If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf (the waiver process is on page 23). If it did not go through that process, then it is not approved not matter what anyone told you. I know your opinion did not make it through that process. Want to tell us what system this is? Steven Naslund Chicago IL
And yet I got my DoD system ATOed my way earlier this year by demonstrating to the security controls assessment team that the cost of default-deny-all exceeded the risk cost of default-allow with IDS alerts on unexpected traffic.
Because not spending more on a security implementation than the amount by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while default-deny-all is merely a standard policy.
Regards, Bill Herrin