Authorizing Federal Systems Continuously
Abolishing the Triennial Security Reauthorization Rule
Old habits are hard to break, and a number of CIOs and CISOs have been slow to adopt a process for continuously assuring the security of their agencies' information systems. A new NIST guide could help agencies make the transition away from a 14-year-old requirement to reauthorize IT systems every three years.
The National Institute of Standards and Technology this week issued a 10-page guide, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, which establishes processes U.S. federal agencies should follow to conduct continuous systems risk assessments and security authorizations.
"Agencies were a little bit hesitant to go off down that road of moving from the static, three-year process to the more dynamic one where they're pretty much looking at risk in near real-time," says NIST Fellow Ron Ross, one of the supplemental guide's authors.
In 2000, the Office of Management and Budget issued a revision of Circular A-130 that required agencies to reauthorize the security of their IT systems every three years. In October 2012, OMB issued a memorandum that no longer requires agencies to reauthorize their systems triennially, provided they implement continuous monitoring programs (see OMB Waves Triennial Security Reauthorization Rule).
Ross says the combination of the 2012 OMB memo, the supplemental guidance issued this week and a slight modification expected next week to NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, should make the transition easier for agencies' chief information and chief information security officers.
"This guidance takes down any of the barriers that were either perceived or actually have been there," Ross says. "Folks can now move out in a more aggressive way toward a full, continuous monitoring program to feed the ongoing authorization process."
Timely Information on IT Risks
Continuous monitoring - "continuous diagnostics and mitigation" in today's government lingo (see Expanding Continuous Diagnostic Effort) - provides timely information about the security risks IT systems face, which helps risk managers make decisions in today's fast-moving threat environment. "When you've got a three-year static process set up, that information will either be too late or ineffective to make those almost real-time decisions they have to make," Ross says.
Moving to continuous authorization is long overdue. "The philosophy behind the system reauthorization had things backwards," says Allan Friedman, research scientist at the Cybersecurity Policy Research Institute at George Washington University and coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know. "The properties of the systems remained fairly constant, but the risk environment evolved. This meant that an effective assessment had to begin from scratch, rather than a basic sufficiency test. We have grown much more sophisticated in terms of what we expect of reasonably secure systems, with a better emphasis on architecture and interactions, rather than system-level assessments."
NIST, in the supplemental guide, concedes the transition isn't necessarily easy to implement. "Transitioning from a static authorization process to a dynamic, ongoing authorization process requires considerable thought and preparation," the supplemental guidance states.
Friedman picks up on that theme. "Real-time risk management is less about the technical systems, and more about the capacity for organizations to have the necessary incentives in place to drive effective security behavior through the entire organization and have the resources and capacity to respond dynamically to threats," he says. "This latter piece is hard enough in the private sector, but is very difficult in a resource-constrained agency, since it requires resources and manpower that can be redirected as threats and risks evolve."