A controversy concerning the information security policies at the US Department of Veterans Affairs was reported by Federal News Radio last week, and while it is dangerous to draw conclusions from leaks that precede scheduled congressional hearings, and doubly dangerous when those leaks are associated with an inflammatory audit report that is more than a year old, the substance of the controversy reflects the barriers that stand in the way of effective implementation of NIST’s Risk Management Framework by federal agencies.
The Federal News Radio story reports on charges and counter-charges about pressure being brought on VA IT security officials to sign Authorization to Operate (ATO) documents for systems that had not completed certification. The most striking feature of the controversy is the fact that the VA has security officials approving ATOs in the first place. The latest draft revision of OMB Circular A-130 is emphatic on this point: “Authorization is not a decision that should be made by the security staff, but rather by the appropriate authorizing official – an agency manager responsible for the associated missions or business functions.” The CISO (or equivalent security officer) is responsible for managing a risk assessment activity that must be independent of the business unit that owns the system. By definition, the security officer does not have the authority to balance business need against residual risk and therefore cannot sign an ATO.
When these roles are confused, the ATO itself can become a fixation – system owners demand one, because it is a talisman that shields them from criticism; auditors want to know how old it is, as though such a thing had a “use by” date like milk in a grocery store. Both notions miss the point that authorization is an ongoing process that has to be supported by continuous monitoring of vulnerabilities and threats to the system. The ATO merely signifies that all parties are engaged in the risk management process.
The fixation on the ATO is usually accompanied by the erroneous idea that the sheer number of known vulnerabilities (those recorded in the system’s Plan of Action and Milestones, or POA&M) is a measure of risk, and that risk is mitigated by “closing the POA&M items.” This illusion – fostered by Congressional pressure, auditors, and misguided media reporting – undermines the ability of senior officials to accept and manage risk on an ongoing basis.
Properly understood, risk exposure is a function of severity and duration: what counts is not how many POA&M items you have open, but how much risk each one represents and how long you carry it. A system whose owners record many low-severity findings and close them quickly carries less risk than one with a short POA&M that hides a single critical weakness for a year. If you are managing risk with continuous monitoring, a longer POA&M is more often a sign of visibility than of insecurity. The VA seems to have grasped the idea of continuous monitoring and ongoing authorization at the policy level. One hopes this controversy doesn’t induce “compliance-itis” in the agency management.
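To make the distinction concrete, here is an added example (not from the original post, and not VA or NIST scoring) that scores two constructed POA&Ms both ways: by open-item count, and by a simple “severity times days open” exposure metric. The severity scale (1 to 4), the dates, the two systems and the exposure formula are all assumptions for illustration; a real program would substitute its own severity weighting.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    """One POA&M entry. Severity scale 1 (low) to 4 (critical) is an assumed scale."""
    id: str
    severity: int
    opened: date
    closed: Optional[date] = None  # None means still open


# Constructed sample data (hypothetical, not real agency findings).
AS_OF = date(2015, 3, 1)

# System A: a short POA&M that hides a critical item open for over a year.
SYSTEM_A = [
    Finding("A-1", severity=4, opened=date(2014, 1, 15)),
    Finding("A-2", severity=3, opened=date(2014, 11, 1)),
]

# System B: a long POA&M of mostly low-severity items, found and closed quickly.
SYSTEM_B = [
    Finding("B-1", severity=1, opened=date(2015, 2, 20)),
    Finding("B-2", severity=2, opened=date(2015, 2, 25)),
    Finding("B-3", severity=1, opened=date(2015, 2, 10)),
    Finding("B-4", severity=3, opened=date(2015, 2, 27)),
    Finding("B-5", severity=2, opened=date(2015, 2, 15)),
    Finding("B-6", severity=4, opened=date(2015, 1, 20), closed=date(2015, 1, 27)),
]


def days_open(f: Finding, as_of: date) -> int:
    """Days the finding was (or has been) open up to the reporting date."""
    end = f.closed if f.closed is not None and f.closed <= as_of else as_of
    return max((end - f.opened).days, 0)


def open_count(findings: List[Finding], as_of: date) -> int:
    """The metric auditors fixate on: how many items are still open."""
    return sum(1 for f in findings if f.closed is None or f.closed > as_of)


def risk_exposure(findings: List[Finding], as_of: date) -> int:
    """Assumed exposure metric: sum of severity x days open, including items
    that have since been closed (closing an item does not erase the risk carried)."""
    return sum(f.severity * days_open(f, as_of) for f in findings)


def prioritize(findings: List[Finding], as_of: date) -> List[Finding]:
    """Order still-open items by carried exposure, highest first: what continuous
    monitoring should surface for the authorizing official."""
    still_open = [f for f in findings if f.closed is None or f.closed > as_of]
    return sorted(still_open, key=lambda f: f.severity * days_open(f, as_of), reverse=True)


if __name__ == "__main__":
    for name, system in (("System A", SYSTEM_A), ("System B", SYSTEM_B)):
        print(f"{name}: open items = {open_count(system, AS_OF)}, "
              f"exposure = {risk_exposure(system, AS_OF)}")
    top = prioritize(SYSTEM_A + SYSTEM_B, AS_OF)[0]
    print(f"Highest carried exposure: {top.id}")
```

By item count, System B looks worse (5 open versus 2); by carried exposure, System A is carrying roughly twenty times the risk, almost all of it in one critical item nobody closed. The ranking function is the part that matters for ongoing authorization: it tells the authorizing official which residual risk they are actually accepting today.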