Why Federal Agencies Turn to DevSecOps to Improve the ATO Process
Leaders say the execution of cybersecurity is just as important as modernized systems.
Automating the authorization to operate (ATO) process could save federal agencies time and also enhance IT infrastructure security. DevSecOps and Agile processes could accelerate the ATO process, according to some federal IT leaders at a virtual event hosted by the Institute for Critical Infrastructure Technology (ICIT) last week.
Danny Holtzman, cyber technical director at the U.S. Air Force, said DevSecOps in IT is uniquely positioned to handle gaps in the ATO process.
“One thing that keeps me up at night as an authorizer, if [there is] a known risk in it that I misidentify,” Holtzman said at the event. “That’s what I’m concerned about. Can we continuously monitor and watch that risk over time?”
Steve Pruskowski, a security test and evaluation lead at CISA, said adopting a “holistic” approach to IT development and security is key for automating the ATO process.
“We deal with our end users a lot on the development side, and meet demands and get tools the analysts need out the door as quickly as possible,” he said at the event. “But also know we have risks and take a holistic look at this is what the environment looks like, the threatscape looks like, then [telling] our authorizers and customers this is what we found inside your apps, this is how you might want to prevent them, and then what is the business risk to not doing this.”
Speed of delivery is equally important, according to NASA Chief Data Officer and Associate CIO Ron Thompson. Speed of delivery helps quell IT hiccups, which can hinder the agency mission.
“Where the speed of delivery for the ATO process comes in, is the goal of optimizing our operations,” he said. “It’s really linking into that authoritative approval chain to make sure that security is baked in upfront. … Speeding up the ATO process is valuable, it’s important, and it’s something we’re taking a very close look at right now.”
Ron Ross, a fellow at NIST, said agencies should definitely focus on DevSecOps to optimize the ATO process because the cyber threat landscape now evolves at a breakneck pace. Federal agencies, he said, should think about moving to an IT environment where the ATO process is continuous.
“The attack surface for the adversary is humongous,” he said. “Authorization to operate has always been about giving senior leaders credible basis to make risk-based decisions. We authorize systems and common controls. The system is defined as the capability. It’s complicated, it has a lot of moving parts. We consider this a paper-based process. The world of DevSecOps is absolutely the right place to make [continuous ATO] happen.”
NASA hopes to use artificial intelligence and machine learning to automate and accelerate the ATO process. Pruskowski suggested federal agencies look at the process in “smaller and smaller bites” in order to ensure accuracy and resiliency.
The ATO process should “add value,” not be a “hindrance,” Thompson added.
“I think the common theme you’re hearing today is that we’re not just doing an evolution of cybersecurity. This is a revolution, from static security to dynamic security,” Ross said. “It’s not just about doing things digital versus paper. We need speed, transparency, and information-sharing. It’s the execution and efficiency of doing those things.”