DISA announces new tools to manage system risk

The service product packages are designed to ease compliance with the Risk Management Framework.

The Defense Information Systems Agency on Jan. 23 announced the availability of service product packages to help mission partners ensure their programs and systems are compliant with the DISA Computing Ecosystem.

Each of the packages contains control correlation identifiers (CCIs) that have been validated and assessed as inherited or shared between DISA and mission partners. CCIs allow “high-level policy” framework requirements to be “decomposed” and associated with low-level security settings to determine compliance with the objectives of specific security controls.

The packages aim to give mission partners a holistic view of their information systems risk posture.

“We are also saving mission partners time and resources by leveraging our tested, validated, and compliant CCIs,” Stephanie Watt, chief of DISA’s Cyber Controls Section in the cyber services line of business, said in the announcement.

DISA provides additional service product packages to help mission partners operate within the risk management framework. The DISA Inherited Policy package contains Department of Defense and DISA policy and guidance controls that are shared between DISA and mission partners. The DISA Data Center package has common, physical and environmental controls for programs and systems hosted in DISA’s data centers and field activities. And the DISA Network package contains transport and network infrastructure controls for mission partners who transport and receive program and system information.

DISA moved from the Defense Information Assurance Certification and Accreditation Process to the National Institute of Standards and Technology’s Risk Management Framework in 2014.