Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize


Upload: donald-e-hester

Post on 09-Feb-2017


Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presentation Notes
© 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2

Categorize

Select

Implement

Assess

Authorize

Monitor

Presentation Notes
The Six Steps in the RMF
Page 3
Presentation Notes
RMF Step 5: Authorize Information System
• Plan of Action and Milestones (POA&M): prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions already taken
• Security Authorization Package: assemble the security authorization package and submit the package to the authorizing official for adjudication
• Risk Determination: determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation
• Risk Acceptance: determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable
Page 4
Page 5
Page 6
Page 7
Page 8
Presentation Notes
Picture: Battle site, Bull Run; photo by Donald E. Hester, all rights reserved
Page 9

Categorize

Select

Implement

Assess

Authorize

Monitor

Presentation Notes
NIST SP 800-37 Rev 1, § 2.1
Page 10

“The purpose of this POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.” - OMB M-02-01

“The POA&M describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities.” - NIST SP 800-100

Presentation Notes
Plan of Action and Milestones (POA&M)
Page 11

“By reflecting the enterprise security needs of an agency, a consolidated POA&M provides a roadmap for continuous agency security improvement, assists with prioritizing corrective action and resource allocation, and is a valuable management and oversight tool for agency officials, Inspectors General, and OMB.” - OMB M-02-01

Presentation Notes
OMB Requirements: Guidance for Preparing and Submitting Security Plans of Action and Milestones (OMB M-02-01)
Page 12
Presentation Notes
Remediation Plan
• Applicability: a remediation plan is not needed if the certification process found all controls in place and working as expected
• The remediation plan is a list of items that need to be done to correct the deficiencies found
• Responsibility: system owners have ultimate responsibility
• They may assign the authority to remediate to others, such as the ISSO
• They cannot transfer responsibility; accountability remains with the system owner
• You can transfer authority, not responsibility
Page 13
Presentation Notes
Risk Remediation Plan
• Scope: should include all vulnerabilities detected, and also vulnerabilities whose risk is likely to be accepted
• Plan format, at a minimum: a weakness, a fix, a milestone (date), a responsible person
• Optional inclusions: cross-reference numbering, risk ranking
• For a more detailed description of the POA&M see OMB Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones: http://www.whitehouse.gov/omb/memoranda_m02-01/
Page 14
Presentation Notes
Items to include in the POA&M
• Column 1 - Describe the weakness
• Column 2 - Responsible office or person
• Column 3 - Estimated cost
• Column 4 - Scheduled completion date
• Column 5 - Key milestones
• Column 6 - Updates or changes
• Column 7 - How the weakness was found
• Column 8 - Status (Ongoing or Completed)
This is the required minimum information and suggested format from the OMB (Office of Management and Budget); agencies or organizations may have additional requirements.

OMB instructions (source: OMB M-02-01):
The following instructions explain how the POA&M should be completed. Attached is one example POA&M for a program and one for a system. Each illustrates the appropriate level of detail required. Once an agency has completed the initial POA&M, no changes should be made to the data in columns 1, 5, 6, and 7. The heading of each POA&M should include the unique project identifier from the exhibits 300 and 53, where applicable. (4)
• Column 1 -- Type of weakness. Describe weaknesses identified by the annual program review, IG independent evaluation or any other work done by or on behalf of the agency. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Where more than one weakness has been identified, agencies should number each individual weakness as shown in the examples.
• Column 2 -- Identity of the office or organization that the agency head will hold responsible for resolving the weakness.
• Column 3 -- Estimated funding resources required to resolve the weakness. Include the anticipated source of funding, i.e., within the system or as a part of a cross-cutting security infrastructure program. Include whether a reallocation of base resources or a request for new funding is anticipated. This column should also identify other, non-funding, obstacles and challenges to resolving the weakness, e.g., lack of personnel or expertise, development of a new system to replace an insecure legacy system, etc.
• Column 4 -- Scheduled completion date for resolving the weakness. Please note that the initial date entered should not be changed. If a weakness is resolved before or after the originally scheduled completion date, the agency should note the actual completion date in Column 9, "Status."
• Column 5 -- Key milestones with completion dates. A milestone will identify specific requirements to correct an identified weakness. Please note that the initial milestones and completion dates should not be altered. If there are changes to any of the milestones the agency should note them in Column 7, "Changes to Milestones."
• Column 6 -- Milestone changes. This column would include new completion dates for the particular milestone. See example.
• Column 7 -- The agency should identify the source (e.g. program review, IG audit, GAO audit, etc.) of the weakness. Weaknesses that have been identified as a material weakness, significant deficiency, or other reportable condition in the latest agency Inspector General audit under other applicable law, e.g., financial system audit under the Financial Management Integrity Act, etc. If yes is reported, also identify and cite the language from the pertinent audit report.
• Column 8 -- Status. The agency should use one of the following terms to report the status of corrective actions: Ongoing or Completed. "Completed" should be used only when a weakness has been fully resolved and the corrective action has been tested. Include the date of completion. See example.
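The eight-column POA&M layout described on this slide, modelled as a small Python record. This is an added example, not an OMB tool or the presenter's material; the class and function names (Weakness, Milestone, reschedule_milestone, mark_completed, overdue, demo) and the two sample weaknesses are this example's own constructions. It enforces three of the M-02-01 rules quoted above: the initial completion date and the source column cannot be edited once filed, milestone date changes are appended as Column 6 entries rather than overwriting Column 5, and "Completed" is only accepted together with a tested fix and a completion date. The overdue function picks out the Ongoing items past their scheduled date, which is what an IG or assessor reviews for progress.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example (not OMB's or the presenter's): a POA&M record carrying the
# eight M-02-01 columns from this slide. Rules enforced: Columns 1, 4 and 7
# cannot be edited once filed, milestone date changes are appended (Column 6)
# rather than overwriting Column 5, and "Completed" needs a tested fix plus a
# completion date (Column 8). Names and sample data are this example's own.

LOCKED = {"description", "scheduled_completion", "source"}   # Columns 1, 4, 7


@dataclass
class Milestone:                       # one Column 5 entry
    description: str
    scheduled: date                    # initial date, never altered
    changes: list = field(default_factory=list)   # Column 6: new dates, in order

    def current_date(self) -> date:
        return self.changes[-1] if self.changes else self.scheduled


@dataclass
class Weakness:
    number: int                        # weaknesses are numbered individually
    description: str                   # Column 1: type of weakness
    responsible: str                   # Column 2: responsible office or person
    estimated_cost: str                # Column 3: funding and non-funding obstacles
    scheduled_completion: date         # Column 4: initial date, never altered
    milestones: list                   # Column 5: key milestones
    source: str                        # Column 7: how the weakness was found
    status: str = "Ongoing"            # Column 8: Ongoing or Completed
    completed_on: Optional[date] = None

    def __setattr__(self, name, value):
        # Locked columns are set once by __init__ and refused afterwards.
        if name in LOCKED and name in self.__dict__:
            raise AttributeError(f"{name} is fixed once the initial POA&M is filed")
        super().__setattr__(name, value)

    def reschedule_milestone(self, index: int, new_date: date) -> None:
        """Record the new date in Column 6 instead of editing Column 5."""
        self.milestones[index].changes.append(new_date)

    def mark_completed(self, on: date, tested: bool) -> None:
        """'Completed' only when fully resolved and the corrective action was tested."""
        if not tested:
            raise ValueError("corrective action must be tested before reporting Completed")
        self.status, self.completed_on = "Completed", on


def overdue(items: list, today: date) -> list:
    """Numbers of Ongoing weaknesses past their scheduled date: the never-ending
    items an IG or assessor checks for progress on."""
    return [w.number for w in items if w.status == "Ongoing" and w.scheduled_completion < today]


def build_sample() -> list:
    """Two constructed entries, not real agency data."""
    return [
        Weakness(1, "Audit logs not reviewed weekly", "Office of the CIO / ISSO",
                 "$15,000 reallocated base funds; short of analyst staff",
                 date(2016, 9, 30), [Milestone("Issue log review procedure", date(2016, 8, 15))],
                 "IG audit"),
        Weakness(2, "Contingency plan not tested", "System owner",
                 "$5,000 within system budget",
                 date(2016, 6, 30), [Milestone("Tabletop exercise", date(2016, 6, 1))],
                 "Annual program review"),
    ]


def demo() -> dict:
    """Walk the sample through the rules and return the observable outcomes."""
    items = build_sample()
    w1, w2 = items
    try:
        w1.scheduled_completion = date(2017, 1, 1)          # editing Column 4 is refused
        date_locked = False
    except AttributeError:
        date_locked = True
    w1.reschedule_milestone(0, date(2016, 10, 1))            # recorded in Column 6
    try:
        w2.mark_completed(date(2016, 7, 20), tested=False)   # untested fix is refused
        untested_refused = False
    except ValueError:
        untested_refused = True
    w2.mark_completed(date(2016, 7, 20), tested=True)
    return {
        "date_locked": date_locked,
        "milestone_original": w1.milestones[0].scheduled.isoformat(),
        "milestone_current": w1.milestones[0].current_date().isoformat(),
        "untested_refused": untested_refused,
        "w2_status": w2.status,
        "overdue_on_2016_12_01": overdue(items, date(2016, 12, 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Locking Columns 1, 4 and 7 at the object level is the point of the example: the memo's audit trail depends on the original date and milestones staying visible next to whatever was rescheduled, so a tracker that silently overwrites them defeats the oversight purpose the slides describe.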
Page 15
Presentation Notes
System Level POA&M (source: OMB M-02-01)
Footnotes from OMB M-02-01:
1. Please see OMB M-01-24 of June 22, 2001, "Reporting Instructions for the Government Information Security Reform Act."
2. OMB Circular A-11 requires that agencies develop capital asset plans for all capital asset acquisition projects and report to OMB, via an exhibit 300, those plans for all major acquisitions. For information technology projects, plans for both major and significant projects must be reported to OMB. Agencies assign a unique identifier to each project and apply it to the exhibit 300 and 53.
3. OMB Circular A-11 requires that agencies report via an exhibit 53 an estimated percentage of the total investment for associated IT security costs.
4. OMB Circular A-11 requires that agencies develop and submit to OMB capital asset plans (exhibit 300) for major acquisition projects. For information technology projects, plans for both major and significant projects must be reported to OMB on an exhibit 300 and 53. The agency assigns a unique identifier to each project and applies it to both exhibits.
Page 16
Presentation Notes
Agency or Program Level POA&M (source: OMB M-02-01)
Page 17
Presentation Notes
The Plan
• Using the plan: it is a living document and may need regular updates; use it to measure progress
• When to create the plan: don't wait for the certification; as soon as a vulnerability is found, add it, and append additional items as needed
• It will be in a continuous state of update
• It should not be excessively detailed
• It will be in close relationship with the CPIC (Capital Planning and Investment Control) process
• Risk mitigation meetings: ongoing, like the plan
Page 18
Presentation Notes
Risk-Based Remediation
• A risk assessment will help guide the prioritization of remediation activities
• Higher-risk vulnerabilities should be addressed before lower-risk vulnerabilities
• Take into consideration 'low hanging fruit': easy, low-cost solutions
Page 19
Presentation Notes
POA&M Problems
• Often items are not addressed on the POA&M: the never-ending POA&M items
• Agencies don't have the resources (money, staff, etc.) to remediate
• Items stay on the POA&M indefinitely (in effect ignoring the risk)
• Agencies are being pressured to remediate POA&M items
• IGs and assessors look at outstanding items on the POA&M to see if items are being addressed in a timely manner (progress); it becomes an audit finding if they are not
• Solution: formally accept the risk of items for which there is no plan to remediate, rather than letting them stay on the POA&M indefinitely
Page 20
Presentation Notes
Summary
• The plan lays out what needs to be corrected
• It ensures that vulnerabilities are not forgotten
• It is used to track corrections
• It ensures proper documentation of remediation efforts
• It is used in conjunction with capital asset planning and budgeting
Page 21
Presentation Notes
Class Discussion: Remediation Plan
• What is the purpose of the remediation plan?
• You have a limited budget and cannot afford to remediate all the missing controls. How do you select which controls to remediate?
• Do you complete all the inexpensive 'low hanging fruit', or do you tackle fewer, more expensive, high-impact controls? Which way is risk-based?
• Why do auditors want to see your past remediation plans?
Page 22
Presentation Notes
Essential RMF Documentation
Picture: Mt. San Jacinto, Palm Springs, CA; photo by Donald E. Hester, all rights reserved
Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 6, pg 257-269
Page 23
Presentation Notes
Authority
• The CISO will determine the minimum requirements for the C&A package
• The package is everything that is submitted for accreditation
• The system owner compiles the package for review
• The authorizing official reviews it for accreditation
Page 24
Presentation Notes
Security Authorization Package contents
• At minimum (NIST RMF): the approved System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M)
• Take a minimalist point of view
• Avoid becoming a paper exercise
• Exclude unnecessary artifacts
• Agency-defined list (NIST SP 800-100)
Page 25
Presentation Notes
Additional documents (standard artifacts)
• The certification statement: states, at a high level, the results of the certification test; prepared by the certifying agent
• The transmittal letter: a concise cover sheet for the entire package that states who prepared the package, why it was prepared, who it goes to, and what is to be done
Page 26
Presentation Notes
DIACAP Package
• Comprehensive DIACAP Package: System Identification Profile (SIP), DIACAP Implementation Plan (DIP), supporting documentation for certification (artifacts), DIACAP Scorecard, IT Security POA&M
• Executive DIACAP Package: System Identification Profile (SIP), DIACAP Scorecard, IT Security POA&M
Page 27

DoDI 8510.01, November 28, 2007

Presentation Notes
DoDI 8510.01, November 28, 2007
Page 28
Presentation Notes
NIACAP Package
• System Security Authorization Agreement (SSAA)
• Security Test and Evaluation (ST&E)
• Penetration test results
• TEMPEST and red-black verification
• Communications Security (COMSEC) compliance validation
• System management analysis
• Site evaluation
• Contingency plan evaluation
• Risk management review
• System certification statement
• Authorization to Operate (ATO)
Page 29
Presentation Notes
Administration
• A copy will be submitted to the Authorizing Official
• The system owner should maintain a copy
• A central repository is an excellent idea
• Label the package with the appropriate categorization level, e.g. Unclassified but Sensitive
• Controlled Unclassified Information (since Nov 2010): on November 4, 2010, President Obama signed Executive Order 13556, "Controlled Unclassified Information", which establishes a program for managing this information. It requires a conversation between the Executive Agent (EA), departments or agencies, other stakeholders, and the general public to consolidate and standardize CUI terms and practices.
Page 30
Presentation Notes
Document Update and Control
• “Providing orderly, disciplined, and timely updates to the security plan, security assessment report, and plan of action and milestones on an ongoing basis, supports the concept of near real-time risk management and ongoing authorization” - NIST SP 800-37 Rev 1
• You must maintain strict version control on all documents in the package
• The package should be updated as needed
• Database, automation and workflow systems can help facilitate near real-time updates and status
Page 31
Presentation Notes
Summary
• The documents included depend on the needs of the authorizing official
• The approving authority can require all controls to be in place before authorizing operation
• The documents show that management has exercised due diligence
• The C&A package is designed to provide the authorizing official with the necessary information to make an informed decision
• It should not overwhelm the authorizing official
Page 32
Presentation Notes
Class Discussion: Documentation
• If you were an authorizing authority, what documentation would you like to see before you made a decision on a system?
• If an authorizing authority does not have any questions about the accreditation package, what might this indicate?
Page 33
Presentation Notes
Assessing Risk
Picture: Sea Lions, Pier 39, San Francisco, CA; photo by Donald E. Hester, all rights reserved
Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 3, pg 149-167
Page 34

“balance the operational and economic costs of protective measures and achieve gains in mission capability”

Presentation Notes
Background
• NIST SP 800-39, March 2011; NIST SP 800-30, July 2002
• The principal goal of an organization’s risk-management process is to protect the organization and its ability to perform its mission, not just its information assets
• Risk cannot be completely eliminated
• The purpose of risk management is to “balance the operational and economic costs of protective measures and achieve gains in mission capability” (NIST SP 800-100)
• Cost-benefit analysis: see NIST SP 800-30 and NIST SP 800-100
Page 35
Presentation Notes
Multiple Levels of Risk (NIST SP 800-37 Rev 1, § 2.1)
Page 36

NIST SP 800-39 (March 2011)

Presentation Notes
Organization-wide Risk View
“The risk executive (function) is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success.” - NIST SP 800-37 Rev 1
Page 37
Presentation Notes
Risk Assessment in the RMF
• Supports the proper selection of controls
• Makes sure the controls “fit” (tailoring controls)
• Ensures the controls selected are not excessive, based on the realistic need for protection
• Cost-effective implementation
• Ensures controls are applicable
• Control justification
Page 38
Presentation Notes
Risk Management
• How do you justify a new firewall?
• Is it more than you need? Is it less than you need?
• How does someone outside of IT know it was the right choice?
• How do you demonstrate due care?
Page 39
Presentation Notes
Risk Management Definitions
• Risk: the potential for any loss
• Asset: something of value
• Probability: the likelihood of an event
• Control: something that reduces risk (also called a countermeasure or safeguard)
• Threat: an event that has an undesirable impact; a potential danger
• Vulnerability: a weakness
• Exposure: being open to a threat
• Residual risk: the risk left over after controls are put in place
• Acceptable risk: risk accepted by management
Page 40
Presentation Notes
Risk Management Definitions
• Risk Management: the process of reducing risk, because it cannot be eliminated
• Risk Analysis: identify assets and potential losses
• Risk Assessment: determination of the recommended controls that would reduce risk to an acceptable level
• Vulnerability Assessment: used for the risk analysis; determines vulnerabilities
• MOF has 5 steps: Identify, Analyze, Plan, Track, Control
Page 41

Risk Management

Risk Assessment

Risk Mitigation

Evaluation & Assessment

Presentation Notes
Risk Management
Page 42
Presentation Notes
Risk Management
• A process, not a goal; it is never ending
• SDLC (Systems Development Life Cycle)
• Any change in the environment changes your risk level
• The risk terrain is like waves in the ocean, ever changing
Page 43
Presentation Notes
Risk Management: management’s role
• Balance cost with operational goals
• Set acceptable levels of risk (risk appetite)
• Use the risk analysis process for decision-making
• Cost-benefit analysis (ROI)
• Determine if controls are in place
• Sign-off forms to take responsibility
• Risk analysis team
Page 44
Presentation Notes
Risk Management
Management can choose how to deal with risk once they have all the information and recommendations. After they have the results from the risk analysis they can determine how they want to mitigate risks, mitigating them to an acceptable level. Any risk remaining is residual risk.
Page 45
Presentation Notes
Risk Analysis
• Purpose: the first step in risk management; ensure that the security program (controls) is adequate and appropriate for the real risks
• Goals: identify assets; identify risks; connect risks and assets; determine impact; cost vs. benefit; prioritize control selection/implementation; control objectives
• Impact of occurrence vs. probability of occurrence
Page 46
Presentation Notes
Risk
“Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” - NIST SP 800-30
Page 47

“Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” - NIST SP 800-30

Presentation Notes
Vulnerability
Page 48

“Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” - NIST SP 800-30

“Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” - NIST SP 800-30

Presentation Notes
Threat and Threat-Source
Page 49
Presentation Notes
Risk Assessment
Countermeasure and safeguard are different words for control.
Page 50
Presentation Notes
Typical Risk Analysis Phases
We need to determine what we have, what it is worth, what could happen to it, how often it could happen, and what the impact would be if it did happen, so that we can determine what controls should be used based on cost, and document everything we discovered.
NIST RA Process
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Risk determination
• Control recommendations
• Results documentation
CISM Guide pg 97-104
Page 51
Presentation Notes
Phase 1: Identify assets, determine their value and classify them.
Page 52
Presentation Notes
Phase 2: Identify the risks associated with the assets (threat / vulnerability pairs).
Page 53
Presentation Notes
Phase 3: Impact analysis; impact of occurrence vs. probability of occurrence.
Page 54
Presentation Notes
Phase 4: Determine what controls can be used and the cost associated with each control, and recommend controls.
Page 55
Presentation Notes
Phase 5: Documentation; protect yourself, due diligence.
Page 56

NIST SP 800-30

Presentation Notes
NIST Risk Assessment Process
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendation
• Results Documentation
Page 57

System Characterization

Input
• Hardware
• Software
• System interfaces
• Data
• People
• Mission
• Reputation

Output
• System boundary
• System functions
• Criticality
• Sensitivity

Presentation Notes
Step 1: System Characterization (also called asset identification)
Page 58
Presentation Notes
Types of Assets
• Physical: hardware, buildings
• Information: data, software, documentation
• Human resources
• Reputation
Page 59
Presentation Notes
Value of Assets
Page 60

Threat Identification

Input
• History of attacks
• Intelligence
• Media
• Advisories

Output
• Threat statement

Presentation Notes
Step 2: Threat Identification
Page 61
Presentation Notes
Types of Threats
• Physical: loss, theft, environmental
• Errors and omissions
• Humans
• Software malfunction
• Equipment failure
• Misuse
• Attacks: internal or external; intentional or unintentional; action or inaction
Questions to ask: What controls do we have in place now? How well have they been working? What vulnerabilities do we have? What threats can we identify?
Page 62

NIST SP 800-30

Presentation Notes
Examples of Threats (NIST SP 800-30)
Page 63

Vulnerability Assessment

Input
• Prior risk assessments
• Audit comments
• Security test results
• Known vulnerabilities

Output
• List of potential vulnerabilities: natural, environmental, man-made

Presentation Notes
Step 3: Vulnerability Identification
Page 64

NIST SP 800-30

Presentation Notes
Example Vulnerability/Threat Pairs (NIST SP 800-30)
Page 65

NIST SP 800-30

Presentation Notes
Security Requirements Checklist (NIST SP 800-30)
Page 66

Control Analysis

Input
• Current controls
• Planned controls

Output
• List of current and planned controls

Presentation Notes
Step 4: Control Analysis
Page 67

Likelihood Determination

Input
• Threat-source motivation
• Threat capacity
• Nature of the vulnerability
• Current controls

Output
• Rating

Presentation Notes
Step 5: Likelihood Determination; the rating feeds the risk calculation
Page 68

NIST SP 800-30

Presentation Notes
Likelihood Definitions (NIST SP 800-30)
• Impact to mission?
• Impact to assets?
• Impact to reputation?
Page 69

Impact Analysis

Input
• Mission impact analysis
• Asset criticality assessment
• Criticality
• Sensitivity

Output
• Impact rating

Presentation Notes
Step 6: Impact Analysis
Page 70: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

“Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.”

Presenter
Presentation Notes
NIST SP 800-39 (source of the quotation on the slide)
Page 71: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-30

Magnitude of impact by security objective:

                  Low        Medium     High
Confidentiality   Limited    Serious    Grave or Catastrophic
Integrity         Limited    Serious    Grave or Catastrophic
Availability      Limited    Serious    Grave or Catastrophic

Presenter
Presentation Notes
Risk Calculation NIST SP 800-30 Impact to Mission? Impact to Assets? Impact to Reputation?
Page 72: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Risk Analysis
• Quantitative: formal, numeric, monetary, statistical
• Qualitative: informal, rating, gut feeling, educated guess, Delphi method
• In some organizations management prefers monetary values to make decisions. In other organizations where management does not focus as much on money, such as a school, you will not want to use monetary values. Schools tend to respond to intangible values to students, faculty, and others. Know the business and what is important to them.
• Used to justify implementation of controls
• Quantitative: you can’t put everything into dollars; a purely quantitative analysis is impossible.
• Qualitative: get experts or professionals, come up with scenarios, determine possible outcomes, judge how serious each outcome is, and rank the outcomes. The Delphi method is anonymous: participants submit their ideas without attribution.
Page 73: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Impact Analysis
• Impact
  • What is the asset worth? AV (Asset Value)
  • How bad would one incident be? EF (Exposure Factor)
  • One-time loss: SLE (Single Loss Expectancy)
  • How many times a year? ARO (Annualized Rate of Occurrence)
  • How much loss in a year? ALE (Annualized Loss Expectancy)
• AV * EF = SLE; SLE * ARO = ALE (must know!)
• Probability
• When you look at impact, don’t forget potential loss and delayed loss
Page 74: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-30

Presenter
Presentation Notes
Step 7: Risk Determination
• Risk determination combines the probability (likelihood) of threat exploitation and the magnitude of impact
• Determines if the controls are adequate
Page 75: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Prioritize Risks
• Select the risks with the highest probability and the highest impact potential.
• A meteorite hitting the data center would be a low probability with a high impact.
• A virus would be a high probability with a potential for a high impact.
Page 76: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Step 8: Control Recommendations
• What controls are needed to reduce risk to an acceptable level?
• The system may need more or fewer controls than the minimum security baseline
• Consider the following factors:
  • Effectiveness of recommended options (e.g., system compatibility)
  • Legislation and regulation
  • Organizational policy
  • Operational impact
  • Safety and reliability
• Safeguard identification: determine what controls can be used and the cost associated with each control, then recommend controls.
Page 77: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Risk-Based Controls
• Should focus on addressing:
  • High-probability attacks
  • High-impact attacks
• Consistent implementation
• Automated and continuously monitored
• Additional technical activities should be used to defend systems
Page 78: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Control Selection
• Does the control mitigate the risk?
  • ALE before the control
  • ALE after the control
• Control complexity
• Cost / benefit comparison
  • ROI (Return on Investment)
  • Hidden costs: productivity, maintenance
Page 79: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Control Selection (cont.)
• Limited resources: time, funding, resources, personnel
• With limited resources, choices have to be made about which security controls are most important
• A prioritized approach to implementing controls is required
• Prioritize by greatest risk first
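The asset-value arithmetic from the impact analysis slide (AV * EF = SLE, SLE * ARO = ALE), the "greatest risk first" prioritization and the ALE-before / ALE-after cost/benefit comparison for control selection, worked through in Python as an added example that is not part of the slide deck. The risk register, control costs and reduction figures are constructed sample values, and the hidden-cost breakdown (maintenance, productivity) is one way of modelling the slide's "hidden costs".

```python
"""Quantitative risk analysis and control selection (added example).
Module formulas: AV * EF = SLE and SLE * ARO = ALE.  A control is worth
buying when (ALE before) - (ALE after) exceeds its annual cost, counting
hidden costs.  Every risk, control and number below is constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 - 1.0)
    aro: float              # ARO: expected incidents per year


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: AV * EF."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: SLE * ARO."""
    return round(sle(risk) * risk.aro, 2)


@dataclass
class Control:
    name: str
    target: str                      # name of the Risk this control mitigates
    acquisition_cost: float          # one-time purchase / implementation cost
    useful_life_years: float         # years over which acquisition cost is spread
    annual_maintenance: float        # hidden cost: upkeep, patching, staff time
    annual_productivity_loss: float  # hidden cost: user time lost to the control
    new_exposure_factor: Optional[float] = None  # EF once the control is in place
    new_aro: Optional[float] = None              # ARO once the control is in place

    def annual_cost(self) -> float:
        """Total yearly cost of the control, hidden costs included."""
        return round(self.acquisition_cost / self.useful_life_years
                     + self.annual_maintenance + self.annual_productivity_loss, 2)


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control changes EF and/or ARO."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return Risk(risk.name, risk.asset_value, ef, aro)


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual benefit of a control: (ALE before) - (ALE after) - (annual cost)."""
    return round(ale(risk) - ale(residual_risk(risk, control)) - control.annual_cost(), 2)


def roi(risk: Risk, control: Control) -> float:
    """Return on investment relative to what the control costs each year."""
    return round(safeguard_value(risk, control) / control.annual_cost(), 2)


def prioritize(risks: List[Risk]) -> List[str]:
    """Risk names ordered greatest annualized risk first."""
    return [r.name for r in sorted(risks, key=ale, reverse=True)]


def recommend(risks: List[Risk], controls: List[Control]) -> List[str]:
    """Controls whose yearly benefit exceeds their yearly cost, best first."""
    by_name = {r.name: r for r in risks}
    scored = [(safeguard_value(by_name[c.target], c), c.name)
              for c in controls if c.target in by_name]
    return [name for value, name in sorted(scored, reverse=True) if value > 0]


# Constructed sample register: a frequent moderate-impact event, a yearly
# low-impact event, and the slide's low-probability / high-impact meteorite.
RISKS = [
    Risk("Virus outbreak on workstations", 200_000, 0.25, 2.0),
    Risk("Web server defacement", 100_000, 0.10, 1.0),
    Risk("Meteorite hits data center", 5_000_000, 1.0, 0.0001),
]
CONTROLS = [
    Control("Endpoint anti-malware", "Virus outbreak on workstations",
            60_000, 3, 8_000, 2_000, new_aro=0.25),
    Control("Web application firewall", "Web server defacement",
            15_000, 3, 5_000, 2_000, new_exposure_factor=0.05, new_aro=0.5),
    Control("Meteorite-proof bunker", "Meteorite hits data center",
            3_000_000, 3, 0, 0, new_aro=0.0),
]

if __name__ == "__main__":
    print("Priority order:", prioritize(RISKS))
    for c in CONTROLS:
        r = next(x for x in RISKS if x.name == c.target)
        print(f"{c.name}: cost {c.annual_cost():,.0f}/yr, value {safeguard_value(r, c):,.0f}")
    print("Recommended:", recommend(RISKS, CONTROLS))
```

Note that the web application firewall cuts its risk's ALE by three quarters yet still fails the cost/benefit test, which is the point of comparing ALE reduction against the full annual cost rather than judging a control by effectiveness alone.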
Page 80: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
A Prioritized Baseline of Controls
• How do we prioritize controls?
• Intelligence: knowledge of actual attacks
• Controls that can prevent known attacks should be given a higher priority
• A consensus report has been developed to document 20 critical controls
Page 81: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-30

Presenter
Presentation Notes
Residual Risk NIST SP 800-30
Page 82: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-100

Presenter
Presentation Notes
Accepted or Unacceptable Risk NIST SP 800-100
Page 83: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Step 9: Results Documentation
• “Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.” NIST SP 800-30
• Helps senior management make an educated decision on risk acceptance
• Management may wish to accept residual risk
• Documentation: Risk Assessment Report (RAR), Report on Risk (ROR)
Page 84: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

See NIST SP 800-30 Appendix B

Presenter
Presentation Notes
Sample Report See NIST SP 800-30 Appendix B
Page 85: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Documented Risk Assessment
Page 86: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
How can you react to risks?
• Reduce the risk (Risk Limitation & Risk Avoidance)
  • Apply countermeasures and controls (mitigation)
  • Don’t do the actions that have the risks (avoidance)
• Accept the risk (Risk Assumption)
  • Accept the risk with or without controls
• Transfer the risk (Risk Transference)
  • Buy insurance (mitigation)
• Reject the risk
  • Denial of Authorization to Operate (DATO)
• Ignore the risk
  • Pretending the risk is not there does not protect you from the potential outcome
• Mitigation: an ongoing effort to reduce the impact of risk
Risk Mitigation Options (NIST SP 800-30)
• Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
• Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
• Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
• Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
• Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
• Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Page 87: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-100

Presenter
Presentation Notes
Accepted or Unacceptable Risk NIST SP 800-100
Page 88: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Evaluation and Assessment
• OMB A-130, Appendix III
• Risk assessment is usually repeated at least every 3 years
• There is a movement toward continuous monitoring
• With continuous monitoring comes continuous risk management
Page 89: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

Risk Monitoring

Risk Response

Risk Assessment

Risk Framing

Presenter
Presentation Notes
Risk Management Process Tasks (NIST SP 800-39): Risk Framing, Risk Assessment, Risk Response, Risk Monitoring
Page 90: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39

Presenter
Presentation Notes
Risk Management Process Tasks (NIST SP 800-39)
Page 91: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39 Appendix E (March 2011)

Presenter
Presentation Notes
Step 1: Risk Framing NIST SP 800-39 Appendix E (March 2011)
Page 92: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39 Appendix E (March 2011)

Presenter
Presentation Notes
Step 2: Risk Assessment NIST SP 800-39 Appendix E (March 2011)
Page 93: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39 Appendix E (March 2011)

Presenter
Presentation Notes
Step 3: Risk Response NIST SP 800-39 Appendix E (March 2011)
Page 94: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39 Appendix E (March 2011)

Presenter
Presentation Notes
Step 4: Risk Monitoring NIST SP 800-39 Appendix E (March 2011)
Page 95: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39

Presenter
Presentation Notes
Strategic & Tactical Risk
Page 96: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

NIST SP 800-39

Presenter
Presentation Notes
Organization Risk Strategy
Page 97: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Ongoing Risk Determination and Acceptance
• Threats change almost daily
• New vulnerabilities are found daily
• Systems constantly change
• Controls fail
• All of these lead to a change in the risk to the system
• We must determine if the change to the system is material (significant)
• A material change in risk requires corrective actions to lower that risk to an acceptable level
Page 98: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

Continuous Risk

Management

Control Failure

Assessment Results

Incidents System Changes

Industry Advisories

Business Objective Change

Presenter
Presentation Notes
Inputs for the continuous risk management process
• The Risk Executive Function can assist in the gathering and dissemination of the risk-related intelligence or research
• Continuous Risk Management inputs: control failure, assessment results, incidents, system changes, industry advisories, business objective change
Page 99: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Continuous Risk Analysis
Page 100: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
NIST SP 800-37 Rev 1
Page 101: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Supply Chain Risk
• Products and services in the domestic and international supply chain include, for example:
  • Hardware, software, and firmware components for information systems
  • Data management services
  • Telecommunications service providers
  • Internet service providers
• Risks:
  • Introduction of exploitable vulnerabilities or malicious code
  • Availability of services, software, hardware, etc.
  • Determining the trustworthiness of information systems
  • Determining the trustworthiness of service providers
Page 102: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Summary
• Risk assessment determines and/or verifies requirements for a system
• It is a process to:
  • Value assets
  • Determine potential threats to those assets
  • Determine potential weaknesses in the system
  • Determine the impact of a threat exploiting a vulnerability
  • Determine what controls will reduce risk to an acceptable level
  • Accept residual risk
  • Document results
Page 103: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Class Discussion: Assessing Risk
• What is the objective of a risk assessment?
• Can we completely remove risk?
• An authorizing authority is having a difficult time with the concept of residual risk. How would you explain it to him/her?
• What information do we need in order to start the risk assessment?
• How do you determine the likelihood that a threat-agent will exploit a vulnerability?
• What is the benefit and the danger of using a risk assessment template?
Page 104: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Documenting the Authorization Decision Picture: Redwoods, Muir Woods, CA; Photo by Donald E. Hester all rights reserved Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 6 pg 248-257
Page 105: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

“By accrediting an information system, an agency official accepts the risks associated with operating the system and the associated implications on agency operations, agency assets, or agency individuals. Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.” NIST SP 800-100

Presenter
Presentation Notes
The Authorizing (Accrediting) Official (AO)
• The accreditation letter fixes responsibility for the operation of the system
• It establishes accountability for system operation
• The AO owns the business process, not the system
• No system should go into production that has not been authorized
• Quotation on the slide: NIST SP 800-100
Page 106: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
The Authorization Decision Document
• AKA “Accreditation Letter”
• Contains the authorization decision
  • Authorized to operate (ATO)
  • Not authorized to operate: denial of authorization to operate (DAO or DATO)
• Should clearly reflect the stipulations of the authorizing official (terms and conditions)
  • Are there any conditions which are excluded?
• Authorization Termination Date
  • Generally limited to a 3-year life span
• Must understand:
  • Personal consequences
  • Operational consequences
• You may have seen the terms Interim Authorization to Operate (IATO) or Conditional Authorization to Operate (CATO). Note: IATOs and CATOs are not recognized by OMB. In reality they are ATOs with special terms and conditions enumerated, or with an earlier than normal authorization termination date.
• “An interim authorization to test is a special type of authorization decision allowing an information system to operate in an operational environment for the express purpose of testing the system with actual operational (i.e., live) data for a specified time period. An interim authorization to test is granted by an authorizing official only when the operational environment or live data is required to complete specific test objectives.” NIST SP 800-37 Rev 1
• “Some organizations may choose to use the term interim authorization to operate to focus attention on the increased risk being accepted by the authorizing official in situations where there are significant weaknesses or deficiencies in the information system, but an overarching mission necessity requires placing the system into operation or continuing its operation.” NIST SP 800-37 Rev 1
Page 107: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Conditional and Interim Authorization
• Full accreditation may not be possible
• Conditional or interim may be used
• Conditional would state that the system could operate under certain circumstances
  • Only if certain controls are in place
• Interim is often used when the system needs to be in place and functional for business reasons and still lacks all the necessary controls
  • Usually has an expiration date, typically within 6 months
Page 108: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Page 109: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Interim Authorization to Test (IATT)
• Typically granted only when an operational environment or live data is required to complete specific test objectives
• Typically expires at the completion of testing (90 days)
• The system is not used for operational purposes during the IATT period (DoDI 8510.01, Mar 12, 2014)
• Not considered an authorized system for OMB reporting
Page 110: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

Source: www.disa.mil

Presenter
Presentation Notes
Interim Authorization to Operate (IATO)
• The IATO grants temporary authorization to process information under defined conditions. It should contain:
  • The organization’s letterhead and date of signature
  • The security mode of operations and data sensitivity or classification level
  • Safeguards
  • The defined threat and stated vulnerabilities
  • Interconnections to other systems
  • The level of risk
  • The specific period of time for approval
  • Specific system/suite hardware and software
  • The description of the operations environment
  • The signature and signature block of the Designated Approving Authority (DAA)
• Source: www.disa.mil
Page 111: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Organizations Abuse IATOs
• Use the IATO process to avoid the full RMF (certification and accreditation) process
• The IATO expiration date is not a reasonable period of time
  • IATOs often go on indefinitely
• Agencies don’t have policies, or don’t enforce policies, on the use and limitations of IATOs
• Overstate the number of systems that are authorized
  • IATOs should not be included in an agency’s count of its systems that are certified and accredited
  • OMB does not recognize an IATO as a fully authorized system
• There are no exceptions to the requirement to certify and accredit all Federal Information Systems
Page 112: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

“A type authorization is an official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation. This form of authorization allows a single authorization package (i.e., security plan, security assessment report, and plan of action and milestones) to be developed for an archetype (common) version of an information system that is deployed to multiple locations, along with a set of installation and configuration requirements or operational security needs, that will be assumed by the hosting organization at a specific location.”– NIST SP 800-37 Rev 1

Presenter
Presentation Notes
Type Authorization (quotation on the slide: NIST SP 800-37 Rev 1)
Page 113: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Leveraged Authorization
• Accepts the existing authorization of a shared system
• Review the existing package
• Determine if the risk is acceptable
• Consider your risk tolerance
• Provides opportunities for significant cost savings
Page 114: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Page 115: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Designation of Approval Authorities
• The organization must designate who the AOs will be
• Must be senior officials
• Must be able to commit resources to the system (budget authority)
• Each organization will have multiple AOs, usually by business unit or department
• Joint Authorization: a security authorization involving multiple authorizing officials. NIST SP 800-37 Rev 1
Page 116: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Approving Authority Qualifications
Page 117: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

“To ensure that the agency's business and operational needs are fully considered, the authorizing official should meet with the system owner prior to issuing the security accreditation decision. In this meeting, the certification and accreditation authorities should clearly explain the rationale for their risk-based decision and, where appropriate, fully explain the terms and conditions of the authorization.” NIST SP 800-100

Presenter
Presentation Notes
Authorization Decision Process
• Submission of the package by the system owner to the authorizing official
• The package should be complete
• Timing is important
• The system owner should follow up until the authorization is finalized
• The system owner should remediate any open issues promptly
• Quotation on the slide: NIST SP 800-100
Page 118: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize

The Continuous Monitoring phase is an essential component in any security program. During this phase, the status of the security controls in the information system are checked on an ongoing basis. … At a minimum, an effective monitoring program requires the following:

• Configuration management and configuration control processes for the information system;

• Security impact analyses on changes to the information system; and

• Assessment of selected security controls in the information system and reporting of information system security status to appropriate agency officials.

Presenter
Presentation Notes
Actions Following Authorization
• The system owner needs to track any corrective actions
• Update the approving authority as needed
• Changes in the environment may impact the security controls
• Recertification
• Minimum requirements of an effective continuous monitoring program (quotation on the slide): configuration management and configuration control processes; security impact analyses on changes; and assessment of selected security controls with reporting of security status to appropriate agency officials
Page 119: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
DoDI 8510.01 Mar 12, 2014
Page 120: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Reauthorization
• Time-driven: when you have reached the authorization termination date
• Event-driven: occurs when there is a significant change to the information system or its operational environment
  • Significant (material) change to the risk to the system
• Change in authorizing official
  • The new authorizing official can review the package (if the documents are up to date) and sign off to accept the risk
  • If the new authorizing official does not accept the risk, the reauthorization process begins
Page 121: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Authorization Rescission
• The AO may wish to terminate an active ATO or IATO and issue a DATO
• The AO can do this at any time
• They often have reasons for rescission:
  • Policies, procedures, directives, laws, etc. are not being followed
  • Violation of the terms and conditions of the ATO
  • A change resulting in a significant change in risk to the system
  • Continuous monitoring: control failures, assessment results
• The AO should consult with the Risk Executive Function
Page 122: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Summary
• The final event? No, an ongoing process!
• Approval from senior management to operate the system
• Fixed responsibility and accountability
• The authorizing official may have had little or no interaction with the process up until this point
• Should not delegate this process
• This process demonstrates that due care has been exercised
• Establishes accountability
Page 123: Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Presenter
Presentation Notes
Class Discussion: Authorization Decision
• Can an authorizing official sign an accreditation letter before the system has been certified?
• A signed accreditation letter demonstrates what?
• What types of conditions might an AO attach to an authorization to operate?
• Why have a time period on a conditional or interim authorization to operate?
• Why should the system owner and AO meet before the accreditation letter is signed?
• Why is it a good idea to have the business unit manager or information owner as the AO?