Authorizing Officials are experts in paperwork, not security
There is no official position description for an Authorizing Official. The Cybersecurity and Infrastructure Security Agency does post recommended competencies on its recruiting website, but the job description of an Authorizing Official varies widely between agencies. Unlike roles with similar duties and responsibilities, such as Procurement Officers, there is no accreditation process to become an Authorizing Official. Training is sparse and inconsistent.
“There should be a certification process for it.”
Adding to the problem, there is a nationwide shortage of technical security professionals. Private industry has turned to higher salaries and aggressive recruiting efforts to fill gaps. The Federal government’s response has been slower and less effective. This means that many Authorizing Officials are not security professionals.
“We have so much complexity and very few people who understand it. The biggest risk factor to me is the breadth and depth of talent we have in the Federal government. It’s so hard to attract people, and then even when you can attract somebody, it’s just so hard to get them through the hiring process.”
“The Marine Corps has one AO right now; one Authorizing Official.”
To truly master the Risk Management Framework requires a significant understanding of policy, technology, and the risk landscape. While the technology and security expertise are hard to come by, the Risk Management Framework is readily available. In the absence of other security resources, Authorizing Officials often turn to the paperwork to make decisions.
“A lot of them kind of seemed to come up through compliance backgrounds, so they had a decent familiarity with the security landscape, but they definitely didn’t come from what I’d consider a real software engineering background. That could make it really difficult to have conversations about certain types of compensating controls.”
“Having a script is great. It helps you get repeatability, but if you don’t understand why things are the way they are, maybe you should not be in that role.”
The Framework documentation is more than 3,500 pages of dense material. It is written at a college reading level or higher. It would take an average person approximately 80 hours to read through the policy and guidance just once. We spoke to several Authorizing Officials, both present and former, who had never read completely through the documents. Most had some familiarity with SP 800-53, the catalog of security controls, but almost no one had read SP 800-37, the Risk Management Framework itself.
“This was someone who was extremely well versed in the paperwork of the controls and not really in the underlying technical realities. And so that had a whole bunch of really bad consequences when it came time to decide how to apply flexibility from RMF.”
NIST states clearly that the Framework should not be used as a checklist, but it does so only twice throughout the entire library: 64 words in roughly 3,500 pages. SP 800-53, the most commonly read and referenced document (see Appendix A), on the other hand, contains a list of more than 1,000 possible security tasks to be accomplished. NIST can say it recommends that Authorizing Officials not use the Framework as a checklist, but, in the words of one official, “then they created all the checklists.”