Organization and project team to-dos for compliance and accreditation

Cybersecurity is one of the most prominent risk factors for commercial companies, government agencies, and individual users of systems and services.[1] This is partly because cybersecurity faces multiple risk vectors, such as insider threats, data spills, ransomware, hacking, supply chain risks, and human error. The potential consequences of such risks can be catastrophic, ranging from identity theft, privacy violations, and revenue loss to violations of federal law.

To combat this, organizations rely upon many processes and tools to identify, track, and mitigate these risks across the technical and compliance landscapes. This article focuses on compliance: specifically, the National Institute of Standards & Technology (NIST) Risk Management Framework (RMF)[2] and the Assessment & Authorization (A&A) process. The RMF was originally designed for federal agencies, but private sector companies commonly use it to improve their security hygiene.

The RMF focuses on managing risk rather than eliminating it. This is accomplished through the RMF’s seven steps, which formally track an asset through the accreditation process and eventually approve the asset to operate, in what is called an Authorization to Operate (ATO).

[Figure: The seven stages of the NIST RMF Lifecycle]
Figure 1: The NIST RMF Compliance Lifecycle manages versus eliminates risk.

While the process may appear simplistic, when adopted by different organizations with different missions, lines of business, types of data, and cybersecurity acumen, this framework can become convoluted, bloated, ineffective, and dangerous. This is especially true when project teams view the process as just “paperwork” or lack the security forethought needed to get their product to production with an ATO.

In cybersecurity, there are varying opinions on how to get to ATO “fast.” In a rapidly changing cyber environment, time is of the essence. But focusing on the speed of the process raises the question of whether the quality—and therefore effectiveness—will be reduced.

Case Study

The root of most ATO-related challenges for our customers stems from the lack of communication between security teams and the rushed nature of planning periods.

Often, the length of the ATO process is an afterthought in early development, with timelines not accounting for the near yearlong queues from project start to the granting of ATO certification for a system. By this point, requirements may have changed, iterations may have taken place, and even some projects scrapped by frustrated clients who were not anticipating the wait time.

Rigorous planning is key to achieving accreditation, as evidenced by our ATO approach supporting a defense customer. Before development work even started, our team set aside eight months of planning time focused on the ATO process.

Within that timeframe, the team created a static production environment and ensured no changes were made. This allowed the team to coordinate with all the ATO stakeholders while providing the resources to work on all the documentation required for the ATO package. By the end of the 8-month period, we were awarded ATO and had an established RMF process throughout the life of the accreditation, highlighting the importance of not cutting corners in the planning and review preparation process.

With extensive experience in private and public sectors, NT Concepts has put together the following series of generalized recommendations to improve both the timeliness and quality of our customers’ compliance processes.

First, we address what organizations can implement at the senior-leadership level to enable efficiency, shore up fundamentals, and build trust between our security bodies and project teams.

Following that, we supply recommendations for project teams that aid in building security during development, generating precise, complete documentation, and being the boots on the ground reporting upward to senior leadership.

“No one can whistle a symphony; it takes an orchestra to play it”.
– H.E. Luccock

Senior leadership cannot create secure systems on their own. It takes the entire organization working together in a symphony to manage organizational risk.

Organization To-Dos

Common Control Providers

One initiative that significantly impacts the efficiency and quality of accreditations is the identification and authorization of Common Control Providers (CCPs). CCPs are typically enterprise systems or services used by subordinate systems, applications, or services. CCPs get their name because they handle the implementation and configuration of security control requirements which their customers then inherit.

Organizations must identify and accredit their CCPs before any other system or service and revisit and re-validate their authorizations continuously. CCPs are the backbone of an organization’s ATO and are fundamental to the successful and secure continuation of mission operations.

Imagine that every time you used a credit card, you were asked to provide proof that:

  • the card is yours,
  • you have an online account with the provider,
  • the provider is the actual issuer of the card,
  • the provider employs security measures to protect against theft, and
  • the provider will pay the business even if you are unable to pay the credit card bill?

You would be frustrated that you are being put in the position of proving something that is the provider’s responsibility.

Now translate that over into security controls and the accreditation process. Say your organization requires all applications to use enterprise public key infrastructure (PKI), and there are ten security controls that relate to the implementation and configuration of PKI.

[Figure: Graphic depicting exponential relationships in enterprise PKI]
Figure 2: CCPs reduce time and effort across your organization.

Your organization has 2,000 unique accreditation records (including applications, systems, and services) that are required to answer those ten controls. If no CCP is identified and accredited, those ten controls are not made available for inheritance by the other 1,999 records. You now have project teams and assessors spending time continuously answering and verifying 19,990 PKI security controls, versus an assessor performing the assessment once initially and then with periodic verification.

Now start to calculate the hours spent on work that neither the project team nor the assessor can prove or verify. CCPs not only add value and improve your security posture, but significantly reduce time and effort across your entire organization.

Communication

At the heart of our organizational approach is consistent and meaningful communication. Communicate early and often, ensuring the correct audience is reached. If you have a communications team or office, make certain they are in the loop on all compliance-related meetings, discussions, boards, or decision-making.

Where possible, allow the workforce at large to attend non-sensitive meetings about compliance issues for full transparency about the process and decision-making. As you and your project teams start to trust each other and work more closely together, communication will happen more organically. Watch for feedback from project teams that reference them not being aware of changes or decisions, and make sure the corresponding office is aware and the course corrects accordingly.

Experienced (and qualified!) subject matter experts

Cybersecurity presents an interesting challenge when gathering subject matter experts (SMEs). The topic itself has a low bar to entry, meaning there is an abundance of experts on the topic, but they may not be qualified in the specific domains required by your project. Further complicating the vetting of SMEs is the lack of cybersecurity expertise in the market to fill critical positions,[3] as well as open policy or governance slots. Organizations can miss the mark in generating position descriptions or hiring the correct personnel. Vague or misleading position requisitions can lead to mismatched roles and personnel, resulting in high turnover rates (increasing the anxiety over getting someone into the position) or, worse, a disgruntled or unmotivated employee.

Organizations should use vetted and experienced employees or a third party to generate and review position requisitions against requirements. These personnel should not have a financial stake in successfully hiring or retaining an employee for the position(s). The outcome should be that you have the correct skillset matched to the job, and you are not paying for a senior-level expert where a junior-level one would suffice. Make it a priority to staff full-time SMEs who can be called upon for their trusted ability in cybersecurity as needed, saving time and money overall while cultivating a full-time culture of excellence in the field.

Reduce redundant systems and services

The leaner you run your network, system, and services, the easier it will be to perform critical data management and meet security requirements. Does your organization have four data lakes with the same data in each? That may be an area where you could consolidate them down to one. Do you have two to three ticketing services in use across the organization? Consolidate them.

A&A-specific recommendations

Develop an A&A knowledge base

Where do new project team members find security controls with Organization-Defined Values (ODVs)? Where do they become educated on criticality and availability requirements? How do they find points of contact for assessors, Information System Security Managers (ISSM), or other A&A personnel? Where do they find documentation of acronyms or nomenclature specific to the A&A process?

Your organization should have an established knowledge base that encompasses anything a project team, project manager, Information Systems Security Engineer (ISSE), or ISSM would need to successfully prepare for the A&A process. If project teams must guess, rely on word-of-mouth, or fall back on how they did it in their last job, you may indirectly cause delay and inaccuracy, which is costly and poses a security risk. An expansive and up-to-date knowledge base will also greatly improve your overall communication with the workforce.

Develop Authoritative Templates

Develop organization-specific templates for critical documentation (such as Contingency Plans, Incident Response Plans, Configuration Management Plans, and Roles and Responsibilities Matrices) and enforce their use. Ensure the contents of the documents include your organization’s identified security control requirements, so project teams can create one document that potentially answers several to a dozen security controls, and that they can update without also having to update individual security control responses. This type of document allows project teams to “kill two birds with one stone,” in that it answers the security controls AND provides a supporting artifact in a single reference.

Identify categorizations of systems according to risk (i.e., risk management)

Putting the same level of security effort and labor into a standalone laptop that you would put into an enterprise network is inefficient and adds no value. Mitigate this action by creating risk swim lanes, and use your cybersecurity SMEs on high-priority, critical assets that represent the largest risk to your organization, implementing stringent requirements for those assets. Lessen the documentation and security requirements for low-risk assets and put your money and expertise where it creates the most value.

Encourage constant feedback

“Criticism may not be agreeable, but it is necessary. It fulfills the same function as pain in the human body. It calls attention to an unhealthy state of things.”
– Winston Churchill

Organizations should continuously welcome and encourage feedback from employees and customers to motivate their workforce and realize the entire value spent on expertise. Security is a “dirty word” in many organizations, typically caused by the perception of security considerations being the “bad cop” who only says no and enjoys the power trip of decision-making.

Help change that perception by being genuinely interested and eager to hear feedback regarding security. Establish a transparent, repeatable process for collecting feedback, reviewing it, and providing a response that explains the decisions. If finances allow, offer monetary incentives for suggestions that improve your security posture. Overall, this will cost your organization significantly less than a data breach, which averages $9.44M[4] in the United States.

Project team to-dos

Common sense security

You do not need to be assigned security controls to build strong, commonsense security practices that meet (or exceed!) control requirements. Most organizations are going to require the implementation of the following:

  • Access Control & User Management
    • Default Deny
    • Least Privilege
    • Privileged User Tracking
  • Auditing
    • System
    • User
  • Asset Inventory & Management
  • Encryption (at rest and in-transit)
  • Backups
  • Vulnerability Identification & Mitigation
  • Static & Dynamic Code Testing

If your organization is in the intelligence or defense communities, you need to account for additional requirements found in the recent Executive Order 14028, “Improving the Nation’s Cybersecurity,”[5] and National Security Memorandum 8,[6] which outline that all government and military agencies must move to cloud-based services, enable zero trust, and implement multi-factor authentication (MFA).

Automation, automation, automation!

Automating configurations and processes saves time while eliminating the possibility of human error, benefiting both operations and cost as well as improving overall security and cyber hygiene. Where possible, embrace automation, no matter how small your organization’s commitment. Get your workforce used to seeing automation in action and the benefits even minor adaptations can provide, and regularly re-evaluate where to apply additional automation. Automation is key to achieving rapid or continuous ATO states and is a critical part of the security culture.

Explain it like I’m five

You cannot assume that an assessor, ISSE, ISSM, or even a Chief Information Security Officer has the same understanding or baseline knowledge that a project team has. Approach documentation and security control responses as if answering a question from non-technical, non-security personnel. For supporting artifacts, if a layperson cannot review it and understand it without added context or information, then that missing information must be included. Attempt to anticipate questions regarding both documentation and artifacts and answer them in advance where possible. This additional context will significantly speed up your time to ATO and generate trust between your team and your assessor or ISSM.

Accountability and the power of speaking up

Where possible, create incentives to encourage integrity and ideas from your project team. Diversity of experience and thought is a superpower, and when utilized correctly, it can minimize risk and increase employee morale. Encourage teammates to speak up when something is or feels wrong or if they know there is a better way of accomplishing mission objectives. When applicable and appropriate, submit feedback to senior management. Knowledge and understanding gaps will always be a risk, so facilitate open discussion without judgment or negativity.

Continuous ATO

It is likely your organization has discussed that going through accreditation every year (or two, or three) is not improving the overall security posture, and that snapshots in time are only valid until the next vulnerability is identified. While these concepts are accurate, how do we get to a more continuous awareness of our security posture and organizational risk? Is a continuous, rolling ATO achievable?

The answer is yes. But, to get there, your organization’s fundamentals must be established, repeatable, and meet success metrics. Without a solid foundation, your continuous ATO will only present a false sense of security, built on a shaky understanding and incomplete or inaccurate data.

NT Concepts has the experience and skill set to work with organizations and teams to establish or correct security fundamentals, build on that success, and create further efficiencies through continuous monitoring and, eventually, a continuous ATO.

Reach out to us to discuss how we can support your goals moving forward, and help you drive toward continuous ATO.

References

1. Jensen, R. (2022, September 7). Business leaders rank cybersecurity as most serious risk facing their company. Security Today. https://securitytoday.com/articles/2022/09/07/business-leaders-rank-cybersecurity-as-most-serious-risk-facing-their-company.aspx

2. Information Technology Laboratory, Computer Security Division. (2016, November 30). About the RMF – NIST risk management framework: CSRC. NIST CSRC. https://csrc.nist.gov/projects/risk-management/about-rmf

3. Lake, S. (2022, June 30). Companies are Desperate for Cybersecurity Workers. Fortune. https://fortune.com/education/business/articles/2022/06/30/companies-are-desperate-for-cybersecurity-workers-more-than-700k-positions-need-to-be-filled/

4. IBM. (n.d.). Cost of a Data Breach 2022: A million-dollar race to detect and respond. IBM. https://www.ibm.com/in-en/security/data-breach

5. Biden, J. R. (2021, May 12). Executive Order on Improving the Nation’s Cybersecurity. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

6. Biden, J. R. (2022, January 19). Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/
