Staying Compliant with DIACAP After Virtualization
The Department of Defense (DoD) is embracing virtualization as a way to cut costs and embrace the government mandate toward greener computing. But the DoD is also subject to regulation and control that is affected by virtualization’s transformation of the traditional data center. Catbird can help these organizations stay compliant as they transition from physical to virtual.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) ensures that risk management is applied on information systems in the DoD and National Security Agency (NSA) agencies. While these agencies are also subject to FISMA compliance {link to fisma page} rules, the DoD has taken it one step further with DIACAP, prescribing defense-in-depth tactics which combine technology, along with processes, people and operations.
One specific concern of DIACAP is network protection, as enemy attacks are increasingly cyber-based. For virtualization projects within the Department of Defense, ensuring compliance with DIACAP is mandatory. But the complexities of DIACAP compliance are compromised by some of the very benefits of virtualization. With the right processes and tools, however, building a DIACAP-ready virtualized data center can be easier than traditional data centers. Catbird vSecurity is specifically designed to pave the way.
Virtualization’s Impact on DIACAP
A number of security and compliance gaps specific to DICACAP are introduced in the move from physical to virtual infrastructure. Such gaps include:
- A Change in Access Control with the Introduction of The Virtual Administrator
Virtualization and virtualization management layers collapse traditional access controls and separation of duties, creating significant control failures - An Additional Monitor Test and Audit of the New Hypervisor Layer
Virtualization creates additional layers to the IT infrastructure, particularly the hypervisor and the virtualized network. This will impact DIACAP Best Practices and Auditing/Reporting. - Change in DIACAP Scope: Virtual Networks
Virtualization significantly broadens the assessment scope because virtualization deployments unavoidably flatten networks and increase the scope to include all virtualization hosts. - New Tests for Security Systems and Processes as Physical Devices Become Files
Catbird’s extensive research has specifically identified and analyzed new risks which are introduced in the data center of federal agencies as a consequence of virtualization. Virtualization impacts over 25 DIACAP Controls, nearly half of which are considered critical. (Log into the Catbird Compliance Center for detailed reporting on which controls are affected and the severity, white papers and “how to” guides)
To stay compliant, the virtualized data center in the DoD must adapt to address these major changes that have transformed IT.
Get DIACAP Compliant with vSecurity
Catbird is the only product that can address all DIACAP controls that are negatively affected by virtualization. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting appropriate personnel, and optionally quarantining offending virtual machines. No other vendor can deliver the breadth and depth necessary for DIACAP compliance from within the virtual infrastructure.
- Catbird vSecurity includes default DIACAP-specific policies and reports built upon Catbird security controls that are automatically mapped to the appropriate severity. Catbird monitors, audits, and enforces more affected controls than any other vendor.
- Catbird vSecurity includes default Compliance, Security, and Operations dashboards that summarize control status. Catbird significantly reduces the effort required to achieve and maintain operational DIACAP compliance on virtual systems.
DIACAP compliance takes a combination of trained staff, strong policies, and industry leading technology. Catbird is an essential component in realizing this, delivering the DIACAP security controls and reporting required by Information Assurance and IT Operations Professionals to adapt to the challenges of virtualization. Catbird Features to Ease Compliance with FISMA
- Analyze virtual (and physical) infrastructure against DICACAP requirements, identifying any out-of-compliance settings.
- Instantly “offline” any virtual machine deemed out of compliance with DIACAP policy via Catbird’s automated quarantine mechanism
- Alert IT to unauthorized or improper changes to virtual infrastructure that will negatively impact DIACAP compliance
- Provide detailed, real-time reporting on DIACAP compliance posture for agency directors, government regulators and IT staff
- Deliver third-party, documented proof of DIACAP compliance for auditing purposes