THE FIVE KEYS TO ONGOING
identify vulnerabilities efficiently, places scrutiny on critical
AUTHORIZATION SUCCESS
WHITE PAPER
With the prevalence of hackers and cybercrimes, it is
important for strong cybersecurity measures in the federal
space. Using existing ongoing authorization (OA)
regulations to create a healthy OA program will strengthen
cybersecurity measures and allows decision makers to
make appropriate decisions. Key leadership can make
risk-based and quantitative, fact-based decisions by using
systems reporting to a central location.
This white paper discusses OA solutions that best fit your
needs. It will explain the history of OA, other government
agencies implemented OA best practices to understand
how to proceed with establishing foundational groundwork
for a successful OA, and OA benefits.
BACKGROUND
DEFINITIONS
In December 1985, the Office of Management and Budget
(OMB) published the OMB Circular A-130 in response to
the Paperwork Reduction Act of 1980. In 2000, a revision
of OMB Circular A-130 first defined authorization to
operate (ATO) as compliance with existing requirements
that should occur once every 3 years.
Before too long, once every 3 years became once a
year, which then became quarterly. This is called
continuous monitoring. Continuous diagnostics and
monitoring (CDM), which is a program focusing on
providing tools to help manage government assets and
implement information security continuous monitoring.
National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-137, Information Security
Continuous Monitoring (ISCM) for Federal Information
Systems and Organizations, supplies ISCM guidance.
ONGOING AUTHORIZATION
OA is authorization based on using frequent trigger-based
security controls to have near real-time continuous
monitoring. NIST 800-37 states that initial system
authorization is based on evidence available at one point
in time, but systems and environments of operation
change. The Department of Homeland Security (DHS)
addresses the needs of constantly changing environments
by implementing OA, which involve shifting from periodic
to ongoing assessments and facilitates a continual state of
awareness. The goals of OA are to prioritize risk and risk
mitigation, streamline security authorization testing and
reporting processes, and provide Authorizing Officials
(AOs) and System Owners with frequent evaluations of
system security risk status. DHSs Operational Risk
Management Board (ORMB) manages the OA program to
and changing controls, shifts focus from compliance to
risk, increases open communication with the AO, and
provides new threat response flexibility. Implementing OA
to make quick, real-time decisions will revolutionize the
world of cybersecurity.
OMB AND FEDERAL INFORMATION
SECURITY MANAGEMENT ACT
Title III of the E-Government Act of 2002, or FISMA,
became law two years after OMB Circular A-130 defined
ATO. In 2012, the government published more FISMA
guidance and made updates to OMB Circular A-130. OMB
M-12-20 states that to qualify for an OA, Continuous
monitoring programs thus fulfill the three-year security
reauthorization requirement, so a separate reauthorization
process is not necessary. However, a system must also
meet several prerequisites. Prerequisites include having
common and inherited controls and reciprocity, continuous
monitoring, event-driven monitoring, and having a valid
ATO. The DHS OA Team decides which graduating
systems join
the OA In April 2013, Rep. Gerry Connolly and Rep. Darrell
Issa, chairman of the Oversight and Government
program.
The Reform Committee, sponsored the FISMA
modernization bill (H.R. 1163), citing a 782%
government
published the increase of cybersecurity threats over a 6-year
period.
latest version
of FISMA in
2014 to require OMB to revise OMB Circular A-130 to
eliminate inefficient and wasteful reporting.
OMB published the latest revision of the OMB Circular A-
130 in July 28, 2016. See Figure 1 for a timeline.
Figure 1 | OA Background and Timeline
RISK MANAGEMENT FRAMEWORK
(RMF) AND ISCM PROCESS
Federal Information Processing Standard (FIPS)
Publication 199 defined the RMF as that which contains
information on categorization of systems and data. RMF
is flexible, based on organizational needs, and provides
checkpoint questions along the way. The Joint Task Force
Transformation Initiative published the Guide for Applying
the Risk Management Framework to Federal Information future to be the de facto FISMA system of record for the
Systems (NIST SP 800-37) in February 2010 in support of Department of Health and Human Services (HHS) and
the FISMA Implementation Project by the Computer other agencies.
Security Division. CASE STUDIES
Similar to RMF, ISCM has six steps from NIST SP 800-
137. See Figures 2 and 3. NASAS WORST-CASE SCENARIO
National Aeronautics and Space Administrations
OA focuses on (NASAs) Chief Information Officer (CIO), Renee Wynn, let
Steps 4-6 of the an ATO expire and issued a conditional ATO, which goes
RMF (Assess, against OMB policy and the Cybersecurity National Action
Authorize, and Plan. By April 2016, 38,000 machines under the Hewlett
Monitor) as well as Packard Enterprises (HPE) Advanced Countermeasures
ISCM Step 4 Electronic Systems contract, were missing hundreds of
Analyze/Report. thousands (> 88.7%) of the critical patches needed for
RMF Step 5, 53,000 systems across all of NASA.
Authorize, is an The Federal Information Technology Acquisition Reform
important step and Act (FITARA) 2013 revision mandated that CIOs have a
identifies significant role in information technology (IT) decisions,
continuous with which NASA did not comply. This limited federal
monitoring of oversight, causing a breakdown in communications
security controls. between Senior Security Officers and the CIO. As a result
RMF Step 5 of this strained relationship, NASA was exposed to
requires significant vulnerabilities and HPE was awarded a $35
determining the million settlement over the terms of their contract.
risk to
DHS U.S. CITIZEN AND IMMIGRATION
organizational
operations SERVICES (USCIS) BEST PRACTICES
organizational After DHS experienced a hacker incident in 2012, they
assets, individuals, sought to improve information security through continuous
other and event-driven monitoring. In 2012, DHS determined
organizations, or system eligibility criteria, established processes, and
the Nation. Soon created metrics in support of an OA program. By 2017,
after the DHS had instituted an annual performance plan,
publication of NIST accelerated the use of personal identity verification (PIV)
Figure 2 | RMF (Above) vs ISCM cards for multi-factor authentication, and strengthened
SP 800-37, NIST
Process (Below) oversight of its plans of action and milestones (POA&Ms).
SP 800-137
provided additional guidance on Step 5. The continuous DHS had become the authority to administer the
monitoring and event-driven monitoring implementation of implementation of information security policies for security
OA aligns to Step 6, Monitor. Managing Federal Executive Branch systems, including providing technical
Information as a Strategic Resources, the 2016 revision of assistance and deploying technologies to such systems in
OMB Circular A-130, leverages RMF and the NIST the FISMA of 2013.
Cybersecurity Framework in its appendix. THE PILOT PROGRAM
In 2010, NIST produced NIST 800-37 and NIST 800-137,
CYBERSTAT
introducing continuous monitoring. Two years later, DHS
CyberStat sessions are accountability sessions
responded by releasing policy explaining the
established January 2011 by OMBs FY 2011 Report to
implementation of continuous monitoring, and it led by
Congress on FISMA implementation. Its job is to analyze
example in 2013 as the first to implement the guidance by
CyberScope, a tool sponsored by DHS to which agencies
piloting the OA program.
provide summary risk data to DHS on a monthly basis on
From May to August 2013, DHS developed and applied
behalf of OMB per OMB 1403. As a result of negative
standard approaches to five core capabilities of
feedback, DHS is replacing CyberScope with Archer in the
continuous monitoring to some of its components under

2
an OA pilot program, including anti-virus, configuration
settings, hardware asset management, software white
listing/asset management, and vulnerability management.
After going through various levels of approval (at the
USCIS level and DHS level), the AO (CIO) approved
USCIS being admitted into the OA pilot program. This
involved monthly collaborative ORMB meetings where
Information System Security Officers (ISSOs) discussed
security patches and compliance and monitored the
system administrators automated reports of Intranet,
database, and operating system scans. In addition to the
RMF, FISMA requirements, and NIST guidance, USCIS
also followed the in-house DHS 4300 policy.
Under USCIS, only four systems were enrolled in May
2013 at the beginning of the pilot program. By August
2013, the OA pilot program affected 12 DHS systems with
an equal number per component. By July 2016, 96
systems were enrolled in the OA program at the DHS
level, according to the Inspector General Report. Today
there are 42 systems enrolled in the OA program under
USCIS.
FISMA ACCESS MANAGEMENT AND
INFORMATION SECURITY SERVICES
(FAMISS)
DHSs FAMISS contract supports the USCIS Chief
Information Security Officers (CISOs) Information
Security Division (ISD) to provide a holistic, risk-based
approach to information security through the following
work streams:
1. Security Engineering supports the Cyber
Defense Branch, which focuses on CDM using
various scanning tools, Tenable Security Center
(a repository for Nessus scans), and Splunk as a
data aggregator that presents data in user-
friendly dashboards.
2. Compliance supports the Risk Management
Branch, which manages ISSO support, training,
governance, and continuous monitoring through
OA.
3. Identity, Credential and Access Management, led
by Joy Robbins, ISSO, focuses on controlling
resources from the Office of Information
Technology office with multi-factor authentication,
account provisioning, and re-certification.
SECURITY ENGINEERING
Security Engineering provides operational support for
ISDs security tools/applications and specialized expertise
to support security initiatives that offer endpoint protection
and security via applications like McAfee or Splunk. The
3
team also supports several security-related initiatives,
including Security Operations Center exercises,
penetration tests, threat modeling, and code
review. These enterprise-wide initiatives are important for
maintaining an acceptable risk posture. The team
supports management efforts to address system
vulnerabilities and develops a custom application to
manage system inventory across the enterprise.
COMPLIANCE
The compliance work stream uses tools to capture and
record six months of trending data, including vulnerability
spikes) with monthly reviews. They also use data as
evidence of compliance in case of audit. The compliance
work stream focuses on the implementation of RMF Steps
4, 5 and 6. See Figure 2.
As part of OA monitoring, Silvia Ruiz says that the OA
Team compiles trending data to provide a near real-time
status of systems and the agencys overall security
posture. Support teams collaborate to ensure that the
systems remain in compliance with NIST guidance and
DHS policy. Senior Security Officials facilitate the USCIS
OA program through regular system reviews via
collaborative ORMB meetings. The OA Team prepares a
quick-glance data trending PowerPoint slide highlighting
the systems security posture, compiled with inputs from
the vulnerability scans, authorization documentation,
POA&M status and remediation efforts, and compliance
with the DHS OA methodology, collectively called the
ORMB Scorecard.
ISSOs and assessors follow a schedule and standard for
testing controls outlined in the Control Allocations Table
(CAT). USCIS uses a contractor-developed spreadsheet
mapped to NIST guidance and DHS policy and factors in
applicable common controls. The CAT recommends test
procedures and evidence and has been instrumental in
ISSOs identifying failing or potentially outdated controls.
With a DHS-provided TRigger and Accountability Log
(TRAL), ISSOs document any change or potential issue
that could impact the systems security posture from
contract changes, new releases, the status of POA&Ms,
technical refreshes, critical and high vulnerabilities, etc.
USCIS considers risk identification and tracking via the
TRAL as a key component to the OA program.
ICAM
DHSs USCIS is especially concerned with OA, which is
the major focus of this document, and identity
management. As of 2017, all USCIS systems are PIV-
enabled.
KEY #1: COLLABORATION
USCIS has developed a culture of collaboration among all
stakeholders involved, including ISSOs, Privacy, the OA
Manager, various teams, etc. Collaboration and
communication, both internally and externally, is important
for successful implementation of a holistic, risk-based
approach to information security. The teams across all
three work streams collaborate to improve efficiency by
sharing information and best practices, discussing the
programs status, strategizing and leveraging resources
on heavy lift tasks, and brainstorming solutions. Megan
Kane thought the layout of the contracts task structure
helped with efficiency by providing opportunities for reach-
back support. If necessary, teams were also able to
contact the contracting team supporting DHSs Federal
Emergency Management Agency (FEMA), also
participating in OA.
Additionally, direct interactions with the client proved
helpful. USCISs ISD federal leads also work
collaboratively across the work streams.
As each task area supports continuous monitoring, this
collaborative effort has significantly benefited the OA
program, as open communication allows the client to
make informed decisions and produces effective results.
KEY #2: FLEXIBILITY
Being flexible is a contributor to USCISs success.
Originally, there was less guidance because OA was
relatively new and agencies were trying to understand
how to effectively and efficiently implement OA. In many
cases, USCIS had to develop their own standards by
leveraging others experiences and implementing test
cases to determine what worked.
For instance, understanding time restrictions, the team
recommended shorter and more frequent ORMB meetings
with focused discussion as opposed to reviewing all
systems in one day. The new format allowed the client to
accomplish more and allowed the systems support teams
to join. We try to think ahead, said Ms. Kane.
Additionally, they learned to think strategically about what
information might be helpful to the client and how to get
better inputs. It is important to continuously assess OA
programs, to see what is and is not working, as well as to
review the OA methodology to focus on DHSs intentions
for the Department. In doing so, the team can identify
opportunities to streamline processes and procedures and
help USCIS maintain its position as a leader in OA
implementation. Fortunately, the USCIS CISO encourages
innovation, researching current and developing tools and
technology, and utilizing industry best practices to stay
ahead of the game.
4
KEY #3: TRANSPARENCY WITH DATA
The goal of continuous monitoring is to have a dashboard
for ISSOs to use. They can use the dashboard to identify
the top 10 vulnerabilities and prioritize remediation
according to the risk level. Several tools assist the ISSO
in managing the system and complying with DHS
requirements. They are continuously up-to-date with their
systems and can identify risks quicker than with the
previous pre-OA quarterly model. ISSOs are responsible
for validating and maintaining accurate asset inventories
in Security Center 5 (SC5). ISSOs have access to near
real- time scanned data. For manual processes, ISSOs
receive detailed reports within one business day.
Monthly reviews to further escalate issues to the OA
Manager and gain concurrence and/or new direction on
risk-based decisions supported a goal of accountability.
The AO also receives monthly briefings on the security
posture of systems, escalated risks (triggers), and
weakness remediation plans, or WEARs.
Improvements to the OA program include re-focusing on
more POA&M oversight and accountability, as well as
more efficiently remediating vulnerabilities and applying
patches. Applying OA-provided insight into the systems
security posture leads to fewer surprises, mitigated risk,
and communication leading to the actions by the
appropriate authorities. Implementing OA has raised
overall awareness at DHS.
KEY #4: EXPERIENCE
Implementing a successful OA program can be
complicated without clear guidance and a roadmap. DHS
looks to experienced contractors to provide the necessary
guidance and innovation to achieve high levels of
success. Kane and King said they were lucky to have
resources on the contract who know and understand NIST
guidance, DHS policy, and the supporting RMFs.
KEY #5:
TRAINING
The training team on HHS ESPS is similar but
Another key factor even better because theres more involvement
for a successful
in terms of financial and personnel resources,
OA program is as well as interest from the agency staff.
ensuring that
resources have access to the knowledge and tools
necessary to complete their work. USCIS values training
so much that they have dedicated an entire team to
ensuring the support teams have the tools they need and
know how to use them. USCIS offers a 3-day Basic
Training course for ISSOs and support teams focusing on
roles and responsibilities, compliance, how to use the
tools, drafting documentation, and vulnerability scanning.
Additionally, the Training Team hosts monthly brown bag
sessions focused on specific issues or tools.
With the five keys of DHSs success, they kept ahead of
the threats by constantly striving to do more testing and to
think of risks as opportunities to protect against
vulnerabilities.
APPLICATION IN REAL-TIME
HHS-SPECIFIC APPLICATION
According to FITARA, HHSs responsibilities are to
manage the following: (1) a comprehensive inventory of
data centers owned, operated, or maintained by or on
behalf of the agency; and (2) a multi-year strategy to
consolidate and optimize inventoried data centers.
Requires such strategies to include performance metrics,
timelines, and year-by-year calculations of investment and
cost savings to measure progress toward meeting goals of
the Federal Data Center Consolidation Initiative.
Note that Federal Acquisition Regulation (FAR) 52.204-21,
Basic Safeguarding of Covered Contractor Information
Systems (June 2016), relating to FITARA, has been
revised to only apply to contractor-owned contractor-
operated information systems and holds contractors to
NIST and FISMA requirements.
CREATE A PROCESS AND PLAN
Creating a process and plan for migrating the system to
OA for the AOs approval is crucial. The CDM and ISCM
Program is HHSs solution to support the ISCM mandate
for federal agencies. In terms of a process, Charles
Livingston, the CDM and ISCM Program Lead for HHS
ESPS, stated that eGlobalTech already drafted the ISCM
policy. Operational Divisions have reviewed the draft and
the anticipated signature will be by the end of April or May
2017. Phase 2 of the CDM and ISCM Program has
already begun.
The plan should include independent assessments and
security categorization of each security control according
to the RMF and FIPS 199, a framework mapped to CDM
capabilities, a gap analysis of each systems current
control testing capabilities, and a way to report risk to the
AO in near real-time.
The recommendation is to apply the lessons learned from
NASAs failures and DHSs successes gradually, using
the snowball effect. The idea is to start small and build
on successes with low-impact systems to ease the
transition and collect lessons learned prior to applying
them to high-impact systems. According to the
Supplemental Guidance on OA, A phased approach for
the generation of security-related information may be
necessary in the interim as additional automated tools
5
become available. After the AO initiates the ATO, an
ISCM program is in place, and the system moves to the
production environment, the OA program can begin. It is
also important to assess proposed security controls before
collecting data.
BENEFITS
Currently, system monitoring for ATO is on a quarterly
schedule model, or longer, where the damage could be
done by the time it is detected. The road to ATO can be
time-consuming, cumbersome, and wasteful.
OA, on the other hand, ties with event-driven triggers.
Event-driven assessments include incidents, new threat
information, major changes to operating environments,
results of a risk assessment, etc. Because of
predetermined triggers, frequency of network activity and
summary metrics, updates can be by minute, hour, day,
week, month, or as needed.
Agencies most interested in the ability for senior leaders to
make well-informed decisions quickly should use OA. The
use of actionable metrics will ensure a faster response
than to data that is a quarter, a year, or three years old.
The government needs to focus on the short-term data as
that data will create the long-term results that the
government seeks.
DHS USCISs keys to success for implementing an OA
program were communication, flexibility, transparency with
data, experienced personnel, and training. Internal and
external communication, flexibility involving innovation,
contractors creating transparent database collection
systems, and having the personnel be risk management
subject matter experts are all factors for success. While
training was helpful, it could have been better with a team
like the one established for HHS ESPS.
In addition, when comparing DHSs best practices to
NASAs lessons learned, it is important to highlight having
an RMF and ISCM process as well as CIO buy-in.
DHS had OA, an RMF, an ISCM strategy, and a robust
CDM Program, augmented by ISSO testing of controls
and validation by the Information System Security
Manager. When an organization has all four, senior
leadership has an on-demand high-level view of the
organizations cybersecurity posture and each systems
contribution to it. Also, since the CIO leads the ISCM
program, it is most important that he or she is fully
committed to the program and has all the information he
or she requires.
KEY TAKEAWAYS
As presented in this white paper, federal agencies have
moved from static cyber-surveillance based on
compliance checklist exercises conducted once every 3
 years to dynamic, near real-time authorization and
continuous monitoring for risk-based cybersecurity.
With the help of eGlobalTech, the Department of HHS
could get to the state that is as good as or better than
DHSs state so there will be flexible OA and CDM.
With OA, the resilience of the system will mean more than
the date a system received an ATO, and the high-impact
and critical systems will receive greater attention. As
more agencies see this, the OA umbrella will include
more and more systems.
Ideally, OA is a mix of automated tools and manual
processes for analyzing those tools to have near real-time
continuous monitoring. Mr. Livingston says, Too often
people translate near real-time to automation, but there is
also a mature manual process engaged. As we heard
from Megan, theyre reviewing four to five systems two to
three times a week. We will never get to 100%
automation because we need man in the loop to say, This
isnt trending the right way. These tools arent making
sense. Tools just spit out. Analysis cannot be
automated. Some manual systems and processes will
never go away because people are essential to validating
the data that information systems produce.
He says that they
Analysis cannot be automatedCharles are leveraging
Livingston, CDM and ISCM Program Lead best practices
from USCIS in
terms of establishing the OA program and structure and
helping the environment to mature. Only experience
provides maturity. Having a Capability Maturity Model
Integration (CMMI) work stream helps because the
outcome of a CMMI assessment identifies the level of
maturity of the environment, which is more important than
whether they have automated tools. Tools help, but
human interaction and collaboration is more proactive and
cuts down vulnerability. Continuous monitoring can
translate into continuous improvement. Collaboration
takes time because ISSOs, groups, and support teams
change. Setting up processes like checklists, standard
operating processes, and concepts of operation helps with
stability throughout transitions.
eGlobalTech (eGT) resources have the knowledge that
provides insight into best practices. Not many
organizations have four years of hands-on experience with
a highly effective and mature OA program or as much
exposure. eGT can reach out to their employees with OA
program experience and have access to lessons learned
from DHS and FEMA as well.
It makes a difference to work with a company that has a
strong understanding of the RMF and experience
implementing successful ISCM and OA programs. eGT
welcomes the opportunity to work with HHS on gradually
moving toward an OA model.
ABOUT EGLOBALTECH
eGT is a woman-owned management consulting and IT
solutions firm based in Arlington, Virginia with additional
offices in Alexandria, Virginia and Baltimore, Maryland.
eGT supports multiple federal customers including the
Departments of HHS, Homeland Security, State,
Education, Labor, Energy, the General Services
Administration, and Defense. For more information,
please visit http://www.eglobaltech.com.
RESOURCES
1. Dempsey, Kelley, Nirali Shah Chawla, Arnold Johnson,
Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, and
Kevin Stine. 2011. ISCM for Federal Information Systems
and Organizations. Special Publication 800-137.
Gaithersburg, MD, September.
2. Dempsey, Kelley, Ron Ross, and Kevin Stine.
Supplemental Guidance on OA. PDF. Gaithersburg, MD:
NIST, June 2014.
3. H.R. 1232, 113th Cong. (2014) (enacted).
4. Joint Task Force Transformation Initiative. 2010. Guide for
Applying the Risk Management Framework to Federal
Information Systems. Special Publication 800-37.
Gaithersburg, MD, February.
5. Livingston, Charles, Silvia Ruiz, Megan Kane, and Julie
King. "OA Interview. Interview by author. March 7, 2017
and March 9, 2017.
6. Miller, Jason. DHS putting post-FISMA approach to cyber
through a trial run. FederalNewsRadio.com. May 08, 2013.
Accessed February 23, 2017.
http://federalnewsradio.com/technology/2013/05/dhs-
putting-post-fisma-approach-to-cyber-through-a-trial-run/.
7. --. House approves FISMA modernization bill, two other
cyber bills. FederalNewsRadio.com. April 17, 2013.
Accessed February 23, 2017.
http://federalnewsradio.com/congress/2013/04/house-
approves-fisma-modernization-bill-two-other-cyber-bills/.
8. --. NASAs act of desperation demonstrates continued
cyber deficiencies. FederalNewsRadio.com. August 24,
2016. Accessed February 24, 2017.
http://federalnewsradio.com/reporters-notebook-jason-
miller/2016/08/nasas-act-desperation-demonstrates-
continued-cyber-deficiencies/.
9. Ross, Ron, Stu Katze, Arnold Johnson, Marianne Swanson,
Gary Stoneburner, and George Rogers. 2007.
Recommended Security Controls for Federal Information
Systems. Special Publication 800-53, Revision 2.
Gaithersburg, MD: NIST, December.