INTRODUCTION

For over three decades, the authors of this book have been deeply involved in developing C&A policy, but more importantly in actually providing hands-on help to organizations, ranging from large federal agencies to commercial entities, to successfully navigate the C&A process. We continue to be directly and intensely involved in the C&A transformation, including the transition in terminology from C&A to authorization. We share a driving thought: to do whatever is necessary to protect the information systems of our clients.

Purpose and scope

The basic purpose of this book is to provide a definitive guide to authorization for persons with knowledge of information systems and/or information systems security, but not necessarily the same level of expertise with certification and accreditation (C&A) standards and best practices; it points to references for further knowledge.

It is scoped to present the information needed to meaningfully recognize, implement, and manage authorization requirements and achieve compliance with federal, local and agency laws and policies.

This book cannot, of course, enumerate all of the knowledge needed in order to secure information systems against all threats. Nor does it seek to do so. Our real motivation is more clearly defined below.

Motivation – what do we hope to accomplish with this book?

Certification and accreditation (C&A) – referred to as authorization by the National Institute of Standards and Technology (NIST) – has been part of the regulatory landscape for more than 20 years. In this time the federal government – which includes the US Department of Defense (DOD) – has easily spent billions (that’s right – billions) of dollars in meeting compliance requirements. The demonstrated return on investment, however, has been less than encouraging. Richard Bejtlich, President & CEO of TaoSecurity, stated: “Millions of dollars and thousands of hours are spent on C&A … In reality, C&A is a 20-year old paperwork exercise which does not yield improved security.”

Historically, the C&A process was introduced as a means to ensure the information systems security posture of information technology (IT). In fact, under FISMA, C&A evolved into one of the primary measures used to evaluate the success of an organization’s information systems security posture. Properly executed, C&A can actually go a very long way towards improving and maintaining a high standard of information systems security.

But, over the years, the C&A process has become “bureaucratized.” It has manifested itself as cumbersome, laborious, and costly – with the final output consisting of thousands of pages of documentation and often little else. Some have even termed it a mind-numbing, picayune process generating reams of security documentation on an agency’s IT systems and infrastructure with little real relevance to the true state of the organization’s information system security. The true value of C&A will only be realized when both organizations and individuals focus the process on more directly addressing security concerns, while concurrently minimizing complexity and redundancy – and unnecessary paperwork.

Today’s information environment demands a workforce skilled in the implementation and management of a secure information systems environment. Vulnerabilities[2] in our information systems are open to discovery – and potential exploitation – by unauthorized, unethical, criminal, or even uneducated individuals. While an information systems security incident can have a serious impact upon an organization’s ability to process essential information, the effects can also be seen in the form of heavy costs for recovery and remediation and a negative impact on the organization’s reputation.[3]

[2] ‘Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’ [NIST FIPS 200].

[3] A study in the Journal of Computer Security measured the results of security breaches in several ways. The results indicated that relying only on an analysis of the cash cost can be misleading; rather, the impact on reputation can be even more devastating. Additional information on this study can be obtained at: http://brief.weburb.dk/archive/00000130/01/2003-costs-security-on-stockvalue-9972866.pdf

The optimal approach to addressing the challenges of this environment and obtaining a real return on investment from authorization is a re-evaluation of the way in which the authorization process is carried out. The first requirement is standardization and simplification, resulting in a tailorable, repeatable, and cost-efficient process. The second requirement is a trained and experienced workforce. And there are efforts in the US federal government and the DOD to make this a reality.

In a best case scenario, there would be one single standard that would apply to all federal agencies, the DOD, and the Intelligence Community (IC). But this is unfortunately not yet the case – although it is the goal of the ongoing effort across the federal government to revitalize the C&A process. Until that wondrous day finally arrives, however, this book seeks to provide readers with a comprehensive handbook for authorization across the US federal government and DOD – as well as for commercial entities – that is focused on practical and proven solutions that are both cost and time efficient.

While the content of this guide provides broad coverage of the authorization landscape, readers interested in gaining an even deeper knowledge of security laws, standards, requirements, and best practices are encouraged to read the references provided throughout this document and to refer to documents on the accompanying CD.

Who is the target audience?

Simply stated, the target audience is anyone concerned with, responsible for, or associated with the security of information systems. We intend this book to benefit the senior leadership chartered with making difficult security decisions, as well as the systems administrators responsible for implementing and managing many of the security measures needed to protect the operation of the information system. And the audience is not limited to those within the US federal government: commercial entities that want to sell to the government, or that simply want more secure information systems, can also benefit from an understanding of the authorization process.

C&A does not apply only to the federal government. Approximately 90 percent of the nation’s critical infrastructure is on private networks that are not part of any US federal department or agency. The nation’s critical infrastructure includes information technology systems that run electrical systems, chemical systems, nuclear systems, transportation systems, telecommunication systems, banking and financial systems, and agricultural and food and water supply systems. These private organizations can also take advantage of these same methodologies to mitigate risks on their information systems and networks.

We have personally witnessed a definite increase in non-government interest in the authorization process, either because commercial entities see it as a value-added process for security, or because they have a desire to add the US government to their existing client base.

Terminology

In any work of this nature, it is important to establish a context and a vocabulary. Like most environments, an entire vernacular has evolved in the field of security. So, in order to ensure clarity, we would like to establish a few definitions and the specific terminology we will be using.

Several terms are used interchangeably to refer to the security requirements specific to automated information systems (AIS): INFOSEC, computer security, information assurance, and information systems security.[4] For the purposes of this book, we will use the term “information systems security,” since we feel that it is much more comprehensive and best expresses the goals of the authorization process.

Three other terms are directly relevant to the context of this book: certification, accreditation, and authorization. The National Information Assurance Glossary, CNSS Instruction 4009, provides the following definitions of the first two:

Certification: Comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. The terminology is changing to “Security Controls Assessment” in some of the recent doctrinal releases; but we will continue to use certification in this book.

Accreditation[5]: Formal declaration by an authorizing official or designated accrediting authority (DAA)[6] that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. Although the terms certification and accreditation have been traditionally used to refer to this process, we have chosen to use the term “authorization” in this book except for those cases where the term C&A is still a part of the official designation.

[4] See the glossary for definitions of each of these terms.

[5] Most recently referred to as “authorization” by NIST.

[6] Senior official executive with the authority to formally accept responsibility for operating an information system at an acceptable level of risk.

Authorization[7]: The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. Under the C&A transition, “authorization” will be the term used to refer to this official decision.

[7] This definition is taken from NIST SP 800-37, Rev 1.

Certification is still a critical part of the authorization process. Certification provides the needed level of assurance to the decision making authorizing official that the technical and non-technical security features of an information system meet a set of specified security requirements or controls. It standardizes the activities leading to an authorization to operate.

But someone has to make the final decision to accept the risk and allow an information system to operate – and that individual – the authorizing official or designated accrediting authority (DAA) – makes the authorization decision. Without the foundation of a solid certification process, the DAA would not have the essential understanding of the real security of an IS and would not be able to realistically make a risk-based decision.

Overview of the contents

Chapter 1 provides a quick outline of the evolution of information technology from the mainframe to today’s global network of interconnected systems and considers how technological progress was accompanied by a co-evolution in security policy. We take a deep dive into the most influential legislation, regulations, policy and guidance in the information systems security landscape. There is a focus on those documents that have a close or direct relationship to the authorization process.

Chapter 2 introduces an authorization framework, based on a consistent set of processes that emphasizes the value of standardization in the authorization process.

We really start to discuss the “how” of authorization in Chapter 3. Here, the activities – such as establishing an information systems security program – that are necessary for establishing the foundation for a successful authorization process are discussed in detail.

Chapter 4 looks at essential pre-authorization activities, such as establishing your security authorization team, determining the authorization boundary, and training.

Chapters 5 through 8 present a “deep dive” into an authorization approach that will meet the needs of any organization, whether a federal agency, a DOD component, or an industry partner.

In Chapter 9, we address the authorization package and its required contents. In addition, we provide extensive guidance to the preparation of supporting evidence, such as configuration management, contingency planning, incident response, etc.

Chapters 10 and 11 present the C&A/authorization processes currently in use in the Department of Defense (DOD) and the federal government agencies. These processes have been the most influential; consequently, we do not have a specific chapter on the processes used by the US Intelligence Community.

The Federal Information Security Management Act (FISMA) has had a major influence on information systems security, and specifically on the C&A/authorization process. Chapter 12 provides an overview of FISMA and how organizations might move from understanding to compliance.

Integration of security into the system (development) life cycle (SLC) has been a resounding cry across the federal government. In Chapter 13, we take a quick look at C&A/authorization and the SLC.

Chapter 14 looks at current initiatives to formalize requirements for information systems security training, education and certification. In particular, we look at the DOD’s efforts as published in the DOD 8570.1-M, which provides DOD requirements for information assurance (IA) workforce training and certification.

Last, but certainly not least, we introduce the ongoing effort to revitalize C&A/authorization across the federal government in Chapter 15. The results of this effort will have far-reaching effects and we are enthusiastic to continue to be contributing members of the revitalization process.

In addition to the above chapters, we have also produced a companion CD to this book. This CD is a valuable reference tool and a resource. It contains the documents referenced in this text, as well as templates and samples of the documentation required as part of the C&A process. There is an index to the contents of the CD at the end of this book.
