Making the Choice: ATO, IATO, or Denial
The Role of the Authorizing Official/Designated Approving Authority and the Accreditation Decision

Upload: michael-smith

Posted on 27-Jan-2015


DESCRIPTION

Accreditation of US Federal Government IT systems is one of many critical aspects of maintaining an Enterprise Security Program at a Federal Agency. It is a very public metric (think FISMA Report Card). This has led many to decry Certification and Accreditation (C&A) as strictly a paper exercise. However, when administered correctly, it is probably the best risk management tool available to government executives, as it forces the agency to identify and classify systems according to criticality and to perform an in-depth examination of every system identified.

TRANSCRIPT

Page 1: The Authorizing Official And The Accreditation Decision

Making the Choice: ATO, IATO, or Denial

The Role of the Authorizing Official/Designated Approving Authority and the Accreditation Decision

Page 2

Who is Michael Smith?

• 8 years active duty Army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm

Page 3

Who is Joseph Faraone?

• 7 years Active Duty Navy; last two+ years as program sponsor for key Navy communications programs
• CISSP #20354 (2000)
• 20+ years as a security contractor (DoD, Intel, State & Local, Commercial worlds)
• Developed IV&V test methodology that became the precursor to current C&A methods
• Currently acting as Chief Security Architect at a government agency

Page 4

Who is Graydon McKee?

• 10 years as a contractor performing C&A and compliance activities in many different environments (Federal Civilian, DoD, Intel, and private sector)
• CISSP #68296 (2005)
• Master of Science in Information Assurance from Norwich University (2007)
• Currently Vice President of Ascension Risk Management, a national consulting firm specializing in Information Security and Information Risk Management

Page 5

Why Worry About Accreditation?

• One of the key concepts in how the Government does IT security
• Supports IT security governance
• Part of risk management
• Ties IT security risks into agency mission
• Security performance metrics are focused on accreditation
• Completely misunderstood by people outside of Government
• Somewhat misunderstood by people inside Government

Page 6

But First, Some Definitions

Certification: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.--NIST SP 800-37

Page 7

But First, Some Definitions

Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

--NIST SP 800-37

Page 8

But First, Some Definitions

Authorizing Official (AO): Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

The Authorizing Official is also known as the Designated Approving Authority (DAA)

--NIST SP 800-37

Page 9

Who Should the AO/DAA Be?

• Highly placed within the organization
• Primary stakeholder
• Budget responsibility
• System Owner’s Boss

Page 10

Potential AO/DAAs

• Assistant Secretaries
• Division Directors
• Classification Authorities
• Program Manager

People to avoid:

• CIO
• CISO
• Certifier
• Contractors

Page 11

AO/DAA Responsibilities

• Works with system owners, security officers, and user representatives to understand weaknesses and improve the security of the information system
• Reviews and approves the system security plan and the security controls therein
• Establishes the acceptable level of risk to authorize a system to operate
• Oversees corrective actions
• Reviews security assessment reports
• Makes the accreditation decision
• Initiates re-accreditation

Page 12

IT Security in the SDLC

(Figure from NIST SP 800-64: the five SDLC phases, the general SDLC activities in each phase, and the security considerations that run alongside them.)

Initiation (Needs Determination)
· SDLC activities: Perception of a need; Linkage to mission and performance objectives; Assessment of alternatives to capital assets; Preparing for investment review and budgeting
· Security considerations: Security Categorization; Preliminary Risk Assessment

Acquisition/Development
· SDLC activities: Functional Statement of Need; Market Research; Feasibility Study; Requirements Analysis; Alternatives Analysis; Cost-Benefit Analysis; Software Conversion Study; Cost Analysis; Risk Management Plan; Acquisition Planning
· Security considerations: Risk Assessment; Security Functional Requirements Analysis; Security Assurance Requirements Analysis; Cost Considerations and Reporting; Security Control Development; Developmental Security Test and Evaluation (ST&E); Other Planning

Implementation
· SDLC activities: Installation; Inspection; Acceptance Testing; Initial User Training; Documentation
· Security considerations: Inspection and Acceptance; System Integration; Security Certification; Security Accreditation

Operations/Maintenance
· SDLC activities: Performance Measurement; Contract Modification; Operations; Maintenance
· Security considerations: Configuration Management and Control; Continuous Monitoring

Disposition
· SDLC activities: Appropriateness of Disposal; Exchange and Sale; Internal Organization Screening; Transfer and Donation; Contract Closeout
· Security considerations: Information Preservation; Media Sanitization; Hardware and Software Disposal

--NIST SP 800-64

Page 13

Accreditation Challenges

• Varying levels of expertise for Authorizing Officials in both IT and security
• Dependency on certifiers and their level of skill
• Tendency is to either avoid all risk or accept all risk
• More than just security risks to consider:
  • Schedule risk
  • Scope creep
  • Sunk costs
  • Risk-adjusted costs
  • Mission hindrance
  • “Washington Post Front Page Metric”
  • 5 layers of oversight

Page 14

More Than Just “Yes” or “No”

• Approval to Operate: accredit the system if the risk is at an acceptable level
• Interim Approval to Operate: a short-term ATO
• Denial: system re-design and re-implementation
• Make accreditation contingent upon specific actions (i.e., fix these 3 things and I’m happy)
• Provide additional support to the project/program team in money, personnel, and expertise
• Cancel the project in favor of low-risk alternatives
• Revise the scope of the project

Page 15

Accreditation Decision Scenarios

Playing the “Armchair Authorizer”

Page 16

There are no Right Answers!

• Everybody will have a different answer
• Yes, the scenarios are oversimplified and overly numbers-based—ambiguity creates conversation
• Don’t be too worried if you decided differently than I did
• If you can back up your decision with a rational explanation, then you are ready to be an Authorizing Official, tell your boss I said so
• The key is to make a valid risk-based decision

Page 17

But First, Some Definitions

• GGA: Generic Government Agency
• GSS: General Support System
• POA&M: Plan of Action and Milestones
• ATO: Approval to Operate (the term used throughout this deck; NIST SP 800-37 calls it Authorization to Operate)
• IATO: Interim Approval to Operate (a short-term authorization; NIST SP 800-37 Revision 1 later dropped the interim authorization as a distinct decision, leaving only authorization or denial)
• Denial: Not an ATO or IATO

Page 18

Scenario #1

The GGA GSS is a moderate-criticality system.
The GGA GSS was assessed with 5 high risks, 12 moderate risks, and 25 low risks. Overall, this is a high risk to the system.
The System Owner has accepted 2 of the high risks because they are needed for functionality.
The other risks are on a 180-day POA&M.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 19

Scenario #1—The Guerilla CISO Answer

This is the average system and risk assessment that you will find “in the wild”.
You could say that if it’s high-risk, has 2 accepted high risks, and it’s still in development, then it should be denied and the project team should redesign the system.
My tendency is to give them an IATO to get the system operational but I still have control over mitigation activity.
Most AO/DAAs would give the system an ATO for 1 year and make renewal contingent on completion of the POA&M items. This is to count as a completed C&A by OMB.

Page 20

Scenario #2

Same as Scenario #1 with the following change: The GGA GSS is a high-criticality system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 21

Scenario #2—The Guerilla CISO Answer

Giving the system a high for criticality in conjunction with the risk puts it under my threshold for acceptance.
I would reject the system and make an ATO contingent upon mitigation of the high risks.

Page 22

Scenario #3

The GGA GSS is a low-criticality system.
The GGA GSS was assessed with 3 high risks, 5 moderate risks, and 10 low risks. Overall, this is a moderate risk to the system.
The System Owner has accepted 2 of the high risks because they are needed for functionality.
The other risks are on a 60-day POA&M.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 23

Scenario #3—The Guerilla CISO Answer

The first thing you need to understand is that the system is low-criticality.
The level of risk seems acceptable to me.
I would give the system an ATO.

Page 24

Scenario #4

Same as Scenario #3 with the following change: The GGA GSS is a high-criticality system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 25

Scenario #4—The Guerilla CISO Answer

Giving the system a high for criticality makes me have a second thought about giving the system authorization.
I would give the system an IATO for 180 days, and we will revisit the accreditation at that time.

Page 26

Scenario #5

The GGA GSS is a high-criticality system and has been operational and providing mission-critical services without C&A for 5 years.
The GGA GSS was assessed with 10 high risks, 15 moderate risks, and 25 low risks. Overall, this is a very high risk to the system.
The System Owner has accepted 2 of the high risks because they are needed for functionality.
The other risks are on a 180-day POA&M.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 27

Scenario #5—The Guerilla CISO Answer

This is another typical scenario that you see for legacy systems. The system has been operational for 5 years without C&A.
I need the system to still remain operational, so it’s hard for me to justify rejecting the system.
I would give the system an IATO for 1 year, and we will reassess the risk then.
This system is an enterprise-wide operational risk to me. It is critical to our operations but still is below standard.
I also would talk to the System Owner to see if they need additional personnel or funding because I need them to succeed.

Page 28

Scenario #6

Same as Scenario #5 with the following change: The GGA GSS is a low-criticality system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 29

Scenario #6—The Guerilla CISO Answer

If the system is low-criticality, it changes my approach somewhat.
I can reject the system, have it shut down, and force the System Owner to reevaluate their need for the system and the design of their current system. It depends on if I think the system can be salvaged or not.
There needs to be a serious exploration of alternatives to this system.

Page 30

Scenario #7

The GGA GSS is a low-criticality system.
The GGA GSS was assessed with 0 high risks, 5 moderate risks, and 35 low risks. Overall, this is a moderate risk to the system.
No POA&M exists for the system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 31

Scenario #7—The Guerilla CISO Answer

The level of risk is acceptable to me.
I would make an ATO contingent upon the System Owner addressing the risks by either accepting them or creating a POA&M.

Page 32

Scenario #8

Same as Scenario #7 with the following change: The GGA GSS is a high-criticality system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 33

Scenario #8—The Guerilla CISO Answer

I would put the risk of this system as acceptable, but I still need some sort of answer on the risks, either accepting the risks or a POA&M.
I would make an ATO contingent upon the System Owner addressing the risks by either accepting them or creating a POA&M.

Page 34

Scenario #9

The GGA GSS is a moderate-criticality system.
The GGA GSS was assessed with 5 high risks, 0 moderate risks, and 0 low risks. Overall, this is a high risk to the system.
The System Owner has accepted 5 of the high risks because they are needed for functionality.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 35

Scenario #9—The Guerilla CISO Answer

No moderate or low risks? That seems highly irregular. I would look more closely at the risk assessment process that the system was given.
I would give the system a 90-day IATO to get it operational, but a full ATO is contingent upon a full reassessment of risk.

Page 36

Scenario #10

Same as Scenario #9 with the following change: The GGA GSS is a low-criticality system.

Your Decision: ATO / IATO / Denial
Why did you make this choice?

Page 37

Scenario #10—The Guerilla CISO Answer

I still don’t trust the certifiers on the assessment of risk.
I can reject the system until the risk is properly evaluated or I can give it an IATO.
My choice is the same as Scenario #9—give the system an IATO for 90 days and send the certifiers back to reassess the risk.

Page 38

What Have We Learned?

• It is harder to deny ATO to a high-criticality system because by its definition, high-criticality means that you need the system to be operational

• There is more to an accreditation decision than just ATO, IATO, and denial

• As a C&A practitioner, you need to ask the Authorizing Official what their acceptable level of risk is

• Sometimes the decision is made based on the trustworthiness of the System Owner, ISSO, and staff

• In order to make a decision, the Authorizing Official needs thorough, valid data

• The Authorizing Official needs to be highly-placed within the organization so that they can shift priorities to match up with the agency’s mission—the basic premise behind IT security governance

Page 39

C&A: Where the Model Breaks

• Legacy Systems: systems that have been operational pre-C&A and have serious vulnerabilities

• Astuteness of Certification Team: Security Test and Evaluation is only as good as the people performing it

• Dependencies: What to do with external dependencies that have not been assessed yet

• Assumes GO-GO (government-owned, government-operated): need workarounds for GO-CO (government-owned, contractor-operated), SaaS, and LoB (Line of Business) arrangements

• Organizational risk vs. personal risk

Page 40

Keys to Success: Fixing Accreditation

• AO/DAA education
• Build a solid, dependable certification team
• Basic program management skills
• Understanding of risk management concepts
• Traceability of risks back to the agency’s mission

Page 41

Questions, Comments, or War Stories?

http://www.guerilla-ciso.com/
http://www.ascensionriskmanagement.com/BlogOne/

rybolov(a)ryzhe.ath.cx
faraonej(a)gmail.com
gmckee(a)ascensionriskmanagement.com