SlideShare a Scribd company logo

The Authorizing Official And The Accreditation Decision

Download as PPT, PDF
Michael Smith
Michael Smith

Accreditation of US Federal Government IT systems is one of many critical aspects of maintaining an Enterprise Security Program at a Federal Agency. It is a very public metric (think FISMA Report Card.) This has led many to decry Certification and Accreditation (C&A) as strictly a paper exercise. However, when administered correctly, it is probably the best risk management tool available to government executives as it forces the agency to identify/classify systems according to criticality and perform an in-depth examination of every system identified.

Technology
1 of 41
Making the Choice: ATO, IATO, or Denial The Role of the Authorizing Official/Designated Approving Authority and the Accreditation Decision
Who is Michael Smith? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Who is Joseph Faraone? ,[object Object],[object Object],[object Object],[object Object],[object Object]
Who is Graydon McKee? ,[object Object],[object Object],[object Object],[object Object]
Why Worry About Accreditation? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
But First, Some Definitions ,[object Object],--NIST SP 800-37
But First, Some Definitions ,[object Object],--NIST SP 800-37
But First, Some Definitions ,[object Object],[object Object],--NIST SP 800-37
Who Should the AO/DAA Be? ,[object Object],[object Object],[object Object],[object Object]
Potential AO/DAAs ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
AO/DAA Responsibilities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
IT Security in the SDLC --NIST SP 800-64
Accreditation Challenges ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
More Than Just “Yes” or “No” ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Accreditation Decision Scenarios Playing the “Armchair Authorizer”
There are no Right Answers! ,[object Object],[object Object],[object Object],[object Object],[object Object]
But First, Some Definitions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #1 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #1—The Guerilla CISO Answer ,[object Object],[object Object],[object Object],[object Object]
Scenario #2 ,[object Object],[object Object],[object Object],[object Object]
Scenario #2—The Guerilla CISO Answer ,[object Object],[object Object]
Scenario #3 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #3—The Guerilla CISO Answer ,[object Object],[object Object],[object Object]
Scenario #4 ,[object Object],[object Object],[object Object],[object Object]
Scenario #4—The Guerilla CISO Answer ,[object Object],[object Object]
Scenario #5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #5—The Guerilla CISO Answer ,[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #6 ,[object Object],[object Object],[object Object],[object Object]
Scenario #6—The Guerilla CISO Answer ,[object Object],[object Object],[object Object]
Scenario #7 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #7—The Guerilla CISO Answer ,[object Object],[object Object]
Scenario #8 ,[object Object],[object Object],[object Object],[object Object]
Scenario #8—The Guerilla CISO Answer ,[object Object],[object Object]
Scenario #9 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Scenario #9—The Guerilla CISO Answer ,[object Object],[object Object]
Scenario #10 ,[object Object],[object Object],[object Object],[object Object]
Scenario #10—The Guerilla CISO Answer ,[object Object],[object Object],[object Object]
What Have We Learned? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
C&A: Where the Model Breaks ,[object Object],[object Object],[object Object],[object Object],[object Object]
Keys to Success: Fixing Accreditation ,[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recommended

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentaeaguinot
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentaeaguinot
 
Pragmatic CyberSecurity and Risk Reduction
Pragmatic CyberSecurity and Risk ReductionPragmatic CyberSecurity and Risk Reduction
Pragmatic CyberSecurity and Risk ReductionBruce Hafner
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
Risk Management Methodology - Copy
Risk Management Methodology - CopyRisk Management Methodology - Copy
Risk Management Methodology - CopyRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
Pa awwa2006 presentationrev1fin_feb
Pa awwa2006 presentationrev1fin_febPa awwa2006 presentationrev1fin_feb
Pa awwa2006 presentationrev1fin_febWivenhoe Management Group
 
when minutes counts
when minutes countswhen minutes counts
when minutes countsMartin Lindgren
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management IIzapp0
 

Recommended

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentaeaguinot
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentaeaguinot
 
Pragmatic CyberSecurity and Risk Reduction
Pragmatic CyberSecurity and Risk ReductionPragmatic CyberSecurity and Risk Reduction
Pragmatic CyberSecurity and Risk ReductionBruce Hafner
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
Risk Management Methodology - Copy
Risk Management Methodology - CopyRisk Management Methodology - Copy
Risk Management Methodology - CopyRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
Pa awwa2006 presentationrev1fin_feb
Pa awwa2006 presentationrev1fin_febPa awwa2006 presentationrev1fin_feb
Pa awwa2006 presentationrev1fin_febWivenhoe Management Group
 
when minutes counts
when minutes countswhen minutes counts
when minutes countsMartin Lindgren
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management IIzapp0
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Bo Birdwell
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing GuideBadawy Abd El-Aziz
 
Sensible defence
Sensible defenceSensible defence
Sensible defenceKoen Maris
 
MISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanMISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanJan Wong
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & ProtectMike McMillan
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deckElaine Axum
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Pragmatic Device Risk Management
Pragmatic Device Risk Management Pragmatic Device Risk Management
Pragmatic Device Risk Management Seapine Software
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsPeter Henley
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and RemediationCarahsoft
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Wivenhoe Management Group
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessmentHappiest Minds Technologies
 
The Accidental Insider Threat
The Accidental Insider ThreatThe Accidental Insider Threat
The Accidental Insider ThreatMurray Security Services
 
Digital Transformation at the ATO
Digital Transformation at the ATODigital Transformation at the ATO
Digital Transformation at the ATOMel Edwards
 

More Related Content

What's hot

Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Bo Birdwell
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
Sensible defence
Sensible defenceSensible defence
Sensible defenceKoen Maris
 
MISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanMISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanJan Wong
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deckElaine Axum
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Pragmatic Device Risk Management
Pragmatic Device Risk Management Pragmatic Device Risk Management
Pragmatic Device Risk Management Seapine Software
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsPeter Henley
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and RemediationCarahsoft
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Wivenhoe Management Group
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 

What's hot (20)

Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
 
Sensible defence
Sensible defenceSensible defence
Sensible defence
 
MISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanMISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery Plan
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
Pragmatic Device Risk Management
Pragmatic Device Risk Management Pragmatic Device Risk Management
Pragmatic Device Risk Management
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-Risk
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response Excerpts
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and Remediation
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed Proba
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 

Viewers also liked

Digital Transformation at the ATO
Digital Transformation at the ATODigital Transformation at the ATO
Digital Transformation at the ATOMel Edwards
 
Strategic Management Group Assignment 1
Strategic Management Group Assignment 1Strategic Management Group Assignment 1
Strategic Management Group Assignment 1KyleL1
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShareSlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShareSlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShareSlideShare
 

Viewers also liked (6)

The Accidental Insider Threat
The Accidental Insider ThreatThe Accidental Insider Threat
The Accidental Insider Threat
 
Digital Transformation at the ATO
Digital Transformation at the ATODigital Transformation at the ATO
Digital Transformation at the ATO
 
Strategic Management Group Assignment 1
Strategic Management Group Assignment 1Strategic Management Group Assignment 1
Strategic Management Group Assignment 1
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShare
 

Similar to The Authorizing Official And The Accreditation Decision

Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesRisk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesSlideTeam
 
Risk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachRisk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachGraydon McKee
 
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docx
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docxRound 1, Part BTeam MembersRobert AntisTerry Martin B.docx
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docxjoellemurphey
 
safety-instrumented-systems for cbemical
safety-instrumented-systems for cbemicalsafety-instrumented-systems for cbemical
safety-instrumented-systems for cbemicalJosh Jay
 
safety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.pptsafety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.ppteditorschoice1
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
Safety instrumented systems angela summers
Safety instrumented systems angela summers Safety instrumented systems angela summers
Safety instrumented systems angela summers Ahmed Gamal
 
DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItEmerson Exchange
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceRobert E Jones
 
Prevention And Control Strategies PowerPoint Presentation Slides
Prevention And Control Strategies PowerPoint Presentation SlidesPrevention And Control Strategies PowerPoint Presentation Slides
Prevention And Control Strategies PowerPoint Presentation SlidesSlideTeam
 
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxChapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxwalterl4
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsRobert E Jones
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of securityciso_insights
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017zapp0
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...Michael Smith
 

Similar to The Authorizing Official And The Accreditation Decision (20)

Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesRisk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
 
Risk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachRisk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational Approach
 
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docx
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docxRound 1, Part BTeam MembersRobert AntisTerry Martin B.docx
Round 1, Part BTeam MembersRobert AntisTerry Martin B.docx
 
safety-instrumented-systems for cbemical
safety-instrumented-systems for cbemicalsafety-instrumented-systems for cbemical
safety-instrumented-systems for cbemical
 
safety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.pptsafety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.ppt
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
Safety instrumented systems angela summers
Safety instrumented systems angela summers Safety instrumented systems angela summers
Safety instrumented systems angela summers
 
DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without It
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
 
Prevention And Control Strategies PowerPoint Presentation Slides
Prevention And Control Strategies PowerPoint Presentation SlidesPrevention And Control Strategies PowerPoint Presentation Slides
Prevention And Control Strategies PowerPoint Presentation Slides
 
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxChapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...
Meta-Metrics: Building a Scorecard for the Evaluation of Security Management ...
 

More from Michael Smith

Building A Modern Security Policy For Social Media and Government
Building A Modern Security Policy For Social Media and GovernmentBuilding A Modern Security Policy For Social Media and Government
Building A Modern Security Policy For Social Media and GovernmentMichael Smith
 
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09Michael Smith
 
Security Content Automation Protocol and Web Application Security
Security Content Automation Protocol and Web Application SecuritySecurity Content Automation Protocol and Web Application Security
Security Content Automation Protocol and Web Application SecurityMichael Smith
 
Why Care About Government Security
Why Care About Government SecurityWhy Care About Government Security
Why Care About Government SecurityMichael Smith
 

More from Michael Smith (7)

Barcodes
BarcodesBarcodes
Barcodes
 
Building A Modern Security Policy For Social Media and Government
Building A Modern Security Policy For Social Media and GovernmentBuilding A Modern Security Policy For Social Media and Government
Building A Modern Security Policy For Social Media and Government
 
Dojo Con 09
Dojo Con 09Dojo Con 09
Dojo Con 09
 
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
 
Security Content Automation Protocol and Web Application Security
Security Content Automation Protocol and Web Application SecuritySecurity Content Automation Protocol and Web Application Security
Security Content Automation Protocol and Web Application Security
 
Backtrack 3 USB
Backtrack 3 USBBacktrack 3 USB
Backtrack 3 USB
 
Why Care About Government Security
Why Care About Government SecurityWhy Care About Government Security
Why Care About Government Security
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

The Authorizing Official And The Accreditation Decision

  • 1. Making the Choice: ATO, IATO, or Denial The Role of the Authorizing Official/Designated Approving Authority and the Accreditation Decision
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12. IT Security in the SDLC --NIST SP 800-64
  • 13.
  • 14.
  • 15. Accreditation Decision Scenarios Playing the “Armchair Authorizer”
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.

Editor's Notes

  1. The following presentation contains insights and opinions gathered from over 40 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with some insight and understanding of the role of the AO/DAA and the larger process of arriving at an accreditation decision.