In my last blog, I reviewed the Risk Management Framework (RMF), the unified information security framework replacing the legacy Certification and Accreditation (C&A) processes within Federal government departments and the Department of Defense.
Old school C&A processes determine if security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency. The C&A process results in a collection of documents that describe the security posture of the systems, an evaluation of the risks by risk score, and recommendations for correcting deficiencies in a Plan of Action and Milestones (POAM). The number of CAT 1, 2, and 3 findings measures an organization’s compliance with respect to published IA controls (no findings indicates full compliance).
With any CAT 1or CAT 2 findings, or a large number of CAT 3 findings, an Authority to Operate (ATO) or Certificate of Net Worthiness (CON) wouldn’t be issued until remediation was completed. If there were any CAT 1 findings, the system would at most be granted an Interim Authority to Operate (IATO) until the high-risk findings were addressed.
If an organization scores high, then a false sense of security manifests. “If I have a low risk score and I’m fully compliant with patching and polices, then I shouldn’t be held liable if/when something goes wrong." This is termed the “Cover Your A$$” strategy. As an example is a history lesson–the RMS Titanic was the largest and most compliant ship of its time. We all know what happened. Tragedy.
Titanic had advanced safety features such as watertight compartments and remote activated watertight doors. Though there weren’t enough lifeboats to accommodate all of those aboard due to the maritime safety regulations of the day, it didn’t matter much to passengers because Titanic was thought to be “unsinkable.” The ship received a series of warnings of drifting ice in the area, but continued to steam at full speed, standard practice at the time. It was generally believed that ice posed little to no danger to large vessels if they were compliant with safety standards. Risks were considered to be low because the compliance was high.
Risk Management Framework has introduced more meaningful and efficient processes across the board. Compliance can provide a framework for success, but simply complying with federal or industry rules doesn’t always adequately protect you from security dangers and breaches. It can be difficult to show management the need to assess mitigation strategies that extend beyond regulatory requirements, but the security leader must do just that in order to help avoid a “Cover Your A$$” moment and another Titanic.
Kevin Tighe & Greg Boudah