Automated Authorization: A New “Streaming” Service for Federal IT

Before you say “no,” Federal cybersecurity professionals, hear us out. To borrow a line from Riggs in Lethal Weapon 2, “C’mon, say yes! Be original, everyone else says ‘no.’”

Even with all the discussion around efficiency and modernization, the typical Certification and Accreditation (C&A) process takes six months and costs more than $100,000 to complete. For larger IT systems, doubling those totals isn’t out of the norm. In a large number of organizations, this package is updated every six months and then redone every three years for each system. So, over a five-year period, certifying and accrediting a system can cost more than $500,000. Wow, that’s a lot of money!

With an increasing attack surface producing millions of new threats every year, partially updating C&A documents every six months, remediating a few Plan of Action and Milestones (POA&M) items, and refreshing all of the documents every three years won’t, and doesn’t, keep the bad guys out of Federal networks.

This compliance process, designed and refined over the past 15 years, was sorely needed when conceived, and it still remains the primary means of governing Federal IT systems. Mainframes, client-server, and early three-tier architectures ruled the day, with an eventual light sprinkle of this new tech called virtualization. Cybersecurity was an afterthought: build everything, then bolt on cyber at the end of the process. Moving a typical system from procurement to implementation took years. Now a server, and even an application, can be provisioned in minutes and the first release can happen in one month. The times and technology have changed, yet updates to the process and their adoption have lagged significantly.

Depressed? Don’t be, there’s some help on the way. The latest Risk Management Framework was released for comment, and some of the NIST 800-series publications are also being revised. The Department of Homeland Security-led Continuous Diagnostics and Mitigation (CDM) program is rolling out across Federal agencies, providing an opportunity to increase visibility and analytics capabilities for the applications and systems on their networks. And since we started writing this article, 20 new cyber companies have entered the U.S. market that will help better identify cyber threats and quantify and qualify risks based on threats, vulnerabilities, and the cost to mitigate. The greatest minds are collectively updating the guidance and the conversations grow in number…so why are we still not broadly considering the idea of automating security controls and authorizations?

From a technology perspective, the Lego pieces are in the box to get started building the Millennium Falcon. In terms of FISMA compliance, today’s Federal CIOs, CISOs, and Program Managers have access to more than 70 FedRAMP-authorized cloud providers, including a few authorized at the High baseline. Early adopters of DevSecOps have worked alongside assurance professionals, shifted cybersecurity left in the process, and embedded cyber into the DNA of secure, automated workloads, from development to production. Automation at every level is possible and can be used to achieve a degree of assurance and repeatability previously unavailable with human-implemented processes.

Is it perfect? Nope. Nothing is. This is not about perfection; it is about risk management and responsible evolution. The tools are in the toolbox.

So, how do agencies get started? How about a mission-critical mainframe? Ah, no. Well then, how about a FIPS 199 moderate-impact back-office system on a few virtual servers? Close, but not quite. Let’s instead start with a “net new,” moderate-level data system. Even better, take advantage of the incoming Modernizing Government Technology (MGT) Act to actually rethink a business process or application, rather than carrying the same less-than-optimized processes to a new environment and calling it modernization.

Some of the criteria to qualify: this is a new project, not a bolted-on enhancement to an old system. It must be hosted with a FedRAMP-authorized cloud provider. Automate as much as possible, including your security controls, in partnership with your security operations and policy professionals. The development environment should be provisioned using good DevSecOps practices. Make sure you embed cyber hygiene and analytics at the lowest level of code possible. Lather, rinse, repeat for testing. Then, once satisfied that the application and its security controls are implemented correctly, light up production. To repeat: the key to success is a collaborative and transparent partnership among all stakeholders, including operations and policy professionals…stakeholder engagement.

Beta was overtaken by VHS. VHS got smoked by Blockbuster. Blockbuster got rolled by Redbox. Netflix, Amazon, and Hulu took out Redbox using mobile phones and broadband. Traditional Federal C&A process, meet Automated Authorization. So, for the traditional certification and accreditation process, “we are getting too old for this.” We couldn’t agree more, Sgt. Murtaugh.

Rob Palmer is the executive vice president and CTO for ShorePoint, a privately held cybersecurity services firm serving both private and public-sector customers. Palmer is a former senior executive with the Department of Homeland Security (DHS) where he most recently held the position of deputy CTO and executive director for strategic technology management.
Keith Trippie is a retired DHS IT executive and entrepreneur. He is the founder of Shop4Clouds, a digital marketing platform, and urMuv, a neighborhood discovery app. He has also launched GotUrSix TV, a digital media platform that shares the personal stories of active-duty service members, veterans, and military spouses.
Comments
  1. Anonymous
    Seriously? This article is based on information that is very dated. While it's true some organizations have been slow in actually putting together a security program, some have made leaps and bounds applying the RMF. The RMF has been around for over 10 years and has been through 4 revisions, but this article would have you thinking it's brand new. The only organizations still doing re-certifications every 3 years are ones that haven't implemented the RMF. One last thing: if leaders would get serious about cyber security instead of acting like it, then the government would see huge improvements.
  2. Anonymous
    Not correct. Continuous Monitoring is not rolled out. Without Continuous Monitoring, STEP 6 of the RMF process, agencies and services are still doing re-certifications every 3 years.
  3. Anonymous
    C&A is a jobs program for low-skill INFOSEC workers, most of whom have no practical knowledge around threats, attack methodologies, or defense operations, but can make lovely spreadsheets. Until those spreadsheets can defend a network, it is a low-value exercise, which consumes the system owners' time and taxpayers' money.
  4. Anonymous
    The fact that you are making statements like the above proves that you fail to understand what continuous monitoring and continuous authorization are and how one relies on the other. The very nature of CA (OA) is that you have full insight into your system and Enterprise and how different dependencies propagate through the system. Saying C&A, ST&E, and IV&V professionals are low-skill positions is like arguing that a farmer is low-skill. Understanding how systems are built from a security perspective, and how each control relies on another control for enforcement and support, helps decision makers make strategic investments in their security. Referring to security as a network exercise is also a terrible stance, in that the very nature of security is shifting away from the perimeter and into the application.