What Is Assessment And Authorization (A&A) — And How Can I Manage It?

November 2, 2023

Modernization always brings risk to federal government agencies, and information security risk is one of the most significant. Continuous monitoring of information systems and ongoing risk mitigation are therefore crucial for federal agencies and for the contractors working on their behalf.

Assessment and Authorization (A&A) is the process through which federal agency stakeholders establish, and then maintain, a robust security posture for the systems they operate.

What Is A&A

Assessment and Authorization “is a comprehensive assessment and/or evaluation of an information system policies, technical / non-technical security components, documentation, supplemental safeguards, policies, and vulnerabilities,” as defined by the US Department of the Interior (DOI). Like other federal agencies, the DOI defines its own authorization methodology and administers the process for its systems.

The purpose of A&A is to determine whether a specific system design and its implementation meet the agency’s internal security requirements as well as the external guidelines and mandates that apply to it.

How Is A&A Carried Out

Before the assessment and authorization begin, the agency’s information security documentation is reviewed. In the DOI process, for example, this review is performed by the DOI Office of the Chief Information Officer (OCIO). The documents typically reviewed include the documented risk assessment, the Contingency Plan / Disaster Recovery (CP/DR) Plan, and the system security categorization performed under Federal Information Processing Standard (FIPS) 199.

This phase is crucial for ensuring that the system owner’s chief information security officer (CISO) and the Authorizing Official (AO) share a common understanding of, and agree on, the contents of the System Security Plan (SSP).

  • Assessment
    In this phase, a security control assessor, acting on behalf of the AO, conducts a comprehensive assessment to confirm that the information security controls are implemented correctly, operating as intended, and producing the desired outcome, and that any remediation is effective. The key artifacts of this phase are the Security Test and Evaluation Plan, the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M), which tracks weaknesses found and the plan for correcting them.
  • Authorization
    Based on the assessment results, the Authorizing Official makes the authorization decision. The agency receives either an Authorization to Operate (ATO), an ATO with conditions, or a denial of ATO.

When Should Agencies Perform A&A

The Federal Information Security Modernization Act (FISMA) requires federal agencies to “create, document, and execute agency-wide programs that provide information security for their systems as well as for those provided or managed by a third party.” In doing so, they follow the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), published as NIST Special Publication 800-37, as the standard for the A&A process.

Under NIST SP 800-37, a system must be authorized before it is placed into operation or production. The authorization is not a one-time event: the AO must reauthorize the system either on a schedule the agency sets (time-driven) or when significant changes to the system or its environment occur (event-driven), and an agency with a mature continuous monitoring program may move to ongoing authorization in place of fixed-interval reauthorization.

The NIST RMF (SP 800-37 Revision 2) provides a flexible, holistic, and repeatable seven-step process: a Prepare step, which readies the organization and the system for the framework, followed by six system-level steps that federal agencies must follow:

  1. Categorize system
  2. Select controls
  3. Implement controls
  4. Assess controls
  5. Authorize system
  6. Monitor controls

What Are The Key Challenges

Based on our years of experience helping federal agencies conduct A&A, manual and labor-intensive processes are one of the main challenges organizations face when applying for an ATO.

Our client at the Navy’s future Naval Networking Environment (NNE), for one, had to contend with an A&A process that was highly manual and labor-intensive, with the required data spread across many source systems.

To give an idea of the scale of the problem, the agency operates one of the largest combined networks in the world. It provides secure end-to-end IT services to over 400,000 hardware devices and 800,000 users at more than 1,600 Continental United States (CONUS) sites, and to nearly 30,000 hardware devices and 45,000+ users across 82 other locations. The network is also interoperable with, and leverages, other DoD net-centric enterprise services.

Because of this complexity, and the lack of any means to automate the A&A process end to end, the agency had to assign more people to the task, spend more time and other resources to complete A&A, and correct costly errors by hand.

How To Manage The A&A Process More Effectively

Automation is key to managing the A&A process more effectively. According to Gartner, government agencies worldwide are expanding their use of automation and robotic process automation (RPA) solutions, using them to offload mundane manual tasks, remove errors, reduce processing times, and focus staff on higher-value activities.

Combining our cybersecurity, intelligent automation, and agile competencies, we at Alpha Omega Integration (AOI) can help your agency use automation to manage its A&A process more effectively, just as we did for our client at the Navy’s future Naval Networking Environment.

Manage A&A with A2O™

Using our A2O™ solution, we helped our client automate the A&A process end to end, from data collection through validation to publishing exceptions and outcomes. The automation is a series of UiPath bots (both individual and aggregate) that augment the information systems engineering team in carrying out steps 2, 3, and 6 of the RMF process (Select, Implement, and Monitor controls), from collecting data to resolving vulnerabilities and taking the technical actions needed to secure the network and infrastructure. A2O™ uses the RMF as a guide to discovering where automation delivers the most value in the ATO process.

As a result, the agency gained several measurable advantages:

  • Time spent on STIG imports and propagation within the RMF process reduced by 90%
  • ISO time required to combine and audit A&A packages reduced by 90%
  • A&A processing and validation defects reduced by 80%
  • A standardized, streamlined A&A process with improved effectiveness

You can reap the same benefits (and more) if you manage your A&A using A2O™.

Download our white paper to read the whole story, or send us a message to learn how our A2O™ solution helps federal agencies manage their A&A processes more effectively: staying compliant, reducing costs, and freeing staff to focus on more critical tasks. Let’s talk.