Why your access control vendor needs to be familiar with DIACAP
As you may be aware, the Department of Defense Information Assurance Certification and Accreditation Process, better known as DIACAP, regulates the implementation of risk management for information systems. What you may not know is that not all DIACAP certifications are created equal. Understanding this accreditation process, how the certification is achieved and what it signifies -- or working with an integration specialist who has this expertise -- will help your agency make the best possible decision in choosing an access control or other security solution.
The government’s network is potentially vulnerable to outside threats because, without sufficient security measures in place, it can be entered through any vendor’s networked software or hardware. For any product that will be integrated with the government’s network, both end-users and integrators can depend on DIACAP certification as an indication of extremely high security. More important, DIACAP-knowledgeable integrators know that a product that carries this certification along with the ATO, or Authority to Operate, that is awarded to DIACAP-certified products, is in full compliance with any DoD agency nationwide. In other words, no additional validation would be necessary before specifying one of these products to be installed in any government facility.
When an integrator finds traction in DoD projects by working with a provider who has DIACAP certification, they can obtain a Certificate of Networthiness, or CON, by sharing their ATO document with an agency. This is the flip side of an ATO; it communicates to all DoD agencies that this product or provider has been tested, vetted and certified. It enables other agencies to work immediately with that integrator to deploy the provider’s products without re-testing or the need to obtain an individual ATO from each additional agency. The ATO is not transferable, but once a provider has an ATO for one agency, it can participate in projects across all of that agency’s locations and bases.
The ATO provides tremendous value to users and integrators alike even beyond the DoD community. For example, when looking to deploy an access control solution, security personnel at the Department of Energy utility CenterPoint Energy became aware that Galaxy Control Systems holds an ATO from the DoD. While CenterPoint is subject to NERC compliance laws, the ATO requirements are even more stringent than NERC -- which made their choice of Galaxy a simple one to make.
It is important to note that most providers are certified with caveats: for example, that they may deploy their system only if a separate firewall is installed, or with some other form of exception. Integrators should be aware of each of these caveats and how they relate to providers and potential deployments, to help keep the process free from complications or delays. Galaxy planned for this possibility by sending their software and hardware engineers to the lab during the testing process. The team literally re-developed the software on-site that same day so that it could be rescanned and pass with a clean report. Based on this, Galaxy was awarded their ATO with no caveats.
Some providers, like Galaxy, may be sponsored by a government agency, providing additional advantages. Under their sustainment program, every new piece of Galaxy hardware or software will be tested automatically. This assures both users and integrators that they always have access to the newest technology from Galaxy under their ATO. Some providers who must pay for their ATOs may not choose to update them for each new innovation, meaning government users would not always have their newest offerings.
For integrators, working with any provider who can attain this level of certification delivers a significant competitive advantage. Galaxy has current projects with a number of major defense contractors. Knowing that Galaxy has the ATO assures contractors that they can bring Galaxy in on the most complex and demanding projects, confident of a positive outcome. The fact that Galaxy has this ATO -- with no caveats and high-level personnel with Top Secret and Program Level Clearances -- creates even more confidence both for their resellers and for end-users. It’s a tremendous validation of quality to bring to government applications.
Robert Laughlin is president of Walkersville, MD-based Galaxy Control Systems, a manufacturer of integrated access control, video, and security solutions.