personnel know how to apply the principles and will give managers the information they need to recommend personnel for a promotion to the next level in the IA field. IA management can use the job qualification standard to certify personnel on the vulnerability management tools recommended by the DISA. Additionally, current security governance should be included at each level with the same criteria of knowledge, comprehension, and application. A job qualification standard with a certification will improve the CSWF and the security posture of the DoDIN.

Future Research Recommendations

Cleaner Code

Hautala stated that approximately 80 to 90 percent of the code in software applications comes from third parties. The poor code is used and passed on to new programs, which exponentially increases the problem in applications. How can the DoD and federal government ensure vendors are not passing this poor code to the DoDIN and federal networks? What incentives can the government provide to vendors for software assurance? A recommended starting point is researching the companies Veracode and Sonatype. Sonatype reviewed the third-party code for the Healthcare.gov website and noticed the software contained vulnerabilities. Bill H.R. 5793 proposed a fix for third-party software sold to the government but never came to a vote.

Improved Cyber Awareness Training

The DoD and government personnel are always a target for a cyber threat. Computer users only receive two hours of computer-based training annually to meet FISMA requirements. In contrast to the time spent training on computers, chemical warfare, a much less likely threat, requires military personnel to spend up to 80 hours a year in training for a danger the United States has not seen since World War II. How can the DoD and federal government improve cyber awareness training for users? How can the DoD and federal government prepare for an EMP type of event that takes out all IT devices?
The Human Element

The DoD and the federal government can secure the network with every best practice and all known patches but will still come up short if users are not trained or do not pay attention to cyber awareness training. John McAfee stated that 75% of a hacker’s toolkit is social engineering (2015). Antivirus can only protect computer users from known vulnerabilities, and only if computer users avoid malicious websites and attachments from unknown sources. Government computer users receive annual cyber awareness training on authorized usage of the government network, and computer users still fail to comply with the rules. Information systems security personnel handle cyber incidents daily for government personnel plugging in an unauthorized USB device. How can the DoD and the federal government protect the DoDIN from the human element?

Conclusion

How safe is the DoDIN and the specialized systems and applications developed for the warfighter? Cybersecurity incidents are steadily on the rise, and the World Wide Web has opened a new target vector for terrorists, hacktivists, and state-sponsored actors. The Federal Information Security Management Act Annual Report listed over 640,000 cyber incidents for fiscal year 2014. The cost to the defense sector was almost 22 million dollars in damage. On June 5, 2015, Liptak, Schleifer, and Sciutto reported that hackers attacked the United States government and over four million personnel files were compromised. The purpose of this research was to evaluate the certification and accreditation process for the DoD to determine if it is adequately identifying system vulnerabilities to meet military IT requirements. As the reliance on IT increases in people’s lives and in the defense of the United States, the opportunities for criminals and hackers increase. The following examples are attacks against military networks from 2010 to 2015. Shachtman references a quote from Deputy Defense Secretary William Lynn that the worm entered the military’s systems “when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East…” (2010, p. 1, para. 2). The malware on the drive spread to both the classified and unclassified networks and led to the ban of USB drives in DoD because of the risk they present to information security. Kim stated, in reference to the North Korean cyber force, “…if the computer system controlling the nuclear reactor was compromised, the consequences could be unimaginably severe and cause extensive casualties” (Lee & Kwek, 2015, Stuxnet clone, para. 4). The cyber domain is today’s ultimate high ground – and the war is on for control.

The DoD spent approximately 36 billion dollars on IT in fiscal year 2015. Only half a billion of that is allocated to manage the security of 7 million IT devices with a cyber force that is growing to 6,200 personnel. The funding and labor seem inadequate for 6,200 personnel to manage 7 million devices across the globe, and with the number of personnel currently assigned to Cyber Command, the organization is under 20 percent manned. Additionally, the size of the DoDIN, with 15,000 networks, makes it a challenge to enforce information security standards. The span of control is significantly large for one organization to manage, even with allowing each DoD component to have an AO. The DISA, the DoD, and the federal government face challenging adversaries in protecting the United States from cyber incidents. The size of the organizations and the number of managed devices make it very difficult to secure all vulnerabilities. The RMF sets high standards based on industry best practices to evaluate systems for the risk they present to military operations and the governance of the nation. The DoD and federal government cannot eliminate risk with the RMF, but the risk can be reduced to acceptable levels for daily operations.
The RMF strongly encourages the DoD and the federal government to use reciprocity. Reciprocity can save the DoD and the federal government time, money, and labor. Every day that passes, the United States government is losing money because there is no tool to share ATOs between the DoD organizations and the federal government. Reciprocity has the ability to make a major impact on reducing the amount of risk on the DoDIN and federal government networks. Organizations can divide and conquer the workload as a team for approving information systems instead of working alone and duplicating effort on information systems that are the same. The DISA APL should be a benchmark for sharing ATOs. The DoD and federal government should share current ATOs with the DISA to publish on a searchable website.

The DoD and federal government can rank systems based on the amount of risk they present to operations. The higher the risk a system presents, the higher up the chain of command the approval to operate should be. The DoD and federal government should consider the number of organizations using the same system during the ranking process. For example, a system could represent a medium risk, but due to the large footprint it presents on the network, the system is a higher risk because there is a greater chance adversaries will attack it. The DoD and federal government should delegate lower risk systems to the lower echelons, especially systems that do not connect to a network or Internet service provider. These systems are isolated, and the only real threat besides natural disasters is the insider threat.

The DoD Directive 8570.01-M outlines the requirements for the cybersecurity workforce. The directive establishes the minimum requirements for IA technical and management levels. IA personnel are integral to risk and vulnerability management on the network. A basic certification is not enough for an IA professional to defend the cyber domain. IA professionals need to build their knowledge and skill set through job qualification standards. As personnel progress through the job qualification standards, managers should promote personnel to the next IA level. A certification is a good start to gaining knowledge in cybersecurity, but IA technicians and managers need to build a solid foundation to help secure information systems and train computer users on the enemy capabilities that users may encounter on the network.

The DISA is on its third program to secure information systems to ensure the confidentiality, integrity, and availability of military information. Aligning the RMF with the NIST standards and providing one process for all government agencies is a significant move to streamline information security standards in all organizations. The DISA and DoD made significant changes to information security practices by implementing the RMF in 2014. Are the changes to the RMF enough to face today’s challenges in countering state-sponsored actors, terrorists, and hacktivists? If DoD and the federal government follow the RMF directives and find a best practice to share ATOs under reciprocity, information system security will improve on the DoDIN and in the federal government.
References

Associated Press. (2013, April 28). Army Says No to More Tanks, but Congress Insists. Retrieved from http://www.foxnews.com/politics/2013/04/28/army-says-no-to-more-tanks-but-congress-insists/
Berman Associates, Incorporated. (2014). RMF in the Department of Defense (DoD). Retrieved July 11, 2015, from http://www.rmf.org/index.php/what-is-rmf/65-rmf-dod.html
Barnes, J., & Gorman, S. (2013, September 27). U.S. Says Iran Hacked Navy Computers. Retrieved from http://www.wsj.com/articles/SB10001424052702304526204579101602356751772
Bassham, L., & Polk, T. (1994, March 10). Threat Assessment of Malicious Code and Human Threats. Retrieved from http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html
Bradner, S. (2002, January 28). A Trustworthy Computer Company? Network World, 32.
Brewin, B. (1996, July 7). DISA moves NIPRNET to Sprint -- FCW. Retrieved from http://fcw.com/articles/1996/07/07/disa-moves-niprnet-to-sprint.aspx
Butler, B., & Gosler, J. (2015, March 9). Military Superiority in an Interconnected World. Retrieved from http://warontherocks.com/2015/03/strategic-imperatives-for-military-superiority-in-an-interconnected-world/?singlepage=1
Byrne, D. (2015, May 14). Beyond compliance: DISA STIGs' role in cybersecurity. Retrieved from http://gcn.com/articles/2015/05/14/disa-stig-compliance.aspx
Chavana, J. (2014, October 13). Airmen Train for ‘New Wild, Wild West’ in Cyber Domain. Retrieved from http://www.af.mil/News/ArticleDisplay/tabid/223/Article/503474/airmen-train-for-new-wild-wild-west-in-cyber-domain.aspx
Crawford, J. (2015, July 9). Army announces force reduction of 40,000 troops – CNNPolitics.com. Retrieved from http://www.cnn.com/2015/07/09/politics/army-announces-force-reduction-40000-troops/
DARK Reading. (2013, May 22). The Eight Most Common Causes Of Data Breaches. Retrieved from http://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/1139795
Department of Defense. (2011, July 1). Strategy for Operating in Cyberspace. Retrieved from http://www.defense.gov/news/d20110714cyber.pdf
Defense Information Systems Agency. (n.d.). APL Testing and Certification. Retrieved from http://www.disa.mil/network-services/ucco
Defense Information Systems Agency. (n.d.). Assured Compliance Assessment Solution (ACAS). Retrieved from http://www.disa.mil/Cybersecurity/Network-Defense/ACAS
Defense Information Systems Agency. (n.d.). Continuous Monitoring and Risk Scoring (CMRS). Retrieved from http://www.disa.mil/Cybersecurity/Analytics/CMRS
Defense Information Systems Agency. (2012, September 19). DISA Windows Gold Disk Program Phased Out. Retrieved from http://www.disa.mil/news/stories/2012/gold-disk
Defense Information Systems Agency. (n.d.). Enterprise Mission Assurance Support Service (eMASS). Retrieved from http://www.disa.mil/Cybersecurity/Certification-Accreditation/EMASS
Defense Information Systems Agency. (2015, May 21). Security Technical Implementation Guides (STIGs). Retrieved from http://iase.disa.mil/stigs/Pages/index.aspx
Defense Information Systems Agency. (n.d.). Testing/Interoperability Certification. Retrieved from http://www.disa.mil/Mission-Support/Testing/Testing-Interoperability-Certification
Department of Defense. (2009, July 23). DoD Information System Certification and Accreditation Reciprocity. Retrieved from https://aplits.disa.mil/docs/DOD_CA_Reciprocity_Memo.pdf
Department of the Navy. (2013, February 26). Commander’s Cyber Security and Information Assurance Handbook. Retrieved from https://www.cool.navy.mil/usn/ia_documents/5239_NCF_Cybersecurity_IA_HANDBOOK.pdf
DoD Directive 8570.01-M, Information Assurance Workforce Improvement Program. (2012, January 24). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP). (1997, December 30). Retrieved from http://csrc.nist.gov/groups/SMA/fasp/documents/c&a/DLABSP/i520040p.pdf
DoD Instruction 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP). (2007, November 28). Retrieved from http://www.public.navy.mil/spawar/PEOEIS/NEN/NGEN/Documents/CertificationandAccreditationProcess_rel.pdf
DoD Instruction 8510.01, Risk Management Framework for DoD Information Technology. (2014, March 12). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
Falliere, N., Murchu, L., & Chien, E. (2011, February 1). W32.Stuxnet Dossier. Retrieved from https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Farrish, K. (n.d.). DISA Revamps STIGS and Validation Tools. Retrieved from http://www.diacap.net/2102/march-2012/97-disa-revamps-stigs-and-validation-tools.html?src=proso.com
Farrish, K. (2012, March). Top 10 Reasons to Start Preparing for C&A Transformation. Retrieved from http://www.rmf.org/2102/march-2012
Fenlon, W. (2015, March 18). PC Build Guide: High-end Gaming PC. Retrieved from http://www.pcgamer.com/pc-build-guide-high-end-gaming-pc/
Foreman, P. (2009, January 1). Introduction to Vulnerability Management. Retrieved from http://www.infosectoday.com/Articles/Intro_Vulnerability_Management.htm
Galliani, J. (2010, November 9). Understanding the DIACAP Monster. Retrieved from http://www.seguetech.com/blog/2010/11/09/understanding-diacap-monster
Goldsborough, R. (2014, November 15). Loving Our Devices Too Much. Retrieved from http://www.infotoday.com/LinkUp/Loving-Our-Devices-Too-Much-100537.shtml
Grimes, J. (2012, January 24). DoD 8570.1M, Information Assurance Workforce Improvement Program. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
Hautala, L. (2015, June 23). Programmers Are Copying Security Flaws Into Your Software, Researchers warn - CNET. Retrieved from http://www.cnet.com/news/programmers-are-copying-security-flaws-into-your-software-researchers-warn/
Hoffman, S. (2012, December 1). CHIPS Articles: Information Technology Acquisition Approval Process. Retrieved from http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=4211
Intel. (2012). Intel Timeline: A History of Innovation. Retrieved from http://www.intel.com/content/www/us/en/history/historic-timeline.html
Johnson, E. (2015, February 16). Developer Security Awareness: Is Security Your Top Priority? Retrieved from http://software-security.sans.org/blog/2015/02/16/developer-security-awareness-is-security-your-top-priority
Kaven, O. (2003, December 30). Retina Network Security Scanner. Retrieved from http://www.pcmag.com/article2/0,2817,1400326,00.asp
Lee, D., & Kwek, N. (2015, May 29). North Korean hackers 'could kill', warns key defector – BBC News. Retrieved from http://www.bbc.com/news/technology-32925495
Liptak, K., Schleifer, T., & Sciutto, J. (2015, June 5). U.S. Government Hacked; Feds Think China is the Culprit. Retrieved from http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/index.html
McAfee, J. (2015, June 22). John McAfee: The death of antivirus. Retrieved from http://www.ibtimes.co.uk/john-mcafee-death-antivirus-1507388
Mell, P., & Inverso, P. (2008, September 22). NIST and DISA SCAP. Retrieved from https://nvd.nist.gov/scap/docs/2008-conf-presentations/day1/NVD-VMS-SCAP-Integration-v7.pdf
Morgan, M. (2002). Clausewitz on Civil-Military Relations: What Hitler Should Have Known. Retrieved from http://www.dtic.mil/dtic/tr/fulltext/u2/a441816.pdf
National Institute of Standards and Technology. (2014, April 1). Risk Management Framework (RMF) Overview. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/framework.html
National Institute of Standards and Technology. (2012, September 1). Special Publication 800-30, Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Office of Management and Budget. (2015, February 27). Annual Report to Congress: Federal Information Security Management Act. Retrieved from https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf
Olson, P. (2012, April 25). Now Anyone Can Hack a Website Thanks to Clever, Free Programs. Retrieved from http://www.forbes.com/sites/parmyolson/2012/04/25/now-anyone-can-hack-a-website-thanks-to-clever-free-programs/
Rivera, J. (2014, May 9). Georgetown Security Studies Review – Tipping the Scales: How to Combat Cyberthreats to the U.S. Defense Industrial Base. Retrieved from http://georgetownsecuritystudiesreview.org/2014/05/09/tipping-the-scales-how-to-combat-cyberthreats-to-the-u-s-defense-industrial-base/
Rogers, M. (2015, March 4). Statement of Admiral Michael S. Rogers, Commander United States Cyber Command. Retrieved from http://docs.house.gov/meetings/AS/AS26/20150304/103093/HHRG-114-AS26-Wstate-RogersM-20150304.pdf
Russia Today (RT). (2015, April 15). Pentagon Drafting Thousands of 'Cyber Forces' in Prep for Cyber Emergency. Retrieved from http://rt.com/usa/249721-pentagon-recruiting-cyber-pros/
Shachtman, N. (2010, August 25). Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated). Retrieved from http://www.wired.com/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/
Statista. (2014, July 1). Average Annual Costs Caused by Cyber Crime in the United States. Retrieved from http://www.statista.com/statistics/193436/average-annual-costs-caused-by-cyber-crime-in-the-us/
Sternstein, A. (2015, March 16). The Military's Cybersecurity Budget in 4 Charts. Retrieved from http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/
Tann, A., & Chae, D. (2015, July 1). Risk Management Framework and Financial Audit Readiness. Retrieved from http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=6670
Taylor, G. (2010, October 1). Disney's ITIL Journey. Retrieved from https://www.axelos.com/case-studies-and-white-papers/disneys-itil-journey-case-study
Tchoubineh, B. (2013, August 5). Transitioning from DIACAP to RMF. Retrieved from http://www.phoenixts.com/blog/diacap-vs-rmf/
Trapp, J. (2012). The Nine Types of Ground. In The Art of War: A New Translation (p. 96). New York, NY: Chartwell Books.
Vigil, R. (2009, June 1). Information Assurance Vulnerability Compliance Tracking and Reporting for U.S. Navy Ships. Retrieved from http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=2683
Wells, J. (2010, April 21). How Much Does a Jet Fighter Really Cost? Retrieved from http://www.cnbc.com/id/36692113
Wittenberg, E. (n.d.). An Analysis of the Buford Manuscripts. Retrieved from http://www.gdg.org/Gettysburg Magazine/devil.html
Appendices

Appendix A – Operational Risk Management for Low Risk Systems

APPROVAL

This document was prepared in accordance with the scope and content consistent with guidance and recommendations promulgated by Federal and Department of Defense Guidance. The format and information content located in this document follows the recommendations and guidance of the J-644, Plans, Procedures, and Assessments office.

Submitted by: ______________________________________ __________ Date
INFORMATION ASSURANCE OFFICER

************************************************************************

I hereby approve.

Reviewed by: ______________________________________ __________ Date
INFORMATION ASSURANCE MANAGER

Reviewed by: ______________________________________ __________ Date
CHIEF INFORMATION OFFICER

Reviewed by: ______________________________________ __________ Date
CHIEF OF STAFF

Approved by: ______________________________________ __________ Date
COMMANDER
RECORD OF CHANGES

Section Number | Change | Comment | Date of Change | Signature
Table of Contents

1.0 Introduction
1.1 Purpose
1.2 ORM Request Process
1.3 ORM Process

Encl: (1) ORM Request Workflow
(2) ORM Process Workflow
(3) ORM Request Form
1.0 Introduction

• The objective of risk management is not to eliminate risks, but to manage them. Effective risk management assesses risks, reduces them to acceptable levels (mitigates risks), and continually evaluates and assesses the use of DoD IA controls (countermeasures, safeguards) to mitigate risks.
• The risk assessment checklist for a system will evaluate the environment, assess threats, and determine potential loss from certain events based on an estimated probability of threats being exercised.

1.1 Purpose

• The purpose of the Risk Assessment is to ensure legal and regulatory requirements are met. These requirements may include, but are not limited to, the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130.
• Provide a foundation for the development of an effective risk management program and save the Navy funds and manpower on systems that are low risk to mission operations.

1.2 ORM Request Process

• The system owner will contact the installation N64 to verify whether the system meets the criteria for Operational Risk Management (ORM). The first quality factor N64 will check is whether the system is a valid requirement supported by CNIC or the Regional N-code. If the system is not a valid requirement supported by CNIC or the Regional N-code, the system owner shall obtain approval before pursuing ORM or DIACAP. See Enclosure (1) for the ORM Request Workflow.
• The five key questions the system owner and installation N64 will discuss are:
  1. Is the system FIPS compliant?
  2. Does the system process classified information?
  3. Does the system connect to the GIG?
  4. Does the system transmit data off the installation?
  5. What MAC level is the system?
• If a system is not FIPS compliant, the system owner must pursue compliance.
• If a system processes classified information, connects to the GIG, or transmits data off the installation, the system must complete the DIACAP process.
• The table below will help determine the MAC level of the system. Systems that are considered MAC I or that process PII must complete the DIACAP process.
MAC I: Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures.

MAC II: Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. Mission Assurance Category II systems require additional safeguards beyond best practices to ensure assurance.

MAC III: Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. Mission Assurance Category III systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.

• If the system passes the five questions, the system owner will complete the ORM Process Request Form, Enclosure (3), which shall include the mission description, mission statement, and the topology with a list of attached equipment: servers, clients, network devices, and additional peripherals. The completed ORM Process Request Form will be forwarded to the installation N64.
• The installation N64 will review the ORM Process Request Form and make sure all required information is complete. Additionally, the N64 will discuss with the IPD the manpower tax the installation will incur by allowing the system into the ORM process. IPDs will be responsible for all monthly and annual IA requirements for the system. After validation and IPD approval, the installation N64 will forward the request to the Regional N64.
• The Regional N64 will review the request to ensure the system meets the Operational Risk Management criteria and will confer with N62 on FIPS compliance as required. MAC level determination can be subjective and will be the critical item reviewed. If the Regional IAM disagrees with the MAC level, they will request further discussion and/or justification from the system owner and installation IAM.
• After reviewing the ORM Process Request Form, the Regional N64 will notify the installation N64 whether the system will be accepted for ORM or needs to go through the DIACAP process.

1.3 ORM Process

• The system owner will complete the ORM checklist and submit it to the installation N64. The installation N64 will ensure the ORM checklist is complete and that the system is compliant with information assurance requirements.
• Once the installation N64 determines that the system meets ORM requirements, they will verify the system has not changed in mission or scope before forwarding the package to the Regional N64. See Enclosure (2) for the ORM Process Workflow.
• The Regional N64 will review the checklist and, if the package meets all requirements, will schedule the system for the CCB.
• If the system meets all IA requirements and the CCB determines the system vulnerabilities are an acceptable risk, the system owner can submit their purchase request through NAV-IDAS. If the system does not meet IA requirements, the package will be sent back with the vulnerabilities identified that will not be accepted as risk. The system owner will have the opportunity to mitigate the risk and resubmit for further consideration.
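The screening steps of the ORM Request Process above, encoded as an added worked example (not code from the capstone or from any Navy tool): the MAC mapping takes the table's two distinguishing statements as boolean inputs, and all class, field, and function names are assumptions.

```python
# Added example (not from the capstone or any Navy tool): the ORM request
# screening of Appendix A section 1.2 as a decision function. Names are ours.
from dataclasses import dataclass
from enum import IntEnum

class MAC(IntEnum):
    """Mission Assurance Category, per the table in section 1.2."""
    I = 1
    II = 2
    III = 3

def determine_mac(vital_to_deployed_forces, important_to_deployed_forces):
    """MAC I if the information is vital to deployed/contingency forces,
    MAC II if it is important to their support, otherwise MAC III."""
    if vital_to_deployed_forces:
        return MAC.I
    if important_to_deployed_forces:
        return MAC.II
    return MAC.III

@dataclass
class SystemRequest:
    """Answers to the five key questions plus the PII check (constructed)."""
    name: str
    fips_compliant: bool
    processes_classified: bool
    connects_to_gig: bool
    transmits_off_installation: bool
    mac: MAC
    processes_pii: bool = False

def screen_for_orm(req):
    """Classified, GIG, off-installation, MAC I or PII each force DIACAP;
    a non-FIPS system must also pursue compliance before ORM or DIACAP."""
    reasons = []
    if req.processes_classified:
        reasons.append("processes classified information")
    if req.connects_to_gig:
        reasons.append("connects to the GIG")
    if req.transmits_off_installation:
        reasons.append("transmits data off the installation")
    if req.mac == MAC.I:
        reasons.append("MAC I system")
    if req.processes_pii:
        reasons.append("processes PII")
    return {"route": "DIACAP" if reasons else "ORM",
            "fips_compliance_required": not req.fips_compliant,
            "reasons": reasons}
```

A request that comes back with route "ORM" and no FIPS action is the one that proceeds to the ORM Process Request Form in Enclosure (3); anything else goes to DIACAP or back to the owner.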
Appendix B – Change Control Sheet