Authorization to Operate: Preparing Your Agency’s Information System

Posted by Laura Stanton
on October 30, 2020

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data, and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

[Figure: RMF graphic with full step definitions, the "Authorize" step highlighted]
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package contains the key documents, including the security plan, the security assessment report, and the POA&M.

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls is tested annually, periodic vulnerability scanning is performed, and a security impact analysis of changes is performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can be mitigated at the time they occur.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.


Cybersecurity Best Practices During the COVID-19 Pandemic

Posted by Bill Zielinski
on June 2, 2020

The unprecedented and extraordinary efforts by businesses and Federal agencies to keep employees and customers safe during the COVID-19 pandemic have also inadvertently opened the door to cyberattacks.

Large-scale transitions to work-from-home technologies, heightened activity on many public-facing networks, and greater use of online services have presented new openings for cyber attackers to exploit. As people around the world shelter in place, they turn to online platforms to chat with friends, shop, work, and go to school. That transition to virtual life puts a large strain on cybersecurity controls.

Federal agencies face new daily challenges in assuring the security of networks. In the midst of the current global pandemic that imperative is even greater — they must protect their institutions while ensuring that daily tasks go on uninterrupted. The Office of Management and Budget (OMB) recommends that agencies “make risk-based decisions as appropriate to meet mission needs” during the COVID-19 pandemic.

It is important now for agency leaders to focus on supporting technologies and capabilities that are absolutely essential to their organizations’ operations. Priority actions — and relevant technologies — may include testing already existing security plans, continuously monitoring security systems, and maintaining access security. GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides Federal agencies with rapid access to cybersecurity vendors who can assist with the following priority actions and more.

Best practices

Testing and having incident response plans in place are helpful for any agency. If an agency has plans such as incident response, disaster recovery, or continuity, it is important to test those plans and assess any risks as soon as possible. GSA’s HACS SIN provides rapid access to vendors evaluated for incident response services.

Chief Information Security Officers (CISOs) should continue to monitor their systems closely in order to identify cybersecurity events and incidents as soon as they may appear. Focus areas include monitoring networks for new strains of malware, monitoring collaboration tools such as Google Drive or Dropbox, and monitoring personnel activity. CISOs can also monitor their systems by using Intrusion Detection Systems or their preferred live network monitoring software. The HACS SIN is an efficient way to access these capabilities.

Access management in a remote work environment is another essential focus area during the COVID-19 pandemic. Though cybersecurity is essential, so is the physical safety of the American people. Agencies are encouraging teleworking whenever possible to adhere to the Government’s social distancing guidelines, and cybersecurity experts are needed to help make telework safe and secure for employees.

With many — if not all — of an agency’s employees working from home, click-through rates for phishing emails may increase when employees no longer work closely enough with coworkers to ask them in person about suspicious activity. Remote work can also require agencies to enable offsite access to critical and/or confidential information, which can increase the risk of a cyber attack. Employees can mitigate this risk by adhering to their agency’s access control policy and utilizing secure connections (such as Two-Factor Authentication (2FA) and/or VPN) when accessing Government networks containing sensitive information.

The COVID-19 pandemic is first and foremost a human challenge, with heads of agencies and employees all juggling professional duties with personal and family responsibilities. The risk of cyberattacks will be elevated, but by focusing now on cyber activities — testing response plans, monitoring security systems, and maintaining personnel security — agencies can successfully maintain their security.

GSA is here to help connect Federal agencies with vendors that provide necessary cybersecurity services during this time through the HACS SIN solution. For more information, visit the HACS Homepage. To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.


Protecting State and Local Election Systems and Strengthening Cyber Defenses

Posted by Kay Ely
on September 12, 2018

By Kay Ely, Assistant Commissioner, Office of Information Technology Category

Preventing infiltration and tampering of elections systems and fortifying cyber defenses continue to be important topics.

Through our established IT contract vehicles, GSA can provide government agencies with access to cybersecurity products and services to improve resilience, protect important information, and bring election systems into compliance with leading-edge practices for enhancing security in today’s tech-savvy environment.

Cooperative Purchasing Program

GSA’s Cooperative Purchasing Program allows state, local, and tribal governments to benefit from access to solutions, products, and services from pre-vetted industry partners through IT Schedule 70 — the same as those offered to federal agencies.

That means these government agencies can buy the newest cybersecurity offerings under the Highly Adaptive Cybersecurity Services (HACS) and Continuous Diagnostics and Mitigation (CDM) Special Item Numbers (SINs), which can help with risk assessments and management of election systems.

Cyber Products and Services

Services offered by our HACS partners:

  • Risk and Vulnerability Assessment (RVA) services that adhere to the Department of Homeland Security’s (DHS) methodology for assessing High Value Assets
  • Penetration Testing to proactively identify and detect cyber vulnerabilities
  • Cyber Hunt to mitigate immediate and potential threats
  • Incident Response to expand government’s ability to recover from cyber attacks

Government agencies can also buy cybersecurity tools that are on DHS’s CDM Approved Product List through the CDM Tools SIN. These offer hardware and software tools designed to:

  • Identify enterprise cybersecurity risks on an ongoing basis
  • Prioritize these risks based upon potential impacts
  • Enable cybersecurity personnel to mitigate the most significant problems first

Here at GSA, we are committed to providing the best quality products and services to our state, local, and tribal government customers and we’re ready to help you secure our nation’s systems.

For more information on the HACS and CDM Tools SINs, visit https://gsa.gov/itsecurity, or contact the IT Security Subcategory Team at itsecuritycm@gsa.gov.


The Next Phase for HACS (Cyber) — Modernization

Posted by Kay Ely
on May 29, 2018

By Kay Ely, Assistant Commissioner, Office of Information Technology Category

Cybersecurity incidents and ongoing emerging threats to our data, networks, and systems over the last few years have significantly changed how we approach cybersecurity. GSA remains committed to ensuring the government’s long-term security, responsiveness, and efficiency when it comes to monitoring and protecting our valuable digital assets and IT systems.

We’re always proactively focusing on the products, services, and vehicles needed to help carry out agency missions. We’re also sharpening our focus on cyber acquisition solutions, so security is integrated into the system acquisition process. This means that we’re constantly evaluating and improving our solutions.

With this in mind, our Highly Adaptive Cybersecurity Services (HACS) program is entering its next phase: HACS Modernization.

Today’s HACS Portfolio on IT Schedule 70 consists of four Special Item Numbers (SINs):

  • Cyber Hunt
  • Incident Response
  • Penetration Testing
  • Risk and Vulnerability Assessment

Feedback from the expert providers in the cybersecurity services market can help us further enhance our current array of HACS offerings. Enhancements to GSA’s cybersecurity acquisition solutions will not only help us drive more use by agencies but will also lead to improved outcomes and safer IT systems for federal, state, local, tribal, and territorial governments.

To that end, our team is working to make it easier for industry to provide feedback through two RFIs and a stakeholder event in June.

HACS Modernization Requests for Information (RFI)

To determine the best course of action, we released two HACS Modernization Requests for Information (RFI) on May 22, 2018, one for agencies and the other for industry partners. We encourage our current HACS suppliers and agency partners to participate in those RFIs. We particularly want feedback from those agencies that have not yet used the HACS SINs.

The RFIs are open until June 23, 2018 at 5 p.m. EDT.

June 18 Stakeholder Event

We’re also hosting a HACS Stakeholder Event on Monday, June 18, 2018, from 9 a.m. to 1 p.m. EDT at GSA headquarters to discuss the HACS program’s past, present, and future.

We welcome both in-person and virtual attendees. We’ll be featuring guest speakers from the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), GSA’s Office of IT Category, and GSA’s Office of Small Business Utilization (OSBU).

Let’s Work Together

We want to hear what you think about the cybersecurity landscape and how effective you think GSA’s current services are now, where we can improve them for the future, and the best ways to enhance our delivery to agencies.

Please respond to the relevant RFIs and attend our Stakeholder Event. Together we can enhance our HACS program and deliver a total package that helps agencies securely accomplish their mission.
