The inaugural financial audit and impending implementation of the Risk Management Framework (RMF) for Certification and Accreditation (C&A) highlight the criticality of effective IT controls. To that end, a June 2, 2015 joint memo from the Assistant Secretary of the Navy for Research, Development and Acquisition (ASN RD&A), the Assistant Secretary of the Navy for Financial Management and Comptroller, Office of Financial Management (ASN FM&C) FMO, and Deputy Under Secretary of the Navy for Management DUSN (M) titled, "Auditability of Financial Information Technology Systems and Transition to Risk Management Framework" and the CHIPS article from the January-March 2015 edition titled, "Navy IT Systems and Audit Readiness Efforts — The Road to Clean Opinion," highlight the fact that the IT controls tested during the audit and RMF C&A are the same controls issued by National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) but viewed from a slightly different lens.
Therefore, the Department of the Navy will be leveraging current and future C&A processes to ensure the financial audit readiness of the systems that are affected by the financial statement.
From a financial statement perspective, the auditor ultimately renders an independent opinion on whether there is reasonable assurance of a material misstatement in the financial statement, and whether the IT controls can be relied upon to reach that conclusion.
From a Navy RMF C&A perspective, the approving official (AO) ultimately determines if the IT controls in the context of the system's security categorization are within an acceptable level of security risk to operate within the Navy IT environment.
Based on those two different perspectives and applications of the same control set, the DON Chief Information Officer and FMO are jointly producing the Enterprise IT Control Supplemental Guidance to the RMF. System owners that are within the scope of the financial statement audit, as they comply with the RMF in accordance with their authority to operate (ATO) requirement on the Navy network, will also be required to adhere to the Supplemental Guidance for the same IT controls, since the auditor will view them from a different lens than an approving official.
For example, the Access Control (AC-11) Session Lock control for both the cybersecurity requirement and audit requirement states that the system should deny access to a user after 15 minutes of inactivity. But in the Supplemental Guidance, it is also required that the system owner perform a quarterly review to ensure the system configuration has not changed. This is based on industry best practice. An auditor will look for evidence of a quarterly review to ensure that the sessions lock configuration did not change.
In a similar example, the Access Control (AC-12 ) Session Termination control states that after an organizationally defined period, the system should terminate a user's session. For the cybersecurity requirement, the Defense Department and DON do not provide an enterprise defined time period for session termination control. Instead, this determination is authorized by a lower level entity such as the system owner. However, according to the Supplemental Guidance, again based on industry best practice, to ensure that the system control is in compliance with audit requirements, the system should terminate a user's session after 30 minutes of inactivity.
Entity level IT controls supplemental guides to RMF will be completed for all 18 NIST control families in December 2015 and posted on the DON CIO’s website. (ACAC is required for access). System owners that are within the scope of the financial statement audit, and are transitioning to the RMF in accordance with the Navy schedule, will be expected to incorporate these guides as they begin validating controls and collecting evidence as required to obtain an ATO.
The benefit of entity level IT standards stretches beyond providing IT system owners with common templates that help them document their processes. It also ensures that Navy systems are performing to a level that meets audit readiness standards thereby adding significant value to the IT processes that DON program managers and system owners already perform. The importance of safeguarding and securing data is becoming more significant because our adversaries are growing shrewder every day. Since an audit of financial statements is an ongoing process, implementation of IT standards across the enterprise will ensure that the DON’s data integrity is high and its systems are performing to standards that meet both cybersecurity and financial audit requirements via a single robust process.
The road to the Risk Management Framework, even without enterprise IT controls standards, is a challenging one. Likewise, the path to assertion of audit readiness is an uphill climb involving every organizational component, from accountant to Navy validator. Performing these demanding steps only once ensures that in-scope audit systems will meet a financial audit standard. It will assist system owners and program managers in avoiding the requirement to go back and strengthen or change their validation procedures and documentation after they obtain an ATO. In an environment where manpower is shrinking and funds are scarce, the synchronization of business processes is a goal that Navy leadership collectively aims to achieve.