The Department of Defense (DoD) is adopting virtualization as a way to cut costs and meet the government mandate for greener computing. But the DoD is also subject to regulation and control that virtualization's transformation of the traditional data center directly affects. The DoD Information Assurance Certification and Accreditation Process (DIACAP) ensures that risk management is applied to information systems across DoD components, including the National Security Agency (NSA). While these agencies are also subject to FISMA compliance rules, the DoD has taken it one step further with DIACAP, prescribing defense-in-depth measures that combine technology with processes, people and operations.
One specific concern of DIACAP is network protection, as adversary attacks are increasingly cyber-based. For virtualization projects within the Department of Defense, compliance with DIACAP is mandatory. But DIACAP compliance is complicated by some of the very benefits of virtualization: the consolidation, shared infrastructure and rapid provisioning that save money also blur the boundaries the controls were written around. With the right processes and tools, however, building a DIACAP-ready virtualized data center can be easier than building a traditional one. Catbird is specifically designed to pave the way.
Virtualization’s Impact on DIACAP
A number of security and compliance gaps specific to DIACAP are introduced in the move from physical to virtual infrastructure. Such gaps include:
- A change in access control with the introduction of the virtual administrator: the virtualization and virtualization management layers collapse traditional access controls and separation of duties, since one administrator of the management layer can reach every guest, creating significant control failures.
- Additional monitoring, testing and auditing of the new hypervisor layer: virtualization adds layers to the IT infrastructure, particularly the hypervisor and the virtualized network, that the physical controls never covered. This affects DIACAP best practices and auditing/reporting.
- A change in DIACAP scope: network virtualization significantly broadens the assessment scope because virtualization deployments may flatten networks and extend the scope to include all virtualization hosts.
- New tests for security systems and processes as physical devices become software: our research has identified and analyzed new risks introduced in the data centers of federal agencies as a consequence of virtualization. Virtualization affects over 25 DIACAP controls, nearly half of which are considered critical.
To stay compliant, the virtualized data center in the DoD must adapt to address these major changes that have transformed IT.
How Catbird Helps DIACAP Compliance
Catbird Insight and Catbird Secure address all DIACAP controls that are negatively affected by virtualization. Catbird goes beyond monitoring and audit by immediately identifying compromised assets, alerting the appropriate personnel, and optionally quarantining offending virtual machines. No other vendor can deliver the breadth and depth necessary for DIACAP compliance from within the virtual infrastructure.
- Catbird Secure includes default DIACAP-specific policies and reports built on Catbird security controls that are automatically mapped to the appropriate severity. Catbird monitors, audits, and enforces more affected controls than any other vendor.
- Catbird includes default Compliance, Security, and Operations dashboards that summarize control status. Catbird significantly reduces the effort required to achieve and maintain operational DIACAP compliance on virtual systems.
DIACAP compliance takes a combination of trained staff, strong policies, and industry-leading technology. Catbird is an essential component in realizing this, delivering the DIACAP security controls and reporting that Information Assurance and IT Operations professionals need to adapt to the challenges of virtualization.
Catbird eases compliance with DIACAP by:
- Analyzing virtual (and physical) infrastructure against DIACAP requirements, identifying any out-of-compliance settings.
- Immediately taking "offline" any virtual machine deemed out of compliance with DIACAP policy via Catbird's automated quarantine mechanism.
- Alerting IT to unauthorized or improper changes to the virtual infrastructure that would negatively affect DIACAP compliance.
- Providing detailed, real-time reporting on DIACAP compliance posture for agency directors, government regulators and IT staff.
- Delivering third-party, documented proof of DIACAP compliance for auditing purposes.