Certification & Accreditation Re-vitalization

Thanks to the newest SANS NewsBites (link will work shortly), I learned of the Certification & Accreditation Re-vitalization Initiative launched by the Chief Information Officer from the office of the Director of National Intelligence. According to this letter from retired Maj Gen Dale Meyerrose, the C&A process is too costly and slow, due to "widely divergent standards and controls, the lack of a robust set of automated tools and reliance upon manual review." He wants to "move from a posture of risk aversion to one of risk management, from a concept of information secuirty at all costs to one of getting the right information to the right people at the right time with some reasonable assurance of timeliness, accuracy, authenticity, security, and a host of other attributes."

That all sounds well and good, but it misses the key problem with C&A -- it doesn't prevent intrusions. It may be seen as a necessary condition for "securing" a system (which is not really possible anyway), but it is in no way sufficient. The forum set up to foster discussion of this initiative contains an insightful thought: Why do we have C&A at all? It's unfortunately that Gen Meyerrose didn't acknowledge that C&A doesn't provide much in the way of "security" at all, but that would admit that .gov and .mil have spent billions to no end. Woops.