The Department of Defense said it will take steps to strengthen reciprocity guidance for IT systems security authorization after the department’s inspector general found its existing processes to be lacking.
In an audit published Tuesday, the DOD IG found that the department’s CIO did not oversee components’ reciprocity efforts as required by the DOD Risk Management Framework (RMF). Instead, the CIO looked to the components themselves “to manage the system authorization process and use reciprocity to maximize the reuse of testing and assessments results developed during prior system authorizations,” the audit says.
The result was a mixed bag for the DOD components the IG investigated. Some took advantage of security authorization reciprocity, that is, accepting another DOD organization's assessment of a system's security controls instead of retesting them, which saves time and money when systems are shared or connected; others did not. The U.S. Transportation Command and the Defense Health Agency, for instance, leveraged reciprocity when going through the RMF process, but the Defense Logistics Agency (DLA) and Defense Human Resources Activity (DHRA) did not.
The DOD uses a risk compliance tool called the Enterprise Mission Assurance Support Service (eMASS) to coordinate and share information across the defense enterprise during the RMF process.
The reciprocity concerns for DLA and DHRA involved their use of this platform. DLA did not appoint “reciprocity users” in the system to review existing systems and authorization documentation, and “did not consider the DoD’s RMF and reciprocity policy and implementation guidance to be a priority.”
DHRA similarly did not appoint reciprocity users, which it attributed to a reorganization having not yet assigned “cybersecurity roles and responsibilities for implementing RMF and reciprocity requirements,” the audit says.
“The DoD could achieve even greater cost savings and efficiencies if all DoD Components maximized the use of reciprocity when authorizing their systems through RMF,” the audit says. “DoD Components can increase reciprocity by making systems and authorization documentation available to other DoD Components in eMASS, appointing eMASS reciprocity users, and identifying and authorizing common controls.”
The IG recommended that the DOD CIO update the eMASS system registration process to require users to select a justification whenever a system is not made available for reciprocity. It also called on the CIO to revise existing guidance, or issue new guidance, requiring system program managers to show that they considered reciprocity before pursuing a new authorization or reauthorization.
An official in the DOD CIO's office, responding on the CIO's behalf, agreed with the recommendations and said the changes would be made by the end of the second quarter of fiscal 2022.