The Defense Department is taking a hard look at the traditionally long and thorough processes in place to certify and accredit new commercial tools and services, and officials are looking to industry to play a major role in potentially reforming the way certification and accreditation (C&A) is done.
"One of the things we are going to do — and you'll see an announcement out in a couple weeks — is get a team together of industry and government experts on security and accreditation processes," DoD CIO Terry Halvorsen told reporters on April 8.
A public-private team led by Richard Hale, deputy CIO for cybersecurity, and Marianne Bailey, principal director for DoD CIO cybersecurity, is set to evaluate how the Pentagon can better conduct security and accreditation in a way that makes tech-buying faster and more nimble — particularly when it comes to cloud services, Halvorsen said.
"I think we've reached a point where we no longer can do specific hardware or software accreditation…today if you're fielding a cloud environment, you're [updating] continually in a cloud environment," Halvorsen said. "Microsoft, Amazon — they change their cloud security process almost nightly. Our processes wouldn't sustain that."
Instead, Halvorsen said he hopes that a thorough review of C&A, conducted by process and at some point possibly by vendor, will accelerate the purchase of services from companies that already have a solid track record with the office.
Ideally, that would allow DoD officials to look at a vendor and say, "'your process within your specific area is good. We like it. We're going to keep validating on a yearly basis, but yes it's good and we're going to accept your tools as you develop them.' If we don't do something like that, we can't keep pace," Halvorsen said. "I don't know that that will be the model, that's just an example, but that's where we are trying to get to."
He added that response to the project from industry has been "phenomenal…industry is all in."