“Rather than waiting for us to deal with every vulnerability or risk that comes up with a particular application or system, we allow it, the system or application, to get on the network sooner. So as soon as we can find a way to mitigate the high vulnerabilities, let’s get it on the network. We can give it a year to clean everything up and mitigate it,” Zangardi said on Ask the CIO. “At the end of the year, if we did, we give it a regular ATO and put it into the continuous monitoring process and off it goes. We’ve done this in a way that hopefully will help us speed things up because that’s the key.”
DHS is not alone in its need to speed up the ATO process. The General Services Administration’s 18F organization and the National Geospatial Intelligence Agency are among the departments that have made progress in shortening the time it takes to receive an ATO, but ensuring it applies the appropriate amount of rigor. And the Office of Management and Budget made streamlining the ATO process apart of the IT modernization cross-agency priority goal. OMB says it wants to “replace drawn out compliance-based system authorization processes with nimble, risk-based decision-making to drive effective and cost-effective utilization of commercial technology.”
For DHS, improving the ATO process is even more critical since the agency’s inspector general found shortcomings across the department. In the fiscal 2018 Federal Information Security Management Act (FISMA) report to Congress the IG said, “components continue to operate systems without ATOs, use unsupported operating systems that may expose DHS data to unnecessary risks, ineffectively manage the plans of actions and milestones process to mitigate identified security weaknesses, and do not apply security patches timely. The continuing deficiencies are contrary to the President’s Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprisewide information security program needs to be strengthened.”
Zangardi said one way to reduce the burden of the ATO process is through the emphasis on reciprocity. He said mission leaders want the cyber oversight and compliance processes to be more agile and nimble so they can get the applications to the field quicker.
“If an ATO was granted by one component, why should we hesitate in accepting that ATO if it was done in a way that was well done and doesn’t have flaws in how it got there?” he asked. “How do you encourage it? You have to keep talking about it. There is a reticence out there not to trust the work of others. So you have to stay on top of it.”
Moving toward a risk management posture
Zangardi said risk management is at the core of reciprocity and a better, faster ATO process.
“This all comes back to probability of occurrence and consequence of occurrence and understanding what that means in context of your mission and the risk you take,” he said.
At the same time, DHS’s chief information security officer Paul Beckman is reviewing and updating the agency’s cybersecurity instructions, known as the 4300A.
“How do we write it in a way that is easier for a consumer to read it? Part of it is how to make it smaller,” Zangardi said. “As you look at this, you start building in a philosophy of risk management, of understanding the risk you are taking on and leadership encouraging people to take advantage of reciprocity within that context. A 4300 guidance and instructions in how you approach this in a more readable and understandable way, you begin moving down the right path.”
The need for a better, faster, more agile ATO becomes more important as DHS moves more and more applications to the cloud, especially as Zangardi ramps up the agency’s efforts to use the Enterprise Infrastructure Solutions (EIS) contract to move voice, data and network modernization forward.
“Policy will emanate from DHS CIO, whether it comes to ATOs or things like that. We want to leverage the expertise of the other components. We’re going to bring them in, and like I said earlier, plagiarism is the highest form of flattery, so I’m not going to reinvent the wheel. We’re going to see what they did and look for best to breed,” he said. “Modernization is not exclusive to EIS. EIS is a means by which you continue to modernize. Modernization must be the key to everything. If you get stuck on legacy and running an unsupported operating systems, you’re setting yourself up for failure and for security violations. You need to refresh your hardware. You need to make sure you have the latest software going. When we do patches, we are pushing them hard. It’s really important for modernization to be fundamental in everything you do.”
As for EIS, Zangardi said he brought together the component CIOs in June to agree on a strategy. DHS still is developing its EIS request for proposals with a goal of releasing a draft in the next few months.