Hi. I'm Whitney. I'm the student today and this is Denee, the teacher, and Denee's going to teach me and you about ATO, which is authority to operate. Denee, tell us about yourself. Denee: My name is Denee Lake and I am a modern compliance architect for VMware. And what we really do is we help clients get through the ATO process with our products, so we help provide that hardening guidance, we provide STIG checklists, we provide all that data with regards to how to use VMware products in a safe way, so you can get risk acceptance by your authorizing official. Whitney: That's amazing. I didn't understand a lot of what you just said, but I think I'm going to understand by the time this is over. Yeah, so let's start by talking about authority to operate (ATO) and what problem it's solving. Like, what is it exactly? So maybe a good definition and then why does it exist? Denee: So the authority to operate is really kind of like a type of authorization that you can get out of the risk management framework process. And what the risk management framework process is really trying to solve is, you know, how do I ensure that I'm protecting the confidentiality, the integrity, and availability of a system or the information or anything else you're trying to protect? Whitney: Excellent. So already, let's slow down a little bit and tell me that very first sentence, even though you used a term that you defined. Let's get that first sentence on the board. Denee: So yeah, authority to operate is an approval by an authorizing official to use a system in that authorizing official's live network. Whitney: Thank you. Denee: So essentially any technology you want to add or use, they have to look at it, evaluate its cybersecurity risk, and then that allows them to actually use it with your system, with your operations and everything else. Whitney: OK, I think I got that, but I have some questions. 
So an authority to operate is an approval by an authorizing official to use a system in that authorizing official's live network. So I guess what will help me understand this is, can you give me an example of an authorizing official and an example of a system? Denee: So usually that's a designated position as part of the risk management framework process. OK, so I'm going to say my experience is very much like the Army. So for RPO, normally a one- or two-star general was the authorizing official, the government lead that gets designated that authority, and then that says, "Yes, I assume the risk for this system and its usage." Whitney: So this authority to operate is specific to governments? Denee: Yeah, it is definitely a federal DoD government process. There are some private companies that do leverage it, because all the processes that you follow, the frameworks and stuff, are a good starting point to use. But it is definitely really focused on federal DoD military. Whitney: Fascinating. Super cool. So an authorizing official is a government lead who accepts the risk. Denee: Yes. Whitney: Cool. And then, a couple of times now "risk management framework" has come up, so that's the next thing I'd be excited to define, if that is OK with you. Perfect. OK, so we're cool. Denee: The risk management framework is your process to ensure confidentiality, integrity, and availability of your system. ... Whitney: Confidentiality... is the order important? Integrity... Denee: CIA: Confidentiality, Integrity, Availability. And I can go through each one. Whitney: Well, let's do confidentiality first and then I'll write the other ones, because I might want some room on the board here. Denee: So confidentiality is the ability to ensure that only the right set of people can see your system's data and information, and only the right set of people have access to it. Whitney: ...ensures that only... ...the right set of people... ...have access to a system. Cool. 
I'm going to write "your process to ensure in your system"... or "ensure your system has." That's better. Thank you for your patience. OK, so we got C for confidentiality, I for integrity. Denee: So integrity, that's ensuring that the data that you put into your system stays the same, that it hasn't been changed, it hasn't been corrupted. Whitney: OK, the data is not tampered with? Denee: Yeah, it's not tampered with, that you can trust the data that's there. If it says, you know, "This person's allergic to penicillin," yes, that person is allergic to penicillin. Or if it says that the person isn't, it says that. You can see why this would be really important in certain applications, like health information. Whitney: Oh my goodness, yes. Excellent. And A is availability. Denee: That's just making sure that you can access the system when you need to. Right? It's not blocked; you know you can get the information when you need to in order to do your job. Whitney: Ensures the system is always up and running. Denee: When needed. Whitney: Ah, I like that addition. Denee: Yeah, because there might be times where it doesn't need to be up and running. But when the operation calls for it, it needs to be there and available. Whitney: So the authority to operate. Someone wants to use a system in the authorizing official's network, and that official gives permission, gives authority to operate, to somebody. And then the risk management framework, how does that relate to authority to operate? Denee: So the process in order to get an authority to operate is to go through the risk management framework process. Whitney: OK.... And then to get ATO... Is it very, very common to use this acronym? Denee: Yes. Whitney: So it almost is weird to say "authority to operate" all the time, because people just say "ATO"? Denee: Yes, and there are also other types of authorizations you can get out of the risk management framework process. 
You can get an IATT, which is an interim authority to test. So sometimes you don't necessarily want to have it operate in the full live system, but you want to test things, and it's going to interact with the live system; it's just not going to perform actual operations. So you get that IATT because you don't want to put in a system that could corrupt your live system when you're trying to test it and verify it and make sure it works. Whitney: Cool, so is that something you want to capture? The other things that go through the risk management framework, is that related today? Or is that just kind of some bonus material? Denee: Let's go through the RMF process. That is really the bread and butter of how you get there. Whitney: So RMF is risk management framework. And is that something that people just say? "RMF" all the time? Denee: Yes. Whitney: That makes sense, because "risk management framework" is quite a mouthful. Denee: But it's definitely the way to manage the risk of your system and understand the risk of your system. Whitney: This seems like it's good for any... like, I understand that it really comes into play for highly regulated stuff, but it makes sense for a lot of systems, it seems like. Denee: Oh yeah, and the RMF process and all the different steps and controls, I think it is just a good process that you could leverage. It can be lengthy, depending upon the organization and how they implement it and how mature they are at implementing it. But it is a good process. Whitney: All right, thanks, I'm drawing boxes now. So what are we talking about next, please? We're talking more about RMF. Denee: Let's talk about the steps of RMF. Whitney: The steps of RMF... because it's a process, and a process has steps. ... Denee: So the first step, which they just added within the last couple of years, is a Prepare step. This was actually added on because the process can touch so many parts of your organization. 
The Prepare step pretty much prepares the organization for just starting the process: getting all the right people together, getting all the right people bought in, assigning various roles. Whitney: It's like when you're cooking, you should set out all your ingredients before you start, because you don't want to get mostly through your recipe and realize you're out of something. Denee: Yeah, and I love that example, because part of Prepare is also just understanding the recipe, understanding what is the system you're accrediting. So part of creating that accreditation boundary is also in that Prepare step. What am I acquiring? What are those systems? What is the edge of that accreditation boundary? So what's in the boundary and what's out of the boundary? Whitney: So "ATO accreditation," is that a proper term? Denee: Yes. Whitney: Cool. I'm going to write that, because it'll help it all stick together. ATO accreditation. OK, so first you prepare by understanding the system that's seeking ATO accreditation. Denee: Yep. Whitney: Cool. And what next? Denee: OK, now you go through a process called Categorization. And so this step is where you look at what's going through your system, so what kind of information you have to protect. And then that's where you determine your CIA levels: Confidentiality, Integrity, Availability. Whitney: So you're looking at the data specifically that flows through your system. Denee: Correct. Either it's going to flow through, it's going to be stored, or it's going to be processed. Whitney: So the data in your system, regardless of what it's doing. Denee: Yep, and there are multiple processes in order to execute that. I know in the DoD we use what's called the Information Type Survey. And essentially it goes through some NIST policy, where they've looked at different information types and made a recommendation for what the CIA level should be. 
So, for example, if you have health-related data so let's say things that would be covered by HIPAA, your confidentiality might be like a high but your integrity and availability would be like a moderate, as it aligns to... Whitney: Oh fascinating. Denee: So yeah, depending on what the information is and those levels are in line with how you need to protect and what rules you use to protect that information. Whitney: I have a question. I think we need to unpack the last statement you just said. Like is that part of the Categorization step? But first, before that, what does the word Catarization mean? I feel like I've heard it like in relation to blood vessels like catarizing of... Denee: Oh category, like categorization. Whitney: Oh OK, I just totally thought it was a new vocabulary word I hadn't heard before, that's how far out of my knowledge level we are. So categorization. ... Denee: So you're just categorizing, like what information is going through my system? How should I protect it? Whitney: So first, look at what's in your system. Second, determine the CIA level for each type of data probably not for the whole system, right? Denee: Every single data that would go through your system, processed by your system. So there's a list that is based upon some of the NIST policies. And essentially you follow that list, so there's already been a group that has gone together, thought of different information types, and said "How should I categorize these?" so we understand how to protect it. You would fill out that and then you also have the choice to not use that categorization because you can go higher or you can go lower. So let's say you say, "Because of the environment I know I'm gonna be in I might want to make sure that I want to increase availability from low to moderate." So in that phase, that step of RMF, you kind of make those trades, discussion choices. 
Whitney: So for the categorization step, you look at the data in your system, you determine the level for each data type, and then you determine how you want to protect each data type. Denee: Yes. Whitney: OK, cool, this is fascinating. All right that's step two, right? Denee: Yep. Whitney: Cool, and what's step three? Denee: All right, now there is a whole bunch of controls and now you're going to select the controls that are tied to your CIA determination. So depending upon your CIA determination, that will trigger which controls apply to you. So let's say if you had a CIA level of High-High-High, those controls, there could be essentially almost 2,000 controls you'd have to implement. Whitney: Wow. Denee: Yeah. A lot of controls, a lot of control families, a lot of different piece parts of that. Whitney: So we're saying controls is step three. What's the verb for that? Is implementing controls step three? Denee: Well, no, no, we're just still at select. Whitney: Select controls. Denee: Yeah, because you're going to use your CIA from the categorization, you're going to select controls because now you're gonna tailor which controls might apply to your system or not. So for instance, let's say you have a completely virtual system. 
There's a whole family of controls that talks about media protection if your system with actual media doesn't have you know disk and you know other Hardware devices then that media protection set of controls may not apply to you um there are some controls that also talk about you know other kind of Hardware components that may not apply for you so when you're going through this select step you're kind of figuring out which ones don't apply to you so you take the CIA a determination and maybe the data type like media and what those two pieces input then you decide what control is appropriate yeah okay um I know in the dod it's more of a tailoring out because a lot of it is so [Music] um controlled with regards to um it's like where you enter a lot of this information is a system it's called EMASS in the dod once you put IA um um Set uh the CIA determination um it will really spit out here all the controls that apply to you then you have a step of this one doesn't apply this one doesn't apply this one doesn't apply you don't okay that flexibility of hey I'm going to choose not to do this one it is going to give you the full list of all the ones you have to do but that's how the dod does it other please do it slightly different uh fascinating so do you think it's more accurate so do you think my earlier statement of like you take your CIA determination and your data type and then determine what controls are appropriate it's still accurate okay um I'm Gonna Keep It consistent and then determination and then the CIA determination there's one for each data type in your system right yeah and then I mean at the end of categorization you will have a sort of summarized one so like you go through what's called you essentially like say I'm going to look at all of my um confidentialities and you take the high water mark of whatever your confidentialities were so if you had two confidentialities that were moderate but one was high then your system is High um and then that drives 
that gets into the selecting the controls that would drive which controls you have to apply um and then in select your your pretty much Tailoring those controls to your system I have can will you tell me what an example of a control is like give me an example of a control sure there are a lot of various families of control so there are there's a family of access controls and that really kind of goes into who has access how do they have access you know ensuring that only the right people have access um there's a whole family of controls that talks about auditing which is collecting data about your systems in order to determine um an also so that you have you know indicators of compromise um there's tons of different rules of what you can check for your system there's configuration management like how do you approve your system um but tons and tons of families and Security checks that all have to get sort of put together I like that and then if you have and if you have other types of information in your system let's say you have um Privacy Information let's say you have health information there are additional controls that even get added on top of that um so the amount of security controls those safeguards it can really multiply to be a lot well I imagine well at once we talk about the steps we'll we'll start to talk about how to manage that volume later yeah okay so cool so step three select the controls take the CIA determination and the data type and decide what controls are needed and then I think you kind of said step four is to then apply the controls is that correct um yeah now you're implementing so yes you're applying those controls how many steps are there um seven altogether okay how am I doing on board space based on what you want to tell me um I think we're okay okay all right so apply controls and tell me about apply controls um essentially um it's yeah doing the engineering work of going through the controls applying it making sure it's engineered in 
um making it part of your system so for instance like let's talk about auditing like hey I need to understand my system how it's going to be used and what data do I need to audit in order to determine indicators or compromise make sure that's documented make sure that auditing system works that's collecting the data the frequency that's required wow um so a lot of all those different things so like access control um you know hey I need to tie this to something that manages accounts that you know only the right people can access it and you know how do I integrate that with my system of systems because maybe that access control system is to be part of your system it could be not part of your system but all that needs to be you know engineered into your system and then you know documented into all of these controls and pretty much like every single one of those safeguards the you know the potentially up to like well over two thousand uh all of those are verbosely documented every single one um so can you tell me an example of when an ATO accreditation like what kind of system is it is seeking from this accreditation from whom what's an example of that it could be as simple as this as a laptop or it could be yeah as a you know a satellite system okay could be um all the command and control systems that you know that our military use um it could be you know your network infrastructure um it was amazing it could be pretty much anything that's going to hold and process data and information you care about so if it's a satellite system or something on the more complex side is it common for like a fully formed system to later after it's already created to then go and seek this this seems like so complex that it should be like built into the system as it's being built in the first place as opposed to taking a system that already exists and then trying to add this stuff to it well ideally yeah you definitely should shift security left right this should be of the requirements 
of what you're building into the system Azure and designing it but the art process was um created where it can be applied against new systems as well as existing systems um so you can always start at any of these processes that no matter what the stage of development your system's at excellent cool this is fun all right is this good for step four apply controls do the engineering work of applying controls yep great all right now you've applied it you've documented you know you have all your information because part of that is also like make sure your policies are documented so like not only on the thing but you've got how you do the thing right yeah um so now you're going to assess it I'm thinking about how I want to do five six seven I think I'll do this five assess controls or already assessing the system um yours you're assessing the system but you're assessing the system via the controls okay um excellent but essentially um usually what they would do is they would get an external organization hmm someone who is not under the authority of who owns the system um that's wise though sometimes it is kind of under the same org different organizations do it differently um but yeah an independent body comes in and looks at all your controls and reviews it and verifies it controls are viewed by an independent body yep reviewed by independent body almond you know that could be like a week-long process where they're sitting with the engineers they're sitting with the management they're sitting with operators and they're going through each part um some of it is they're looking at um technical details some of it is an interview so like um you know so let's say it's configuration management they might say okay like do you understand the configuration management process because they're true they're not only just trying to see like hey this had a specific setting and I need to verify as I'm studying a lot of it is also ensuring that you know people know the processes 
understand the processes I'm following it so it's it's like not only assessment but also kind of Education it's verifying education um there is an awareness and training family as well to make sure your your people uh to operate use and securely use your system um so you could you know you could pass the control for doing a certain thing but if you're people that are being interviewed during that assessment don't understand the process you could fail that part of the control okay fascinating yeah it's a mix so we said do the engineering work of Applied controls but it could also be training work yeah it's just making sure all that is there um um on this yeah this processes that you have processes documented and you teach them and people are following it because some of those controls like they're looking for evidence of following so like some of the training controls like okay I need to like you com you said that you're gonna train your people on this sure and that's literally their check like you have a process for this does your process have all of these parts to it um so this it's very granular um one of the things that we didn't go into about applying controls is that it's not just the controls there are some other piece parts to it as well um okay there's um hardening recommendations um that will come from vendors and the dod this specific to DND um will review it verify it um and those are stigs so that's your security technical invitation guidance so um operating systems will have stigs and so as a special file format and all that gets put together as part of the um so fast so as complex as it seems it's actually more complex than what we're representing here yeah it is more parts to it um because that that's more of a really technical like I need to make sure your operating system has this configuration set to zero and they're gonna go there like your assessor is going to go in look over that steak checklist and then look at every single little bitty part 
that that when there's stuff like medical records or people's you know like you said they're insulin I believe it's like is on the line like like you can't take any risks no you really can um or it's a firing system like you you really don't want a miscalculation there yeah all right what's our step six all right this one is easy it's the authorization step and essentially that's when the AO reviews the details that came out of the assessment review and then he signs off for you to have an authority to operate so a human the authorizing official reviews what do they review exactly um so the as part of that assessment process the validator will create a report summarizing their findings so like hey of the 2000 um checks and stigs here we we found that you know there's um 50 open findings and here's how they are and here's um you know here's how we evaluate them whether these are oh these are low findings you know it's not that big of a deal just fix them you know in your appropriate time or hey these are high findings or these are moderate findings um and that will drive when you should fix them the time frame that you should fix them but essentially that's the the that um authorizing officials getting a report he's looking at it he's analyzing it um and he's making that yes I can sign off on the risk for this um there are instances depending upon the agency and how they do rules I know in the army if your system has a risk of high um you're authorizing official may not have the ability to sign it ah so it could be too high of a risk and then that would drive where the someone else has to sign off as the authorizing official or evaluate it and there's like a separate process for that um so step six is authorization authorizing official reviews the assessment report this assess controls ends in a report yep um and then if they're happy they issue the ATO yep they sign it report is made yep cool and then you said there's a step seven there's seven steps right yep step 
seven is Monitor it's like I have the ATM it is the top there I got a mod to make sure that my system stays within that risk level that I just looked at and assessed and everything else that makes sense and who who monitors it um probably like it's it's basically like a list of everyone I mean the authorizing official will launcher it um then there's other roles that we can kind of talk about like the people who get involved in this work um above the authorizing official um so the people who make the baselines for the system so let's say you're doing an update um your new vulnerabilities come out every day you're doing new scans that gets analyzed on a regular basis so it could be engineers and then a group of folks um who I guess are the unsung heroes in my opinion of this process are the information system security operators and the sorry officers and information system security managers and I would love to talk about them next excellence this is fun okay so we have the steps of our MF yes so I'm gonna um kind of make delineate space on the board to do that okay and we're going to talk about the unsung heroes we're going to sing there will be some by the time this is over yes because this is where VMware these are the people that you know the VMware really helps and helpful support from there so we're talking about Job titles now so what um I'm trying to help think about the heading I want for this section so we're talking about two different job titles you said right and and what and tell me a little bit about them to help me make a heading um I mean they're the ones that put all the body of evidence and the data and pull all this together so the the leaders of of RMF the RMF process or ATO accreditation yeah I mean that's a good um way to kind of articulate them I mean they're the they're the executors they're the ones in charge of making sure it happens um I know in the dod we get appointment orders so you're uh this role and you're essentially responsible for 
making sure all these steps are being executed and documenting all of these steps um and you can imagine with um how many controls it is yeah um it is very um intense work um so having a human document you know 2 000 responses to 2 000 questions oh my goodness some and getting it all straight in their head um with all all of that um it is definitely a lot but they are the ones responsible for ensuring all of this is put together and different organizations have different ways they do that some people use databases some people use spreadsheets um but it is it is a lot of work to keep straight in your head and most issos have multiple systems so it's that many controls times how many systems and just being able to pull all that data together so so tell me those two job titles again and what they do if that's okay so the information system security officer is really the one that's doing a lot of the big data entry and working with the you know the system owners to ensure that these requirements are put into the system that it's being assessed they coordinate the activities of those validators um they help write some of the policies and processes um and then the information system security manager will work out do you want me to capture some of those job duties here I I guess I want your input since we're running lower on space or should we just write their titles they just write their titles okay cool right now okay and then what's the next one please um information system security manager um they're pretty much the ones in charge of the iso so they'll have multiple issues that could be working for them um so they kind of coordinate at the more of a higher level they'll review those packages um that gets put to that body of evidence they make sure that it's consistent um they just coordinate support for those efforts um but all of these roles are get are part of the set of people that have to review all the data and say that it's good before you even get to the 
authorizing official got it cool um so let's talk a little bit about um one of one of the key points of um my role as a modern compliance architect is that we provide support to the issos and issms our job is really to make sure they have the data they need um based upon the categorization based upon the controls they have to implement based upon um that security guidance and making sure they have the day they need to understand how our products might impact um you know this their system and their risk so we provide um Harding guidance which we have documented in a um stake checklist file as well as other documentation yeah so your title is a modern compliance architect yes and and our modern compliance Architects external to the organizations they're supporting um yes we are VMware we're not part of the client's org okay is it is this job title you need to VMware I'm not sure I know I've never heard of it before I got to VMware right on okay and there's only four of us in the company right now um but yeah the I think what created the concept of modern compliance architect is um VMware was working with these various clients they were crazy solutions for them and then all of a sudden they had this blocker where they were like oh sorry I can't use it I didn't get the ATO oh okay and it was literally like how do we solve this problem and then the concept of the amount of compliance architecture is like we're that helper to make sure you go from hey I'm showing you these great products in VMware I'm showing you how to use it how can make your operations you know easier um you know meet your requirements but then you can't actually put it into your live system um and you know we want to ensure that our products are sticky we want to make sure that our products get used and if you don't ATO your products don't get used so you know we definitely spend a lot of time and investment with regards to making sure that our products are compliant that we are able to articulate 
you know what's what findings there are and putting all that data together for our clients so they can put together their ATO package that can then buy a validator that can then go to an AO and get signed off and actually used I mean that's really the key is getting it to where you can use the products in your operational environment and that makes that makes a ton of sense to me because um once you go through this process you don't have to do it again so it's not like you have the same group of people going through this process over and over again right or do you yeah you gotta keep doing that yeah okay is that part of well monitoring just make sure it stays yeah there's monitoring um so I mean there's two aspects of that so there's the regular process so most atos um can be up to three years you have to get a lower amount if your system is riskier so let's have a lot of risk in your system they can say I'm not going to give you a three year ATO I'm gonna give you um a year ATO because I want a year I want to come back and reassess again and make sure you actually fix the things that you said you were gonna fix yeah but essentially um the ideal what everyone's trying to move towards is the concept of a continuous ATO and Dot without guidance for the concept of that um it's you're always looking at the data you're always providing scans you're creating this process where you know part of the development team is looking at those vulnerabilities and fixing them you know you're not waiting for the isso or M to tell you hey I found something wrong with your system and being able to kind of look at that and always make that hey we're still good and therefore I don't need an ATO that expires in three years my ATO never expires as long as I follow a documented process and I know DOD is starting to move forward that the Navy and the Army Marine Corps they all have initiatives driving toward that um they're they're getting there awesome that makes a lot of sense so do you 
want to say more? I know what you said with your words; more specifically, what you do as a modern compliance architect. Right now I just have very general things, like "support ISSOs and ISSMs" and "helper through the RMF process." Do you want to be more specific about what that means exactly? Denee: Yes. So we go into this concept of, like, okay, here's this VMware product, here's how it works. We'll walk through either the security checks, and walk through those RMF controls and what's compliant and not compliant. We'll provide them that data, and then have those conversations with the ISSOs and ISSMs so they understand it. Because you've got to realize the ISSOs and ISSMs probably have a multitude of systems, and every technology is new. Having that set of people that can talk to them in their language, that can help interpret this product and its compliance levels and what that means to the overall risk and architecture of your system, that's really the whole purpose of the modern compliance architect. It's to help those unsung heroes that are pulling all this together. Whitney: To be clear, so you're taking a VMware product that's doing something that's not related to this process, and then you're talking about how that particular product does relate to this process? Is that correct? Or is there a particular VMware product that helps you get through the RMF process, and that's what you're teaching? Denee: Yeah, there is no product that really... Whitney: Okay. Denee: There are tons of people that help pull all of that together and work towards fixing products. So, to a certain extent, I mean, we do look at the controls for all of our products. We do look at how we're evaluated against each of those controls; there's teams of people that do that, and then say, "Hey, we haven't... we need to make sure we're doing this part. Okay, let's go back into the system," and it gets added to the backlog for our developers and they go in and fix things.
Whitney: Okay, great, that helps me understand. Cool. It sounds like a fun job. Is it fun? Do you have fun? Denee: To me, the funnest part of this is... I've been an ISSO and ISSM and I understand how painful it can be. It often can be siloed in a lot of organizations, because they say, "Oh, it's ATO work, this team does it," and they don't thoroughly involve everyone. So being that person that can come in and say, "Oh, here, I'm here to help. I'm here to help you understand this technology and how it's hardened and how the security works and how it's compliant and how it integrates with the rest of your systems." Because, I mean, if you have 10 systems and 2,000 controls each... Whitney: Oh my goodness, that's a lot. Denee: Yeah. So yeah, I'm definitely really happy that I get to sort of give back to that burnt-out person who just says, "Oh my gosh, now I know the new technology; I've documented 2,000 controls for what we have now; why are you throwing this new thing at me?" It can definitely be overwhelming to have that role. They're really hard workers. It's a lot of work to do, and especially if you're in a classified environment, all of this has to be on that system, so not everyone's room looks nice. Whitney: Yeah. Cool. What would you like to teach next? Denee: Well, that's really the RMF process. I mean, there's probably some points that we really didn't get to. So we can talk about one of the key things out of this process, which is, when you do your analysis, you do something called a POA&M, a Plan of Action and Milestones, and that's a set of actions that you have to do in order to fix vulnerabilities. So, like, "Hey, I'm going to assess this control, but this control is open." So let's say you didn't have a configuration management process. You would create a plan of action and milestone which would document all of the controls in your system... sorry, document all the open findings in your system. Whitney: I was like, you didn't say "Pam," but... I couldn't quite get
it. Denee: Plan of Action and Milestones. Whitney: Okay. So I'm a little behind since I didn't get the very beginning, so first let me write this down: "Plan." So will you define it for me again? Denee: Plan of Action and Milestones. Whitney: And like, what is it? Denee: Essentially, it's your list of security to-dos for your system. Whitney: Okay. Denee: Okay, I assessed this particular control, I looked at it, and for instance you don't have a configuration management plan, or you don't have the roles for configuration management allocated, like who are the decision makers, who approves changes, how changes are distributed. So that would create a vulnerability in your system, and you would then document that. And a good portion of what the ISSO and ISSM execute is like that list of, "Hey, here's..." They would talk to their leaders and explain what's open, and that way that leader can put resources against those POA&M items and actually go to fix it. Whitney: So this Plan of Action and Milestones, does it get generated as part of the "assess controls" step? Denee: Yeah, and it can also be created when you're applying the controls and you realize, "Oh, I can apply these, but I can't apply these yet," or "I'm not going to apply these until next quarter," based upon my resources. It's like when you do that sort of self-assessment of all your controls. It's where you just kind of like... it's your grade of how well you've done all the controls. Whitney: Okay. So I'm in a highly regulated industry and I want to incorporate a new piece of software, a beautiful piece of VMware software, into my system, but before I'm allowed to do that I need an authority to operate. Denee: Correct. Whitney: And so to get that authority to operate I have to go through all of these steps, which can be vast and deep and hard and long. And so as I go through these steps, first, say, "prepare." I understand the VMware system that's seeking the accreditation, and I'm sure as a modern
compliance architect you're helping a lot with that piece. And then you're categorizing the system and the data in the system. So you're understanding, okay, this new piece of software, this is how the data is flowing through, and these are the data types, and this is where each piece of data lives, like where it's stored, and you have a really deep understanding of that. And then you look at the CIA level to figure out how sensitive each piece of data is, and how to protect it, and so that's the CIA determination. And then you have controls, and those controls are specific; they seem like industry-standard ways for how to protect certain types of those. They seem to be generated, right? And who, or what, is generating those controls? Denee: So it follows NIST policies. It follows 800-53. And so once you have your CIA determination, that will drive which of those NIST policies apply. Whitney: Okay, wait, but who's generating it? Denee: The list of controls is set by policy. The whole RMF process came out of the Office of Management and Budget saying, "We need to protect our systems," and then allocated an agency, the NIST agency, to write how we should do it for all of our systems if you're federal or DoD. And so the NIST policies drive... or presidential directives too. Whitney: So when we say the controls are determined, they're determined by a governing body, like for the Department of Defense, or a generic set is made across the board, and then your CIA level will determine which ones apply? Denee: Okay, so it's more of like, oh, my CIA is high-moderate-moderate, so here, this control... Someone, if they were doing it manually, would look through this 800-53 and then say, "Oh, this one applies, this one applies, this one doesn't apply, this one applies." And then there's also overlays, and that would also drive which ones apply. But yes, someone's looking through those policies and saying, "This is
the full list I need to implement." Whitney: Cool. And so that's how you determine what controls are needed, and you might remove some from the list that gets generated, and then you need to do the engineering work, or the training work, of applying the controls, and then document how they were applied. Denee: Yep. Whitney: And maybe during that step your Plan of Action and Milestones will get created, of security to-dos in your system. Denee: Yeah, you're always going to have a POA&M. It's always going to be kind of like a running thing. You're going to have new things that are open, new things that are closed. It's going to be a living document. I mean, most of your policies and controls should be a living document; you should always be updating them with regards to what your system baseline looks like. Whitney: Okay. Denee: I can add an extra little wrench in here too. Whitney: Oh, great. Denee: So in addition to that, some things may not be truly control-dependent. Let's say you have your system out and about. You can have a specific threat or vulnerability that gets levied against your system. That wouldn't necessarily be a control; that would just be an active threat. Those are your plan of action and milestones as well, and so that's the place to track, "Hey, this is my system, I saw this thing happen in the field, I now figure out how to fix it and prevent it," and then eventually close it out. So it could be something as "Hey, I need to upgrade to the new version so that this vulnerability is not there anymore," or it could be something else. But yeah, your POA&M is your living document of "Hey, this is what's open on my system," and my actual list of things to do. Whitney: Cool. It makes me think of a punch list, like for construction: here are all the construction things that still need to be done. So this is a living document. It might be especially related to steps four or five. Denee: Yeah. Whitney: Once the controls are applied, the engineering work's done, it's documented,
then they're assessed by an independent body and a report is made, and then that report is given to the authorizing official, and that person, if they like it, they're happy, they issue the ATO, the authority to operate. So then presumably maybe there's technically a step six and a half where the software gets installed and used, right? Denee: Yeah, once you have your ATO, then you can actually put it on the live network and operate it. Yes. Whitney: Yeah, and then step seven is monitor, once it's live, to make sure it's staying compliant. Denee: Yeah, and there's some nuances in there. Like, once you get that report from the validator, the ISSO and ISSM take that report, they'll update their listing of the controls and its statuses. The assessor could find new findings that you didn't implement, that you didn't know about; that would also get updated in the POA&M. So there's definitely a lot of documentation of what's going on in the system before the AO finally signs off on it, between a validator giving you a report and the AO actually being able to sign off on it. And depending upon the agencies, they might have other folks look at it and review it before it gets to the AO. So, like, the validator team could look at it. There's also security control assessor organizations that might also look at it, and then the AO will eventually sign off on it. Whitney: Yeah, that makes sense. Ready to go. Denee: And it could be like a month or so before it actually gets signed by the AO for you to actually use. Whitney: From start to finish, what's normal? Like, start to software gets installed, what is it, a year? Denee: A year. Whitney: A year, okay. Denee: Could be six months. So it makes sense. I mean, there are definitely some ways to sort of help get this done faster if you're a mature enough organization. Let's say you know that you're always going to have, like, a high-moderate-moderate set of controls, right? And since some of the controls are very policy-based and how my
organization does things, you could make a set of common controls and all of that work already. So if you do configuration management consistently across the board, well, an ATO could leverage that same process. I don't have to figure out how to do that; it's just a matter of documenting it from one ATO to the other. There's some concept of actually creating like a common control provider ATO. So, like, everything I do common, I can create a common ATO, a common control provider ATO, and then all of my other ATOs can inherit those controls, and therefore the ATO process is really going to be focusing on the actual technical portions of it, as opposed to like the whole 2,000; maybe you're really looking at half. So we could talk about the concept of inheritance a little bit. So you could have multiple ATOs that have relationships between one another, where some of the risk or some of the controls are being satisfied in one ATO and the other ATO would point to it. You have instances where both ATOs have the same AO, or you're going to have instances where the AOs are completely different. It really all depends upon your system, which controls you're inheriting, and how those relationships kind of pan out. Whitney: So this is interesting. I would like to capture this better. So first you were just saying there could be a common control provider ATO, and more complex ATOs can inherit those ATOs. Maybe I should say "those ATOs." And then you went on to say more about relationships between ATOs. Denee: Yeah, so essentially the common control provider sets what the answers for those controls are, and then you would have a separate ATO that maybe just has the VMware products, and then they would inherit from that common control provider ATO. Whitney: Cool. So they'd be two separate ATOs, but there'd be a relationship between them. Is this accurate, what I've written? "Common control provider ATO; more complex ATOs can
inherit those common control ATOs." Denee: Yeah, that's exactly what's happening. Now, it doesn't even have to just be a common control provider, right? So let's say, for instance, you have an organization that's in charge of the network, and part of that network's components is your Active Directory, like that system that gives you access control and talks about users and roles of people using your system. If your system is only an application in your separate org, well, you'll get an ATO for your system, but because your system is going to operate on that network, you would inherit controls from that other ATO, and it would be specifically the access control controls. Whitney: Right, okay. Denee: So that's another good example of this concept of inheritance. Another example of it, another terminology they use for it, is like the shared responsibility model. Clouds have their authorizations, right? So there are controls that talk about physical controls, so physical-in-your-environment controls. So there are controls that talk about making sure heating and cooling and fire suppression is there. But if you have your system and it's in the cloud, well, you're not touching any of that, so you inherit from the provider. That's another interesting example of inheritance and how you would use it, and how it all kind of comes together. Whitney: Inheritance. So what's interesting to me about that last example is that you're talking about inheriting an ATO from an entirely separate organization. Denee: Yeah, and in the cloud instance that's definitely normal, and even in other instances that's completely normal, because of how the programs are split up, honestly, into how they all operate and work together. So, like, you can have an organization that's in charge of the network and the firewalls and monitoring of the network, but then you have another
organization that's in charge of the radios that might touch that network, or the applications that would be in the computers and the server infrastructure that would be on the network, and those could all be separate orgs. And so you'd definitely be inheriting different controls, especially like access control and anything related to the network, firewall rules, which are security protection mechanisms. All those would kind of all come together via inheritance relationships, because if your system is not doing that thing, how is it getting those protections? Whitney: Why would my organization trust an ATO that was issued by some authorizing official that I don't know? Denee: That's a good question. Ideally, the whole process is regulated so that you should. But yeah, that's a hard question to ask. So, like, there's definitely... ideally you should, because that's how you're operating. Whitney: Is there some sort of governing body that gives authority to the authorizing official that people agree on? Who gives the authorizing official authority? Denee: There is a designation process. I don't recall off the top of my head who the official is who gives them that appointment, but essentially everyone's kind of given that appointment. So everyone is designated to have that responsibility, and the process is set up that you're supposed to do that and you're supposed to trust everyone's ATOs. If you're in the Army, like the whole security control assessor, all of your ATOs are being assessed the same way. Again, that's how the Army does it; I don't know how other services do it. I'm still learning to deal with other services, which is also a fun part of being an MCA. Whitney: Yeah. Oh, learning all the time. Denee: Oh yeah, and everyone does this process slightly differently. Whitney: Uh-huh. Denee: So it's like, okay, these people use this database, and these other organizations use this database, and
these organizations have these steps in their process before it can get to the AO, and these people allow the validators to be part of the organization, and for these organizations the validator is a separate command. So it's all a mix of who does what, how. But what kind of clusters them together is that the steps in the RMF process are all the same; the controls that are covered and defined by NIST are all the same. But NIST, in their ingenuity, like, they said, "Here are the basic steps, but you have flexibility in how you choose to implement them." Whitney: That's wise. Will you tell me NIST, like that acronym, and those words and what that is? Denee: So NIST is the National Institute of Standards and Technology. And that was one I had to remind us to remember what the acronym was. Whitney: Institute... I-N-S-T-I-T-U-T-E. Do you have thoughts on what you want to do with the space? Okay, writing this here. Denee: I mean, okay, I think of the whole RMF process this is a good bulk of it, like it's the steps, some of these nuances, some of these key other points. It's a little bit of everything. Whitney: National Institute of Systems and Technology. Denee: Standards and Technology. Whitney: Standards and Technology. Denee: Yeah, I mean, they do a lot of the risk management framework standards, but I know they do a bunch of others as well. Whitney: Standards and Technology. Okay. And then the acronym is N-I-S-T. Denee: Yeah. Whitney: And tell me about NIST, please. I'd like to write a definition. Denee: Well, they are an organization that essentially puts out standards. They write all the policies for RMF; they do a lot of other policies as well. But pretty much the Office of Management and Budget, they were the ones that were assigned the role of figuring out all of these processes, and then they charged that to NIST, and NIST is pretty much that governing org of what the policies should be. And there are tons of policies that are allocated, that from like all these steps
each have their own policy that NIST puts together, and a standard of how to execute each one. So there's a policy for how you do categorization; there's various policies for controls. Even each control can have additional policies. There's policies on how to do configuration management, and then there's specialized policies for how you secure different portions of the systems. So they are literally the folks that write everything that we're expected to follow. Whitney: Cool. How to do each NIST step, and how to secure what? Denee: How to secure your system. Whitney: Oh, and do they do the controls? They create the controls? Denee: They write the controls. They write what those controls are and the definitions of them, 800-53. And then the categorization would be 800-60, I believe. Whitney: Thank you. Denee: Yep. Whitney: Cool, awesome. Is there anything you'd like to say to fill up this last little bit of space? Denee: I'm trying to think what we missed. Let's just talk about common misconceptions. One: a lot of people think this is just a paperwork drill. It's really not. It really should be integrated into your development process. You should have everyone involved. It is a long process, but you have to get everyone sort of included. Another misconception is that it's just the ISSO and ISSM's job to do this. I often will sit in meetings, or I have in the past, where it's like, hey, let's talk about, let's say, program management, right? I mean, the ISSO or ISSM, they're not the program managers; that's someone else. Planning, the incident response, some logistics of how you utilize and fix your system, a lot of that is just... it's not just the cyber folks' job to do. Whitney: That makes a lot of sense. Yeah, and for the folks that just think that it's just a paper drill, I just think those are just the engineers who don't want to document what they're doing. Denee: Yes, yes. Whitney: Yeah, which is a lot of them, I believe, but
yeah. Denee: But you need... Whitney: The fun part. Denee: Yeah, that's not the fun part, but you need to understand your system and your risk and what you need to fix. I mean, if you don't have a place to start from, how do you know what improvement looks like? Whitney: Absolutely, absolutely. Any other common misconceptions? Denee: That your cyber people are going to be the ones that fix everything, and that if something's broken in your ATO it's really their fault, as opposed to ensuring that everyone has buy-in to owning the problems and fixing the problems. It's not just security's job to fix problems. Whitney: Yeah. Denee: And they often get, like, hey, their fingers get pointed at; like, they're the people who tell us no. I mean, it tells you how to get to yes. Like, here's how, here are the rules, here's how you leverage them, here's how you use them, here's how you ensure your system is designed well. Bring your cyber people in early, like bring them into the development process, so that that point of view is brought in. Because if you're bringing them in after the system is designed, the ability to get any security in is almost impossible. Whitney: Cool. I just think anytime people are pointing fingers at each other... it's so much better when everyone feels like a team and a community. Denee: Yes, it definitely is. I completely agree. Whitney: Do you have any more common misconceptions you want to add? Denee: Nothing I can think of. I think that's a good thing. Whitney: So, this has been really, really fun and so fascinating, and I learned so much. The way we're going to close this out is I'm just going to walk back through everything and do a recap of everything you've taught me and us today. Does that sound good to you? Are we ready for the recap? Denee: That sounds great. Whitney: Okay, let's do it. So authority to operate, ATO, is an approval by an authorizing official to use a system in that authorizing official's live network. And so you talked about the authorizing official being a government lead who's
willing to accept the risk. And then what I maybe didn't understand right when I wrote this definition down, that I understand now an hour later, is that the system that's being used in the live network is likely to be a piece of software that's going to come into the network, and so we need an authority to operate this piece of software in the network. Is that accurate? Denee: It could be software, it could be hardware, it could be anything. Like, it could be a network. Whitney: Okay, all right. So it's not just a piece of software. Okay. So authority to operate literally anything new that you're bringing into your system at all, you need to go through this process, which makes a lot of sense. So this process is called risk management framework. So this is a process to ensure that your system has CIA, which we used that acronym a lot: confidentiality, which ensures only the right set of people have access to the system; integrity ensures that the data is not tampered with; and availability, that the system is available whenever it's needed. So to get this authority to operate you have to comply with the risk management framework, and to comply with the risk management framework you have to go through these seven steps that we talked through. And before I get to the steps, I'll say the people in an organization who are the leaders of getting ATO approval for any new thing that needs to be added to the system, these people are Information System Security Officers and Information System Security Managers. So those are the job titles of the people within an org that do it. And then we have a modern compliance architect, such as yourself, and you come in from VMware and you support these two job titles as they go through this RMF process, which is pretty complex. So to go through the process, the first thing you need to do is prepare, by understanding the system that's seeking the ATO accreditation. So
in our case it would be a piece of VMware software, but like you said it could be a server or network or... Denee: Yeah, hardware, whatever. Whitney: Yeah. It's like a cooking show where you put all of your ingredients out to make everything you need before you start cooking. And then step two is categorization, so now especially the categorization of data. So you're looking at all of the data in your system: how is it being moved around, where is it being stored, and for each data type you're determining the CIA level, and then using that CIA level will help you determine how you protect each data type. So that's the CIA determination. And so once you've made that CIA determination for each data type, then you need to select the controls that are needed for each data type. So you take that CIA determination and the data type, and the National Institute of Standards and Technology will tell you, based on that information, what kind of controls you should be implementing for that data type. Now, not every little thing that they output is something your system might need, so you can weed out some of those that aren't relevant for you, but anything that's relevant you do need to implement. And so examples of controls would be like access controls, or maybe monitoring, or perhaps configuration management. So now you've determined what controls you need, so now you need to apply them, and that's most often going to be engineering work to apply it, but it could also be people training to apply it. So you need to apply those controls, and then you need to document how they're applied, how they're implemented, and also maybe what you might need to do to maintain the control to keep it happy so it doesn't fall out of compliance later. So once that step four is done, then you need to assess the controls, and that's usually done by a completely independent body. So some orgs, you said, have a governing body
like within the org that will come do it, or some orgs use, like, a completely external human to come in and assess the controls, and at the end... Denee: Or team. Whitney: Okay, great. You heard my hesitation before I said "human." Yeah, a team makes sense. So then the output of that step is that there's a report that's made after the assessment, and so that report then gets given to the authorizing official, and the ATO definition... and that authorizing official will review the report, and they can ask for changes at this step too, and then once that report meets their satisfaction, they sign off on it and they issue the authority to operate. And at that point, whatever it is, they'll say VMware software, gets installed, but whatever it is, now it's operating; the "operate" part can happen. And then once it's operating, then step seven is to monitor it and make sure the system stays compliant, and you'll have to go through this ATO process on a regular basis to make sure whatever it is in your system stays compliant. And you said there's a move toward taking steps to make sure it's always in compliance, instead of it being a manual process each time, which is cool. Denee: Yeah, continuous authorization process. Whitney: Yeah. And then we talked about a Plan of Action and Milestones, called a POA&M. It's like a poem, but it's POA&M, and it's a list of security to-dos, written in limericks, no kidding, for your system. So it's a living document, it's always a running thing, and it's particularly pertinent to steps four and five, when you're applying the controls and assessing the controls. So now, an ATO, authority to operate: one piece of one system that needs to get integrated into the larger system might be governed by lots of different ATOs; it might not just be one big ATO. And so we talked about ATO inheritance. So you might have a common control provider ATO, where, I like to hear, like an Active Directory might
have an ATO, and then that Active Directory might get used in a lot of different pieces of software, so all the software that uses that Active Directory can then use that Active Directory ATO, so they don't have to redo it over and over again, which is great. So basically more complex ATOs can inherit the common control ATOs. Denee: Yes. Whitney: And then what was interesting to me too is that you can inherit an ATO from an entirely separate organization, and you used cloud computing as an example of that. Your cloud provider will have ATOs that you can then lean on when you're getting permission to integrate whatever you need to into your system. And part of what makes that trust, for why you would trust someone else's ATOs, is that everyone's following these National Institute of Standards and Technology rules, and so this acronym is NIST, these NIST rules, and this is an organization that puts out the RMF processes and standards. So they have policies for how to do every step, they have policies for how to secure your system, they're the ones who output the controls and tell you what controls... those are standardized across organizations, what the controls will be. So NIST is really at the core of how all of this works; everybody is trusting NIST and complying with NIST. And finally, we talked about some common misconceptions. So this is not just a paperwork drill. This is a very important thing. We used an example of people's medical lives are at stake, like someone's insulin, how much they need to take, if that's the kind of records that are being stored here, and there can't be any miscalculation or any mishandling or any vulnerability, or very bad things can happen. So it's not just a paperwork drill; it's really important. And even though these two job titles, ISSOs and ISSMs, even though they're the ones in charge, it's not just their job, it's not just their problem to get all of this done. Like, they're going to need to be able to ask stuff from other teams within
the organization, and the teams should be happy to help and be willing to pitch in to do their part. So it's a team effort. And then it's also, when there are problems that are security related, it's not just security's job to answer those problems; like, again, everyone should be helping out as much as they can. And it's a really good idea to bring in security at the beginning, so that they can guide you as it goes and you don't go too deep in the wrong direction security-wise. And I think that's everything. Is there anything you'd like to add? Denee: There is one other common misconception that is like a, I don't know, pet peeve of mine. Sometimes people misinterpret categorization with classification, and they're not the same things. Whitney: Okay. Denee: So classification could also drive additional rules and regulations. Like in the example we gave before about medical, you can have a high confidentiality for medical information, but that doesn't make it secret. Whitney: Okay. Denee: So having a high-high system doesn't mean you have a classified system. It just means that's how you have to protect the information. There are separate rules and regulations with regards to how you deal with classified information and systems, all in the RMF process. So it's just different security controls that get added to your system, but they're different. Whitney: That makes a lot of sense. Categorization is not equal to classification. Denee: Yes. Whitney: Yeah, that makes a ton of sense. Excellent. I think this is the end. Thank you so much to everyone who shared your time with us, and thank you so much for teaching me today and teaching us today. This has been wonderful. I appreciate you. Denee: Thank you. I appreciate you in this process, and these are really cool.