Professionalize the Authorizing Official role

Professionalizing Authorizing Officials is the most effective way to improve both the efficiency and effectiveness of Federal technical security within the current Framework.

Authorizing Officials play a role as important and critical as that of more professionally accredited officials in the Federal government, such as Procurement or Consular Officers. They are responsible for making a final yes or no decision about issues of national security. They bear accountability and incur some liability, if not as much as they perceive they do. Despite that, no clear roles and responsibilities are assigned to all Authorizing Officials. Training is not formalized, and there are no professional certifications or warrants.

Without a clear position description, there is variability in the skills and experience of Authorizing Officials. Some are experienced security professionals, while others are tasked with the authorizing responsibility as a secondary duty, sometimes outside of their primary role or expertise. Inconsistency undercuts the credibility of qualified officers and instills overconfidence in unqualified officers. This lack of support creates variability in authorizing decisions. It also fosters distrust among Authorizing Officials, which undermines the proper scoping of boundaries, tailoring of controls, and the reuse of common controls.

Setting minimum professional standards for Authorizing Officials, in addition to subject matter-specific responsibilities, would ensure more reliable, replicable outcomes. In addition, instead of enforcing the entire, or nearly entire, set of security controls as a means of limiting their liability, officers could point to training materials and instructions to explain why they made decisions. Proper training, certification, and ongoing professional development would also allow the government to update training materials to meet current advances in security best practices. Regular training would let the government adapt implementation practices much faster than updating the Risk Management Framework library.



This site was last updated on 9 OCT 2023.