Inside the Shark Tank: CMS Lean Authorization Process

Summary: Cyber Risk Advisors say there’s a way to complete ATOs better and faster

Graphic of a shark wearing eyeglasses and reading from notes

At the April All-Staff meeting, OIT leadership challenged employees to propose solutions that target opportunities for improvement. In this series, we are sharing brief summaries of the resulting proposals, playfully dubbed “shark tank pitches,” that your colleagues presented to the Front Office, with updates on their progress.

What if there were a way to reduce the time and resources needed to secure an Authorization to Operate (ATO) that also directed more bandwidth to the systems posing higher risk to CMS?

That’s what Rama Sistla set out to accomplish with CMS Lean Authorization, or CLEAN. 

The Senior Cyber Risk Advisor in the Division of Security and Privacy Compliance (DSPC) proposes some adjustments to the automated Authorization to Operate (ATO) workflow that would allow CMS to incorporate risk-based decision making. These changes will facilitate better resource allocation, reduce administrative burden on Business Owners, and improve communication, all while significantly decreasing time to authorization. 

Sistla’s recommendation is based on observation of the automated ATO process and data from the 247 CMS FISMA systems. In the past year, only 15% of systems posed a high overall risk to CMS, while 85% of systems posed little risk. In fact, 8 system authorizations came up with zero findings. 

“The data show an opportunity to delegate authority to authorize systems with zero and low overall risk to personnel other than the CISO and CIO so that they can focus on working with Business Owners on managing the most significant risks to CMS,” says Sistla. 

CLEAN assigns final ATO approval to different levels of OIT Executive Leadership based on overall system risk. Systems would be classified as low, medium, or high overall risk based on summarization of the system’s risk data versus CMS enterprise risk tolerance. 

For the first time, systems with low overall risk – including the 85% of OIT systems with zero or few risks – will be eligible for a shorter ATO without sign-off from the CISO or CIO, leaving them more time to focus on high-risk systems. 

Triaging systems based on overall risk not only reduces the number of approval tasks for systems that are consistently maintaining low risk; it can help shed light on systemic gaps and provide better perspective on enterprise-wide risks. 

Sistla’s CLEAN proposal reorganizes the automated ATO workflow to focus time and resources on developing the ATO package and authorization (e.g., Review and Approval), eliminating duplicative efforts and reducing opportunities for miscommunication while better defining stakeholder expectations. The renamed ATO workflow phases under the proposal are: 

  • Initiate
  • Review
  • Submission
  • Approval 

The Review phase will begin immediately after Initiation by the ISSO instead of waiting for confirmation tasks to be completed (steps 2-4 of the current process in graphic below). During Review, the system team organizes cybersecurity and privacy tasks iteratively, developing the best possible ATO package before sending it forward to the Business Owner and Senior Leadership. 

In the current process, steps 5-9 are sometimes repeated multiple times, which costs time and creates confusing communication loops for staff. 

During Submission, the Business Owner will review the ATO package and decide whether to submit the ATO package to Executive Leadership. The current Approve and Authorize phases will be condensed to a single Approval phase where the number of required approvers decreases in proportion to the overall system risk level of low, medium, or high. 

Decreasing the number of ATO approvers required to complete ATO for systems that consistently manage risk well incentivizes Business Owners to help craft such systems.

For a comparison of CLEAN to the current ATO process, see the graphics below. 

Graphic outlining the current ATO process. From left to right: 1) Initiate (ISSO Submission and Request Review) 2) Certify (SDM Review and Business Owner Request Approval) 3) Review (ATO Artifact Review and CRA Recommendation Submitted) 4) Approve (ISSO Approval, Business Owner Recommendation Approval, Privacy Officer Approval, DSPC Approval, CISO Approval) 5) Authorize (CIO Approval).

Graphic of the proposed CLEAN ATO reorganization. From left to right: 1) Initiate (ISSO Submission) 2) Review (ATO Artifact Review, CRA Recommendation Submitted, SDM Review and Approval, ISSO Review & Approval, Privacy Officer Review & Approval) 3) Submission (Business Owner Approval) 4) Approval (DSPC Approval, CISO Approval, CIO Approval).

Graphic showing the proposed ATO risk profiles. 1. High overall risk profile approval: DSPC Approval, CISO Approval, CIO Approval. 2. Moderate overall risk profile approval: DSPC Approval, CISO Authorize. 3. Low overall risk profile approval: DSPC Authorize. 85% of systems undergoing ATO are managing risk well and have a LOW or MODERATE risk profile. 15% of systems undergoing ATO have a HIGH risk profile and therefore require CIO direct involvement in ATO approval.

If you have any questions about CLEAN, please reach out to Rama Sistla at ramakrishna.sistla1@cms.hhs.gov.

Team Members: Ramakrishna Sistla, Jessica Hayden, Prasad Athota
