“AO A-Okay” writes:
I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single AO for the entire organization. Are both of these approaches in accordance with “official” DoD policy? From a practical standpoint, is one approach “better” than the other? Recently I heard a rumor that Army may be attempting to go to a “single AO”. If that is the case, what effect do you think it will have on present and future Army RMF efforts?
Dr. RMF Responds:
DoD policy requires each system to have an assigned Authorizing Official (AO), but does not specify a single AO or multiple AOs per DoD Component. Therefore both approaches are considered to be in accordance with DoD policy. As for the question of which approach is “better”, Dr. RMF most definitely prefers the multiple AO approach. The reason is that the AO’s role is to make an authorization decision for each system based on risk and mission need. A single AO at the very top of a DoD component would be so far removed from the individual pro-grams that it would be nearly impossible for him or her to have good insight into mission need. In practice, the single AO will likely turn out to be little more than a “rubber stamp” for the recommendation of the Security Control Assessor (SCA). So you’ve probably figured out by now that Dr. RMF does not favor the Army’s apparent move to “consolidate” the AO role. In addition to the weakness de-scribed above, the “single AO” approach will also create yet another bottleneck in the Army’s already overly lengthy ATO process. Alas…
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/