
Urgent.

Please submit the paper (3000) words, not counting the text on the title page, nor text in the appendices) as a Microsoft Word document. The paper must be in APA format.

Office of Management and Budget’s (OMB)

http://www.whitehouse.gov/omb

Federal Information Security Management Act (FISMA)

http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

National Institute of Standards and Technology Federal Information Processing Standards (NIST FIPS and SP documents) http://csrc.nist.gov/publications/PubsFIPS.html

TASK

The assignment really tells you what to do.  It is set up as an outline.  It tells you to think about an improved future and gives you license to recommend changes in law (e.g. FISMA) and policy (e.g. Office of Management and Budget’s (OMB) circulars, http://www.whitehouse.gov/omb, and National Institute of Standards and Technology Federal Information Processing Standards and Special Publications (NIST FIPS and SP documents), http://csrc.nist.gov/publications/PubsFIPS.html).  Existing law and policy do not hamstring you, though, and you should not assume that current law/policy is sufficient justification to keep doing things as they are done now.

OUTLINE

The Vision Thing: “What C&A is Intended to Accomplish”

Here’s what you are being asked to do in this section…

“Why assessment and authorization (A&A) is desirable/what A&A should accomplish.  This should persuade a skeptical audience for the need to undertake A&A or should persuade that skeptical audience to abandon A&A.”

You should persuade your audience of the need to undertake A&A or explain why it’s not necessary. If you think A&A is necessary, you should state the scope of A&A. If you think it is not necessary, you have to explain why it’s not necessary at each level.  (If you intend to argue completely against A&A (i.e. no A&A for any part of government), get in touch with me if you run into difficulty answering the assignment.)

“As to necessity–is this intended to be mandatory or advisory (voluntary) for the Government? If so, should it apply just at the national level or down to local levels? (Explain what level of government this applies to and why that is the right level.) Is this (also) intended for industry? Explain why/why not? How about for individual citizens?”  (Students often make the mistake of limiting their discussion to the federal government, as FISMA today applies only to federal government ISs and to systems that process federal information.)

Persuasion seems a dying art form in government, something that likely adds to bureaucratic inertia.  Too many “leaders” issue (without persuasive explanation) orders or policies that require substantial change that threatens existing conditions and relationships which have real value to existing stakeholders.  “Because I said so” only goes so far, even when those words come from powerful figures such as SECDEF.

That’s why THE persuasive reasoning is the big part of this section.  You likely have an opinion about certification and accreditation (C&A) (whether or not it’s necessary) that you need to get a skeptical reader (me) to share.  If you like C&A, show the value that C&A provides.  Don’t just say FISMA requires C&A.  Prohibition required abstinence from alcohol, something that proved wildly unpopular even if it had a few advantages.  If the costs aren’t worth the benefits, requirements will change, even at the Constitutional level.  (e.g. the repeal of Prohibition.)  So you have to support your perspective with reasoning that makes broad and enduring sense.  (The basis of the best kind of laws…)

Once you’ve established the general point about C&A, you need to persuasively argue where C&A should be used or should not be used.  (This is a reference to user categories: State, local/tribal, industry, CIP, & individuals.)  Answering “why” or “why not” is crucial here.  Absent persuasive reasoning, which can sometimes come via an expert outside source, a “yes” or “no” would fall flat.  (e.g. “Individuals shouldn’t be required to do this because it’s too hard.”)

Avoiding the Unnecessary: What Tuh Not Tuhs…

Maybe I just like Cars too much…

“What do you think the C&A process should avoid doing or becoming? Call this out separately from what C&A should achieve and explain why these things should be avoided. (This prevents “mission creep” by bounding the scope of the C&A process.)”

Why on Earth ask this?

It’s been said that “an elephant is a mouse built to government specifications.”  I doubt that FISMA is doing exactly what its authors intended and/or only that which its authors intended.  One way to circumvent unintended consequences is to anticipate them and cut them off before they surface.

One simple approach to constructing an answer is to focus on the problems you see with FISMA as it currently reads and as it is currently practiced and enforced.  That won’t be sufficient if you foresee big changes, such as an expansion of the Federal Information Security Management Act (FISMA), http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002, into new areas of government and society.  Such an expansion of C&A would demand matching thought about where the second- and third-order consequences could lead.  If these downstream developments have downsides worth preventing, they’re worth writing about.  You obviously can’t anticipate every consequence, but you need to show that you can think downstream a little bit.

The Certifier: “Is There a Problem, Officer?”

“This is a reference to the organization. Using an agency model, should it be done internally, by an outside agency (including one created for the purpose), or a contractor?  Two general points to consider are: What are the tradeoffs between self-assessment and outsourcing?  Should assessment be inherently governmental work?  Explain your thinking with pros and cons.”

As you consider who should perform the certification, you’ve got a few questions to think about (and to comment on).

  • If certification is performed by an organization with a stake in the system’s operation, would they underplay the severity of an issue or pass along something that has gaps and insecurities?
  • If the certification is performed by agents who are unfamiliar with the operating environment, the system, its uses, or some combination, is there some chance the analysts will fail to see the big picture?
  • This is a classic Goldilocks conundrum… Independent enough, but not so detached as to be unresponsive to the organization’s mission.
  • Another aspect worth considering is the cost.
  • Should certification be done “in house,” with personnel who perform these tasks as additional duty? (You’ll need to answer “What are the advantages/disadvantages of this approach?”)
  • Should an Agency maintain its own certification organization, or should it outsource? If outsourced, should this be to a federal organization (inherently governmental?), contracted out, or some combination?  (Obviously you’ll need to explain your thinking here, too–even if you think the “in house, additional duty approach” is best.)
  • Should the certifier service be a sunk cost to the Agency, with no end cost to the user, or should it be fee for service? Explain why…


Approval Authority: “Who Should Be the Head Honcho?”

“Who should authorize the system for use?  This should first be considered in the context of approving the system for use within the Agency. Using an Agency model, should it be done internally or by an outside agency (including one created for the purpose)?  Once the Agency issue has been resolved, there is still the matter of the individual who would make the authorization decision.  Using expected traditional roles (e.g. CEO, CIO, and CISO), explain why this decision-maker is the right person/position in terms of organizational power and in terms of ownership of the information resident in the system.  Do they have the right level of authority?  Are they likely to have the time and knowledge to make an informed decision?  Explain why or why not.  (You also have the freedom to pick some other position—including a newly created one—to make the authorization decision.  But it must be clear who the authorizing official (AO) reports to and why this is the right person to make the decision.)”

Why ask this question?  The hierarchical position has a lot of bearing on risk management, since the approver is accepting risk at their level and no higher.  There’s a balance to be struck between too high and too low, as well as considerations about looking after the interests of the larger Enterprise.  What are the effects of scale (the number of systems in an enterprise needing approval) on the Approving Authority’s workload?  So what is “too high in the food chain” for a decision like this and what is too low?


Frequency: “Is It Time Yet?”

“How often should A&A be conducted?  Explain why you think this is often enough.  Explain the balance between the costs of organizational disruption caused by A&A “inspections” and the cost (in terms of risk) of having a stale A&A.  Once authorization (ATO) is granted, should there be any means to provide updates to the AO about the IA status of systems in operation?  If so, how frequently and why?  If not, why not?”

Why is this important to discuss?  It has to do with the balance between getting a re-baselined risk assessment and the costs (including organizational turbulence) of making the assessment.  C&A processes can drag on for years.  Is that what policy-makers want?  Is a quick, no pain, system registration good enough to provide assurances of due diligence with respect to information assurance?


Setting Boundaries: “Good Fences Make Good Neighbors”

“Where should the C&A boundaries be (size/scope)? This is where you say what is too big to be an information system and, perhaps, what is too small or what should be exempt from C&A. Explain your reasoning. (Hint, part of this is related to the definition of an information system.)”

The Goldilocks conundrum once again…  A system that is too big is impractical to measure, especially if it’s in production.  An easily measured system, say a single server, may fit nicely into a C&A checklist, but do you really want to do one C&A for each server in the rack?

Commonalities can help bound the problem…the more things are alike, the more they can be managed together.  Same ownership helps, for example…


Resourcing: “What’s All of This Going to Cost Me?”

“You will not need to explain exactly where monetary resources come from, nor do you need to precisely quantify them.  Rather, explain what level of staff effort and capital (a rough percentage of the IT budget) should be spent on A&A for the agency.  (Consider whether or not A&A should be embedded in the IA budget or identified separately.)  This will be an opinion more than a calculation or research, but the answer should be persuasive and should include an explanation of why you set the resource limit where you set it.”

I’ll admit it; this is tough.  But a big part of a good answer is in explaining why it’s tough to sort out how much to spend.

Is it easy to measure the dollar costs of IA?  How about C&A?  What, if anything, is hard to measure or categorize? (i.e. Is this an IA expense, a C&A expense, or some combination?)

What’s a good ratio between the costs of providing an information service and the costs of protecting the information?  Explain your thinking.

Lastly, this isn’t just about the money, it’s about labor and level of effort.  How much of your staff/their time should be devoted to C&A?

Conclusions

Bottom Line Up-Front… Created for those who want to know the answer, not the details…

You can write this first, but you’d be well advised to revisit it as you go through the rest of the assignment.  The bottom line may change as you add to the story.

The one to two paragraph limit is a bow to organizational writing that demands concision above all else.  Its close academic cousin is the abstract.

The challenge is to catch the high points and package them into something that makes sense and captures the essence of both the problem and the solution.

As to the content, remember the big picture.  From a strategic perspective, the tasking is for your Agency, so you need to frame the problems accordingly.  (Think SECDEF or CJCS as the one who was actually tasked.)  You were assigned to look at a system that has national coverage for all the categories your Agency thinks need to be included.  A common mistake is to look at this at a far lower level (i.e. part of an Agency) and, as a result, fail to address the bigger picture (i.e. the rest of government and society).

This commentary applies equally to the conclusion, a necessary element of the paper, even if slightly redundant to the BLUF. Make sure you include a conclusion in your paper.
