By Marcus Norman
For years, Assessment and Authorization (A&A) analysts have held an important job – deciding which applications and systems can connect to a network by assessing the potential risks new systems introduce. A security assessment consists of reviewing a system security plan (SSP), contingency plans, network topologies, vulnerability and compliance scans, manual checks, and other artifacts to provide a risk recommendation for each system. However, this assessment has been a bit limited, based on documentation reviews and interviews, rather than actual knowledge of many of the cyber tools protecting the system. A&A analysts are not familiar with computer network defense (CND) techniques, cyber tools, and their usage, leading to less fidelity during risk assessments, which provide the basis for the development of the security assessment report for the Authorizing Official (AO) recommendation. Organizations are faced with a combination of threats, vulnerabilities, and impacts and must be able to identify important trends to determine how to effectively evaluate their operational readiness and defend against threats impacting national security. AOs face difficult decisions due to the limited scope of investigation that A&A analysts currently follow.
NetCentrics’ recommendation is to operationalize A&A, by training A&A analysts like CND analysts to provide a holistic view of risks targeting an organization’s infrastructure. This approach would provide A&A analysts with both the knowledge and ability to assess and defend against threats, reducing the risk of intrusion, reducing failure in implemented controls, and reducing operational information systems knowledge gaps. Training A&A analysts like CND analysts would also increase visibility, encourage use of automation, and promote effective management of risk.
Over the last decade it became clear that a new security framework is necessary for mission-critical systems. The Department of Defense (DoD), Office of the Director of National Intelligence (ODNI) and the Committee of National Security Systems (CNSS) sought to transform the traditional A&A processes into the Risk Management Framework (RMF) approach to address authorization challenges facing multiple entities. RMF promotes uniformity during assessments amongst organizations and establishes a continuous monitoring strategy leading to longer authorization periods. As a result, A&A analysts must shift from checklist operations to a cyber defense tool-oriented approach. Analysts who understand the strengths and gaps within the network can benefit by leveraging cyber tools when assessing risk. As hacks and breaches increase, Chief Information Security Officers (CISOs) and AOs are under immense pressure to stay abreast of the latest threats. This heightened scrutiny has led senior officials to question the ability of the A&A analysts to conduct technical risk assessments. Organizations must ensure that all members are properly trained and qualified to support all types of assessments, limiting exposure to the enclaves and providing a high-level of assurance for all stakeholders.
In the past, A&A analysts who assess risks have operated in a narrow context, often unfamiliar with the systems they oversee and the tools that are used within those systems. They typically perform their analysis based on system documentation rather than familiarity with the systems, and usually have less experience, less knowledge and are less certified than their CND counterparts. This means they may not fully understand protective measures used across the enterprise security stack during a system review, and may not understand the impact and value of tools like Assured Compliance Solution (ACAS), Host Based Security System (HBSS), and Security Information and Event Management (SIEM). Today, an A&A analyst has no way, other than using an independent validator, to assess the systems and verify that the system is accurately documented.
Risk assessments are mostly “paper-driven” reviews, an activity which does not provide decision makers the ability to effectively categorize, define, and address risks due to the lack of rigorous assessment techniques (e.g., Security Technical Implementation Guide (STIG) reviews, configuration and change management reviews, threat mapping, vulnerability assessment, and security control testing) being conducted on an information system. A&A professionals are often not trained or expected to interpret the technical results generated from cyber tools. A false representation of risk can be derived from how the information is presented and documented in the SSP. The heavy reliance on policy and administrative controls has allowed analysts to overlook indicators of compromise against deployed controls impacting the effectiveness, integrity, and authorization conditions of operational systems. It is imperative that organizations invest in automation and training to mature security infrastructures.
Although the National Institute of Standards and Technology (NIST) has provided guides to support the development of risk management and assessment methodologies, the burden still falls on the organization to employ qualified personnel trained in multiple cyber disciplines to achieve the level of assurance with limited budgets and resources.
Integrating CND techniques into security authorization will significantly improve A&A analysts’ understanding of risk by creating synergy with defense practices, enhanced knowledge of tool sets and infrastructure, reducing exposure to threats. Introducing threat actors’ Tactics, Techniques, and Procedures (TTPs) into security assessments will improve A&A analysts’ understanding of threats leading to better selection of controls throughout each phase in the System Development Life Cycle (SDLC). The increased awareness will allow near real-time risk management responses enabling analysts to craft recommendations supporting the decision making capability of senior officials.
A CND approach to authorization would significantly reduce risk and empower personnel to focus on leveraging cyber infrastructure and automation in determining motive, opportunities, and means of potential threats by:
- promoting awareness,
- integrating information security into the SDLC,
- emphasizing impacts on the selection of controls, and
- providing near real-time risk management responses in developing a risk recommendation supporting senior officials in the organization.
The development of dashboards within a cyber toolset provides everyone with key performance indicators determining the effectiveness of the organization’s authorization process. A&A analysts should be data driven to formulate authorization metrics that support the cyber security goal established for authorization.
The proposed approach promotes and enables organizations to correlate data feeds derived from existing infrastructure (e.g., ACAS, HBSS, NIDS, HIDS, SCCM, Active Directory, Proxy, and other compliance tools) into a SIEM, providing the A&A analysts the ability to identify, query, and assess weaknesses in the infrastructure, processes, and methodologies for delivering threat-fusion to AO’s promoting risk-based decision making. Understanding TTPs and the CND tools enables analysts to proactively evaluate how implemented security controls function, ensuring events are blocked, contained, or remediated while preserving the confidentiality, integrity and availability (CIA) of the authorized systems.
A security assessment consists of reviewing a SSP, Contingency Plans, network topologies, vulnerability and compliance scans, manual checks, and other artifacts to provide a risk recommendation for each system. Incorporating CND and its practices will provide analysts with an understanding of system weaknesses to defend against threats targeting each system. This approach will indicate how selected controls do or do not protect the system, prompting System Owners to reassess defense strategy is necessary. Introducing the concept will provide a holistic enclave-view on the performance of controls enabling AOs to grant longer authorization periods with confidence. From this analysis we can make five definitive recommendations:
- Train A&A analysts on tools such as ACAS, HBSS and SIEM so they can understand the output of the tools and how to query them to determine accuracy with an accreditation package.
- Train A&A analysts on the use of CCRI or risk matrix scoring, to provide a common risk score across analysts that is reproducible, consistent, and allows for risk baselining irrespective of technologies or implementations.
- Encourage A&A analysts to think more holistically, to consider the needs of systems and users in a framework more like the one that CND analysts use.
- Implement NIST Special Publications, STIG, vendor hardening guides, and industry best practices to support authorization.
- Develop performance metrics to determine the effectiveness of security controls. Establish a reporting dashboard for awareness, cohesion, and to allow senior leaders to promote accountability and responsibility throughout the organization.
Ultimately, A&A analysts must embrace and leverage CND capabilities to provide senior officials with fact-driven recommendations to support the organization’s mission drivers and capabilities. The CND approach we recommend will significantly improve the organizational risk posture with four categories of benefit:
- Overall system security will increase, leading to fewer intrusions and incidents
- Intrusions will be more readily identified, assessed, and addressed
- Executives will have greater certainty that the data provided is accurate and reflects what is documented
- Increased awareness of how controls should be implemented and how they will perform
- Comprehensive knowledge of services, ports, software, and hardware within the environment
- Risk modeling can be reproduced and quantified across systems and analysts, improving organizational efficiency and effectiveness and increasing maturity of the process.
- Improved understanding of risk to support the AO decision b. Comprehensive technical assessments
Our adversaries are constantly working to gain greater ability to compromise DoD and public infrastructures. A&A analysts must possess a holistic understanding of the systems they are appointed to protect. Training these analysts like CND professionals so they have a deeper and more holistic awareness of the systems and threats will increase the security of the systems and networks. It is our responsibility to be stewards of safe cyber practices delivering assurance in each assessment we conduct supporting each AO.