Reciprocity has been a hill the government has tried to climb for decades. From security clearances to cybersecurity to financial management systems, the “review once and use many” mantra has been as popular as a bear at a picnic —everyone runs in different directions, yelling and screaming.
The Federal Risk Authorization and Management Program (FedRAMP) cloud cybersecurity program has probably come the closest to successfully taking on this issue of “trust but verify” across the government. But even FedRAMP hasn’t made climbed the Mount Everest of federal culture change.
So the Defense Department is taking a different approach specifically around cybersecurity.
Terry Halvorsen, the DoD chief information officer, signed a memo on Oct. 18 mandating reciprocity of all authorization and accreditations of systems in use across the military.
“Components will maximize reuse of assessment and authorization evidence developed by prior system authorization and deployments within sister DoD components,” the memo stated. “Any such cybersecurity assessment, authorization and testing conducted by another component shall be evaluated before additional assessment or testing is undertaken. Assessments, authorizations and tests by another DoD component shall be presumed to have been correctly completed, and that assessment, authorization and testing, and the resultant test evidence, will be accepted by all DoD components as a basis for assessment and authorization.”
In a nutshell, Halvorsen is strongly encouraging trust and speed over doubt and protracted reviews.
“Cybersecurity reciprocity is the default for assessment and authorization of an IT system already deployed in the Department of Defense,” the memo stated. “Accordingly, any DoD component undertaking an assessment and authorization effort will determine if the system being assessed has already been assessed, authorized and tested, and will proceed based upon existing assessment evidence.”
Halvorsen said if the military service or agency may conduct additional testing of an existing system if they have unique requirements, but cannot retest the pieces and parts already approved.
“In the case where a component organization asserts that the assessment, authorization and testing completed by another component was performed incorrectly, or was deficient in some other manner, approval must be obtained from the DoD CIO prior to any additional assessment, authorization and testing,” the memo stated. “Achieving this balance requires that scarce security resources be spent on due diligence and analysis, rather than redundant and unnecessary testing or bureaucratic documentation.”
Janice Haith, the Navy Department’s deputy CIO, said at a recent AFCEA Washington, D.C. chapter breakfast the memo was a big win for DoD.
“With our cloud access points, we can move faster and the process will be quicker,” she said. “This is where changing the culture of people comes in. Accreditors were struggling with the old policy because they wanted to read everything. We said, ‘You don’t have to if our substantiation is as good as the Army’s, then just put it in.’ The Chief of Naval Operations has said several times that if it’s good enough for the Army or the Air Force, why wouldn’t it be good enough for the Navy? You can still look at the documentation, but not go through a six-month process of review.”
Haith added she believes the time it will take to accredit and authorize systems should be shortened to weeks instead of months.
Ken Bible, the deputy CIO of the Marine Corps, said when using another services’ systems, the key is the quality of the documentation. Bible said any service can accept another’s testing as long as they can see how it was completed.
Bible’s comments sound reasonable enough as long as that review doesn’t take six or nine months. It should take a few weeks at most as the ever-changing nature of cyber threats requires organizations to move at an unusual velocity.
This isn’t the first time DoD has tried to address the reciprocity issues. In March 2014, the Pentagon issued a risk management framework that included an appendix focused solely on cybersecurity reciprocity.
It’s unclear why Halvorsen decided a new memo was necessary, but one could assume the services and Defense agencies were not following the directive well enough.
No matter the reason, the fact that DoD is pressing for trust and verification is a good sign as both cyber resources and time are of the essence. And hopefully, civilian agencies will follow suit beyond FedRAMP and the assorted interagency systems.