Approval is relational
The security of Federal technology often comes down to factors that are unrelated to technical risk or system integrity. Poor guidance, a lack of knowledge and training, time constraints, and unintended incentives lead Authorizing Officials to make subjective decisions about risk. Many Authorizing Officials use trust or other factors as a proxy for security expertise.
“It comes down to your individual security organization and your authorizing official and what they feel comfortable signing off on.”
“That’s why the process is highly relational. The guy who ended up signing it is not somebody who was very good at cybersecurity. He just said ‘Okay, we’ve built up enough trust that, finally, I will cave and sign this for you.’”
“It’s very personality driven, especially on some of the more sensitive controls.”
“The idea around the authorizing official is having someone who has some skin in the game, who is going to be providing this oversight, and who’s going to be hopefully above any conflict of interest to say, ‘Wow, that’s not secure, let’s turn that off.’ Or, ‘We need to apply these resources to fix this problem.’ And that doesn’t really happen.”
“Typically it’s saying the right word, finding the right people, and hoping that you get through in a reasonable amount of time.”
“It depends on the people you’re dealing with in terms of how open minded they are and what you say to them.”
While most interview participants highlighted improving trust and interpersonal skills as the most effective path to approval, Authorizing Officials made any number of requests before they felt comfortable approving an Authority to Operate.
“The alternative implementation from [the Authorizing Official] basically amounted to encasing the cable in a foot and a half of concrete.”
“One of the security engineers we’re talking with suggested gluing shut the ethernet jacks on the laptops with epoxy to prevent them from wiring into the network because there were no cryptographic controls on the [agency] network at that time.”
“And this goes back to the ATO being highly relational. We got it signed on my birthday because we had a meeting with the signing official the day before my birthday. And I said tomorrow is my birthday and I would like this to be signed.”
While some requests seemed unreasonable at the time, interviewees recognized that, at the end of the day, the Authorizing Official could prevent systems from going live. If an Authorizing Official were adamant about a process or mitigation, the development team would have to meet their requests.
“They’re not bad people. They just get bad pressure. It’s not a psychologically safe org, the government. It’s not a very good place for them to say, ‘I don’t know,’ or ‘maybe we could do that.’ All of those things introduce danger for them. To put their neck out, there’s low, low incentive for them to do that.”
“Ultimately it’s your AO’s butt on the line, right? They’re the one who’s going to have to go testify to Congress if your app gets hacked. So whatever they need to see in that ATO package to make them feel comfortable signing off on the risk is what needs to be in there.”
“From their perspective they’re acting totally rationally. Their incentives are purely to try to stop things and delay them as long as possible. There’s no benefit to them in allowing a new thing to go forward.”