CISO Perspectives | Authorization as the new approach to C&A
By members of the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau
The National Institute of Standards and Technology is working with the Office of the Director of National Intelligence, the Defense Department and the Committee on National Security Systems to develop a common information security framework for the federal government. In March 2008, NIST, ODNI, DOD, and CNSS established an interagency working group to develop a common security authorization process for federal information systems.
The new authorization process will replace the current stovepiped, static approach to certification and accreditation with one that emphasizes continuous monitoring. Two initiatives, the Federal Desktop Core Configuration (FDCC) and the Security Content Automation Protocol (SCAP), are directly related to the move toward the continuous-monitoring model.
The Certification and Accreditation Transformation Initiative project will produce a series of new CNSS policies and instructions that address risk management, security categorization, security control specification, security control assessment and security authorization. This initiative will closely parallel the NIST security standards and guidelines developed during the past six years in response to the Federal Information Security Management Act.
NIST has more than three decades of lessons learned from C&A guidance and is attempting to put those lessons to use, as well as bring the authorization process closer to the ISO 27001 standard. It should be noted that some agencies, faced with authorizing both classified and unclassified systems, have developed hybrid approaches ahead of the theorists.
The revision embodied in NIST Special Publication 800-37 is an evolution of the current C&A process in that it emphasizes continuous monitoring, the systems development life cycle (SDLC) and the authorization process itself. The new process is designed to be integrated into enterprise architectures and SDLC processes. The authorization process promotes the concept of near real-time risk management and capitalizes on agencies' previous investment in automated support tools. The new authorization process is meant to promote a more efficient and effective security stance by agencies. The desired result is a shift of funds from the current labor-intensive process to a more streamlined investment approach that allows information assurance staffs to take advantage of better information technology tools.
The new authorization process is designed to be tightly integrated into enterprise architectures and existing SDLC processes. Part of this change is a de-emphasis of application-level C&A in favor of reliance on controls at the base operating system, which can be applied using the FDCC controls.
The NIST SP 800-37 revision makes four main changes to the authorization process. First, it vests the responsible official with the authorization decision, made on the basis of the content of the authorization package. It ends the practice of granting an interim authority to operate and allows for only two decisions: authorization to operate or denial of authorization (authorization rescission). The authorization decision specifies the terms and conditions under which the system is to be operated, together with an authorization termination date. Second, it integrates the process of authorizing systems with the SDLC (NIST SP 800-64) and the new Risk Management Framework (NIST SP 800-39). Third, it ensures that the appropriate entities are responsible and accountable for managing system-related security risks. And finally, it incorporates a risk executive function (NIST SP 800-39) to ensure that risks are managed consistently across the organization.
The post-authorization period, in which an information system's security controls are continuously monitored, is critical and should be well integrated into the SDLC process. The continuous monitoring program emphasizes strong configuration management and mature control processes. Security impact analyses of actual or proposed changes to the system and its environment of operation are to be documented and approved through the defined control processes. When the operational environment changes, selected security controls should be assessed in accordance with the continuous monitoring strategy. Agency authorizing officials responsible for the management of information systems must be actively involved in the management of risk and must be informed of security status by timely reports.
These transformational changes to the C&A process represent a significant move toward convergence of information security standards, guidelines and best practices across the civilian, defense and intelligence communities. These changes are meant to provide the right information to senior agency officials so they can intelligently manage the security risks across their operational environment, including interconnected systems, arising from the operation of information systems.
Members of the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau include federal information technology security experts from government and industry. For a full list of bureau members, visit www.isc2.org/ewb-usgov.