Department of the Navy Chief Information Officer (DON CIO) review and approval is required for continued operation of a network, system, or circuit with the following characteristics:
- Unmitigated category (CAT) I vulnerabilities,
- Very High or High Risk,
- Operating on an Interim Authority to Operate (IATO) greater than 360 days,
- Operating on an Interim Platform IT Risk Approval (IPRA) for more than one year, or
- Operating on an Authority to Operate (ATO) with conditions greater than 360 days.
In FY11, the DON Deputy CIO (Navy) (DDCIO(N)) established the initial High Risk Escalation (HRE) process that the Navy uses to submit such requests to DON CIO. Where high risk findings could not be mitigated or closed, or the system owner needed additional time to analyze them and identify solutions, the program could use the HRE process to request approval to continue operating the system.
The Navy’s High Risk Escalation Advisory Group (HREAG) is the official recommendation body: it reviews every HRE request and submits a recommendation to the DON CIO for decision. The HREAG is composed of designated representatives from the DON CIO, DDCIO(N), the Navy Authorizing Official (NAO), and the Navy Security Control Assessor (SCA). DON CIO makes the final decision based on the HREAG’s authorization recommendation.
In FY15, DON CIO asked the Navy to revise its HRE process to give a clearer picture of operational risk, mission criticality, and any potential negative impacts to DON/DoD networks. In response, the NAO developed an improved HRE process that requires the program office for a system or circuit to submit detailed information to the HREAG. The required information includes a summary of the unmitigated CAT I vulnerabilities; an operational impact statement, which identifies the impact to the mission if the system/circuit were directed to be disconnected; and a proposed way forward consisting of possible solutions for exiting the HRE process, along with potential risk mitigations or compensating controls that could be employed to reduce the overall risk.
The HREAG uses this information to formulate its recommendation to DON CIO on authorizing continued operation of the high risk system or circuit. The new process takes approximately 70 days from the time the NAO contacts the program office until the NAO issues a new accreditation letter, about 30 days shorter than the previous process.
In FY16, the HREAG added a further condition: program offices must include an endorsement memo from the Flag Officer or Senior Executive Service (SES) member who is the primary stakeholder and business (data) owner of the system or circuit in HRE. In the memo, the Flag Officer/SES endorses the request and joins the DON CIO in accepting the risk. In addition, they acknowledge the following:
- The presence of unmitigated high risk vulnerabilities;
- That systems/circuits operating without a valid authorization or on an expired authorization are subject to disconnection without additional notice; and
- That operating the system/circuit with the identified residual risk may negatively affect the Navy’s mission, finances, and reputation.
The purpose of the Flag/SES memo is to ensure that senior leadership understands the residual risk and is aware of the potential negative impacts that come with operating a system or circuit containing high risk vulnerabilities.
The Navy’s HRE process remained the same during the transition from the Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF). The RMF places greater emphasis on documenting compensating controls for unmitigated CAT I vulnerabilities when issuing an ATO with conditions.
The Navy depends on understanding the risks of operating its information technology and information systems (IT/IS) to carry out its mission and business functions. These systems face serious threats that can adversely affect naval operations by exploiting both known and unknown vulnerabilities. In the second half of FY17, to better identify and understand cybersecurity risk, DDCIO(N) added a further requirement for programs with IT systems/circuits in high risk escalation.
The additional requirement is completion of a “Risk Evaluation Threat Assessment (RETA)” form. The RETA form compares a list of vulnerabilities and known exploits against the latest vulnerability scan data produced by the program office for the system or circuit in HRE. The RETA form (1) helps identify high interest vulnerabilities, (2) lets the HREAG set priorities for corrective action, and (3) lets the group make an informed decision on accepting the risk for the duration of the authorization. Once the program has taken corrective action (in the form of mitigations for the vulnerabilities found), the SCA reviews those mitigations for accuracy and makes a recommendation to the HREAG on the effectiveness of the corrective actions.
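The comparison the RETA form performs, scan findings cross-referenced against a list of known-exploited vulnerabilities and then re-checked after the program reports corrective action, is easy to mechanize. The following is an added illustration written for this page, not the RETA form or any Navy tool; the scan rows, the exploit list, the placeholder identifiers (CVE-0000-xxxx are not real CVEs) and the record layout are all constructed assumptions.

```python
"""Cross-reference scan output against a known-exploit list and re-check claimed
mitigations against a later scan.  Added example; all data is constructed."""
from dataclasses import dataclass

# Constructed scan export: one row per (host, finding).  "cat" follows the
# CAT I/II/III severity convention used in the text (CAT I most severe).
SCAN_DAY0 = [
    {"host": "srv-01", "cve": "CVE-0000-0001", "cat": "I"},
    {"host": "srv-01", "cve": "CVE-0000-0002", "cat": "II"},
    {"host": "srv-02", "cve": "CVE-0000-0001", "cat": "I"},
    {"host": "srv-02", "cve": "CVE-0000-0003", "cat": "I"},
    {"host": "srv-03", "cve": "CVE-0000-0004", "cat": "III"},
]

# Constructed "vulnerabilities and exploits" list: the threat side of the comparison.
EXPLOIT_LIST = {
    "CVE-0000-0001": {"public_exploit": True, "seen_in_the_wild": True},
    "CVE-0000-0002": {"public_exploit": True, "seen_in_the_wild": False},
    "CVE-0000-0004": {"public_exploit": False, "seen_in_the_wild": False},
}

CAT_RANK = {"I": 0, "II": 1, "III": 2}


@dataclass(frozen=True)
class Finding:
    cve: str
    cat: str            # most severe CAT reported for this CVE on any host
    hosts: tuple        # hosts on which the scan reported it
    public_exploit: bool
    seen_in_the_wild: bool

    @property
    def priority(self):
        # Lower sorts first: exploited in the wild, then public exploit available,
        # then severity, then breadth of exposure (more hosts first).
        return (not self.seen_in_the_wild, not self.public_exploit,
                CAT_RANK[self.cat], -len(self.hosts))


def high_interest(scan, exploit_list):
    """Return scan findings that also appear on the exploit list, highest priority first."""
    by_cve = {}
    for row in scan:
        entry = by_cve.setdefault(row["cve"], {"cat": row["cat"], "hosts": set()})
        entry["hosts"].add(row["host"])
        if CAT_RANK[row["cat"]] < CAT_RANK[entry["cat"]]:
            entry["cat"] = row["cat"]          # keep the most severe rating seen
    findings = []
    for cve, info in by_cve.items():
        threat = exploit_list.get(cve)
        if threat is None:
            continue   # still a finding, but not a "high interest" one for this review
        findings.append(Finding(cve, info["cat"], tuple(sorted(info["hosts"])),
                                threat["public_exploit"], threat["seen_in_the_wild"]))
    return sorted(findings, key=lambda f: f.priority)


def verify_mitigations(claimed, rescan):
    """Assessor-style accuracy check of the program's claimed corrective actions.

    claimed maps cve -> set of hosts the program reports as remediated.
    Returns the (cve, host) pairs the rescan still reports, i.e. claims the
    scan data does not support and that need a closer look."""
    still_present = {(row["cve"], row["host"]) for row in rescan}
    return sorted((cve, host) for cve, hosts in claimed.items()
                  for host in hosts if (cve, host) in still_present)


# Constructed follow-up scan and the program's (partly inaccurate) mitigation claim.
SCAN_DAY30 = [
    {"host": "srv-01", "cve": "CVE-0000-0002", "cat": "II"},
    {"host": "srv-02", "cve": "CVE-0000-0001", "cat": "I"},
    {"host": "srv-02", "cve": "CVE-0000-0003", "cat": "I"},
]
CLAIMED = {"CVE-0000-0001": {"srv-01", "srv-02"}, "CVE-0000-0004": {"srv-03"}}

if __name__ == "__main__":
    for f in high_interest(SCAN_DAY0, EXPLOIT_LIST):
        print(f"{f.cve} CAT {f.cat} hosts={f.hosts} itw={f.seen_in_the_wild}")
    print("unsupported claims:", verify_mitigations(CLAIMED, SCAN_DAY30))
```

Two caveats a reviewer would keep in mind when reading such output. A finding absent from the exploit list is still a finding; the cross-reference only orders the work, it does not close anything. And a rescan can only confirm patch-style remediation: a compensating control that leaves the vulnerable component in place will not change the scan result, so those claims have to be verified against the documented control rather than against scan data.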
In FY18, the HREAG will continue to look for ways to make the process more efficient while ensuring decision makers receive the information they need to decide on high risk security authorizations. The Navy also plans to extend the HRE process by adding threat intelligence. Threat intelligence is the practice of understanding the threats to an organization from the information available, combining various data sources to determine which threats are relevant. Timely threat intelligence will strengthen leadership’s decision making and help ensure that cybersecurity risk across the Navy enterprise is managed effectively.
Paul Harig works in the Office of the Navy Security Control Assessor for Space and Naval Warfare Systems Center Atlantic. Tony Plater supports the DON CIO Cybersecurity Team in processing HRE requests.