Fear of liability leads to poor decisions
“It’s a fear based system and no one ever gets in trouble for following the status quo.”
Authorizing Officials believe they are held personally responsible for potential system failures and therefore enforce higher levels of categorization and apply more security controls than make sense from a security perspective. This feeling was more influential on Authorizing Officials than OMB or agency guidance instructing them to use as few controls as necessary to maintain security.
The concept of personal liability was brought up by each person we spoke to, with many saying they or an Authorizing Official they knew required additional paperwork or processes in order to avoid being “pulled in front of Congress,” “being fired,” or “sent to prison” if a system was found to be insecure. This perception was universal, mirrored by policymakers, agency teams, developers, and Authorizing Officials.
A sense of fear creates a desire for personal self-preservation that is not conducive to sound security decisions and practices. While people should feel invested in the success and security of the system they are putting in place, being fearful of losing one's job or going to prison puts an unnecessary mental strain on all parties to the process.
Everyone we spoke to acknowledged that Authorizing Officials did not want to approve something, have it fail, and be punished. The most commonly cited reason for this fear was the data breach at the Office of Personnel Management (OPM) in 2015, in which stolen employee records compromised the identities of more than 22 million people. In that instance, the OPM Chief Information Officer was asked to appear before Congress but retired days before she was scheduled to testify. She was never subpoenaed and, ultimately, did not testify. Following several hearings, a Congressional report was released.
“It’s just the OPM example I’m sure, which is what everyone brings up. And that is a failure of such catastrophic proportions that it is so easy for members of Congress and their staff to understand it. It is truly a unicorn in all of this stuff, right? It is not normal.”
During our research, we were unable to find a single instance of an Authorizing Official being fined or going to prison even in the most dire security incidents.
“No one’s ever been to FISMA jail.”
That does not mean that fears of routine oversight lack merit, only that the most commonly cited, and most extreme, cases are untrue. Congress, either directly or via the Government Accountability Office (GAO), does conduct security oversight and routinely relies on the Risk Management Framework to determine whether decisions were made correctly.
In addition to Congress and the GAO, interview participants cited Inspectors General, the Office of Management and Budget, and the press as forms of oversight that incentivized Authorizing Officials to apply most or all of the security controls listed in SP 800-53 to systems, even when those controls were not relevant to system security.
“They’re always scared of what their IGs might say or what Congress might say, or what folks at OMB might say, if they take what they presume to be a measured and thoughtful risk or to move quickly in authorizing a new IT system or a cloud service or digital service within their environment.”
Several practitioners expressed sympathy for Authorizing Officials. They noted that AOs were overworked and underprepared, and acknowledged that AOs were trapped inside the same Framework as system developers and program managers.
“The element of fear is there because there’s too much to do, not enough money, not enough tech capabilities, no one documents what they do, and the processes are outdated.”
Ultimately, interview participants felt that fear of oversight was both unnecessary and detrimental to security and agencies’ missions.
“The fear about getting pulled in front of Congress or someone losing their retirement because they would get in trouble for what we had built because a security incident would happen: That, unfortunately, was kind of the driving incentive for a period of time.”
“If executives who are either political leaders or senior career professionals who have worked for 15 or 20 or 25 or 30 years who have moved themselves up to the top ranks of a very large public sector organization, if THEY are scared of a bunch of 25 year olds and a bunch of Congressmen… that’s kind of ridiculous in my opinion.”
“It’s bewildering to me that some thoughtful CIO or CISO or tech executive somewhere in an agency would worry that Congress, which can’t even focus on things like the debt limit or appropriations bills or the NDAA for any significant period of time, that they could possibly make some big story or some big example of an IT failure.”
Participants who had served in both policy and oversight roles cited the need for better storytelling from security officials. By leaving the narrative solely in the hands of oversight bodies, they argue, Federal employees face a daunting, and growing, record of negative press that paints them as incompetent.
“I think a lot of IT leaders and procurement leaders and security leaders inside agencies are just not good storytellers…. Most of them are not capable of connecting what they do from a technology standpoint, a risk management standpoint, security, or privacy standpoint to why that matters to Congress, to the public, to agency leaders, to folks in the White House or anything else.”
“So the public data all lean towards information that signifies that someone did not follow the rules or did not do what they were supposed to do, or did not do what some policy that was written by some analyst at OMB told them to do. And then they do not do a good job of countering that with their own public narrative or their own public data to say, here is what we did and why we did it. So I think they’re sort of just operating with a couple of arms tied behind their back when it comes to the prevailing narrative that has been around for decades.”
The unintended consequence of such overly negative oversight is a culture of fear within the Federal security community. That fear changes the risk analysis for individual Authorizing Officials. Fear makes them more conservative and shifts the focus from appropriate security toward self-preservation, to the detriment of mission outcomes.