Hi everybody, this is Denise Web. Today I'm coming to you to talk about system and common control authorizations according to NIST 800-37, which is the NIST Risk Management Framework. What we're going to cover today will be the types of authorizations, the authorization package, the types of authorization decisions, the information that's included with an authorization decision, and special authorization types. Then in a second video (because I'm going to split this up, because it's really long) we'll go into ongoing authorization and reauthorizations, and things that can trigger a reauthorization after an authorization is granted.

So again, this comes from NIST Special Publication 800-37 Revision 2, which is in draft form and is slated to be released in final in November of 2018. They've added a Prepare step, but for today's purposes we're looking at the Authorize step. This happens after you've implemented your controls and assessed them, and now the system is ready to be authorized by the authorizing official. I had that outlined in red, the Authorize step, so that's what we'll be talking about today.

Before I get into it, there are five core documents for federal risk management, and all federal organizations use these documents or are moving to using these documents if they haven't done so already. So if you're looking at doing risk management for the federal government, or for organizations that are required to implement the Risk Management Framework because they're working on government projects, then you'll want to be familiar with these documents. 800-39 is the highest-level document; it talks about managing information security risk at the three levels of the organization. 800-30 is for risk assessments. 800-37 is the Risk Management Framework, which is what today's presentation is coming from. 800-53 is a catalog of security controls for you to implement, and 800-53A is guidance for assessing those security controls once you have had them
implemented. So that's just FYI, a set of core documents that you might want to familiarize yourself with.

So let's get into the meat of what we're doing today. We're talking about system and common control authorizations. System and common control authorization, again, occurs as part of the Risk Management Framework Authorize step. Authorization is the process by which a senior official, called the authorizing official, reviews the security- and privacy-related information that describes the current security and privacy posture of an information system, or of a set of common controls that are going to be inherited by systems within your organization. The privacy part is a new addition in 800-37 Rev. 2; if you're looking at an older version of 800-37 you won't see the emphasis on privacy. This has been part of the revision of that document. The authorizing official uses that information to determine if the business risk of operating a system, or of providing common controls, is acceptable, and if that business risk is acceptable, then the authorizing official explicitly accepts the risk. Security- and privacy-related information is presented to the authorizing official in an authorization package, which may consist of a report from an automated security management and reporting tool. If you look at NIST 800-37 it will talk more about automation and reporting tools.

There are three types of system or common control authorizations: there's the initial authorization, ongoing authorization, and reauthorization, and we'll talk about each of those in turn. The initial authorization is the first start-up risk determination and risk acceptance decision, and it is based on a complete zero-based review of a system or of some common controls. The initial authorization includes an assessment of all the implemented system-level controls, including any hybrid controls, and a review of the security status of the inherited common controls as specified in your security and privacy plans. You know, what are your security and
privacy requirements, are they met in the system, and as the system is implemented? The review of the common controls includes an assessment of all applicable controls that contribute to the provision of a common control or a set of common controls. So you're looking at everything: you're looking at policies and procedures, you're not just looking at, you know, bolts and screws, you're looking at documents as well. Do we have a security policy? Do we have operating procedures? So forth and so on. Okay, the zero-based review that comes with an initial authorization doesn't require a zero-based review of the common controls that are available for inheritance by the system. Say, for example, you are inheriting personnel security as a set of common controls. Somebody else is in charge of handling all that, but you're inheriting it as part of your system. You don't have to start from scratch evaluating those controls; those common controls will be authorized under a separate authorization process, with a separate authorizing official accepting the risk associated with providing those common controls. The review of the security and privacy plans containing common controls is necessary to understand the current state of the controls that you're inheriting, so you can factor this information into your risk-based decision that's associated with authorizing the system that's inheriting those controls. I know that sounds like a lot, but stay with me and it'll become clear.

The next type of authorization is ongoing authorization. Ongoing authorization is the follow-on risk determinations and risk acceptance decisions taken at agreed-upon and documented frequencies after the initial authorization happens, and this is in keeping with your business requirements and your organization's risk tolerance. Ongoing authorization is either time-driven or event-driven, where the AO, which is the authorizing official, is provided with the necessary and sufficient information about the security
and privacy posture of the system to determine whether the continued use of that system poses an acceptable risk to the organization. The ongoing authorization is fundamentally related to the ongoing understanding and acceptance of security and privacy risk, and it depends on having a robust continuous monitoring program, which is something that we will discuss much later.

The third type of authorization is called a reauthorization. Reauthorization is the static, single point-in-time risk determination and risk acceptance decision that occurs after you initially authorized the system. In general, reauthorization actions are time-driven or event-driven; however, if you're using ongoing authorization then reauthorization is mostly going to be an event-driven action, in response to some event that results in your security and privacy risk escalating above the level of risk that was previously accepted by the authorizing official. So if you're doing ongoing authorization and you have an event that happens, immediately a reauthorization is triggered so that you can go ahead and manage that escalated level of risk. Reauthorization consists of a review of the system or the common controls similar to the review that's carried out during the initial authorization. These reauthorizations are initiated by the authorizing official, or directed by the senior official who's accountable for risk management, or by what NIST calls the risk executive function. The reauthorization is different from the initial authorization because the AO can choose to initiate a complete ground-up review of the system or the common controls, or the AO can choose to initiate a review based on the type of event that happened to trigger the reauthorization. Reauthorization is a separate activity from the ongoing authorization process, because if you're doing automated monitoring of your system and continuous monitoring, you're looking at the security and privacy posture of that system
on an ongoing basis, all the time. Reauthorization then happens if there's some event that escalates that security or privacy risk, and you're not going to stop your ongoing authorizations while you undertake a reauthorization action, so those two are separate activities. Security- and privacy-related information generated from the continuous monitoring program can be used to support your reauthorization. Reauthorization actions might make it necessary for you to change or review the organization's information security and privacy continuous monitoring strategies, and this in turn could affect your ongoing authorization.

So what we've talked about so far is the types of authorizations. Next up we're going to go into what's included in an authorization package. So the authorization package provides a record of the results of the control assessments, and it provides the authorizing official with the information that's needed to make a risk-based decision about whether to authorize the operation of a system or the provision of common controls. Authorization packages for common controls that are not system-based may not include a security or privacy plan, but they do include a record of common control implementation details. The system owner or the common control provider has the responsibility for developing, compiling, and submitting the authorization package. So the system owner or the common control provider develops, compiles, and submits the authorization package, and this includes information from reports that are generated by your automated systems as well. Sources of data that go in the authorization package: there are many. The system owner or common control provider receives input from many sources while preparing the authorization package, and this could include input from the senior agency information security officer (so that's the chief person in charge of security), your senior agency official for privacy (so that's your chief privacy officer), a senior accountable official for
risk management or the risk executive function, control assessors (those people who come in to assess your controls, whether they've been implemented properly and are operating as intended and meeting the requirements laid out in your security or privacy plan; so your control assessors provide information), your system security or privacy officer is also involved, and the continuous monitoring program is also a source for data that goes into the authorization package.

Okay, the contents of an authorization package (that's a tongue-twister) include the following: an executive summary, security and privacy plans, security and privacy assessment reports, and your plans of action and milestones. The authorizing official will also make a determination as to whether additional supporting information or references will need to be included in the authorization package, but at a minimum you will need to include an executive summary; security and privacy plans (those are covered in NIST 800-18 for security plans; privacy plan information will be included in a revision of 800-37, is what I've been told); security and privacy assessment reports have to be included, and those are covered in NIST 800-53A; and plans of action and milestones. We'll talk about each of these in turn.

First up, the executive summary. The executive summary gives you a consolidated view of the security- and privacy-related information in the authorization package. It helps to identify and highlight risk management issues that are associated with protecting the systems and the environment in which the systems operate. The executive summary provides the necessary and sufficient information needed by the authorizing official to understand the security and privacy risks to the organization's operations, assets, individuals, other organizations, and the nation, and to use that information to make informed risk-based decisions about the operation and use of the system or the provision of common controls that can be
inherited by systems.

Then you have your security and privacy plans. Your security and privacy plans provide an overview of the security and privacy requirements. They describe the controls that you've put in place, or plan to put in place, for meeting those requirements, and they give you sufficient information to understand the intended or the actual implementation of all the controls that are implemented within the system. So that's where your implementation details come in; that's where they're stored, in the security and privacy plans. Security and privacy plans indicate the controls that are implemented via inherited common controls, and the privacy plans specifically describe the methods and metrics that will be used to assess the privacy controls. So that's your security and privacy plans. So you have your executive summary, your security and privacy plans, and then you have supporting appendices or references that are attached to your security and privacy plans, because a lot goes into those documents. Your security plan will have a lot of detail, and so you'll probably attach as references your privacy impact assessment, any interconnection security agreements, your security and privacy configurations, the contingency plan, the configuration management plan, the incident response plan, and your system-level continuous monitoring strategy. So that's a lot of work that has to happen before a system is authorized. Updates to the security and privacy plans are event-driven: your plans are updated whenever events dictate that the controls change, whether it's the implemented controls (controls that are directly implemented in the system) or controls that are inherited by the system. Any time those security or privacy controls change, then the related plan has to be updated.

Next up in your authorization package you will have security and privacy assessment reports. You'll have a security assessment report and a privacy assessment report, and those
will be prepared by the control assessor, whoever that is that's assessing the implementation of your controls, or it could be generated by an automated security and privacy management tool. The security and privacy assessment reports give you the findings and the results of assessing the implementation of the security and privacy controls that were identified in the security and privacy plans. The assessment reports determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the specified security and privacy requirements. So the assessor is looking at each control: has it been implemented, has it been done correctly, is it operating as intended, and is it meeting the requirements that were stated in the security and privacy plans? Security and privacy assessment reports may also contain recommended corrective actions if any deficiencies have been identified in the security and privacy controls. The security and privacy assessment reports have an executive summary attached to them as well, and this executive summary gives the authorizing official an abbreviated version of the security and privacy assessment reports, focusing on highlights of the assessment, a synopsis of the findings, and recommendations for addressing deficiencies in the security and privacy controls. For updates: the security and privacy assessment reports support near real-time risk management. The objective of the authorization process is near real-time risk management, and so those assessment reports support that. They're updated on an ongoing basis whenever changes are made to the security and privacy controls within or inherited by the system. So any time those controls change, you need to update your security and/or privacy assessment reports. The updates help to ensure that the system owners, the common control providers, and the authorizing officials maintain awareness of control
effectiveness, because you can in fact have controls implemented and not have them implemented correctly, or not have them performing in the way that you thought they would, maybe because they're misconfigured or maybe because they're not appropriate for what it is that you're trying to do. But either way, you want ongoing awareness of the control effectiveness, and you get that by updating your security and privacy assessment reports. The effectiveness of the security and privacy controls will directly affect the security and privacy posture of the system, which will directly affect the risk-based decisions that are being made about whether to accept the risk of authorizing those systems.

Finally, in your authorization package you will need what's called a plan of action and milestones, also known as a POA&M. If the system and environments of operation have more vulnerabilities than available resources can realistically address, organizations develop and implement POA&Ms that facilitate a prioritized approach to risk management that is consistent across the organization. What does that mean? What that means is, when your money does not meet your wish list, you have to prioritize what's going to happen first. Okay, so you have some controls that need to be implemented, you don't have enough money to do everything (and I think all of us will find ourselves in that position), then you have to make some prioritized decisions about what we are going to do first: what do we do immediately, what will we do next year, what will we do the year after? You have to phase it in, and that's documented in your plan of action and milestones. The POA&M is prepared by the system owner or the common control provider, and it describes specific measures that are planned to correct deficiencies identified in the security and privacy controls during the assessment. The POA&M describes specific measures planned to address known vulnerabilities or privacy risk in the system
as well. The plan of action and milestones is based on the security categorization of the system and the privacy risk assessment, the specific deficiencies that are in the controls, the criticality of the control deficiencies (meaning, you know, how much will we be hurt if we don't install this control and something happens; what is the impact?), the risk mitigation approach of the organization to address the identified deficiencies (that will impact your POA&M), and the rationale for accepting certain deficiencies in the controls. Because when you're doing a POA&M you're basically saying, we know we need this, we're not implementing it now, and here's why. And so you want to be able to demonstrate that you are very much aware of what is required, and that to the best of your ability and budget, in conjunction with meeting any compliance requirements that you have, you've implemented this set of controls, you've got this set of controls coming, and you accept the risk of operating that system. Okay, I'm gonna stop at that.

Okay, the content and structure of a POA&M are informed by the risk management strategy that your high-level officials develop, specifically the risk executive function, whatever that looks like in your organization. The content and structure of the POA&Ms are consistent with the POA&M process established by the organization, which will include any specific requirements that are defined in federal laws, executive orders, policies, directives, or standards. Remember, NIST 800-37 is targeted toward federal organizations, but the non-federal world is using it as well, so you'll hear a lot of talk about federal this and that. If it doesn't apply to you, just let it go over your head, but I have to include it in this training. Implementation information about mitigation actions from the POA&M is documented in the system security plan; again, all of your implementation information is going in your system security plan. Organizational strategies for POA&Ms are going to be guided and informed by
the categorization of the systems that are affected by your risk mitigation activities. Let me give you an example. Your organization may decide to allocate your risk mitigation resources (your money) initially to the highest-impact systems or high-value assets, because failure to correct the known deficiencies in those systems or assets could potentially have the most significant adverse effects on the mission or business functions. So you're going to protect the high-impact systems and the high-value assets first; that makes sense. Organizations prioritize deficiencies using information from risk assessments and the risk mitigation strategy developed as part of the risk executive function, and all of that (the risk assessment, the risk mitigation strategy, all of that development) happens in what's being called the Prepare step, which is another video. So a high-impact system would have a prioritized set of deficiencies for that system, and similarly a moderate-impact and a low-impact system.

All right, here's where we are: we've looked at the authorization package. Next up I want to talk about the four types of authorization decisions: authorization to operate, common control authorization, authorization to use, and denial of authorization. So again, authorization decisions are based on the content of the authorization package, and you have four types of possible authorization decisions that can be rendered by the authorizing official.

First up, authorization to operate. For the authorization to operate, the AO reviews the authorization package and determines that the risk is acceptable, that the risk of operating that system or providing those common controls is acceptable. Right at that point the AO issues what's called an authorization to operate for the information system. Under the ATO, the authorization to operate, the system is authorized to operate for a specified period, in keeping with the terms and
conditions set by the authorizing official. The ATO includes an authorization termination date established by the AO as a condition of the authorization. The AO can adjust the authorization termination date at any time to reflect an increased level of concern about the security and privacy posture of the system. So basically the authorizing official can give a no-go decision at any point in time, even after issuing the authorization. So here's an example of an authorization to operate: the AO may authorize the system to operate only for a short time, just to test the system in an operational environment before all the security and privacy controls are fully in place. So if the system is ready to be tested (and this is a system under development), if it's ready to be tested in the live environment, then many of the controls should already be in place, and the AO will consider results from the assessment of the controls that are fully or partially implemented. In that case, the ATO is strictly limited to just the time needed to complete the testing objectives. So you've got a system under development; it's not ready to go online, but now you need to test it in a live environment. You can't just spin it up and test it; you actually have to get an authorization to operate. The AO may choose to include some operating restrictions in that case. Restrictions could include limiting the number of users who can access the system, restricting the time periods in which you can operate this system live, employing enhanced or increased audit logging, scanning, or monitoring requirements, or restricting the functionality that you can actually test live, requiring that you only test what is needed, you only run what is needed for the objectives of the testing. Got it?

The next type of authorization, after your authorization to operate, is what's called a common control authorization. The common control authorization is similar to an ATO for your systems. So again, after looking at the
authorization package submitted by the common control provider, the AO determines if the risk is acceptable and then issues a common control authorization. If the risk is acceptable, the common controls are authorized for a specific time period, in keeping with the terms and conditions set by the AO and the organization, and an authorization termination date is established by the AO as a condition of the initial common control authorization. The authorization termination date can be adjusted at any time, again to reflect the level of concern that the AO has regarding the security and privacy posture of the common controls that are now available to be inherited by systems within the organization. If the controls are under ongoing authorization, then a time-driven authorization frequency is specified within any authorization type, including the common control authorization, and any adverse event could trigger a need to review the common control authorization.

All right, when you're looking at common controls, you have responsibilities for the common control provider. The common control provider is responsible for indicating that the common controls selected by the organization have been implemented, assessed, and authorized, and that they are available for inheritance by the organizational systems. The common control provider also ensures that the system owners who use those common controls will have access to appropriate documentation and any tools that are needed. All right, sometimes you have controls that you inherit from other organizational systems that may not be officially designated as, quote-unquote, common controls. System owners inheriting controls from other than approved common control providers must ensure that the system that's providing those controls has a valid authorization to operate. So you can't just inherit controls and say, oh yeah, we're getting that from system A, without also knowing that system A has a valid authorization to operate. The AO of the system
inheriting the controls is also made aware of the inheritance.

Okay, the next type of authorization is the authorization to use. An authorization to use applies to cloud and shared system services and applications. So when you're looking at moving stuff to the cloud and using shared systems, services, or applications, you're not looking at issuing an authorization to operate; you need an authorization to use. This is employed when an organization, called the consumer organization, chooses to accept the information in an existing authorization package generated by a whole other organization, called the provider organization. It's issued by a designated AO from the customer organization in lieu of an authorization to operate. An authorization to use is going to be based on a need by the customer organization to use some shared information technology resources, like cloud services of some kind. The ATU provides opportunities for significant cost savings and avoids a potentially costly and time-consuming authorization process by the customer organization. So this organization is providing cloud services; this is great, but how do we authorize their system? How do we know that it is safe to use their systems? Will they give us an authorization package? We take that authorization package, we look at it, and we match it against our security requirements, and the AO will issue an authorization to use if he or she deems that the risk is acceptable based on what's in the authorization package provided by the cloud organization. A customer organization can issue an authorization to use only after a valid authorization to operate has been issued by the provider organization. That's what I just said: they have to give us an authorization to operate that they generated in-house, so that we can evaluate it and determine whether we can authorize the use of their systems. The provider organization's ATO is a statement of the acceptance of risk for the system, service,
or application being provided. The customer organization's (that's ours, as buyers of cloud services) ATU, authorization to use, is a statement of the customer's acceptance of risk for the system, service, or application being used, with respect to the customer's information.

All right, when you're looking at authorization to use, let's talk about risk management. The AO who issues an authorization to use still has the same level of risk management responsibility and accountability as an authorizing official who's issuing an ATO or a common control authorization. So even though you're just doing an authorization to use, and you didn't create the authorization package at the cloud provider organization, you still are responsible for risk management. Risk-based decisions related to control selection and baseline tailoring actions by organizations providing cloud or shared systems should consider the protection needs of the customer organizations that may be using those cloud or shared systems. So if I'm providing, for instance, cloud services for federal government organizations, then I want to set up my controls in keeping with what they're going to require. If I am providing cloud services for people who are handling PII (personally identifiable information) or people who are processing credit card information, I have to make sure that the controls that are in place, as a cloud service provider, match what the customers I'm targeting are going to need as it relates to security and privacy controls. Organizations hosting cloud or shared systems should consider the shared risk of operating in those types of environments.

So let's talk about evaluating the authorization package when you're an AO looking at an authorization to use. An authorization to use requires the customer organization to review the authorization package from the provider organization as the fundamental basis for determining risk. This is the information that
you get to determine whether it's worth it from a risk standpoint. The sharing of the authorization package, including any security and privacy plans, security and privacy assessment reports, POA&Ms, and the authorization decision document, is going to be accomplished under some terms and conditions that you agree upon with the cloud provider. So the customer organization and the service provider organization agree on what information is going to be shared and the terms and conditions under which that information will be shared. Some risk factors that you want to consider with an authorization to use: the customer organization is going to look at the time that's elapsed since the authorization results were produced (is this report current?); the environment of operation that the cloud provider has (if their environment of operation is very different from your organization's environment of operation, then that's going to impact the effectiveness of the controls, and so it must be considered); you also need to consider the impact level of the information that you're going to be processing, storing, or transmitting; and you have to look at the overall risk tolerance of the customer organization (what is your risk tolerance? do they have a similar risk tolerance?). If the customer organization plans to integrate the shared system, application, or service with one or more of its internal systems, then the customer organization (that would be you, as the buyer) must consider the risk in doing so. You also must mitigate the risk of attaching to a cloud or shared system.

Okay, here's an example of an authorization to use: FedRAMP. It's a very famous example, FedRAMP; well, it's famous to me, and I may just be too deep in the weeds to know that it's not famous in the rest of the world, I'll just hit my hand. So a provisional authorization to operate can be issued by the GSA, the General Services Administration, as part of the FedRAMP program, and that authorization to operate is
considered a valid authorization to operate for customer organizations who want to issue an authorization to use for cloud-based systems, services, or applications. So if a cloud service provider wants to provide their services to the federal government, they have to go through a FedRAMP process. They go through the Federal Risk and Authorization Management Program, where they get an authorization to operate issued by the GSA, and independent auditors are involved. So independent people come in and assess their systems to make sure that their controls meet the FedRAMP requirements, and in that case they're issued an authorization to operate, and now all the federal agencies who want to use that cloud provider can use that authorization to operate issued by GSA. Each individual agency doesn't have to do an authorization of the provider organization, because it's handled, you know, in a centralized FedRAMP program. I hope that makes sense.

Okay, authorization to use when there is insufficient information or inadequate controls. If the customer organization determines that there is insufficient information in the provider's authorization package, or they have inadequate controls in place for establishing an acceptable level of risk for the customer organization, then you've got some options. You can negotiate with the provider organization and request additional controls or security- and privacy-related information. This could include supplemental controls for reducing risk, implementing some compensating controls, conducting additional or more rigorous assessments, or establishing constraints on how you use the system, application, or service that's provided. When the provider organization does not provide the requested controls, then the customer organization can choose to implement additional controls to reduce the risk to an acceptable level, or they can choose to forego using the services altogether, if that's an option; sometimes it is, sometimes it isn't. All right, the issuance
of an authorization to use once the customer organization is satisfied with security and privacy posture of the shared or cloud systems application or service as reflected in the current authorization package and the risk of using the cloud system application or service has been sufficiently mitigated then the customer organization issues and authorization to use ok under an authorization to use the customer organization also has responsibilities their responsibility is to explicitly understand and accept and be responsible and accountable for the security and privacy risk incurred by using the shared system service or application you can look at OMB circular a-133 have a document called circular a dash 130 that goes into more detail about your responsibilities and accountability for shared systems the the customer organization is responsible for ensuring that information from the monitoring activities that are conducted by the provider organization that that information is shared on an ongoing basis and to ensure that the provider organization the cloud provider notifies the customer organization when there are any significant changes to the system application or service that could affect the security and privacy posture of the provider the provider organization in an authorization to use situation also has responsibilities they must notify the customer organization when there are significant changes to the system application or service that may affect the security and privacy posture of the provider they also must notify the customer organization if there's an event that compromises the customer organizations information so if there's a data breach if there's something that compromises your information then the cloud provider or the shared system provider has to let you know the authorization to use doesn't require an authorization termination date like the other authorization types the ATU remains in effect while the customer organization continues to accept the 
security and privacy risk of using the shared or cloud system and while the ATO that was issued by the provider continues to meet the requirements established by federal or organizational policies the a - you can be specific and specify time or event event-driven triggers for review of the security and privacy posture of the provider organization so you don't have a termination date but you can can write in you know every 12 months six months every court or whatever we will review the security and privacy posture of the provider the authorization frequency if the system this is again we're still talking about authorization to use if the system is under ongoing authorization then a time driven authorization frequency is specified so we say once a year we're going to look at this authorization if worst case is usually once a year it used to be every three years with any authorization type an adverse event could occur that triggers the need to review the authorization to operate okay so here's a graphic that's that's looking at the types of authorizations to use there's authorizations authorization to operate authorization to use and the common control authorization okay finally you have a no-decision which is called a denial of authorization this is when the AO determines that the risk to organizational operations and assets individuals other organizations and the nation that is a NIST that's that's NIST wording and so you'll hear it a lot in my presentations when the AO determines that the risk is unacceptable and immediate steps can't be taken to reduce the risk to an acceptable level then the authorization is not granted a denial of operation means that the information system is not authorized to operate and is not placed into operation if you're looking at common controls the denial means that common controls are not authorized to be provided to systems or that the provider system is not authorized for use by the customer organization if the system is currently 
in operation all activity stops failure to receive an authorization means that there are significant deficiencies in the controls you can and will get an authorization to operate without having everything in place as it relates to security and privacy but if there are significant deficiencies that that in that caused the risk of operating that system to be above the risk tolerance of the organization then you're definitely going to get a denial the AO the AO or designated representative works with the system owner or the common control provider to revise the poem to help ensure that measures are taken to correct the deficiencies a special case of authorization denial is an authorization rescission the AL can resend a previous authorization decision in situation where there is a violation of federal or organizational policies directives regulation standards or guidance remember ongoing monitoring is happening so at any point where the AL says you know we're not complying here we've got a problem then they can resend authorization or a violation of any terms and conditions of the authorization an example is your failure to maintain an effective continuous monitoring program that could be grounds for resending an authorization decision okay finally we're gonna well not finally we're just going to talk about next up the authorization decision information what's included in the authorization decision okay the authorization decision is transmitted from the AO to system owners common control providers and other key organizational officials the authorization decision includes the following it includes the authorization decision document terms and conditions for the authorization time driven authorization frequency or the authorization termination date you know how frequently are we gonna look at this authorization or when does this authorization end it contains a list of events that could trigger a review of the authorization decision if any for common controls the FIPS 
199 impact level supported by those controls meaning it doesn't support high low or moderate impact levels the authorization decision indicates if the system is authorized to operate or authorized to be used or if the common controls are authorized to be provided to system owners and inherited by organizational systems the terms and conditions for the authorization gives any limitations or restrictions that are placed on the operation of the system that have to be followed by the system owner or alternatively limitation or restriction placed on the implementation of common controls that must be followed by the common control provider if the system or common controls are not under ongoing authorization then the termination date for the operation established by the AO indicates when the authorization expires and reauthorization is required the authorization decision document is transmitted with the original authorization package to the system owner or the common control provider and authorization decision documents can be digitally signed upon receipt of the authorization decision in the authorization package the system owner and the common control provider will acknowledge implement and comply with the terms and conditions of the authorization the system income and control provider retained the authorization decision and the authorization package and the organization ensures that the authorization documents are available to organizational officials when requested some organizations may choose to use automated tools to support the development distribution and archiving of risk management information to include artifacts that are associated with the authorization process the contents of authorization packages including a sensitive information about system vulnerabilities privacy risk and control deficiencies are marked and protected in accordance with federal and organizational policies this is going to be some of sometimes some highly sensitive information so you do 
want to market and and make sure that it's controlled that I'm sorry that the distribution of that information is control authorization decision information is retained in keeping with your record retention policy the AO verifies on an ongoing basis that the terms and conditions established as part of the authorization are being followed by the system owner and the common control provider so the long and short of it is you can't just spin up a system and use it in an environment where risk management is happening and information security risk management is happening the authorization to use is a streamlined version of the ATO and includes a risk acceptance statement and time or event-driven triggers an authorization to use decision is issued by an AO from a customer organization in lieu of an of an ATO the AO again has the same level of risk management responsibility and authority as an AO who issues the ATO or a common control authorization the risk acceptance statement in the the authorization to use decision indicates the explicit acceptance of the security and privacy risk incurred from the use of a shared system with respect to the customer organization information that's processed stored or transmitted by or through this shared or cloud system okay all right finally we want to talk about other authorization types so there are some other special authorization types type and facility authorizations and your traditional and joint authorizations first up is your type authorization a type authorization is an official authorization decision that allows for a single authorization authorization package to be developed for an archetype or a common version of a system this includes hardware software or firmware components that are deployed to many locations for use in a specified environment of operation a type authorization is appropriate when the deployed system is comprised of identical instances of software identical information types functionally identical 
hardware information that is processed in the same way identical control implementations or identical configurations a type authorization is used in conjunction with authorized site-specific controls or with a facility authorization which we'll talk about next site-specific controls are typically implemented as common controls some examples of that would be your physical and environmental protection controls and your personnel security controls the type authorization is issued by the authorizing official responsible for developing for development of the system and it represents an authorization to operate so our type authorization is an ATO typically type authorizations are you issued by organizations responsible for developing turnkey solutions for instance restaurant systems banking systems where you've got the system but you're using it in multiple locations you don't want to have to authorize it in every location you want to authorize it at the development level and then as its rolled out each facility has an authorization to use based on the the type author's ation so the senior leaders issuing type authorizations may be referred to as developmental authorizing officials at the site or facility where the system is deployed there the authorizing official is responsible for the system at the site and that AO accepts the risk of deploying the system and issues and authorization to use so a type authorization works in conjunction with an authorization to use made by the AO at the facility where it's deployed where the system is deployed the authorization to use uses the information and the authorization packages for the archetype system so it uses the information in the type authorization package and the facility common controls and again an example of a type authorization would be authorization of hardware and software applications for a standard financial system that's deployed in multiple locations or authorization of a common workstation or operating 
environment that's going to be deployed to all operating units within a business then you have facility or authorizations a facility authorization is an official authorization decision that is focused on specific controls implemented in a defined environment of operation to support one or more systems residing within that facility facility authorizations address common controls within a facility and they allow systems that reside in the defined facility to inherit the common controls facility authorizations allowed the effective system affected system security and privacy plans to reference the authorization package for the facility the common controls are provided at a specified impact level to facilitate risk decisions on whether it is appropriate to locate a given system in the facility I worked for a company for example where they had I worked in the R&D department and the buildings that could house Rd had to have a set level of controls and restrictions as to just access in order to be able to house R&D operations so in that case all of the facilities that were designated as R&D facilities they had a specific set of controls in place and they had facility authorizations associated with them if the facility is categorized as moderate impact it wouldn't be appropriate to locate for example a high impact system or system components in that environment of operation physical environmental controls are addressed in a facility authorization but other controls could also be included for example boundary protection contingency plans and instant incident response plans for the facility or security training and awareness and personnel screening for facility staff the facility authorizing official issues a common control authorization to describe the common controls available for inheritance by systems that will be located within the facility then the other special type of authorization you have are traditional and joint authorizations so there are notices that a business 
can take two approaches when planning for in conducting authorizations traditional or joint authorization a traditional authorization is what we've been talking about for the most part it's a single authorizing official in a senior leadership position who is responsible for an accountable for a system or for common controls the organizational official accepts the security and privacy related risks that may adversely impact the organization and I think I've emphasized if I haven't again your your authorizing officials do have to be senior leaders because they are accepting responsibility and being held accountable for the risk associated with systems and common controls so that's the traditional or authorization you have one AO making the decision and accepting the responsibility in joint authorizations you have multiple AOS multiple authorizing officials this is used when multiple AOS either from the same organization or different organizations have shared interests in authorizing a system excuse me I guess they excuse me the AOS collectively are responsible and accountable for the system and they jointly accept the security and privacy related risk that may adversely adversely impact their organization okay so they come together as a group and they are collectively responsible and accountable for the system the joint authorization process is very similar to a traditional optimisation process and it differs mostly by the number of authorizing officials now when you've got that many people working together in a joint authorization then the organizations who choose this approach are expected to work together on planning and executing the risk management framework tasks and to work together to document their agreement and their progress in implementing the they collaborate on security categorization control selection and tailoring a plan for assessing the controls to determine the control effectiveness a plan of action of milestones continuous monitoring strategies 
all of that is necessary for a successful joint authorization the specific terms and conditions of the joint authorization are established by the participating parties including the process for ongoing determination and acceptance of risk the joint authorization remains in effect only while there is a grant is agreement among the authorizing officials and so that's the basics of authorization as covered in NIST special publication 800-53 other topics that I'm going to cover in another recording but I think this one is long enough the three topics are ongoing authorization reauthorization and event event-driven triggers and significant changes I'm going to cover that next but we're gonna stop here for now and I thank you so much for joining me if you have any questions please include them in the content check underneath this video for any links that I may have included but again please like subscribe send me questions I will engage and be very happy to work with you and to answer your questions you