If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf (the waiver process is on page 23). If it did not go through that process, then it is not approved not matter what anyone told you. I know your opinion did not make it through that process.
Want to tell us what system this is? Steven Naslund Chicago IL >And yet I got my DoD system ATOed my way earlier this year by >demonstrating to the security controls assessment team that the cost >of default-deny-all exceeded the risk cost of default-allow with IDS >alerts on unexpected traffic. > >Because not spending more on a security implementation than the amount >by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while >default-deny-all is merely a standard policy. > >Regards, >Bill Herrin
