Despite the process improvements resulting from the Department of Defense (DoD) Information Assurance (IA) Certification & Accreditation (C&A) Process (DIACAP), obtaining the required Authorization to Operate (ATO) for simulation and training systems remains a lengthy and taxing chain of events. Though DIACAP has resulted in a more streamlined process and ensures more secure training systems are being fielded to the Warfighter, gridlocks associated with the elevation of validation activities and certification authorities remain a recurring encumbrance. In this day of expanding budget cuts, it is imperative to find a solution that achieves the same high level of security while still meeting U.S. and DoD legal requirements with fewer schedule delays and at lower costs.
This paper identifies how this can be accomplished through the utilization of an accredited IA Common Component (IACC). It notes that IA is still required for all DoD systems and describes a straightforward process that can easily be adopted in any organization. The paper associates the Platform Information Technology (PIT) classification with training systems and explains the requirements for connecting to other systems, networks or PIT systems outside what is normally considered their accreditation boundary. Most importantly, the paper explains how this can be done without having to go through the formal C&A process.
The PIT system inherits IA controls from the IACC, which remains static; therefore, as long as an acceptable risk posture is maintained, modifications can be made to simulation, training and test systems without having to repeat the entire accreditation process. This also relieves the system of annual FISMA and re-accreditation events.
This paper convincingly lays out a low-risk approach to fielding state-of-the-art simulation, training and test systems that meet DoD IA requirements in the most efficient manner, allowing the Warfighter to "Train to Fight…Fight to Win" securely.