The Department of Commerce uses a system to encourage employees to report on the tools they’re using outside of the information security boundaries.
Steve Cooper, CIO of Commerce, said he created the “Authority to Use” (ATU) system to encourage employees to self-disclose the tools they’re using so that his team can ensure that the tools are secure.
“We’re trying to collaborate,” Cooper said. “Not shut things down.”
Cooper said that if Commerce employees are going outside the information security boundaries to perform their objectives, it’s because they need effective and alternative tools.
“No one is violating rules but there’s a risk involved,” Cooper said.
The ATU system increases communication with officials and the CIO’s office.
“The idea behind the ATU was not to replace FedRAMP but to address the speed,” Cooper said.
Cooper also said that CIOs and CISOs need the authority to accomplish information technology goals within their departments.
“Getting these tools to the agencies is only the first step,” Cooper said. “It requires empowered CIOs and CISOs to use these tools.”
Cooper used collaboration between information technology professionals and mission-oriented officials at Commerce to achieve a B grade on the Federal Information Technology Acquisition Reform Act (FITARA) scorecard, the best grade that any department earned.
Cooper also established a CIO review, using FITARA authority, which allows agency CIOs to discuss informally how they’re leveraging technology within their departments so that they can help one another improve. Cooper has used this process to identify shadow IT within Commerce.
“Without FITARA, I’m not sure I could have pulled this off,” Cooper said.