Authorizing Officials lack skills & need training

The most common refrain from our interview participants was that Authorizing Officials do not have the basic technical and security skills to effectively understand threats, track technical improvements in the market, or manage risk.

“Most of the time the compliance folks just have no idea what they’re talking about. They’re getting asked to talk about tech they have no cognizance of, and then it just results in a combative relationship where neither side really wants to talk. It’s like pulling teeth on all ends.”*

“I’ve never met [an AO] that is actually technical.”

“If they don’t have good judgment or are not empowered to use that judgment, then it’s not useful.”

“The guy who finally signed our ATO was not actually that competent.”

“The assessor had no idea. Lack of technical expertise.”

“The Federal government’s approach has been, ‘let’s just take unqualified people and put them in those positions.’”

“It would just work much better if you had people who had more technology experience or hands-on security experience.”

“I have [application developers] responding to facility controls and it’s like, ‘What do you mean? I don’t control the building. This has nothing to do with me.’”

Despite the common belief that most Authorizing Officials lack the skills needed to manage technical risk effectively, interviewees spoke sympathetically about the lack of training and formalized skill development available to AOs in the Federal Government.

“Our [Information Security Officer] was a complete stickler because he didn’t fully understand. He’s just a guy who had a job in another state and probably did a year of training or something. He wasn’t a cybersecurity expert and so he didn’t have the confidence in really being able to tell what deserved a waiver and what didn’t.”

“It speaks to a larger problem within the Federal government, which is how do we promote people, right? You take someone who’s a really good budget examiner and you promote them to be a manager of other budget examiners, but they’re not a good manager. They were just a really good budget examiner. And so, you know, then a lot of our SES of various agencies, which are typically the people that are getting assigned as an Authorizing Official, they’re not necessarily what we would call in the private sector ‘qualified executives,’ they just know how to do their thing really, really well. And no one has ever sat down with them and taught them about managing risk at an organizational level. So, asking them to do that job is a little bit like asking them to fly an F-14, like they’ve never been trained how to do it. They can be the smartest person in the world. If no one’s ever taught you how to do it, you’re definitely gonna crash.”

“A lot of those documents are written for lawyers. They’re not written for practitioners. Like even 800-53; I realize that NIST is well-intentioned and wants these to be documents that folks can action. But no non-lawyer can take this amount of data and do a meaningful thing with it. That’s not a skillset that the average person walking down the street has. [AOs] would have to say, ‘let me take this hundred page document and make it real’, right? That’s literally a lawyer’s skillset.”


This site was last updated on 9 OCT 2023.