Background: I've been in the IT industry for well over 13 years now, and a computer enthusiast since my parents first put a Commodore VIC-20 in my hands as a child. I avidly watched the industry grow up, mature, and start to diversify. In my adult life, I continued to learn all I could about computers and their application in life. Approximately 9 years ago, I got my first "real" IT job. I had been working in a call center environment for 4 years at that point doing tech support work, but this new job was working for a contractor at a DOE facility. This proved to be my first taste of what we now call Information Security (IS) or Information Assurance (IA). I currently work for a DoD organization where my primary job responsibilities are IA.
Over the last 9 years, I became increasingly aware that the IT field was undergoing a split, or had split into two distinct areas, that of administration of computer systems, and securing computer systems. They were integrated in such a way that it was very difficult to tell the two apart. About four years ago, a program was implemented where I was working for at the time that led me into the IS field. While there, I experience how IS should be implemented as far as personnel and policy.
I left that position in 2008 and re-entered the field in 2009 working as an IT Systems administrator for a different government agency. At this new position, I found that although the regulations and policy were in place, and an implementation strategy was well thought out, that only existed at the root or direct subordinate level. Below that level, especially for non-centralized sub-organizations
The incumbent in the position I held had been working towards getting the organization up to speed, and I began to assist him in this effort. One would think that with the regulation in place, and pressure from members internal to the organization, that an effective IA shop would be instituted. This did not happen. After the incumbent left, the task fell to me to get this done. It has now been over two years since this was brought to the attention of all levels of the organization and still, there is not a resolution in sight.
Problem: The basic problem seems to be that of manpower denying critical billet positions. That, and procrastination on the part of several parent organizations to dictate how an IA shop should be setup at a remote location. In addition, there are some specific cases where this policy fails to clarify how an IA shop should be run.
Disclaimer: In order to maintain some obscurity, I won't name specific organizations or people, but will try to define the problem in sufficient detail so that the community can recognize the problems and hopefully discuss possible solutions. I ask that anyone posting comments please adhere to these stipulations and do not try to guess at names or organizations involved.
If you are familiar with regulations within the DoD branch specific to IA, you will know that in order to successfully execute a C&A package, you must have, at a minimum, the following roles:
- DAA – Designated Accrediting Authority
- SIAO – Senior Information Assurance Official
- CA – Certifying Authority (or Certifying Agent) (typically the SIAO)
- PM – Program Manager
- IAM/IAO – Information Assurance Manager/Informati
on Assurance Officer - UR – User Representative
In a typical organization of mid to large size (100+), these roles are very easy to fill, but for a smaller organization, two of these roles become increasingly difficult to fill. Specifically, the DAA and SIAO/CA roles. From the US Code down, these must be filled by government civilians or military personnel and both carry heavy responsibility and authority, meaning upper organization management positions. The DAA is required to be at the GS-15/O-6 level while the SIAO is the single policy maker for the entire IA department.
What I have discovered, and inferred from multiple sources as well as my own experience, is that neither of these individuals would be comfortable signing off on a system that they cannot either virtually or physically see and touch. This makes perfect sense to me as they are, in essence, assuming the risks and responsibility of any system they approve.
This wouldn't be a problem if a small organization is physically located at or near their parent organizations HQ, but, as is typical for DoD organizations, there are many sub-organizations
In an ideal world, and I acknowledge that DISA is trying to effect this change, the hosting base would simply accept the systems that belong to the MAJCOMs as is, even though they might not be able to fully understand the mission, they can at least see and touch systems attached to their network. This, at least, I have witnessed, and it seems to work.
There is one type of system though that this cannot work for and it is the hardest system to run through the C&A for. Standalone Enclave systems are a bear to work with. Many units ignore these systems, or fail to acknowledge DoD's specific instruction that "All DoD owned systems will be accredited." The problem is that the only entities that can virtually or physically see and touch these systems exist within the sub-organization itself. This, by inference, means that all DoD roles must exist within the sub-organization.
Well, I can tell you that simply can't happen for every organization out there. Some organizations don't even have a GS-15/O-6 to throw a DAA appointment to, much less second position able to take on the SIAO/CA role. The sticking point is not the DAA, interestingly enough, it is the SIAO/CA role. This position, given the standalone enclave system, requires a CISSP or equivelent certification per DoD 8570-M.
I've not found a person in a current position of authority to entertain the idea of obtaining a CISSP certification just to satisfy this requirement. The most common answer I've gotten is that they are just too busy. I can understand this stance, as we are talking small shops, and the workload is typically piled on deeper than a larger organization for each person.
So, where does that leave the situation? A small shop, not co-located with their parent organization with a need to C&A a standalone system is left out in the cold. DAA's don't want to touch these systems, and the small shop can't requisition the proper billet to get the right IA personnel into the organization to do it in house.
This is my frustration, as I know it needs to be done, but I can't change the minds of the people over my head.
Warnerd writes: I work for a PEO in Florida. I completely understand your frustration. However, you have described just one aspect of the total problem that is plaguing DoD systems. One of our main issues is patch management once the system has obtained an ATO. Most systems I have encountered are either not accredited, or do not have adequate resources to patch the systems delivered to them. On most non GIG connected systems (stand alone enclaves) the DOIM wants nothing to do with it, they have not been allocated money to support such systems, and the IT personnel are not sufficiently trained. Another issue we have is that now that our system is accredited, other units wish to integrate with accredited systems which they cannot due to their systems not having an ATO. However, I have witnessed systems connected to all sorts of unaccredited IT platforms when the annual or 3 year audit comes due. Its almost like the wild west.
ReplyDeleteMy main frustration has to do with the Cross Domain Solutions office. At a minimum, you are looking at 2-3 years before you can get a CDS accredited. By the time the CDS is ready to test, the system needs major upgrades or has been changed so drastically, the system requires recertification in order to test with the CDS.
Welcome to the DoD. I feel your pain, all we can do is deliver the most secure, cost effective, and certifiable systems to the customer and hope the government has the resources to maintain such systems.
Skeeter writes: Having spend significant time working for the government (both active duty and contractor), I understand your pain. In my opinion, the problem began with DISA. They, or DoD, have levied the requirements, but have done a poor job, for the last 20 years, in doing the anything to support the personnel in the field. Furthermore, Commanders and system owners don't realize the importance of the security positions in their organizations and don't want to spend the manpower.
ReplyDeleteWarnerd....having also worked with the CDS office.....good luck.
Warnerd - Patch management, however it's done, is always a pain and I feel your frustration there too. Especially in light of a CDS. Effectively, the hosting organization doesn't trust the hosted enclave and won't pass down patches to non-domain systems, therefore, it's up to the domain owner to download and patch the systems in the enclave, whether this is physically attached to a network or a standalone machine/network. Fortunately, DISA can and will allow systems connected to the GIG to download directly from their patch server, however, now a program needs to be implemented locally to deal with criticality issues and distribute the patches. As you indicated, IT personnel are rarely sufficiently trained in this aspect or the organization simply doesn't recognize that this is a necessary part of the job description.
ReplyDeleteThe second part comes with recipricity. DISA has been showboating this around and meeting with extensive resistance to the concept. I don't see a light at the end of the tunnel for this simply because us, being our natural paranoid selves in the security field, do not trust our peers running an unaccredited attached system. In regulation, this should be easy to fix, in reality, the whole C&A process is broken, so it's up to the IS managers to either accept the risk or deny the mission.
Skeeter - DISA can't influence the decision making process beyond the regulations that DoD puts out, so the problem lies firmly below DoD in the MAJCOM arena. I have no experience with DoD HQ, but I suspect they are following the regulations and it is the MAJCOM's component heads that are being obstinant about the whole thing. This is largely due to your second comment about them not understanding the importance and fighting to get the manpower equation solved within their own islands of control.
ReplyDeleteI'm about to experience the healthcare industry as I'm leaving DoD and headed over to IHS (another federal agency). I'm curious as to whether a similar problem exists over there....