Features
Author: Jo Anna Bennerson, CISA, CGEIT, CPA, ITILv3, PMP

IT security professionals such as risk managers and information security managers maintain a US federal government agency’s information system under the Federal Information Security Management Act (FISMA) in a manner that is unique to the US federal government. To do so, they encounter the Authority to Operate (ATO) security authorization process, which is in place to secure the agency’s information systems. The ATO is the authority-to-operate decision that culminates the security authorization process of an information technology system in the US federal government, a unique industry requiring specialized practices. Figure 1 provides information about an ATO.

This article discusses approaches to increase an information security professional’s knowledge of the US federal government ATO security authorization process and of one’s duties in the narrow US federal government industry. The ATO security process is in place for the federal government agency to determine whether to grant a particular information system authorization to operate for a certain period of time by evaluating whether the risk remaining after the security controls are applied can be accepted. The ATO process:
ATO Process Steps and Knowing the IT Governance Frameworks
To understand the ATO process, one needs to understand the IT governance frameworks. The required steps for conducting the ATO security authorization process are:
The information security professional works to gather the documentation for the system project deliverables from the phases (planning, requirements, design, development, testing, implementation and maintenance) of the Software Development Life Cycle (SDLC)[8] or System Engineering Life Cycle (SELC)[9] frameworks. This information is needed as documentation in the ATO process and shows evidence of the categorize, select, implement and assess steps while simultaneously fulfilling the stated IT governance frameworks. Figure 2 is a brief overview of US federal government IT security governance.

The key staff in the ATO process with whom one should quickly become acquainted are the authorizing official (AO), the information systems security officer (ISSO) and the security assessor.[10] Often, the chief information security officer (CISO) and/or privacy officer serve as the authorizing official. This person is referred to as the senior agency information security official (SAISO), who is the point of contact within a federal government agency and is responsible for its information system security.[11]

The ISSO works with the system owner, serving as a principal advisor on all matters involving the security of the IT system. The ISSO has the detailed knowledge and expertise required to manage its security aspects. The security assessor conducts a comprehensive assessment of the management, operational and technical security controls, and control enhancements employed within or inherited by an information system, to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the system’s security requirements). Generally, the ISSO works with the IT team to prepare the required documents—system security plan (SSP), privacy threshold analysis (PTA), contingency plan (CP), etc.
Then, the security assessor evaluates the information and prepares a security assessment report (SAR). When all is completed, the AO grants the ATO. Often, auditors can leverage this information for their audits.

Securing With CIA
The overall objective of an information security program is to protect the information and systems that support the operations and assets of the agency via the security objectives shown in figure 3:
Comprehending the NIST Risk Management Framework (RMF)[17] sets the foundation for understanding how the security life cycle of the IT system is being operated and evaluated. From the agency’s inventory of its IT systems, the agency will use its own criteria to determine what may be a system that could be part of a FISMA audit, hence a FISMA reportable system. These tend to be the financial reporting systems, general support systems (GSS) and major applications (MA). To accomplish an ATO security authorization, there are six steps in the RMF to be completed (figure 4):
Security Controls
Figure 6 shows the NIST RMF steps for ATO. There are three classes of security controls: management, operational and technical (MOT). These controls are divided into 18 control families. Figure 7 shows security control families and MOT controls.

Engaging With the ATO Process
The assess step involves answering the following questions:
One should request or set a significant lead time to start collecting information for a preliminary or draft of what is historically termed an auditor’s request, the Provided by Client (PBC) list, of schedules, documents, questions, requested spreadsheets, or read-only access to certain repositories or systems. In summary, one should make full use of NIST 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” which emphasizes security and privacy controls.[34] Then, use NIST 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” to assess the controls.[35] In the federal government, there is usually:
These two teams get everything ready for the authorization package in the C&A or A&A security authorization process. The authorizing official reviews the package to make an ATO decision to grant or deny authorization of the system to operate for three years. If there is significant change to the system, it will need to be reauthorized.[36] Remember continuous monitoring and think POAMs.

Conclusion
As an information security professional, one can quickly navigate the US federal government’s industry-specific practices by understanding its ATO process. Using traditional IT security knowledge and becoming familiar with the IT governance of the US federal government, one can understand the process that results in an ATO decision. This is the decision that the information security professional’s federal agency AO makes to accept the risk of the IT system. The ISSO and security assessor teams have documentation that has been developed through the agency’s C&A or A&A security process. When undertaking work from a FISMA perspective, one should also learn more about the NIST RMF and how controls are planned and implemented to mitigate risk through use of NIST guidance—FIPS 199, FIPS 200, SP 800-53 Rev. 4 and SP 800-53A. This knowledge will not only build a sturdy introductory foundation, but will also serve as the baseline protocol for federal government IT security guidance.

Endnotes
1 Executive Office of the President of the United States, Office of Management and Budget, “M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” 26 September 2003

What is a remediation liaison?
Laws. (Company policy, Internal audit, Corporate culture)
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.
What is the primary task of an organization's security administration team?
A security administrator installs, administers, and troubleshoots an organization's security solutions. The security administrator will ensure the network's security, protect against unauthorized access, modification, or destruction, and troubleshoot any access problems.

Which of the following refers to the management of baseline settings for a system device?
(T/F) The process of managing the baseline settings of a system device is the definition of configuration control.

Which tool can capture the packets transmitted between systems?
Two of the most useful and quick-to-use packet capture tools are tcpdump and Wireshark. Tcpdump is a command line tool that allows the capture and display of packets on the network. Wireshark provides a graphical interface for capturing and analyzing packet data.