What Is Assessment And Authorization (A&A) — And How Can I Manage It?

There are always associated risks when federal government agencies undergo modernization. Information security risk is one of those, making continuous monitoring of information systems and risk mitigation crucial for federal government agencies and the contractors working for them.

Through Assessment and Authorization (A&A), federal agency stakeholders can get the protection they need to keep a robust security posture.

Assessment and Authorization “is a comprehensive assessment and/or evaluation of an information system policies, technical / non-technical security components, documentation, supplemental safeguards, policies, and vulnerabilities,” as per the US Department of Interior (DOI). The DOI itself determines the authorization methodology and administers the process.

The purpose of A&A is to analyze whether or not a specific design and implementation meet internal security requirements and other relevant external guidelines and mandates.

Before the assessment and authorization, the agency will have its information security documentation analyzed by the DOI Office of the Chief Information Officer (OCIO). The usual documents to review include the Documented Risk Assessment, Contingency/Disaster Recovery (CP/DR) Plan, and System Security Categorization Federal Information Processing Standards (FIPS) 199.

This phase is crucial for ensuring that the company’s chief information security officer (CISO) and the Authorizing Official (AO) have a common understanding of and agree on the terms of the agency’s System Security Plan (SSP).

Federal Information Security Modernization Act (FISMA) requires federal agencies to “create, document, and execute agency-wide programs that provide information security for their systems as well as for those provided or managed by a third party.” In doing so, they need to observe the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Special Publication 800-37 as the standard for the A&A process.

As per NIST 800-37, the agency must implement the authorization process before the implementation/production of the contract and must reassess it five years later.

The NIST RMF provides a flexible, holistic, and repeatable 7-step process that federal agencies must follow:

Based on our years of experience helping federal agencies conduct A&A, dealing with manual and labor-intensive processes is one of the main challenges organizations usually face when applying for an ATO.

Our client at the Navy’s future Naval Networking Environment (NNE), for one, had to contend with their A&A process that was highly manual and labor-intensive, involving multiple sources of data spread across many source systems.

Just to give you an idea of how complex the problem was, the agency operates one of the largest-combined networks in the world. They provide secure end-to-end IT services to over 400,000 hardware devices and 800,000 users at over 1,600 Continental United States (CONUS) sites and end-to-end IT services to nearly 30,000 hardware devices and 45,000+ users across 82 other locations. It is also interoperable with and leverages other DoD’s net-centric enterprise services.

Due to these complexities and a lack of a means to automate the entire A&A process, the agency had to designate more people for this task, spend more time and other resources to accomplish A&A, and manually deal with costly errors.

Automation is key to managing the A&A process more effectively. According to Gartner, government agencies worldwide are expanding their use of automation or RPA solutions. They use automation to offload mundane manual tasks, remove errors, reduce processing times, and focus on activities of higher value.

Combining our cybersecurity, intelligent automation, and agile competencies, we at Alpha Omega Integration (AOI) can help your agency take advantage of automation to manage your A&A process more effectively. Just like what we did for our client at the Navy’s future Naval Networking Environment.

Leveraging our A2O™ solution, we help our client automate the entire A&A process — from data collection to validation and publishing exceptions and outcomes. The automation is a series of UiPath bots (both individual and aggregate) that augments the information systems engineering team to implement steps 2, 3, and 6 of the RMF process — from data collection to resolving vulnerabilities while taking technical actions to secure network and infrastructure. A2O™ uses the RMF as a guide to discovering the best value for automation in the ATO process.

As a result, the agency reaped various competitive advantages, including the following:

You can reap the same benefits (and more) if you manage your A&A using A2O™.

You may download our white paper to read the whole story. Or, shoot us a message to learn about how our A2O™ solution helps federal agencies manage the A&A processes more effectively to stay compliant, reduce costs, and focus on more critical tasks. Let’s talk.