Inconsistencies exist even within agencies

In attempting to outline every situation and technology that could be delivered across all of government, the Risk Management Framework creates inconsistent outcomes across the Federal government. Inconsistencies exist even between different offices inside a single agency. This has a direct effect on everything from system performance to the ability to collaborate within and across agencies. This is true whether the software is off the shelf or custom built.

“If DHS is doing it, why is FEMA doing it differently if [FEMA is part of] DHS? It’s another operational division. They own their process, it’s their own people. I mean it’s always, in my mind, politics and fiefdoms.”

Most participants commented on the unpredictable length of time it takes to complete the Authority to Operate process. According to our interviewees, the average time it took to receive an initial ATO for systems categorized as moderate or high was over one year. On a few occasions, however, participants stated that they had received an ATO in days or weeks.

Receiving an ATO in a short period of time was more likely when a number of factors aligned. Combined, a strong sense of urgency, an Authorizing Official with prior knowledge of the system under review, and a willingness to accept uncertainty often led to quicker approvals. But because such alignments are rare, there is little consistency in how long it takes to receive approval.

“So to fix the situation, a high industrial control system, we put together all of the paperwork for that in about two weeks. The person doing the work on that was not ready for their assessment, that was happening in two weeks. So, we dropped everything and it was me and two other people. And this was probably easy because we already had background on the system…. So we were very, very familiar, more familiar than we wanted to be. So it was fairly easy for us to knock that out and, sure, we ended up with a lot of POAMs. There were a lot of them. We just didn’t know the right answer when we were documenting it.”

Some agencies have developed streamlined or “lightweight” ATO processes that improve both efficiency and consistency for certain types of systems. Some, for example, prioritize areas of focus and the associated SP 800-53 controls in their agency authorization process so that developers and Authorizing Officials know where to concentrate their attention. For systems categorized as low or moderate, some agencies have developed Lightweight Authority to Operate processes that authorize systems for a short period of time based on a reduced number of controls. At the end of the trial period, systems must still receive a traditional Authority to Operate, but the process gives developers an opportunity to put systems into production in a way that is more closely aligned with modern software development. This lightweight approach also encourages teams to think about security during development rather than applying controls only at the end.

For commercial, cloud-based Software as a Service that does not contain personally identifiable information, the FedRAMP program has a lightweight approval process called Li-SaaS. This process applies a tailored set of controls and, more importantly, allows companies to attest to many of the controls rather than submitting detailed security paperwork, making the process much faster.

In all of these cases, agencies are still constrained by the Risk Management Framework, including categorization and the application of specific security controls. Even so, agencies can encourage a more restrained use of the Risk Management Framework and communicate their areas of concern up front, which can speed up development.

These examples show that as agencies strive to make the Authority to Operate process faster and more consistent, the resulting processes become applicable to fewer technologies. Lightweight agency processes only apply to systems categorized with lower overall security requirements. Li-SaaS applies to an even narrower band of applications that do not collect personally identifiable information. Both processes still require a significant number of controls. Li-SaaS, for example, contains more than 200 controls, and in all cases Authorizing Officials can and do add controls as they see fit.

In some large agencies, even the agency CIO has limited control over how security decisions are made. They can narrow the scope of the authorization stage with agency-wide guidance but must continue to rely on individual Authorizing Officials to manage the process.

This site was last updated on 9 OCT 2023.