Authorizing Officials
In practice, the Framework is managed by agency Authorizing Officials (AOs). Authorizing Officials are responsible for an overwhelming volume of work. Complicating matters further, security decisions made within the larger incentive structure of the Federal government are often driven by fear rather than by security considerations. AOs are often pressured from above and below: from senior executives and political appointees trying to meet deadlines and budget goals, and from development teams struggling to obtain an Authority to Operate (ATO).
Authorizing Officials work at the functional end of a process that is continuously evolving. These changes come from new policies, technological advances, personnel turnover, process updates, and other factors that contribute to a fluid work environment. AOs are, more often than not, less technically skilled than the development teams they govern. This combination of a fluid implementation environment and an asymmetry in security expertise causes significant problems in the practical implementation of the Framework.
AOs have a difficult job. They must categorize, review, and continuously monitor hundreds, if not thousands, of technical systems. They must take into account their agency's needs, mission, timelines, and budget constraints. They must monitor and reevaluate the broadest risk environment, from malicious software to social engineering to physical building security. Finally, they must make decisions that could affect the data of millions of people, which can lead them to make assessments out of fear for their own personal liability rather than on the basis of the actual risk.