In January 2015, the UK government’s ‘technical authority on information assurance’ (CESG) announced the end of the requirement for systems security accreditation.
I remain a watcher of the British government’s way with information security. This goes back to my own work on accreditation, from the time when it was launched in the mid-90s up until the mid-2000s.
What was Accreditation?
Most recently, UK government accreditors were defined as advisors to risk owners on whether to accept security risks after balancing them against business needs. They were expected to be impartial and independent.
The closest proximity to the term in U.S. government seems to be ‘certification and accreditation’ (C & A). This is a factor within HIPAA and also mentioned in NIST advice from 2002 about security in systems’ interconnection. However, these two descriptions of C & A do not seem to amount to the same thing, and neither is directly related to the British flavor of accreditation.
How it started
Back to the UK – an ‘impartial and independent’ assessment was not how accreditation started. By the early 1990s, government security was conscious of disparate office systems collecting unknown amounts of data. It decided controls were needed. The first attempts at this coincided with my arrival on the computer security scene, and involved helping system owners draw up secure operations processes under which their systems could function securely. But the proliferation of systems and the impracticality of identifying them all made this a paper exercise. There were no sound methods of checking the effectiveness of the security controls.
How it changed: Accreditors as intercessors
What changed everything was the government’s creation in the late 90s of a government-wide area network, which also gave its users onward connection to the Internet. The process for deciding whether systems were fit to join this network was what I understood then to be accreditation. The IT security section became accreditors who now had the authority to ensure any connecting systems met the vigorous security requirements of the new network. Without an accreditor’s say so, systems would not be allowed to join it.
The accreditors became, if not popular, a vital part of the systems management process. We did come under pressure to approve the security of systems. But we also had powerful friends in central government who jealously guarded the integrity of the area network, and whose authority was needed for connections to be made. Accreditors actually became intercessors between these guardians of the area network and those wishing to join it. It was perhaps the golden age of accreditation!
The new challenges
With such powers inevitably came new challenges. Our methods for appraising the security of systems came under the spotlight of business managers. I must say the accreditation process was not easy to grasp, or even describe, and sometimes this led to mutual frustrations. Another unforeseen problem was that our acquired skills naturally overlapped the security responsibilities of systems designers and integrators. Accreditors got so well-versed in the often complex issues around information risk that it seemed quite natural for busy managers to shunt complex security issues towards them. So without a good grip of exactly where responsibilities for risks should lie, accreditors could be sucked in to becoming the sole security expertise on systems they were expected to impartially assess.
In its attempts to separate systems security design from the accreditation process, government decided to hand the former to approved private sector security consultants. These were given some training and full access to its risk assessment and management methodologies, set out in Information Assurance Standard IS1 & IS2.
This standard was developed for government systems and was formally abandoned alongside accreditation. Evolving over two decades, with origins in the DoD Orange Book, the standard only got more unwieldy as it was updated. Also some restrictions on the availability of the whole standard added an air of exclusivity which was unhelpful. The government eventually concluded – in its own words – that the standard’s “…focus [was] typically on the process rather than analysis”. Even so it has not been deleted, but instead effectively left to wither away, without further support. It is such a convoluted document and couched in such complex terms, I’d be surprised if anyone tried to revive it or adapt it to future use.
The accreditors role
The accreditor’s role was finally established as the independent arbiter of security for government systems. Government tried to consolidate the role further by staging events and, even quite recently, introducing a certification for accreditors of different levels of accomplishment. Thus accreditation maintained its separate branding from risk management.
The biggest problem I had with it was the variety of views on what an accreditor’s duties were, as well as what seemed to me to be an artificial division from the skills of risk managers. I never did meet anyone who called themselves an accreditor who did not also work for the UK government. Accreditation had sprung from a need by government to approve the security of systems, but it then crossed over into new territories without serious consideration of whether it might have been better to fold it inside of common risk management methods. But once the term had anchored itself inside of officialdom, it proved very resistant to change. That is my own view, but the UK government itself wrote its most critical epitaph recently, when it said “accreditation [sat] outside of the business or technology decision-making processes. This [led] to an unhealthy adversarial approach to security that neither support[ed] the business or result[ed] in good security…”
As for C &A, it remains to be seen how the term accreditation might live on through the security management of HIPAA. The NIST guide that spotlights C & A has not been revised, so it does not look as if will maintain a strong branding within the USA (at least outside of HIPAA).
The UK government’s information security accreditation process now looks like an extinct common ancestor of information security risk management. It was nurtured for a long time inside of government, where it was sheltered from new developments in risk management. The overriding need to integrate systems (and for governments to cut budgets) seems to have made its continued sustenance too high a price to pay, and the standards that it rested upon have also gone. I’ll be interested to see if any non-government authority will pick up any of the pieces.