In part 5 of this series, we explore implementing the Authorize step of the Risk Management Framework using a data-driven approach. The main objective of the Authorize step is to “provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.”[RMF] We know, you might have to reread that. In short, the Authorize step determines whether the results of the control assessment justify authorizing your system. Are the required levels of data confidentiality, integrity, and availability met? If so, are you ready to authorize the system?
The Data-Driven Approach
That might seem pretty simple, but it’s not; at least it isn’t if you’re not using a data-driven approach. The typical approach is for the authorizing official to review hundreds of pages of documentation. This documentation may include the system’s security and privacy plans, control assessment reports, and plans of action and milestones that address any deficiencies that were discovered. This is a laborious process in which the authorizing official simply has to trust that the information in the documents is accurate and correct, and that neither the state of the system nor the threats it faces have changed since the documents were written (which can easily have been three to six months earlier).
Conversely, using a data-driven approach means not having to rely on qualitative information in documents that may be several months old. The results of the control assessments automatically feed scoring algorithms that quantify the risk and compliance posture of your system. These scores are continuously updated by continuous assessments of controls driven by automatically collected machine data, and the authorization status of the system can be continuously updated from them in turn. This is the true holy grail of ongoing assessment and authorization.
Authorization using Q-Compliance
Q-Compliance supports this data-driven approach to authorizing systems with the System Authorization dashboard, shown in Figure 1, which serves as a “live authorization package” containing, in real time, all of the information an authorizing official needs to make an authorization decision. We make it easy with compliance scores and color-coded control charts, providing a summary view of the assessment results. Furthermore, clicking any of the color-coded control icons displays the Control Compliance Hub specific to that control. Within the Control Compliance Hub are the details of the assessment along with supporting evidence. The scores and charts are updated in real time as assessment statuses are captured or updated.
All of the Plans of Action and Milestones (POA&Ms) for the system are also displayed on the System Authorization dashboard so that authorizing officials can see whether there are any incomplete or overdue POA&Ms as they make their decisions. At the bottom of the System Authorization dashboard are documents for the authorizing official to review, as we recognize that many organizations still require the documentation. Behind the scenes are automation actions that grant or deny system authorizations based on time-driven or event-driven conditions, e.g., automatically granting or denying an ATO when a system’s compliance scores exceed or fall below a certain threshold, or when a critical set of controls pass or fail their assessments.
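As an added illustration (not Q-Compliance’s code or data model), the following Python sketches the kind of time- and event-driven authorization rule described above: it keeps the latest assessment per control, scores the system, and denies authorization when the score falls below a threshold, a critical control fails or lacks current evidence, or a POA&M is overdue. The control identifiers, the 90% threshold and the 30-day evidence age are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed data model for this example (not Q-Compliance's own schema).
@dataclass(frozen=True)
class Assessment:
    control: str       # control identifier, e.g. "AC-2"
    passed: bool       # result of the latest automated check
    assessed_on: date  # when the machine data was collected

@dataclass(frozen=True)
class POAM:
    control: str
    due: date
    completed: bool

def latest_results(assessments):
    """Keep only the most recent assessment for each control."""
    latest = {}
    for a in assessments:
        if a.control not in latest or a.assessed_on > latest[a.control].assessed_on:
            latest[a.control] = a
    return latest

def compliance_score(assessments):
    """Percentage of controls whose most recent assessment passed."""
    latest = latest_results(assessments)
    if not latest:
        return 0.0
    return 100.0 * sum(a.passed for a in latest.values()) / len(latest)

def authorization_decision(assessments, poams, today, threshold=90.0,
                           critical=frozenset(), max_age=timedelta(days=30)):
    """Return ("grant" | "deny", reasons). Any reason blocks authorization:
    score below threshold, critical control failed or stale, POA&M overdue."""
    latest = latest_results(assessments)
    reasons = []
    score = compliance_score(assessments)
    if score < threshold:
        reasons.append(f"score {score:.1f}% below threshold {threshold}%")
    for c in sorted(critical):
        a = latest.get(c)
        if a is None or today - a.assessed_on > max_age:
            reasons.append(f"critical control {c} has no current evidence")
        elif not a.passed:
            reasons.append(f"critical control {c} failed")
    for p in poams:
        if not p.completed and p.due < today:
            reasons.append(f"POA&M for {p.control} overdue since {p.due}")
    return ("deny" if reasons else "grant"), reasons
```

Each run re-evaluates the newest evidence, so re-running it on a schedule or on every new assessment result yields the continuously updated authorization status described above.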
The benefits of using Q-Compliance to implement Step Five – Authorize:
- Reduce laborious hours of reviewing hundreds of pages of compliance documentation
- Ability to make authorization decisions based on quantitative risk and compliance scores and not just documents that are months old
- Easily drill into any control dashboard to see live supporting evidence for a real-time representation of the system’s security state
- Dynamically update a system’s authorization status as its compliance posture and acceptable level of risk change