ODNI, DOD agree on security certification processes

The intelligence community and the Defense Department have agreed to accept each other’s processes for certifying and accrediting (C&A) information technology systems, laying the foundation for more complete and faster information sharing. The reciprocity agreement was one of seven moves made by Dale Meyerrose, the  Office of the National Director for Intelligence’s chief information officer, and DOD CIO John Grimes to more closely align the two departments’ processes. As they begin to implement the new procedures, the effect on other intelligence agencies and civilian agencies will be significant, experts say.The new C&A policies could improve security while also reducing the burden of testing and preparing documentation, said Glenn Schlarman, a former Office of Management and Budget official who specialized in security and privacy issues.Meyerrose unveiled four of the seven areas to be covered by ODNI’s C&A review initiative in a speech at the FOSE trade show March 22 in Washington, D.C. Meyerrose’s and Grimes’ offices have been revamping these processes since June 2006, when they deemed the current C&A procedures obsolete.“Many elements on the surface seem like common sense,” Meyerrose said. “But they are tearing down walls and building up partnerships.”In addition to C&A reciprocity, working groups will tackle the other six areas. One will establish accepted criteria for systems accreditation between DOD and ODNI. DOD and ODNI have yet to sign off on the other three areas, Meyerrose said.Meyerrose also said the government will establish a single architecture for C&A and protection levels for handling classified data will be standardized across the government. The new C&A policies form the rules of the road for the new information superhighway, said James Carafano, a senior fellow at the Heritage Foundation. “This is the trench work that needs to be done,” he said.Director of National Intelligence Mike McConnell recently named Meyerrose as the information sharing executive for the entire intelligence community. This gives him seniority to Ambassador Thomas McNamara, program manager of the Information Sharing Environment.“We have to get past the idea of information sharing as ‘If you show me yours, I will show you mine,’ ” Meyerrose said. ODNI also will establish a Library of National Intelligence to help collect and evaluate existing information, regardless of classification.“Our job is not to improve the IT in the intelligence community… our job is to improve the intelligence community with IT,” Meyerrose said.Although experts agree that ODNI and DOD needed to take these steps, Congress will have to step up its oversight to ensure success. Carafano said oversight is one area that has been lacking because no single committee is responsible for monitoring information sharing issues. Schlarman echoed Carafano’s call for increased oversight. “I would want to see an independent third party verify actual performance on this,” Schlarman said, because some within DOD and the intelligence community have, from time to time, greatly overstated their state of security and their expertise.”