Ongoing Authorization: Changing how Government does Security Compliance
Traditional security compliance has typically been driven by the Federal Information Security Management Act of 2002, which requires all information system security controls to be assessed every three years. Only after that assessment should a system be granted an Authority to Operate (ATO) by its Authorizing Official (AO). The review is a large paper-based compliance exercise and can be wasteful and time consuming. The cybersecurity threat landscape demands a faster time to market than that.
The federal government has now provided its departments and agencies a vehicle for making security authorization not only more efficient, but also more effective in today’s evolving threat landscape. National Institute of Standards and Technology (NIST) guidance and Office of Management and Budget (OMB) memoranda include the requirements to move toward an “ongoing state of security” and to perform “ongoing authorizations.” In this arena, the Department of Homeland Security (DHS) is not only leading the federal government, but has also influenced how such programs can be established and their objectives achieved.
OMB Memorandum M-14-03, “Enhancing the Security of Federal Information and Information Systems,” states that, “Our nation’s security and economic prosperity depend on ensuring the confidentiality, integrity and availability of Federal information and information systems.” It directs NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. DHS addresses this issue through its Ongoing Authorization (OA) program.
OA is a risk-based security authorization process that provides the AO with near real-time insight into the security posture of an information system. Using data feeds from the department’s Continuous Diagnostics and Mitigation program, security officials maintain an ongoing state of awareness for their systems, giving them an enhanced opportunity to make more informed risk-based decisions on the utilization of component and system information assets.
OA moves away from the three-year security authorization cycle. Instead of periodically reviewing cumbersome lists of security controls, ongoing assessments are driven by dynamic risk-based events.
OA implementation focuses heavily on evaluating and testing controls when security events or “triggers” occur. Upon notification of a trigger, an Operational Risk Management Board (ORMB) reviews the trigger to determine its impact on security controls and the risk it poses to the system. Following ORMB review, the Chief Information Security Officer prepares a formal letter to the Authorizing Official recommending whether or not to maintain the authorization.
OA has been an area of interest at DHS and in the federal government for the past few years. In 2012, DHS drafted an Ongoing Authorization Methodology and planned its pilot program. As a leader in OA across the federal government, DHS faced the challenge of determining component and system eligibility criteria, establishing program processes, and creating metrics to review the implementation of OA.
To ensure compliance and collaboration, DHS worked closely with NIST and other federal organizations including the Government Accountability Office to gather key requirements for OA.
The DHS Ongoing Authorization Pilot program ran from May to August 2013. Three DHS components with a total of 12 systems participated. In the fall of 2013, DHS invited other interested components that met the eligibility requirements to submit applications to enroll in the DHS OA Program. As of August 2014, seven DHS components are participating in the OA program.
The DHS OA program continues to expand. The program enrolled 70 systems before the end of FY2014, exceeding the goal of 50. Currently, 80 DHS systems have been enrolled in the OA program since its inception.