By Lon J. Berman, CISSP, RDRP
DoDI 8510.01, entitled Risk Management Framework for DoD Information Technology, specifies that “each DoD Information System (IS) … must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.” Within each DoD Component, the Component Head is responsible for appointing the AO(s) within the Component. The DoD Instruction does not specify how many AOs there should be within each Component; that detail is left to the discretion of each Component’s leadership (Component Head, CIO, etc.).
Most DoD Components have opted for a single AO with responsibility for authorizing all systems within the Component. Other Components (most notably Army) have opted for a multiple AO approach, with each AO responsible for authorizing systems within a specific command or agency within the Component. In this article, I will try to explain the benefits and detriments of each approach, and perhaps provide some insight into the question of which approach is “better”.
The Single AO approach is by far the most prevalent within DoD, and within non-DoD departments/agencies as well. A senior official, typically a General Officer or civilian Senior Executive Service member, is appointed by the Component Head to serve as AO. Often, particularly in the larger DoD Components, the AO will employ a staff whose job it is to review incoming authorization packages and present them to the AO for final review and signature. The Single AO approach facilitates “consistency” in AO decision-making across the Component, since the same AO and staff are making all the authorization decisions.
Army is the most prominent proponent of the Multiple AO approach. Individual AOs are assigned to major commands, Program Executive Offices, etc. The principal benefit is that each AO is likely to have more familiarity with the operational needs of the specific command and is thus better able to make informed authorization decisions that balance risk level against mission need. A detriment of the Multiple AO approach is the potential for “inconsistency” in the decision-making process among the various AOs, as well as the potentially higher aggregate cost of supporting multiple AOs.
So which approach is “better”? Clearly, for a small DoD Component (or civil agency) with relatively few IS, the Single AO approach makes the most sense. For a larger DoD Component with hundreds or even thousands of IS, serious consideration should be given to the Multiple AO approach.
Having said all that, is it likely that there will be major changes from Multiple AO to Single AO, or vice versa? The answer is probably No – the inertia of “doing things as they’ve always been done” will most likely win out over other considerations. Army has given some indication that it is considering a move from Multiple AO to Single AO, but it is encountering considerable resistance. The bottom line is that system owners just need to deal with whatever AO structure is in place for their Component/agency.