Security accreditation is an important part of the measures taken by states and international organisations to ensure adequate cyber security in national security systems. This paper reports the findings from a survey of CCDCOE member nations, NATO and EU organisations to investigate possible shortcomings of current security accreditation practices for national security systems.
This research shows that nations and international organisations experience similar challenges with their security accreditation processes even though there are differences in the organisation and performance of accreditation activities.
The issues raised were varied, with the most commonly noted one being that the process is too time-consuming. The times reported for accrediting a national security system vary from just under one month to 18 months. These times are clearly too long in many cases, especially if they apply to re-accreditation in an agile development environment. Costs and resource requirements and a lack of staff are also seen as challenges.
The causes of the issues reported by SAAs (security accreditation authorities) can be said to fall into five broad categories: funding, competence, changing technology, clients and requirements. Both a lack of funding and competent personnel affects the SAA’s ability to manage the workload. Job market competition with private industry is raised as a particular concern. The rapidly changing technology puts additional strain on the SAAs in keeping knowledge and requirements current and also increases the rate of new and changed systems in need of accreditation. The clients are the operational authorities or business owners who wish to have their systems accredited. A lack of awareness and focus on security from the clients will impede the security accreditation process. Finally, complex and sometimes unclear or poorly understood requirements also hamper the ability to efficiently achieve compliance.
Based on the analysis, some policy recommendations are made that will address some of the challenges. The first is to define security requirements more clearly. One option is to define specific requirements for different types of systems rather than just applying generic security principles. The next is to require that vendors clearly specify the systems they deliver in a standardized manner. Third, we recommend that nations and organisations work to secure a sufficient number of competent accreditors and look into the possibility of outsourcing part of the workload. The fourth recommendation is to define the role of the client in the security accreditation process to make expectations from the SAA clear. The fifth is to establish an efficient and effective accreditation continuity strategy to manage the challenges of maintaining the security of systems that are updated more frequently than before. The sixth is to use automated validation and verification tools to make re-accreditation more efficient. Finally, we recommend that nations and organisations increase their efforts to share information on security measures and vulnerabilities. Such exchanges are becoming more important as information technologies change rapidly and it will be more difficult for a single nation to tackle all security issues within an appropriate time frame.