What needs an ATO? (Update)

In 2013, I wrote a post that traced the definitions in DoD policy on what things need an ATO (then Approval-To-Operate, now known as Authorization-to-Operate).  Since that time, much policy has been reissued, so here’s an update:

DoD Instruction 8510.01 (Change 2, July 28, 2017) “Risk Management Framework (RMF) for DoD Information Technology (IT)”, says “Each DoD IS, DoD partnered system, and PIT system must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.”

“DoD IS”, above, is a DoD “Information System”.  The glossary section of 8510.01 says “Information System” is defined in CNSS Instruction 4009, “Committee on National Security Systems (CNSS) Glossary”:  “Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.”

This doesn’t help, in terms of determining what doesn’t need an ATO.  However, DoD Instruction 8500.01, “Cybersecurity”, says this:

(a) DoD ISs are typically organized in one of two forms:

1. Enclave
2. Major Application (Formerly Automated Information System Application)

a. Certain applications, because of the information in them, require special management oversight due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application and should be treated as major applications. A major application may be a single software application (e.g., integrated consumable items support); multiple software applications that are related to a single mission (e.g., payroll or personnel); or a combination of software and hardware performing a specific support function across a range of missions (e.g., Global Command and Control System, Defense Enrollment Eligibility Reporting System). 

b. Major applications include any application that is a product or deliverable of an Acquisition Category I through III program as defined in Enclosure 3 of Reference (av). When operationally feasible all new major applications will be hosted in a Defense Enterprise Computing Center.

c. All applications, regardless of whether they rise to the level of major application or not, require an appropriate level of protection. Adequate security for other than major applications may be provided by security of the environment in which they operate.

d. When possible, capabilities should be developed as applications hosted in existing authorized computing environments (i.e., enclaves) rather than designated as major applications requiring new and separate authorizations.

e. DoD Component CIOs will resolve disputes regarding whether an application rises to the level of a major application.

The Fundamental Absurdity of the Christian Faith

In 1990, as a senior in high school, I had an atheist friend ask me: “What, precisely, is it that Christians believe?”  I will call her “Amy”, because that was her name.  Amy had been raised as an atheist by two atheist parents and had never really known much about Christianity.  I had been raised Protestant by two Christian parents, I had gone to Church and Sunday School every Sunday my whole life, I had gone to Christian youth group (Young Life, mostly) for years, and countless Christian summer camps.  I felt like I had a pretty good understanding of late 20th-century Christian theology.

By that time, I was basically an apostate myself, so Amy’s question left me with an interesting exercise:  how to simply and truthfully explain the essential Christian theology without proselytizing?  I had spent a lot of time at that point literally soul-searching and questioning the truth of the Christian message, but until I explained it to an atheist friend without trying to convert her, I’d never reflected on the complete absurdity of it. This is roughly how that sounded:

Galaxy Chart in D3

When I first started working for the Deputy CIO for Business Process & Systems Review, I was exposed to a data visualization called a “galaxy chart”. The version I saw was developed by Technomics, Inc., who (interestingly) do a lot of work for my former organization, PA&E (now CAPE).

While Technomics seemed to claim (when I met them) that they “invented” the galaxy chart, I think this is probably an overstatement, since there seems to be plenty of prior art.

Anyhow, I built a D3 plugin for a galaxy-chart layout.

Example galaxy chart displaying a view of the United States Federal Budget for Fiscal Year 2011

A Burning Man 2014 Story

A cabinet, standing alone, in the Black Rock Desert

It was early in the morning around Thursday, when my family let me off-leash to go cruise the playa to see the art. I was way out in the deep playa, almost at the 12:00 apex of the trash fence, almost as far out as it is possible to be.  I rode my bike up to a cabinet standing alone by itself in the desert. The sun was just over the hills to the east. There was a man and woman about 50 meters away, on a blanket watching the sunrise, but otherwise, I was alone.

The cabinet was a slightly battered-looking piece of furniture, like you would find in a bedroom at a beach rental.  There were some drawers on the left, and two swinging doors, top and bottom.  The drawers were screwed shut.  The bottom door was secured with some heavy steel rings, locked with a bicycle lock, the kind that you dial in a combination of four letters and it releases. As I parked my bicycle and walked up to the cabinet, I could hear a woman’s voice from within, telling a story.  Here is what I heard, retold as best I can remember 6 weeks later…

Most cryptic error message of 2014

My work computer (Windows 7 Enterprise) informed me today with a sad red “x” icon that:

Provider could not perform the action since the context was acquired as silent.

This is now my favorite error message; just barely edging out the message from 2003-era Windows ME which informed my girlfriend that she should contact her system administrator.