
Ongoing Authorization: Changing how Government does Security Compliance


By Jeff Eisensmith, Chief Information Security Officer (CISO), Department of Homeland Security
The Department of Homeland Security is the steward of a great deal of information. Information used to support the department’s mission, personally identifiable information of the citizens we serve, and that of our employees must be safeguarded. Ongoing Authorization promises a new way to make quick, risk-based decisions on system security in near real-time.
Traditional security compliance has typically been driven by the Federal Information Security Management Act of 2002 (FISMA), which requires all information system security controls to be assessed every three years. Only then should a system be granted Authority to Operate by its Authorizing Official (AO). The review is a large paper-based compliance exercise that can be wasteful and time consuming, and the cybersecurity threat landscape demands a faster turnaround than that.
The federal government has now given its departments and agencies a vehicle for making security authorization not only more efficient, but also more effective in today’s evolving threat landscape. National Institute of Standards and Technology (NIST) guidance and Office of Management and Budget (OMB) memoranda include the requirements to move toward an “ongoing state of security” and to perform “ongoing authorizations.” In this sense, DHS is not only leading the federal government in this arena, but has also influenced how such programs can be established and their objectives achieved.
OMB Memorandum M-14-03, “Enhancing the Security of Federal Information and Information Systems,” states that “Our nation’s security and economic prosperity depend on ensuring the confidentiality, integrity and availability of Federal information and information systems.” It directs NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. DHS addresses this requirement through its Ongoing Authorization (OA) program.
OA is a risk-based security authorization process that gives the AO near real-time insight into the security posture of an information system. Using data feeds from the department’s Continuous Diagnostics and Mitigation (CDM) program, security officials maintain an ongoing state of awareness of their systems, which gives them a better basis for informed, risk-based decisions about the use of component and system information assets.
OA moves away from the three-year security authorization cycle. Instead of periodically reviewing cumbersome lists of security controls, ongoing assessments are driven by dynamic risk-based events.
OA implementation focuses heavily on evaluating and testing controls when security events, or “triggers,” occur. Upon notification of a trigger, an Operational Risk Management Board (ORMB) reviews it to determine its impact on security controls and the risk to the system. Following ORMB review, the Chief Information Security Officer prepares a formal letter to the Authorizing Official recommending whether or not to maintain the authorization.
OA has been an area of interest at DHS and in the federal government for the past few years. In 2012, DHS drafted an Ongoing Authorization Methodology and planned its pilot program. As a leader in OA across the federal government, DHS faced the challenge of determining component and system eligibility criteria, establishing program processes, and creating metrics to review the implementation of OA.
To ensure compliance and collaboration, DHS worked closely with NIST and other federal organizations including the Government Accountability Office to gather key requirements for OA.
The DHS Ongoing Authorization Pilot program ran from May to August 2013. Three DHS components with a total of 12 systems participated. In the fall of 2013, DHS invited other interested components that met the eligibility requirements to submit applications to enroll in the DHS OA Program. As of August 2014, seven DHS components are participating in the OA program.
The DHS OA program continues to expand. The program enrolled 70 systems before the end of FY2014, exceeding the goal of 50. Currently, 80 DHS systems have been enrolled in the OA program since its inception.
