Reckless Compliance

DCSA Authorizing Official – Alex Hubert – ATO in a Day – Is it real?


Alexander Hubert talks about his journey to becoming an Authorizing Official (AO) in the public sector. He explains how he transitioned from being a weatherman in the Air Force to becoming an IT guy, and then delves into his interest in cybersecurity. Alex shares that he has worked various positions within the Risk Management Framework, including information assurance manager and security controls assessor. As an AO, his role is to accept risk on behalf of the government and determine the suitability of systems on the network. He also discusses the mission of his organization, the Defense Counterintelligence and Security Agency (DCSA), a Department of Defense agency that focuses on investigations, counterintelligence, industrial security, and cybersecurity.


Topics we discuss:

  • Alexander’s background
  • What does DCSA do? What is the mission of the org?
  • Role of AO versus a general cyber security practitioner
  • Getting to consistency & clarity in assessments
  • Key takeaways


Max’s Bio

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

Max 00:01 – 00:10

Welcome to the Reckless Compliance Podcast, where we learn about the unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or, if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster at getting through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agency you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA STIGs, SAPs & SARs, or newer terms like cATO, Big Bang, OSCAL, and SBOMs, we’ll break them all down one by one. And now, here’s the show.


Max Aulakh 00:10 – 00:57

Hello everyone. Thank you for joining us today for this exciting episode of Reckless Compliance, where we learn the unintended consequences of compliance, and just public sector compliance today. We’ve got an exciting guest with us. His name is Alex, and Alex is an Authorizing Official. For those of you who have never heard this term before, it is almost like a chief security officer, but on the public sector side of the house. So, we’re going to learn what does an AO do? How do they go about serving the mission of their organization, and then also general problems and things that we’re seeing in the industry. So without further ado, Alex, tell us a little bit about your background, how you got to where you are, and then, of course, share a little bit about the organization you work for.


Alexander Hubert 00:57 – 03:19

Thanks, Max. I’m Alex Hubert. I’m a regional mission director and Authorizing Official for the Department of Defense Counterintelligence and Security Agency. How did I get here? That’s a great question, because it was a heck of a journey. I joined the United States Air Force in 1988 and spent 20 years in the Air Force as a weatherman. But the funny part of that story is that for the last four years as a weatherman, I was Air Force Weather’s IT guy. So I went to the Army and said, teach me how to be an IT guy. And the Army said, sure. This is the funny part, Max. The Army said, go take an organizational admin test. I said okay. So I took the test, and I failed it horribly. Went back to the G6, and they laughed. And they said, well, take it again. All right, I’ll take it again. So I did. And failed it miserably. And went back to the G6, said, what gives? The guy opens up a drawer and gives me the OU Admin Study Guide. I’m like, really? They were trying to make a play on Air Force and Army. But anyway, I passed the test, and the journey started there with all my education. I got all my education taken care of and all my experience. After retiring from the Air Force, I got hired on with the 69th Signal Battalion as an Information Assurance Manager. And I just got really excited about cybersecurity. Learned how the Army did cybersecurity. And then one of my former bosses told me, come back, you bleed blue. So I went back to the Air Force and bounced back and forth a few times. But the point is that I worked every position in the package approval chain and the control approval chain within the Risk Management Framework. So I was the information assurance manager, the information system security manager, the security controls assessor, the Authorizing Official designated representative, and now, since January 2022, the Authorizing Official. It’s been a journey of adjusting fire to problem sets, and it’s culminated in the Authorizing Official.
Long and short of it, the Authorizing Official is the person who’s left holding the bag, so to speak.


So, I accept risk on behalf of the government. We all know that the risk management framework is a risk-based cybersecurity model. 


Alexander Hubert 03:28 – 04:20

So, we’re focusing more on the residual risk after a control mitigation is applied. And so a system could be low risk, moderate risk, high risk, or even very high risk. I’m the person that decides whether that system resides on the network. Now, if you think about scope and breadth and depth, I’m responsible for the tip of Maine down to the Virgin Islands and Puerto Rico. For that part of the country, I’m responsible for every cleared defense contractor operating systems or networks in the classified space. My responsibility is to accept risk on behalf of the government for those cleared defense contractors performing classified work for the government.


Max Aulakh 04:21 – 04:44

Alex, if I could just jump in here, because I think there are a lot of people who are not familiar with DCSA, right, the Defense Counterintelligence and Security Agency, and I know before it was called DSS; there’s been a name change. But for those who are listening and have never interacted with DCSA, what is the mission of the organization? What do you guys do overall?


Alexander Hubert 04:44 – 06:19

So we’re gatekeepers. Investigations for every person that works with the Department of Defense who has a security clearance. We are counterintelligence. We monitor the intelligence that’s out there in the threat space. Industrial security. So think of a weapon system; we have security oversight for it. That’s our industrial security piece, from the physical and the logical space. And then the cybersecurity. So formerly the cybersecurity fell underneath industrial security, and we still partner with industrial security, but we are an entity that does nothing but everything that is cybersecurity, from STIG checks, the Security Technical Implementation Guide checks, to everything that’s involved with that. So, baselining a system and making sure that the enterprise policy objects, the group policy objects, and all of the logical and physical controls are in place. We use NIST Special Publication 800-53 revision X, because right now we have a problem set that has to be solved for us to go to revision 5. So we’re on revision 4. We use the Enterprise Mission Assurance Support Service as our repository.


And so a lot of work gets done there. 


Alexander Hubert 06:21 – 06:31

So, in a nutshell, DCSA mission is to protect our nation’s secrets and be the gatekeepers to our classified work. 


Max Aulakh 06:31 – 06:58

That makes sense, Alex. And I know there’s a lot of people that are just becoming familiar with the public sector because of this whole CMMC, NIST 171, CUI. Do you see that as kind of a potential added-on mission? Are those some of the things that you might be assessing as an AO within the Defense Industrial Base community? Or is that something that you guys don’t even worry about altogether?


Alexander Hubert 06:59 – 08:19

Oh, we absolutely worry about it. So we are going to be responsible for the security oversight of government contracts valued at $5 million or more. And CMMC and CUI are definitely in there as something that we may be responsible for. So CMMC is all on the unclassified side. So we do not concern ourselves with CMMC on the classified side. So that would be the confidential, secret, or top secret side. But we do so much more, too. We assess special access programs, and when it comes to CUI, we are building out a program for CUI oversight, but as you know, it’s very complicated. You know, some of the more commonly known ones, like privacy, are easy. Yeah, or PHI, you know, those are going to be easy, but there’s a lot more there to unpack and to determine who should have access to all of that, so it’s definitely a challenge.


Max Aulakh 08:19 – 09:34

Yeah, I think that’s going to be interesting, because I’ve seen a lot on the DCSA website where it’s exploding with this new content around CUI, and for a lot of people who are not familiar with the public sector, that’s like their first entry into public sector compliance. Because of course everybody who’s doing classified work, they know what an AO is; they kind of had to deal with 800-53 and all of those things. But I think, you know, for those who are listening that don’t know the role of the AO, can you help me understand? How do you make those kinds of risk decisions? You mentioned earlier that you’re basing this risk decision on residual risk after the controls analysis is done. But what really goes into saying, hey, I, as an AO, I’m going to approve this or not approve this, right? Give it a denial. Can you give us some insight into how the decision is made, and then actually how the decision should be made, right? Because sometimes the reality may not match the actual process, depending on the system.


Alexander Hubert 09:56 – 11:46

So, I’m a regional mission director. As a regional mission director, not only do I have to consider the risk of the system or network to the government, but I also have to understand the mission. What is that capability bringing to the warfighter? And so when I make a risk-based decision, everyone in the package approval chain and the control approval chain is involved. So starting off with the information owner, the security manager, the information system security manager will provide an assessment or test result of the controls. And then there’ll be a security controls assessor representative who will actually look at those test results and determine if they answer the mail to the control, basically. Then a security controls assessor, what we call at DCSA an information system security professional. That person will assess the risk of that test result and artifact against the mitigation control. Then the Authorizing Official designated representative takes another look at this package to ensure that all the risk determinations make sense, and then it gets to me. So when I make my decision, I have to look at several things. I have to look at the topology, because I have to ensure that there are no interconnected systems that we don’t know about. Is this truly a contractor-to-contractor system? Is this truly a contractor-to-government system?


There are certain things the package needs in order for that system to get authorization to operate. I also look at the residual risk. So, moderate or lower, I’m more inclined to provide authorization to operate for that. But what we’re seeing is the problem of non-compliant controls, and the organization is requesting a three-year authorization to operate. I just can’t grant that, because there are so many problems with the package that we need to give them a one-year authorization to operate to allow that company or that industry partner to fix the problems. Denial of authorization to operate is a very touchy subject.


If I issue a denial of authorization to operate, that stops processing. R&D stops, processing stops, productivity stops, which means that profitability goes down and possibly market image goes down.


Alexander Hubert 12:52 – 13:42

And it’s not always the right option. So what I do is, if the problem is not egregious, I will allow the company two weeks to fix the problem. If the company cannot fix the problem in two weeks, my job is to make sure that the mission goes, that the mission is successful and that we get the capability into the hands of the warfighter, but I also need to protect our nation’s secrets. So the DATO is a tool to right-set a company that may not have the resources or the ability or, I hate to say it, even the motivation to get that system right.


Max Aulakh 13:42 – 14:27

I think you’re onto something, Alex, right? Because we hear a lot of conversations about how the ATO process needs to be innovative and speed up, and I agree with it, but at the same time, when working with a lot of the Defense Industrial Base, you hit on something really important: sometimes they’re not even motivated to do the right thing, right? There are a lot of organizations where they do see this whole thing as a checkbox, and they’ll check all the boxes, but they’re actually not implementing any of the security. I don’t know if you’ve come across that, but we’ve certainly seen that in our business, where a lot of organizations are saying, yeah, can’t you just fill out the documentation and not really worry about the stuff that’s actually happening?


Alexander Hubert 14:27 – 14:56

Well, a case where that has happened is sole source. So, with sole source, the company believes that they’ll get their authorization to operate with minimal effort, and that’s not the case. So I have visited a company that’s the sole source, and what we do at DCSA is we assess the systems and networks, and we write something called a deficiency report. And the ask was very simple.


Max Aulakh 14:56 – 15:03

And Alex, when you say sole source, is that like a sole source contract? Is that what you mean? Right. Okay, got it. 


Alexander Hubert 15:03 – 16:01

And so we asked the company to get right and answer the deficiency report. And that worked out for about a week. And then they went radio silent. And we continued to try to reach out to them, because in the end, the warfighter loses. And so, about 10 days out from the authorization termination date, they came back on the net and said, here’s our package. The package was incomplete, and the deficiency report was not answered properly. So that company has been down for a little bit. And the companies lose a lot of money per day that their engineers are not working. And when you look at that money, and you look at what it would cost, it’s a win if the companies just attack the cybersecurity downfalls or issues.


Max Aulakh 16:02 – 17:32

Yeah, I think it is a lot cheaper to actually fix it, because I see a lot of people spending such an ungodly amount of time to avoid things rather than just doing them the right way up front. You know, so it kind of boggles my mind sometimes, being a practitioner. So Alex, one of the things you mentioned, and I think this is part of your journey, where you have been an information system security manager, or IAM, all the way to SCA and then the representative, now the AO. So I understand, and I think a lot of people understand, the need for validation, multiple validations. Stepping outside of the RMF world, right? So, for those that are not familiar with it, what are some innovative methods on how we can speed this thing up? Because it just takes forever, man. I mean, I know you’ve been on both sides of this, right? And so I’m always curious, from an AO perspective, how do we accelerate decisions about risk, right, so things can get moving faster in our country? Because, as you mentioned, when I was in Iraq and Afghanistan, we didn’t have the best of the best. I knew that there was better technology out there, in the hands of, like, just the general population, than what we had, just, you know. So a lot of that is to protect not only the country, but how do we speed this whole thing up for our country? What are your thoughts on that?


Alexander Hubert 17:32 – 18:49

So when I was working for the Air Force in the Pentagon, we had something called ATO in a day. ATO in a day is basically a one-year authorization to operate with minimal artifacts. So you register the system, you categorize the system, you do an inventory of the system, you provide us with the inventory, hardware, software list, the vulnerability scan results, the categorization, and the topology, and we can give you the authorization to operate for one year, and that gives the practitioner an entire year to attack the package and get that package pristine with the right security controls in place to achieve a three-year ATO. That’s an ATO in a day. So the bigger problem set is that, you know, we have too many frameworks, right? You’ve got the Risk Management Framework. We’ve got the MITRE ATT&CK framework. We have TOGAF, we have COBIT, we have SABSA. I mean, name the framework. We have the CIS framework, right? The controls are somewhat the same but different than the NIST controls, right? And look at the Cybersecurity Framework. Version 2.0 is going to be issued here shortly.


Max Aulakh 18:49 – 18:52

The NIST Cybersecurity Framework, yep. 


Alexander Hubert 18:52 – 21:44

Yeah, the NIST Cybersecurity Framework. But that one makes sense, because when you look at the categories and the functions, they relate directly to cybersecurity controls within RMF, the ISO 27000 series, you name it, it’s there. If an industry partner is out there that’s not doing classified work and is seeking CMMC accreditation, I would completely look at the NIST Cybersecurity Framework, because it gives you the answers to the test, down to the control level. Unfortunately, for classified work, we have a family of controls that the industry partner is responsible for implementing. We have a lot more latitude in the collateral secret space. I have zero latitude in the SIPR space, in the secret DoD space. So we ask the industry partner for something that I implemented in the Eastern region. So we’ve all heard of due diligence, we’ve all heard of due care, right? But there’s something we don’t talk about a lot, and that’s best effort, right? My theme is going to be, and you saw it on my LinkedIn post, Mind the Store. So when I go into a company, I sense the cybersecure culture, if it’s there. When I walk into a room to talk about cybersecurity, I want to know who’s in the room. Is there somebody from the C-suite in here? Or are they sending me the ISSO, the Information Systems Security Officer? I can tell you that for one company in Colorado, I walked in, and there were three people sitting in front of me, zero decision-makers. But then I walk into a company in California, and all the decision-makers are in the room. So when I see those packages come across my desk, I look at C-suite buy-in and support, not only for their staff who’s doing the work but for the cybersecurity posture itself. And that speaks volumes. So, if we talk about how long it takes to get a package across, as I said before, we have so many different frameworks. And one of the most important things that I look for is the culture.
Is the culture there to support the cybersecurity staff doing the work? If the answer is yes, then I’m going to do my best to help them succeed. I’m gonna give them extra onsite assessments, extra attention to make sure that we foster that culture. If I don’t see that culture, I try to implement that culture by sending my staff there to help them, to get them energized about what we’re doing. And that’s the only way to expedite an ATO.


Max Aulakh 21:45 – 22:11

Yeah, no, I would agree. I think if you have management commitment, things can move very quickly. But if there’s no management commitment, you could even have the best cyber team or DevOps team. It doesn’t matter. They just don’t have the support. So, were you part of that ATO in a day? Do you see something like that happening within DCSA, at least on the unclassified side of the house? Is that a possibility ever? 


Alexander Hubert 22:12 – 23:06

So we don’t deal with anything on the unclassified side for industry. We’re completely on the classified side. And we do issue something like the ATO in a day. It’s called, now, when I say this, this is old DIACAP language, Information Assurance Certification and Accreditation Program. It’s called the IATT, the Interim Authority to Test. And I can give an interim authority to test with minimal artifacts and zero controls answered for 90 days. So for industry in the classified space, that’s the best I can do within my guardrails. Outside of what we do at DCSA, ATO in a day is absolutely possible. It’s just a decision of the Authorizing Official to grant that. 


Max Aulakh 23:08 – 23:53

Okay. Yeah. I think that is important. Now, do you feel like as a community, because I remember the DIACAP days, the old way of doing accreditations, before we had STIGs, and we had these, whatever they called them, platinum disks, the readiness scripts, and all of that, right? That was over a decade ago. So, as we matured, do you think we pushed too much into just compliance and not enough into operational and actual cyber work? Or do you think there’s a good balance between the two? Have you heard that lately? Like, hey, we’re doing too much compliance work, but we’re not really doing enough cyber work. What are your thoughts on that?


Alexander Hubert 23:53 – 26:07

So, some in my community disagree with me on this. I believe that we never got out of the compliance world. So, in DIACAP, we answered the mail. This control says you must do this; you did it, you wrote it in an SOP, and you’re compliant. But what does RMF do? Access control: post an access roster on the door to the closed area. So we write an access roster, and we post it at the closed area, and we say we did it, and we show that we did it, so therefore we’re compliant. So I believe we never got out of compliance. I see it in the Risk Management Framework. So, we added a risk determination of non-compliant controls and a residual risk determination on controls where a mitigation is in place. So with that, in the DCSA space, we have to add 32 CFR part 117.18. So that’s information systems compliance for those systems that are registered in the National Industrial Security Program. And so it’s absolutely compliance-based. And I’ll share this with you, Max. There are four things that the industry cannot fail at, according to 32 CFR part 117.18: insider threat, incident response, continuous monitoring (aka minding the store), and training. You’d be surprised. So we walked into a facility where the security officer was very proud of his training program. But when we dug in, 80% of his workforce was one year behind in their training. So, uncovering all of that, going in there and saying, okay, great, you state that you’re doing great, let’s see if you’re doing great. So, to wrap it all up with that, again, I really believe that we’re still in the compliance space. We’ve added a risk determination, and within DCSA, we’re still in that compliance space because the industry must be compliant with law.


Max Aulakh 26:08 – 27:14

Yeah, I don’t disagree with that, and I don’t think we’re ever going to get away from that. You know, it’s just a matter of figuring out if we can create room for innovation and those kinds of things, because I don’t know if you’re seeing this, but the whole DevSecOps movement, the cloud movement, and as a, you know, current SCA and a prior ISSM, I’m always challenged with how much documentation is enough versus direct observation from the actual system. But I agree with you. I think a lot of this, insider threat, continuous monitoring, those are some of the key areas that we typically see as well. So for those who are listening and are trying to gather insight into how they can improve, when you look at your entire region, what are some of the big ticket items that you always see that almost every company is just failing on or not doing at all? So, what would you say are some of the key items that you’re seeing out there?


Alexander Hubert 27:14 – 28:44

Unbelievably enough, the four things that I just mentioned. And I would wrap it up to say, mind the store. So when DCSA comes in for an assessment, for the authorization to operate decision, we look at everything. And we get a good feel of the culture, and we get a good feel on the state of the cybersecurity posture. And then that is documented to me, and I make an authorization to operate decision. This is important to note. In industry, industry systems are not required to have a cybersecurity service provider. This is a huge issue. Because think about it this way. In the DoD, my unclassified systems and all classified systems are monitored 24-7-365. That’s right. On a monthly battle rhythm, I will get a hygiene report. And my cybersecurity team can then take action on that hygiene report. It happens once a week in some organizations. We expect the industry to do this for themselves. And so when you look at cybersecurity and think about the cost center of cybersecurity, you have an ISSM at a company that also wears 15 other hats.


Max Aulakh 28:44 – 28:45

That’s right. Yep. 


Alexander Hubert 28:46 – 29:38

And then the month goes around where that ISSM should act on an ACAS scan or a vulnerability scan, and then it’s a rush to do that. And that is why it’s so important to look at the culture. And I think that the number one issue that I see out there is culture. We need the C-suite to buy into cybersecurity and to give their cybersecurity staff the autonomy and authority to do their job. Their job, the number one job, should be cybersecurity. And if there’s a time when they’re sitting around doing nothing, give them one of those 15 hats. I think that’s number one. Number two, continuous monitoring. So think about this for a second. You’ve got your system. It’s completely secure. It’s STIG, EPO, GPO. Everything is good. AV is updated.


We’re all good. 


Alexander Hubert 29:39 – 31:00

I’ve got third-party apps, which, by the way, in the industry could be hundreds. What could I be doing now to secure the system even more? Well, what about going to CVE Details and finding out what the vulnerabilities are in the wild and in the zoo for the software that you have on your system, versus waiting for US Cybercom or some other entity, Snort or whomever, to tell you that there’s an issue out there. There are so many organizations that are proactive, and I think in continuous monitoring, you have to be proactive. If you look at the law, this is where it gets complicated to me, but if you look at the law, companies cannot fail insider threat. Yeah, so how can you not look at the log files for a month, right? So if employee A works nine to five, but yet comes in at 8 p.m. to log on to a system, that should be questioned. It’s in the law to look at these logs, to question why this happened. I think that we could solve a lot of problems that way on insider threats, false positives, and false negatives. You know, we don’t have to have the best shiny system on our system, such as Splunk.


What we could do, we could do manual log diving. 


Alexander Hubert 31:03 – 32:11

And just take a record of logs and go through that now. Again, we talk about cost centers, and companies think that they could have some cost avoidance there. But in the end, I revert back to 32 CFR part 117.18. You must be compliant with your insider threat program. And the way that you are is not only through your training program, which, by the way, is mandatory. So you train to insider threat, you train to the indicators, but you also do the log diving to find your insider threat, or at least to discover the potential so you can do further investigation. So continuous monitoring is number two. I think incident response is big, because there are laws out there right now where the industry has to report incidents within 72 hours, I believe. And when we look at incident response plans, there are key pieces missing, like when you do have a CSSP, a cybersecurity service provider, they should absolutely be in your reporting chain for incidents, and we find that sometimes they’re not. So that would be number three.


And training, training, training. You know, I’ll end it with training. 


Alexander Hubert 32:15 – 32:54

If you think about it, I could have every IPS, IDS loaded. I could have every firewall set to deny all, permit by exception. I could have a multimillion-dollar defense set up, and it takes one phishing phone call or a phishing email to destroy all that security. And phishing is 100% successful. So what we have to do is we have to train our users not to be curious. You know, Aunt Jenny hasn’t emailed you for a year, you’re unsure if she even owns a computer, so you open up the email and, oh, wait, there’s a Christmas card, let me collect that.


Max Aulakh 32:54 – 32:57

Yeah, and she wants mine, right? 


Alexander Hubert 32:57 – 33:18

Entire security’s numb because of Aunt Jenny. So, yeah, we gotta train our users to be something like that. And here’s the hard part in today’s world, and that is, this system in front of me, use it for its intended purposes. Use it for what it was issued to you for. The hardest part is to keep people in the guardrails.


Max Aulakh 33:18 – 33:46

I would agree. Well, Alex, I just wanted to thank you for your time. I know the people that are listening in really appreciate the insight in terms of how decisions are made. And even though a lot of this sounds like common sense, I think some of the things you mentioned, training and actually doing continuous monitoring, figuring out what a security operations center looks like for the organization, that’s going to be a critical piece. We’re not going to get away from that no matter what we do. So, I just want to thank you for your time today.


Alexander Hubert 33:47 – 34:15

Thanks, Max. I think my takeaway is mind the store. We must mind the store. We have to stay engaged. The minute you take your eye off the ball, the cyber thugs are going to grab that ball and run with it. And it’s just way too easy. Ransomware is running rapidly. We’re not doing backups like we should. If you did proper backups and tested backups, you could recover from ransomware. There are so many easy things to do. We just have to keep our eyes on the ball. 


Max Aulakh 34:16 – 34:17

Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com slash reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.