The Department of Homeland Security’s mission is to protect the privacy of citizens, and with Ongoing Authorization there are new ways to make quick, informed decisions regarding system security.
The Federal Information Security Management Act of 2002 has typically been what drives security compliance – it requires all information system security controls to be tested every three years. The review involves a large paper-based compliance exercise which can be both wasteful and time-consuming, and only after passing that could a system be granted authority to operate… but with the quickly-evolving landscape of cybersecurity and online threats, there needed to be a quicker way to get these assessments done.
Now, the federal government is providing its departments and agencies with a tool aimed at making security authorizations more effective and efficient. National Institute of Standards and Technology guidance and Office Management Budgets memos refer to the new requirements as an “ongoing state of security”.
Ongoing Authorization is a risk-based security process that provides near real-time insight into the security of an information system. Security officials can maintain an ongoing sense of awareness regarding their systems by using data feeds from the department’s Continuous Diagnostics and Mitigation program. That will result in an enhanced opportunity to make decisions based on risk levels.
The three-year security cycle is done away with in Ongoing Authorization – instead, ongoing assessments will be driven by risk-based events. The process relies on evaluating and testing controls when triggers or security events occur. An Operational Risk Management Board will review triggers when they occur to determine their impact on security controls as well as the overall risk to the system. Following the review, the Chief Information Security Officer will prepare a formal letter recommending whether or not to maintain authorization.
The DHS has worked closely with federal organizations including the Government Accountability Office to gather key requirements for OA to ensure compliance is met.
The Ongoing Authorization program is continuing to expand – 70 systems were enrolled before the end of 2014, exceeding early expectations.
For more information on security and compliance, turn to Outsource My IT. We’ll keep you up to date and ensure you’ll always in the know about important technology news and updates – reach out to us at firstname.lastname@example.org or by phone at (973) 638-2722.