National Industrial Security Program Information Systems Authorization: A Case Study
This case study addresses a timeliness and cost problem associated with attaining the Authorization to Operate (ATO) for National Industrial Security Program (NISP) information systems. Industry contractor organizations are required to attain ATOs to operate NISP computing systems that process classified information at their facility locations. The origin of the case study problem is decades old; the problem prompted action from the Executive Office of the President to establish the NISP in 1993. The NISP program's intent is to promote security requirement uniformity between the defense industry and the U.S. government, and to reduce security costs. However, despite efforts to lessen the ATO process burden, the problem continues to impede timeliness and increase the cost associated with NISP system ATOs today. The case study focuses on the reasons the ATO problem is still prevalent today and why the cost-saving attributes designed into the Risk Management Framework (RMF) remain an implementation challenge. First, a systematic multivocal literature review methodology is used to collect relevant formal research literature from academic databases, as well as gray literature from authoritative government resources. Second, a cost estimate comparison is used to examine a Department of Defense (DoD) and a NISP information system authorization. The RMF cybersecurity reciprocity and inheritance attributes are applied to the cost comparison to measure ATO impact.
Degree Type
- Doctor of Technology
Department
- Computer and Information Technology
Campus location
- West Lafayette