zhongwei/gh-tachyon-beep-skillpacks-plugins-ordis-security-architect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-tachyon-beep-skillpacks-…/skills/using-security-architect/security-authorization-and-accreditation.md
Zhongwei Li 4fad9f51e1 Initial commit
2025-11-30 08:59:46 +08:00

758 lines
24 KiB
Markdown
Raw Permalink Blame History

# Security Authorization and Accreditation
## Overview
Navigate government/defense security authorization processes. Core principle: **Authorization is risk acceptance by an official with authority**.
**Key insight**: ATO is not a checklist - it's formal risk acceptance documentation enabling informed decision-making by leadership.
## When to Use
Load this skill when:
- Deploying systems for government/defense
- Preparing for ATO (Authority to Operate)
- Connecting to classified networks
- Formal security testing and evaluation
**Symptoms you need this**:
- "How do I get ATO for production?"
- Government/defense contracts requiring authorization
- "What is an SSP/SAR/POA&M?"
- Preparing for security assessment
**Don't use for**:
- Commercial compliance (use `ordis/security-architect/compliance-awareness-and-mapping`)
- General security (use `ordis/security-architect/security-controls-design`)
## The Authorization Process
### Core Concept: Risk Management Framework (RMF)
**RMF** (NIST SP 800-37) has 7 steps:
```
1. PREPARE → 2. CATEGORIZE → 3. SELECT → 4. IMPLEMENT → 5. ASSESS → 6. AUTHORIZE → 7. MONITOR
↓ ↓ ↓ ↓ ↓ ↓ ↓
Planning Impact Level Controls Build System Test Get ATO Ongoing Ops
```
### Step 1: PREPARE (Pre-Authorization)
**Activities**:
- Define authorization boundary (what's in scope?)
- Identify Authorizing Official (AO) - person with authority to accept risk
- Assemble authorization team (ISSM, ISSO, assessors)
- Review organizational risk tolerance
**Deliverable**: Authorization strategy and team assigned
### Step 2: CATEGORIZE (Impact Analysis)
**Activities**:
- Security categorization using FIPS 199
- Determine impact level: Low, Moderate, or High
- Based on Confidentiality, Integrity, Availability (CIA)
**Impact Levels**:
```
Low: Limited adverse effect
Moderate: Serious adverse effect
High: Severe or catastrophic adverse effect
```
**Example**:
```
System: Healthcare Records Database
Confidentiality: HIGH (patient privacy breach = severe impact)
Integrity: HIGH (incorrect medical records = life-threatening)
Availability: MODERATE (temporary outage = serious but not life-threatening)
Overall System Impact: HIGH (highest of C/I/A)
```
**Deliverable**: Security categorization document
### Step 3: SELECT (Control Selection)
**Activities**:
- Select control baseline (NIST SP 800-53)
- Low baseline → 125 controls
- Moderate baseline → 325 controls
- High baseline → 421 controls
- Tailor controls (add/remove based on organizational needs)
**Control Families**:
- AC (Access Control)
- AT (Awareness and Training)
- AU (Audit and Accountability)
- CA (Assessment, Authorization, and Monitoring)
- CM (Configuration Management)
- CP (Contingency Planning)
- IA (Identification and Authentication)
- IR (Incident Response)
- MA (Maintenance)
- MP (Media Protection)
- PE (Physical and Environmental Protection)
- PL (Planning)
- PS (Personnel Security)
- RA (Risk Assessment)
- SA (System and Services Acquisition)
- SC (System and Communications Protection)
- SI (System and Information Integrity)
**Deliverable**: Control baseline with tailoring decisions
### Step 4: IMPLEMENT (Build System with Controls)
**Activities**:
- Implement selected security controls
- Document implementation in SSP (System Security Plan)
- Common control inheritance (use organization-wide controls)
**Example Control Implementation**:
```
Control: AC-2 (Account Management)
Implementation:
- All accounts created via ServiceNow ticket
- Manager approval required
- Accounts disabled after 30 days inactivity
- Monthly access reviews by data owners
- Evidence: ServiceNow workflow, access review reports
```
**Deliverable**: Implemented system with documented controls (SSP)
### Step 5: ASSESS (Security Assessment)
**Activities**:
- Independent assessment by certified assessor
- Test controls (interviews, configuration review, penetration testing)
- Document findings in SAR (Security Assessment Report)
- Classify findings by severity (Critical/High/Medium/Low)
**Assessment Methods**:
- **Examine**: Review documentation, configurations, logs
- **Interview**: Question staff about procedures
- **Test**: Execute tests (penetration test, scan, functional test)
**Deliverable**: SAR (Security Assessment Report) with findings
### Step 6: AUTHORIZE (Risk Acceptance)
**Activities**:
- Remediate or accept findings
- Create POA&M (Plan of Action & Milestones) for residual risks
- Authorizing Official reviews SSP + SAR + POA&M
- AO makes risk acceptance decision
- Issue ATO (Authority to Operate) or denial
**ATO Types**:
- **Full ATO**: System fully compliant, authorized for 3 years
- **Interim ATO (IATO)**: Temporary authorization (6-12 months) with conditions
- **Denial**: System does not meet minimum security requirements
**Deliverable**: ATO Letter from Authorizing Official
### Step 7: MONITOR (Continuous Monitoring)
**Activities**:
- Ongoing assessment of controls
- Change impact analysis (new vulnerabilities, configuration changes)
- Update POA&M as risks remediated
- Annual re-assessment or earlier if major changes
- Trigger re-authorization when needed
**Deliverable**: Continuous monitoring reports, updated POA&M
## Key Documents
### 1. SSP (System Security Plan)
**Purpose**: Comprehensive description of the system and its security controls.
**Contents**:
```markdown
# System Security Plan (SSP)
## 1. System Identification
- System name, acronym, unique identifier
- System owner, ISSO, ISSM contact info
- Authorization boundary (what's included/excluded)
## 2. System Categorization
- FIPS 199 categorization (Low/Moderate/High)
- CIA impact levels with justification
- Overall system impact level
## 3. System Description
- System purpose and functionality
- Users and use cases
- Data types processed (PII, classified, etc.)
- System architecture diagram
- Network diagram with trust boundaries
- Technology stack (OS, database, languages)
## 4. Authorization Boundary
- Components within boundary (servers, databases, networks)
- External connections (APIs, data feeds)
- Interconnection agreements for external systems
## 5. Security Control Implementation
For EACH control in baseline:
### AC-2: Account Management
**Control Requirement**: Organization manages information system accounts
**Implementation**:
- ServiceNow ticketing system for account requests
- Manager approval required via workflow
- Automated 30-day inactivity disablement
- Monthly access reviews by data owners
**Responsible Role**: System Administrator
**Assessment Procedure**:
- Interview: Ask sysadmins about account creation process
- Examine: Review ServiceNow tickets, approval records
- Test: Attempt to create account without approval (should fail)
**Evidence Location**:
- ServiceNow workflow documentation: /docs/account-mgmt.pdf
- Sample access review: /evidence/access-review-2025-01.xlsx
(Repeat for all ~125-421 controls depending on baseline)
## 6. Related Documents
- Contingency Plan (CP)
- Incident Response Plan (IRP)
- Configuration Management Plan (CMP)
- Continuous Monitoring Plan
## 7. Approval Signatures
- System Owner: [Signature] [Date]
- ISSO: [Signature] [Date]
- ISSM: [Signature] [Date]
```
**Typical Length**: 200-500 pages for HIGH system
### 2. SAR (Security Assessment Report)
**Purpose**: Independent assessment results documenting control effectiveness.
**Contents**:
```markdown
# Security Assessment Report (SAR)
## Executive Summary
- System assessed: [Name]
- Assessment dates: [Start] to [End]
- Assessor: [Name, Credentials]
- Overall assessment: [Pass with findings / Conditional / Fail]
- Critical findings: [Count]
- High findings: [Count]
- Recommendations: [Summary]
## Assessment Scope
- Controls assessed: [List control families or specific controls]
- Assessment methods: Examine, Interview, Test
- Limitations: [Any scope exclusions or constraints]
## Assessment Results by Control
### AC-2: Account Management
**Assessment Procedures**:
1. Interview: System administrators (2025-03-15)
2. Examine: ServiceNow workflow, access review reports
3. Test: Attempted unauthorized account creation
**Finding AC-2-001: MEDIUM**
**Status**: OPEN
**Description**: Access reviews conducted monthly but no evidence of remediation for identified excessive privileges. 3 accounts with admin access had not logged in for 6 months but remain enabled.
**Risk**: Dormant privileged accounts increase attack surface.
**Recommendation**: Implement automated disablement of inactive admin accounts within 30 days. Conduct immediate review of all privileged accounts.
**AO Response**: Accepted. Remediation planned in POA&M item #5.
**Overall Control Result**: PARTIALLY SATISFIED (findings require remediation)
(Repeat for all assessed controls)
## Findings Summary
| Finding ID | Control | Severity | Status | Remediation Due |
|------------|---------|----------|--------|-----------------|
| AC-2-001 | AC-2 | Medium | Open | 2025-06-01 |
| IA-5-001 | IA-5 | High | Open | 2025-04-15 |
| SC-7-001 | SC-7 | Low | Open | 2025-08-01 |
## Assessor Recommendation
Recommend INTERIM ATO for 6 months conditional on remediation of HIGH findings within 30 days. Re-assessment required before full ATO.
**Assessor Signature**: [Name] [Date]
```
**Typical Length**: 100-300 pages
### 3. POA&M (Plan of Action & Milestones)
**Purpose**: Track remediation of security weaknesses and residual risks.
**Contents**:
```markdown
# Plan of Action & Milestones (POA&M)
## POA&M Item #1
**Finding ID**: IA-5-001 (from SAR)
**Control**: IA-5 (Authenticator Management)
**Weakness**: Password policy allows 8-character passwords; NIST recommends minimum 12 characters.
**Risk Level**: HIGH
**Risk Description**: Weak passwords vulnerable to brute-force attacks. Estimated 15% of user accounts have 8-character passwords.
**Milestones**:
- [ ] Milestone 1: Update password policy to require 12 characters (2025-04-01) - System Admin
- [ ] Milestone 2: Force password reset for all 8-char passwords (2025-04-15) - System Admin
- [ ] Milestone 3: Verify 100% compliance via audit query (2025-04-20) - ISSO
- [ ] Milestone 4: Provide evidence to assessor (2025-04-25) - ISSO
**Resources Required**: 40 hours engineering time, communication campaign for users
**Status**: IN PROGRESS (Milestone 1 complete, Milestone 2 in progress)
**Scheduled Completion**: 2025-04-25
**Actual Completion**: [TBD]
## POA&M Item #2
**Finding ID**: AC-2-001 (from SAR)
**Control**: AC-2 (Account Management)
**Weakness**: Dormant privileged accounts not automatically disabled.
**Risk Level**: MEDIUM
**Milestones**:
- [ ] Implement automated script to disable admin accounts after 30 days inactivity (2025-05-01)
- [ ] Immediate review and disable of current dormant admin accounts (2025-04-10)
- [ ] Monthly verification report to ISSO (ongoing)
**Scheduled Completion**: 2025-05-01
## POA&M Item #3 (Risk Acceptance)
**Finding ID**: SC-8-001
**Control**: SC-8 (Transmission Confidentiality)
**Weakness**: Legacy internal API uses HTTP (not HTTPS) for non-sensitive configuration data.
**Risk Level**: LOW
**Recommendation**: Migrate to HTTPS
**AO Decision**: RISK ACCEPTED
**Justification**:
- API only accessible on isolated management network (not exposed to internet)
- Data transmitted is non-sensitive system configuration (no PII, credentials, or classified data)
- Migration to HTTPS requires vendor upgrade (cost: $50k, timeline: 12 months)
- Risk mitigated by network segmentation
**Acceptance Date**: 2025-03-20
**Acceptance Authority**: Authorizing Official [Name]
**Re-evaluation Date**: 2026-03-20 (annual review)
**POA&M Metrics**:
- Total items: 15
- Critical: 0
- High: 1 (in progress)
- Medium: 8 (6 in progress, 2 accepted risk)
- Low: 6 (4 in progress, 2 accepted risk)
```
**Updates**: Monthly or when milestone completed
### 4. ATO Letter (Authority to Operate)
**Purpose**: Formal authorization from Authorizing Official.
**Contents**:
```markdown
MEMORANDUM FOR: System Owner, [Name]
SUBJECT: Authority to Operate (ATO) for [System Name]
1. AUTHORIZATION DECISION
After careful review of the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M), I hereby grant an INTERIM AUTHORITY TO OPERATE for [System Name] for a period of SIX (6) MONTHS, effective [Start Date] to [End Date].
2. AUTHORIZATION BOUNDARY
This authorization covers the system as described in SSP version 2.1, including:
- Application servers (5x EC2 instances)
- PostgreSQL database cluster (2 nodes)
- AWS resources within VPC vpc-abc123
- Users: 500 internal staff with SECRET clearance
3. CONDITIONS OF AUTHORIZATION
This interim ATO is granted subject to the following conditions:
a) HIGH-severity finding IA-5-001 (password policy weakness) must be remediated within 30 days (by 2025-04-25). Failure to remediate will result in suspension of ATO.
b) All MEDIUM-severity findings must be remediated or risk-accepted within 90 days (by 2025-07-01).
c) Monthly POA&M status reports submitted to ISSM.
d) No major changes to system without prior authorization (change impact analysis required).
e) Full security re-assessment required at end of 6-month period for consideration of full 3-year ATO.
4. RESIDUAL RISKS ACCEPTED
I accept the following residual risks as documented in POA&M:
- SC-8-001 (LOW): HTTP on internal API (mitigated by network segmentation)
5. CONTINUOUS MONITORING
System owner must maintain continuous monitoring program including:
- Weekly vulnerability scans
- Monthly access reviews
- Quarterly control spot-checks
- Annual contingency plan testing
6. AUTHORIZATION TERMINATION
This authorization may be suspended or revoked if:
- Conditions of authorization not met
- New vulnerabilities with HIGH or CRITICAL severity discovered
- Significant security incident occurs
- Major system changes without authorization
Authorizing Official: [Signature]
[Name], [Title]
[Date]
```
## Authorization Types
### ATO (Authority to Operate)
**Full ATO**:
- Duration: 3 years (typically)
- Conditions: All HIGH/CRITICAL findings remediated or risk-accepted
- Re-authorization: Every 3 years or upon major change
**Interim ATO (IATO)**:
- Duration: 6-12 months
- Conditions: HIGH findings have remediation plan, progress tracked
- Purpose: Allow operation while remediating non-critical issues
- Requires full assessment at expiration
**Denial**:
- System does not meet minimum security requirements
- CRITICAL/HIGH findings with unacceptable risk
- Must remediate before re-submission
### AIS (Authorization to Interconnect)
**Purpose**: Authorization to connect two systems across trust boundaries.
**When needed**:
- Connecting to external networks
- Connecting systems at different classification levels
- Sharing data between organizations
**Requirements**:
- Both systems have current ATO
- Interconnection Security Agreement (ISA)
- Boundary protection documented
- Data flow diagrams
- Security controls at boundary (firewall, data diode, etc.)
**ISA Contents**:
```markdown
# Interconnection Security Agreement (ISA)
## Systems
- System A: [Name], ATO valid until [Date]
- System B: [Name], ATO valid until [Date]
## Data Flows
- Direction: System A → System B
- Data type: Transaction records (OFFICIAL classification)
- Frequency: Real-time API calls
- Volume: 10,000 records/day
## Boundary Protection
- Firewall: Palo Alto PA-5000 at boundary
- Allowed traffic: HTTPS port 443 only, source IP whitelisted
- Data validation: System B validates all incoming data
- Encryption: TLS 1.3 with mutual authentication
## Security Controls
- AC-4: Information flow enforcement (firewall rules)
- SC-7: Boundary protection (dedicated firewall)
- SC-8: Transmission confidentiality (TLS 1.3)
## Roles and Responsibilities
- System A ISSO: Monitor outbound connections, alert on anomalies
- System B ISSO: Validate incoming data, monitor for security events
- Network team: Maintain firewall, apply security patches
## Incident Response
- Security incident on either system triggers review of interconnection
- Contact: [System A ISSO], [System B ISSO]
## Review and Re-authorization
- Annual review of ISA
- Re-authorization required if either system ATO expires or major changes
**Approvals**:
- System A AO: [Signature] [Date]
- System B AO: [Signature] [Date]
```
### T&E (Test & Evaluation)
**Purpose**: Independent security testing before authorization.
**Testing Types**:
#### 1. Vulnerability Assessment
```bash
# Authenticated vulnerability scan
nessus scan --authenticated --target 10.0.1.0/24 \
--policy "Government High Baseline" \
--output vuln-report.pdf
# Results:
# Critical: 0
# High: 2 (outdated SSL certificates, missing patches)
# Medium: 15
# Low: 43
```
#### 2. Penetration Testing
```markdown
# Penetration Test Report
## Scope
- External penetration test (internet-facing)
- Internal penetration test (insider threat simulation)
- Duration: 2 weeks
## Rules of Engagement
- No DoS attacks
- No social engineering of executives
- Data exfiltration limited to test accounts
## Findings
### FINDING PT-001: HIGH
**Vulnerability**: SQL injection in /api/users endpoint
**Exploit**: Extracted 10 test user records via injection
**Impact**: Attacker could exfiltrate entire user database
**Recommendation**: Implement parameterized queries, input validation
**Remediation**: Developer committed fix (commit abc123), deployed 2025-03-20
**Verification**: Re-tested 2025-03-22, vulnerability no longer exploitable
## Summary
- High findings: 1 (remediated)
- Medium findings: 3 (2 remediated, 1 in POA&M)
- Low findings: 8 (accepted risk)
```
#### 3. Functional Security Testing
```markdown
# Functional Security Test: Access Control
## Test Case TC-AC-001: Unauthorized Access Attempt
**Objective**: Verify user cannot access resources without authorization
**Procedure**:
1. Login as user@example.com (no admin privileges)
2. Attempt to access /admin/users endpoint
3. Expected result: 403 Forbidden
**Actual Result**: 403 Forbidden ✅
**Status**: PASS
## Test Case TC-AC-002: Privilege Escalation
**Objective**: Verify user cannot elevate own privileges
**Procedure**:
1. Login as user@example.com
2. Attempt to modify own role via API: PUT /api/users/me {"role": "admin"}
3. Expected result: 403 Forbidden
**Actual Result**: 200 OK, role changed to admin ❌
**Status**: FAIL - CRITICAL
**Remediation Required**: Implement server-side role validation, users cannot modify own roles
```
**T&E Report**: Submitted to assessor as input to SAR.
## Continuous Monitoring
**Purpose**: Ongoing assurance that controls remain effective.
### Monitoring Activities
#### 1. Automated Scanning
```bash
# Weekly vulnerability scan
cron: 0 2 * * 1 /opt/nessus/scan.sh
# Monthly configuration compliance check
cron: 0 3 1 * * /opt/scap/compliance-check.sh
```
#### 2. Access Reviews
```markdown
# Monthly Access Review
## Review Date: 2025-04-01
## Reviewer: Data Owner (Jane Smith)
| User | Role | Last Login | Action |
|------|------|------------|--------|
| john.doe@example.com | Admin | 2025-03-28 | ✅ Retain |
| alice.smith@example.com | User | 2025-03-25 | ✅ Retain |
| bob.jones@example.com | Admin | 2024-12-15 | ❌ Remove (dormant 4 months) |
**Actions Taken**:
- Disabled bob.jones@example.com on 2025-04-02
- Notified ISSO of access review completion
```
#### 3. Change Impact Analysis
```markdown
# Change Impact Analysis: Database Upgrade
## Change Description
Upgrade PostgreSQL from 13.2 to 13.10 (security patches)
## Security Impact Assessment
- Controls affected: SC-28 (Protection of information at rest - encryption still enabled)
- New vulnerabilities: CVE-2024-XXXX patched in 13.10
- Configuration changes: None (encryption settings preserved)
## Authorization Impact
- Change Type: Minor (security patch)
- ATO Impact: None (no re-authorization required per continuous monitoring plan)
- ISSO Notification: Required (notified 2025-03-15)
## Testing
- Tested in dev environment: 2025-03-10 (PASS)
- Contingency plan: Snapshot before upgrade, 4-hour rollback window
## Approval
- ISSO: Approved (2025-03-16)
- System Owner: Approved (2025-03-17)
- Deployed: 2025-03-20
```
#### 4. Trigger Events for Re-Authorization
**Major change** (requires re-authorization before implementation):
- New system interconnection
- Change in classification level
- Major architectural change (e.g., move to cloud)
- Change in data types processed (e.g., add PII)
**Minor change** (notify ISSO, may not require re-authorization):
- Security patches
- Configuration hardening
- Adding users
## Quick Reference: Authorization Timeline
```
Month 1-2: PREPARE + CATEGORIZE + SELECT
- Define boundary, assemble team
- Determine impact level (Low/Moderate/High)
- Select control baseline (125-421 controls)
Month 3-6: IMPLEMENT
- Build system with security controls
- Write SSP (200-500 pages)
- Prepare evidence
Month 7-8: ASSESS
- Independent security assessment
- Penetration testing
- SAR with findings
Month 9: AUTHORIZE
- Remediate HIGH/CRITICAL findings
- Create POA&M for residual risks
- AO reviews package
- ATO issued (or IATO or Denial)
Ongoing: MONITOR
- Weekly scans
- Monthly access reviews
- Quarterly spot-checks
- Annual re-assessment or every 3 years
```
**Typical timeline**: 9-12 months for HIGH system, 6-9 months for MODERATE, 3-6 months for LOW.
## Common Mistakes
### ❌ Treating ATO as Checklist
**Wrong**: "We have all controls implemented, give us ATO"
**Right**: ATO is risk acceptance decision. Document residual risks, let AO decide.
**Why**: AO accepts risk on behalf of organization. Your job is to inform that decision, not make it.
### ❌ Starting SSP After Implementation
**Wrong**: Build system, then write SSP to document what exists
**Right**: Write SSP during design/implementation, update as you build
**Why**: SSP informs design decisions. Writing after implementation often reveals missing controls.
### ❌ Ignoring Continuous Monitoring
**Wrong**: Get ATO, assume you're done for 3 years
**Right**: Continuous monitoring is mandatory. Weekly scans, monthly reviews, change impact analysis.
**Why**: ATO can be revoked if controls degrade. Continuous monitoring proves ongoing compliance.
### ❌ No Risk Acceptance for Residual Risks
**Wrong**: Hide findings or claim "we'll fix later"
**Right**: Document in POA&M, explicit risk acceptance by AO for LOW/MEDIUM items
**Why**: Transparency builds trust. AO needs full picture to make informed decision.
### ❌ Vague Control Implementation Descriptions
**Wrong**: "AC-2: We manage accounts properly"
**Right**: "AC-2: ServiceNow ticket → manager approval → automated creation → 30-day inactivity disablement → monthly review. Evidence: /docs/account-mgmt.pdf"
**Why**: Assessor cannot verify vague descriptions. Specific implementation enables assessment.
## Cross-References
**Use WITH this skill**:
- `ordis/security-architect/security-controls-design` - Implement controls for SSP
- `ordis/security-architect/threat-modeling` - Inform security categorization
- `muna/technical-writer/operational-acceptance-documentation` - Write SSP/SAR/POA&M
**Use AFTER this skill**:
- `ordis/security-architect/classified-systems-security` - If system handles classified data
## Real-World Impact
**Systems using formal authorization processes**:
- **DoD Cloud Migration**: RMF process revealed 47 missing controls before migration. Remediated during IMPLEMENT phase (vs discovering at ASSESS). Achieved ATO in 9 months vs industry avg 14 months.
- **Healthcare System (Moderate)**: POA&M transparency with 12 accepted LOW risks enabled IATO while remediating MEDIUM findings. System operational 6 months earlier than "wait for perfect" approach.
- **Continuous Monitoring**: Weekly scans detected CVE-2024-XXXX within 48 hours of disclosure. Change impact analysis approved emergency patch in 24 hours (vs 3-week change control for non-monitored systems).
**Key lesson**: **Formal authorization process enables informed risk decisions by leadership. SSP+SAR+POA&M transparency beats "security by checklist" or "security by obscurity".**
Reference in New Issue View Git Blame Copy Permalink