Evaluation of a model-based approach to accrediting United States government information technology systems following the authorization to operate process
Date
2025
Abstract
This research project explores Model-Based Systems Engineering (MBSE) methodology as a modernized, alternative strategy to improve the United States Government's (USG) accreditation processes and procedures for accepting new/updated information systems. While the primary goal is to significantly accelerate the transition of advanced technology to operational environments, it is imperative that we take advantage of the potential benefits realized through the implementation of a model-based process. While this dissertation primarily focuses on defense systems within the USG domain, the principles discussed are applicable in a broader context. This research focuses on the application of MBSE to defense Information Technology (IT) systems, or simply Information Systems (IS), that require an Authorization to Operate (ATO). Currently, the security accreditation process for obtaining an ATO for Government systems is primarily document-centric. This approach often leads to frequent schedule overruns, significantly increasing costs and negatively impacting stakeholders. This issue is particularly pronounced for large, software- and data-intensive systems, such as those utilized by the Department of Defense (DoD), Intelligence, and command and control (C2) operations. The complexity of authorization is significantly magnified when systems incorporate third-party applications requiring independent accreditation, which creates cascading dependencies that impact overall system security and deployment timelines; it is likewise magnified for real-time systems that must meet stringent cybersecurity requirements while adhering to strict process deadlines. Mission effectiveness is compromised when operators and end users experience delays in accessing essential tools. The trend toward implementing these types of IT systems is accelerating, highlighting the urgent need to enhance their authorization processes.
The proposed approach aims to capture the existing ATO process using a formal Systems Modeling Language (SysML) model. This model will facilitate an analysis to identify bottlenecks, redundant activities, missing interfaces, and other areas of concern. Once the model is developed and analyzed, corrective actions and proposed improvements will be introduced to enhance the process model. The potential benefits will be quantified in terms of speed-to-operations, particularly regarding schedules, as well as improvements in consistency and efficiency throughout the end-to-end process, ultimately leading to a potential reduction in overall system costs. Furthermore, the anticipated gains will be validated through modeling and analysis of the enhanced process as applied to a representative IT system, also represented in SysML. This modeled IT system will reflect the cloud-centric environments currently found in operational contexts, utilizing approved tools and technologies available to development contractors. This research will assess the impact of MBSE on the ATO. It aims to measure MBSE's effectiveness in mitigating inconsistencies, streamlining system deployment timelines, enhancing quality, reducing costs, and delivering other advantages in this practical context. The conclusions drawn from this study will establish a framework for investing in the modernization of the ATO towards a systems-engineered, model-based approach, particularly within the realm of USG systems development. The model-based ATO process will facilitate integration with the federal Digital Engineering (DE) transformation as DE continues to broaden its presence within the federal systems engineering landscape.
Subject
authorization to operate
system modeling language (SysML)
model-based systems engineering (MBSE)
accreditation