Patrick D. Howard CISSP, CISM, Kratos Technology & Training Solutions, was lead author of this peer-reviewed article, written by the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.
The number and severity of recent data breaches have called into question the effectiveness of federal agency processes employed to secure government information systems. But the cybersecurity guidance issued by the White House last week fails to highlight the need for improvement in arguably the most important agency security process — System Security Authorization (SSA), which focuses on identifying and addressing risks to government information.
SSA is required by the Federal Information Security Management Act, and is documented by the National Institute of Standards and Technology, to increase management involvement in protecting government information systems. FISMA requires agencies to formally assign government executives or managers authority over the operation of each federal information system. These officials are responsible for considering information risks in their decision to allow an IT system to go live or continue to operate.
However, despite this mandate and clearly defined guidance, some agencies give system security authorization short shrift.
For instance, a July 2015 report on the Office of Personnel Management data breach from the Institute for Critical Infrastructure Technology indicated that a number of OPM information systems were working without an “authorization to operate” (ATO) at the time of the breach. Additionally, the report casts doubt on the security of systems with ATOs, noting from unconfirmed “whistleblower” reports that numerous systems barely met compliance requirements or that security had been “shored up” merely for the purpose of passing inspection.
Since its inception in 2002, the viability of FISMA’s approach to the security of government systems has been questioned due to its focus on compliance with information security program requirements and its reliance on triennial assessments of security controls that do not lead to “real” security. Consequently, over time, government officials have decreased emphasis on SSA. This has led to a condition where critical systems that process highly sensitive data are permitted to operate without formal management authorization.
Similarly, agencies that de-emphasize the SSA process often abbreviate their certification methodology to save costs. This produces limited or faulty information for risk-based security decisions since they are merely “going through the motions” before authorizing systems to operate and accepting the risks entailed.
In these situations, agency authorizing officials are not only “non-compliant,” but are accepting a very high degree of risk, often exposing highly sensitive personally identifiable information to compromise or loss.
Because of disfavor with the burdens of SSA and in light of recent and numerous compromises of sensitive data in attacks on federal information systems, it is worth reconsidering how agency officials can best employ SSA to prevent data breaches similar to those we have recently witnessed.
Here are five recommendations to consider to improve the effectiveness of SSA to enhance agency security:
- Designate the right person as authorizing official. The best risk-based decisions are made by those who best understand the system and the need for protecting the data it processes. That is most often the manager or executive who has day-to-day responsibility for the business process that the system automates, and who has the authority to allocate funding for remediation of system weaknesses.
- Deny authorization to operate when warranted. The authorization decision should not be automatic. For instance, it should not be a foregone conclusion to allow continued operation of systems critical to the agency mission or legacy systems with major remediation costs. While formerly unimaginable, the impact of shutting down a major information system until critical controls are in place is now a serious consideration in light of recent data breaches. Case in point, nearly a month after being taken off line, OPM’s e-QIP system for online background check submissions was back up and running in July 2015. The system was shut down in late June after cybersecurity officials noticed a significant flaw that could be exploited by malicious actors.
- Base authorization decisions on rigorous certification. To properly identify vulnerabilities, testing of security controls must be thorough, comprehensive and well documented. Only the results of well-performed certification allow the authorizing official to develop an understanding of all weaknesses and their impact.
- Automate security posture assessments. Assessment of system security controls should be automated as fully as possible to reduce costs and increase real-time visibility. Agencies can leverage the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program to achieve this goal.
- Leverage the authorization process to obtain resources. Conditional authorization or authorizing operation under restricted conditions can allow linkage of resource identification with weakness mitigation efforts. Authorizing officials can use the structured SSA approach to increase senior management awareness of resources needed to mitigate vulnerabilities underlying these operational conditions.
In evaluating how much risk is too much to accept, it is important to not “throw out the baby with the FISMA bathwater.” SSA is a proven process that allows authorizing officials to know if they are accepting too much risk in the operation of an information system. Employment of a rigorous SSA process allows agency leaders to make sound risk management decisions based on accurate and timely information, facilitates due diligence, and can help prevent or lessen the impact of major data breaches.
Members of the (ISC)² U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit https://www.isc2.org/usgac-ewb.