The Authorizing Official And The Accreditation Decision

Accreditation of US Federal Government IT systems is one of many critical aspects of maintaining an Enterprise Security Program at a Federal Agency. It is a very public metric (think FISMA Report Card). This has led many to decry Certification and Accreditation (C&A) as strictly a paper exercise. However, when administered correctly, it is probably the best risk management tool available to government executives, because it forces the agency to identify and classify systems according to criticality and to perform an in-depth examination of every system identified.

  • The following presentation contains insights and opinions gathered from over 40 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with some insight and understanding of the role of the AO/DAA and the larger process of arriving at an accreditation decision.

Presentation Transcript

  • Making the Choice: ATO, IATO, or Denial
    • The Role of the Authorizing Official/Designated Approving Authority and the Accreditation Decision
  • Who is Michael Smith?
    • 8 years active duty army
    • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
    • DotCom survivor
    • Infantryman, deployed to Afghanistan (2004)
    • CISSP #50247 (2003), ISSEP (2005)
    • Former CISO, Unisys Federal Service Delivery Center
    • Currently a Manager in a Big Four Firm
  • Who is Joseph Faraone?
    • 7 years Active Duty Navy; last two+ years as program sponsor for key Navy communications programs
    • CISSP #20354 (2000)
    • 20+ years as a security contractor (DoD, Intel, State & Local, Commercial worlds)
    • Developed IV&V test methodology that became the precursor to current C&A methods
    • Currently acting as Chief Security Architect at a government agency
  • Who is Graydon McKee?
    • 10 years as a contractor performing C&A and compliance activities in many different environments (Federal Civilian, DoD, Intel, and private sector)
    • CISSP #68296 (2005)
    • Masters in Science – Information Assurance from Norwich University (2007)
    • Currently Vice President of Ascension Risk Management – a national consulting firm specializing in Information Security and Information Risk Management.
  • Why Worry About Accreditation?
    • One of the key concepts in how the Government does IT security
    • Supports IT security governance
    • Part of risk management
    • Ties IT security risks into agency mission
    • Security performance metrics are focused on accreditation
    • Completely misunderstood by people outside of Government
    • Somewhat misunderstood by people inside Government
  • But First, Some Definitions
    • Certification: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    --NIST SP 800-37
  • But First, Some Definitions
    • Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
    --NIST SP 800-37
  • But First, Some Definitions
    • Authorizing Official (AO): Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
    • The Authorizing Official is also known as the Designated Approving Authority (DAA)
    --NIST SP 800-37
  • Who Should the AO/DAA Be?
    • Highly placed within the organization
    • Primary stakeholder
    • Budget responsibility
    • System Owner’s Boss
  • Potential AO/DAAs
    • Assistant Secretaries
    • Division Directors
    • Classification Authorities
    • Program Manager
    • People to avoid:
      • CIO
      • CISO
      • Certifier
      • Contractors
  • AO/DAA Responsibilities
    • Works with system owners, security officers, and user representatives to understand weaknesses and improve the security of the information system
    • Reviews and approves the system security plan and the security controls therein
    • Establishes the acceptable level of risk to authorize a system to operate
    • Oversees corrective actions
    • Reviews security assessment reports
    • Makes the accreditation decision
    • Initiates re-accreditation
  • IT Security in the SDLC --NIST SP 800-64
  • Accreditation Challenges
    • Varying levels of expertise for Authorizing Officials in both IT and security
    • Dependency on certifiers and their level of skill
    • Tendency is to either avoid all risk or accept all risk
    • More than just security risks to consider:
        • Schedule risk
        • Scope creep
        • Sunk costs
        • Risk-adjusted costs
        • Mission hindrance
        • “Washington Post Front Page Metric”
        • 5 layers of oversight
  • More Than Just “Yes” or “No”
    • Approval to Operate: Accredit the system if the risk is at an acceptable level
    • Interim Approval to Operate: Short-term ATO
    • Denial: System re-design and re-implementation
    • Make accreditation contingent upon specific actions (i.e., fix these 3 things and I’m happy)
    • Provide additional support to the project/program team in money, personnel, and expertise
    • Cancel the project in favor of low-risk alternatives
    • Revise the scope of the project
  • Accreditation Decision Scenarios: Playing the “Armchair Authorizer”
  • There are no Right Answers!
    • Everybody will have a different answer
    • Yes, the scenarios are oversimplified and overly numbers-based—ambiguity creates conversation
    • Don’t be too worried if you decided differently than I did
    • If you can back up your decision with a rational explanation, then you are ready to be an Authorizing Official, tell your boss I said so
    • The key is to make a valid risk-based decision
  • But First, Some Definitions
    • GGA: Generic Government Agency
    • GSS: General Support System
    • POA&M: Plan of Action and Milestones
    • ATO: Approval to Operate
    • IATO: Interim Approval to Operate
    • Denial: Not an ATO or IATO
  • Scenario #1
    • The GGA GSS is a moderate-criticality system
    • The GGA GSS was assessed with 5 high risks, 12 moderate risks, and 25 low risks. Overall, this is a high risk to the system.
    • The System Owner has accepted 2 of the high risks because they are needed for functionality.
    • The other risks are on a 180-day POA&M.
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #1—The Guerilla CISO Answer
    • This is the average system and risk assessment that you will find “in the wild”.
    • You could say that if it’s high-risk, has 2 accepted high risks, and it’s still in development, then it should be denied and the project team should redesign the system.
    • My tendency is to give them an IATO to get the system operational but I still have control over mitigation activity.
    • Most AO/DAAs would give the system an ATO for 1 year and make renewal contingent on completion of the POA&M items. This lets it count as a completed C&A in the agency’s reporting to OMB.
  • Scenario #2
    • Same as Scenario #1 with the following change:
      • The GGA GSS is a high-criticality system
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #2—The Guerilla CISO Answer
    • Giving the system a high for criticality, in conjunction with the risk, puts it outside my threshold for acceptance.
    • I would reject the system and make an ATO contingent upon mitigation of the high risks.
  • Scenario #3
    • The GGA GSS is a low-criticality system
    • The GGA GSS was assessed with 3 high risks, 5 moderate risks, and 10 low risks. Overall, this is a moderate risk to the system.
    • The System Owner has accepted 2 of the high risks because they are needed for functionality.
    • The other risks are on a 60-day POA&M.
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #3—The Guerilla CISO Answer
    • The first thing you need to understand is that the system is low-criticality.
    • The level of risk seems acceptable to me.
    • I would give the system an ATO.
  • Scenario #4
    • Same as Scenario #3 with the following change:
      • The GGA GSS is a high-criticality system
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #4—The Guerilla CISO Answer
    • Giving the system a high for criticality gives me second thoughts about authorizing it.
    • I would give the system an IATO for 180 days, and we will revisit the accreditation at that time.
  • Scenario #5
    • The GGA GSS is a high-criticality system and has been operational and providing mission-critical services without C&A for 5 years.
    • The GGA GSS was assessed with 10 high risks, 15 moderate risks, and 25 low risks. Overall, this is a very high risk to the system.
    • The System Owner has accepted 2 of the high risks because they are needed for functionality.
    • The other risks are on a 180-day POA&M.
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #5—The Guerilla CISO Answer
    • This is another typical scenario that you see for legacy systems. The system has been operational for 5 years without C&A.
    • I need the system to still remain operational, so it’s hard for me to justify rejecting the system.
    • I would give the system an IATO for 1 year, and we will reassess the risk then.
    • This system is an enterprise-wide operational risk to me. It is critical to our operations but still is below standard.
    • I also would talk to the System Owner to see if they need additional personnel or funding because I need them to succeed.
  • Scenario #6
    • Same as Scenario #5 with the following change:
      • The GGA GSS is a low-criticality system
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #6—The Guerilla CISO Answer
    • If the system is low-criticality, it changes my approach somewhat.
    • I can reject the system, have it shut down, and force the System Owner to reevaluate their need for the system and the design of their current system. It depends on whether I think the system can be salvaged or not.
    • There needs to be a serious exploration of alternatives to this system.
  • Scenario #7
    • The GGA GSS is a low-criticality system.
    • The GGA GSS was assessed with 0 high risks, 5 moderate risks, and 35 low risks. Overall, this is a moderate risk to the system.
    • No POA&M exists for the system.
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #7—The Guerilla CISO Answer
    • The level of risk is acceptable to me.
    • I would make an ATO contingent upon the System Owner addressing the risks by either accepting them or creating a POA&M.
  • Scenario #8
    • Same as Scenario #7 with the following change:
      • The GGA GSS is a high-criticality system
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #8—The Guerilla CISO Answer
    • I would rate the risk of this system as acceptable, but I still need some sort of answer on the risks: either a formal acceptance of them or a POA&M.
    • I would make an ATO contingent upon the System Owner addressing the risks by either accepting them or creating a POA&M.
  • Scenario #9
    • The GGA GSS is a moderate-criticality system
    • The GGA GSS was assessed with 5 high risks, 0 moderate risks, and 0 low risks. Overall, this is a high risk to the system.
    • The System Owner has accepted 5 of the high risks because they are needed for functionality.
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #9—The Guerilla CISO Answer
    • No moderate or low risks? That seems highly irregular. I would look more closely at the risk assessment process that the system was given.
    • I would give the system a 90-day IATO to get it operational, but a full ATO is contingent upon a full reassessment of risk.
  • Scenario #10
    • Same as Scenario #9 with the following change:
      • The GGA GSS is a low-criticality system
    • Your Decision: ATO / IATO / Denial
    • Why did you make this choice?
  • Scenario #10—The Guerilla CISO Answer
    • I still don’t trust the certifiers on the assessment of risk.
    • I can reject the system until the risk is properly evaluated or I can give it an IATO.
    • My choice is the same as Scenario #9—give the system an IATO for 90 days and send the certifiers back to reassess the risk.
  • What Have We Learned?
    • It is harder to deny ATO to a high-criticality system because, by definition, high-criticality means that you need the system to be operational
    • There is more to an accreditation decision than just ATO, IATO, and denial
    • As a C&A practitioner, you need to ask the Authorizing Official what their acceptable level of risk is
    • Sometimes the decision is made based on the trustworthiness of the System Owner, ISSO, and staff
    • In order to make a decision, the Authorizing Official needs thorough, valid data
    • The Authorizing Official needs to be highly placed within the organization so that they can shift priorities to match up with the agency’s mission—the basic premise behind IT security governance
  • C&A: Where the Model Breaks
    • Legacy Systems: systems that have been operational since before C&A existed and have serious vulnerabilities
    • Astuteness of Certification Team: Security Test and Evaluation is only as good as the people performing it
    • Dependencies: What to do with external dependencies that have not been assessed yet
    • Assumes GO-GO (government-owned, government-operated): need workarounds for GO-CO (government-owned, contractor-operated), SaaS, and Line of Business (LoB) shared services
    • Organizational risk vs. personal risk
  • Keys to Success: Fixing Accreditation
    • AO/DAA education
    • Build a solid, dependable certification team
    • Basic program management skills work
    • Understanding of risk management concepts
    • Traceability of risks back to the agency’s mission
  • Questions, Comments, or War Stories?
    • http://www.guerilla-ciso.com/
    • http://www.ascensionriskmanagement.com/BlogOne/
    • rybolov(a)ryzhe.ath.cx
    • faraonej(a)gmail.com
    • gmckee(a)ascensionriskmanagement.com