Moving Beyond Compliance to Confidence in Cybersecurity for the Federal Government

Atlassian found that modern agile teams deploy software changes 200x more frequently than a non-agile team – roughly 33 times per month.
How will cybersecurity keep up with this pace?

Technology and digital data are crucial for delivering federal government programs, products, and services. Consequently, IT leaders have had to respond faster than ever to new requests from their agencies and Congress. Adopting modern software development and operational practices like Agile Software Development and DevOps has increased business and IT velocity and agility, but security teams have struggled to keep up. The federal government, with its sensitive information, has long been a target for cyber-attacks, making cybersecurity a top priority. The widespread adoption of technology has also led to an expanded attack surface for bad actors, intensifying the impact of cybersecurity risks as more sensitive information is stored and transmitted digitally. Maintaining a robust security posture is more important than ever, yet the processes and activities related to establishing and maintaining it have challenged security teams to keep pace with the technologies they must protect. Compliance with the various laws, policies, and regulations is necessary to ensure consistent IT and cyber security practices across the Federal government but cannot stop there. To go further and tackle more, our stretched cybersecurity personnel need more efficient approaches that reduce the “toil” of compliance to free up their valuable resources to support a continuous security enhancement posture. This shift will move us from “compliance” to “confidence”. In this series, we start by exploring one aspect of the complex cybersecurity web – the Authority to Operate (ATO).

Why is the prevailing sentiment AT-Oh No?

In 2002, the Federal Information Security Management Act (FISMA) introduced the Authority to Operate (ATO) process to ensure comprehensive assessments of a system’s security controls, risks, and potential impacts. The ATO provides documented assurance that the system complies with relevant security policies and standards, following the NIST Risk Management Framework (RMF). However, the ATO process has not adapted to the modern digital era, and it has become an onerous documentation and review exercise that takes too long and becomes stale even as the ATO is being achieved.

A survey of over 27,000 IT professionals worldwide shows that high-performing organizations deploy software 46x more frequently while enjoying a change failure rate 5x lower.

The ATO process is not helpful to developers and system implementers, with each project starting from scratch. It is not friendly to system owners either: each team must independently gain knowledge and gather artifacts that could be organized, standardized, and made inheritable at the enterprise level. This results in redundant, inefficient manual effort, and teams cannot embrace and deliver IT capabilities using Agile approaches with security integrated from the start, with the “confidence” you would expect from DevSecOps. It is also hard for teams to see where the ATO process is stuck, or which key security concerns from assessments and reviews must be addressed first to avoid deployment delays.

Additionally, the information collected during this process is often buried in Excel files or lengthy Word documents. This information is sometimes copied and stored separately in other IT platforms like Enterprise Mission Assurance Support Service (eMASS), leading to manual work, rework, information redundancy (or conflicts), and other human-induced errors.

The work doesn’t end after the significant upfront investment required to establish the ATO. Historically, ATOs were issued for a three-year period, assuming that systems remained relatively stable and new development took multiple years. However, due to the accelerating pace of business and IT change, this assumption is no longer valid. IT and Security teams now must maintain the ATO on a continuous basis. New system updates, enhancements, or access for new stakeholder groups may necessitate a re-evaluation of the security controls. This update process is made burdensome by the difficulty in retrieving original ATO data located or updated in multiple artifacts, especially for the Word- and PDF-based Security Packages that can easily exceed a hundred pages for a small application. The time spent on tedious documentation detracts from efforts better spent understanding underlying risks and proactively mitigating them.

How do we get to AT-Oh Yes?

Modern software delivery has brought numerous benefits to government agencies and the American public, but it leaves little of the time that government accreditation and compliance processes require. Adopting modern practices like DevSecOps can lead to better coordination and more iterative, cyclic processes, but the result depends on the DevOps culture and the agency’s preferred software development lifecycle processes, and it still lacks the upfront agility needed to decrease authorization lead time. IT and security leaders must explore alternative approaches to keep pace, since cloning their teams is not (yet) an option. Here are a few viable options to consider.

Establishing an Enterprise View

Develop a comprehensive enterprise view of your organization’s IT assets, infrastructure, and security posture to facilitate rapid response to vulnerabilities, make informed decisions about cryptographic needs (e.g., post-quantum cryptography), determine the inheritance of controls and processes, and keep track of critical controls and monitoring plans/frequency as you move toward a Continuous Authorization to Operate (C-ATO). Implement an IT Asset Management (ITAM) system that allows you to maintain an up-to-date inventory of your organization’s hardware, software, and network components. Leverage configuration management tools to track changes and maintain a baseline of your IT environment. Additionally, utilize vulnerability management solutions to identify and respond to security risks in a timely manner. Establish a process to regularly review and update your organization’s control inheritance, monitoring plans, and cryptographic requirements. Creating an enterprise view of your IT environment will enable your organization to have a clear understanding of its assets and security posture. This holistic approach allows for faster decision-making, improved risk management, and a more efficient RMF process. With an accurate and comprehensive inventory, your organization can respond more effectively to emerging threats, better allocate resources, and optimize its progress toward a C-ATO.


Maximize the Use of Automation

NIST SP 800-37 specifically says “Organizations should maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the Risk Management Framework (RMF). Automation is particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches—together facilitating a real-time or near real-time risk-based decision-making process for senior leaders.”

Invest in a centralized platform for producing artifacts, orchestrating tasks related to monitoring and control reviews, and maintaining a consistent component inventory to ensure true inheritance throughout the system. This platform should be able to import data from disparate systems, such as component lists (to identify end-of-life (EOL) or near-EOL components), vulnerabilities, and encryption specifications, effectively becoming a one-stop shop for all security-related information. With so many ways to streamline processes and options for automation at our disposal, much of the administrivia of manual reminders, repeating the same actions, converting one offline document to another format, and creating and retiring collaboration spaces and file-sharing processes can be automated. Leveraging these digitized workflows helps avoid missed steps and information, standardizes data collection to higher quality levels, and mitigates rework. Reviews and approvals do not require a human dedicated to tracking progress and guiding it from one email box to another when process automations provide transparent status updates. Where permitted, data that needs to be replicated from one system to another can use service-based integration or other alternatives without manual duplication. Streamlined artifact production and task orchestration reduces the burden on limited resources and allows them to focus on more critical aspects of the cybersecurity program.
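The component-list import and control inheritance described here and under Establishing an Enterprise View, as an added example that is not code from the original post or from NetImpact: it flags EOL and near-EOL components from an enterprise inventory and separates the controls a system inherits from enterprise common-control providers from those it must implement itself. All component names, EOL dates and provider mappings are constructed; control IDs only follow NIST SP 800-53 naming.

```python
# Added example (not from the original post or NetImpact): an enterprise-
# inventory check of the kind a centralized ATO platform runs over imported
# data. All component names, EOL dates and provider mappings are constructed.
from datetime import date, timedelta

# Constructed component inventory: component -> vendor end-of-life date.
COMPONENT_EOL = {
    "legacy-os-7": date(2024, 6, 30),
    "crypto-lib-1.1": date(2023, 9, 11),
    "db-server-15": date(2027, 11, 11),
    "web-framework-4": date(2025, 3, 1),
}

# Constructed common-control providers; control IDs use NIST SP 800-53 naming.
PROVIDERS = {
    "Enterprise Data Center": {"PE-2", "PE-3", "PE-6"},
    "Enterprise Identity Service": {"IA-2", "IA-5", "AC-2"},
    "Enterprise SIEM": {"AU-6", "SI-4"},
}


def classify_components(components, today, horizon_days=180):
    """Sort a system's components into EOL, near-EOL (within the horizon)
    and unknown (not in the enterprise inventory) as of `today` (ISO string)."""
    today = date.fromisoformat(today)
    eol, near_eol, unknown = [], [], []
    for name in components:
        end = COMPONENT_EOL.get(name)
        if end is None:
            unknown.append(name)  # not inventoried: cannot be assessed
        elif end <= today:
            eol.append(name)
        elif end - today <= timedelta(days=horizon_days):
            near_eol.append(name)
    return sorted(eol), sorted(near_eol), sorted(unknown)


def split_controls(required, providers=PROVIDERS):
    """Map each required control to the provider it is inherited from;
    controls no provider covers are the system's own to implement."""
    inherited, system_specific = {}, []
    for ctrl in sorted(required):
        provider = next((p for p, c in providers.items() if ctrl in c), None)
        if provider:
            inherited[ctrl] = provider
        else:
            system_specific.append(ctrl)
    return inherited, system_specific
```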

Continuous Monitoring and Risk Assessment

Implement continuous monitoring and risk assessment processes to proactively identify and address potential security threats. Leverage advanced analytics tools and security information and event management (SIEM) systems to monitor your IT environment in real time. Establish a risk assessment framework that can prioritize risks and allocate resources accordingly. Continuous monitoring and risk assessment enable your organization to detect and respond to threats more quickly, reducing the likelihood of successful cyber-attacks. It also ensures that your resources are allocated effectively, focusing on the most significant risks.

Intelligent Collaboration

Implement a system that supports multiple distinct review cycles for different organizational units, such as the Privacy Office and the CISO. This feature will allow for a more streamlined and efficient risk management process, catering to the unique requirements of each unit. By adopting this approach, your organization will have better collaboration between different organizational units, resulting in more comprehensive and effective risk management.

Prioritization and Risk-based Approach

Adopt a risk-based approach to prioritize IT assets and allocate resources effectively. Identify the most critical IT assets and the associated risks within your organization. Develop a risk matrix to prioritize these assets and ensure that resources are allocated based on their importance to the organization. A risk-based approach allows you to focus on protecting the most crucial assets, ensuring that your limited resources are used effectively and efficiently.

You got my attention! What should I do next?

Ultimately, the transition from compliance to confidence in federal cybersecurity measures hinges on embracing modern practices, fostering collaboration, and leveraging technology to improve the efficiency and effectiveness of the ATO process. By striking the right balance between agility and security, federal agencies can confidently protect their sensitive information and assets from evolving cyber threats while continuing to deliver critical services to the American public.

At NetImpact, we’ve lived through decades of painful but necessary experiences supporting the A&A process. We know this pain is shared by the federal collective. Not satisfied with the piecemeal automations we have had to use in our previous engagements, we built DX360°® Security Accreditation, Remediation, Management of Operations and Risk (ARMOR™).

Security ARMOR® is an app that solves the above challenges, cutting your accreditation timeline in half and managing all your IT assets as a unified, secured portfolio. Whether the organization holds RMF-based ATOs or is pushing through the FedRAMP process, Security ARMOR® accommodates the diverse processes federal agencies must follow, all in a single place. Imagine never needing to rewrite a Word document again, port it from one template to another, or convert XCCDF to CSV, then to XLS, only to present the final information in .DOC format.

Security ARMOR® is built directly on the Microsoft platform, so installing the solution itself accelerates accreditation by inheriting from your Microsoft tenant.

If you or your customers are ready to increase visibility into your IT portfolio, improve your security process, and elevate the agility to keep up with mission requirements, we’re ready for the call.

About NetImpact

NetImpact Strategies, Inc. is a digital transformation disruptor specializing in high-performing, secure digital solutions that redefine how technology is applied to deliver mission value.

NetImpact empowers clients with DX360°® services that accelerate mission outcomes for sustainable, lasting value using SaaS COTS products built on ServiceNow and Microsoft. Follow NetImpact on their website or LinkedIn for more.