Red tape often delays digital transformation initiatives across government agencies, including the adoption of modern software delivery practices critical for mitigating disruption from emerging threats and changing mission requirements.
Well-meaning policies have blocked many agencies from swapping traditional waterfall or siloed software development models for agile methods capable of continuous delivery. By understanding process bottlenecks, officials can avoid bureaucratic barriers and enhance security. As co-founder of the U.S. Air Force’s Kessel Run, I know this firsthand.
To enable continuous delivery, Kessel Run had to design an alternative to the traditional authority to operate (ATO) process for the changes we had to make in near-real time. The traditional ATO process provides neither the speed nor adequate security to address changes in technology and cyber threats. Our answer was to establish continuous authority to operate (cATO), a process dependent on the continuous application of the structured, but adaptable National Institute of Standards and Technology’s Risk Management Framework (RMF).
Think of cATO as an ongoing authorization for continuous delivery after achieving the initial ATO. The process embeds compliance into the development lifecycle by creating strong controls, rigorous continuous monitoring for security and privacy risks, and exceptional documentation.
Ongoing authorization is not a shortcut. It is a disciplined approach to constantly understanding a system’s risk profile based on building trust through transparency and enabling technologies that create a secure, compliant agile environment. With the right processes and partners, federal agencies can regain control of digital transformation initiatives and deliver higher-quality software faster than ever before.
Stack your AO’s team with its own technical assessors
More than 80% of the time it takes to get a traditional ATO is spent waiting in the queue. Developers wait months before receiving feedback on their code while the rest of the technological landscape continues to change. Waiting often leads to obsolescence.
Capacity and skills deficits cause the delay. The government doesn’t employ enough information security analysts and authorizing officials to handle the volume of systems and changes that require evaluation. Hundreds or even thousands of requests are waiting for review overload security analysts, and some lack the technical expertise to assess modern systems properly.
Programs seeking an ATO should set aside money for their authorizing official to hire dedicated, technically skilled assessors to work directly with them to significantly reduce delays. Build this technical talent into your budget and contract vehicles, even if it means sacrificing a developer – it’s a smart trade-off for getting software to production more efficiently.
Take advantage of flexibilities in the RMF
The Federal Information Security Management Act requires agency systems to undergo a risk management process. NIST made the RMF flexible and adaptable, but many agencies slow the workflow with unnecessary, additional practices.
By design, the framework allows agencies to tailor the guidance to their systems. For example, a myth persists that RMF doesn’t work with a DevOps environment. Some agencies freeze their code baselines when they send them for assessment and assume they cannot conduct new work until they receive authorization. But the framework doesn’t call for serial assessments. Instead, NIST explicitly states agencies should align the framework with their software development life cycles.
NIST avoids dictating particular platforms or methods, keeping the framework technology neutral. Agencies often get stuck doing things the way they have always done them rather than following new roadmaps.
Focus on common controls
One of the first technical steps in transitioning from traditional ATOs to ongoing authorization is to implement common controls inheritance.
To achieve initial authorizations at Kessel Run, we locked ourselves in a room for days exclusively focused on understanding the controls inheritance for each layer of our infrastructure and platforms. Everyone wants to skip this kind of compliance work, but it’s fundamental to saving time later. A dedicated technical assessor also makes this process go more smoothly.
This time investment paves the way for maximizing common control inheritance. For example, developers can reuse the authorized controls of a cloud environment for each deployed app to shrink the scope of future project assessments. Organizations save time on each deployment, which pays dividends considering how many apps agencies use.
Prepare to present evidence
Once an organization achieves initial ATOs, it must demonstrate comprehensive continuous monitoring capabilities after deployment in order to achieve cATO. The NIST RMF focuses explicitly on verifying that security controls remain in place. Don’t confuse this with dynamic scanning for security vulnerabilities, which is merely one component of continuous monitoring.
Organizations will need to digitize and automate control implementation documentation, but the governance, risk and compliance (GRC) platforms agencies commonly use weren’t built for ongoing authorizations with dynamic, modular inheritance. Agencies must prepare to manage very modular evidence packages and understand how changing one layer of the tech stack impacts the others. Most importantly, agencies need to detect when the production environment drifts from approved configurations.
Make room to shift left
Leaders must create a low-friction environment so development teams can easily integrate security into their work. Examine overloaded schedules or backlogs for tasks that provide no to negligible value. Remove what can be removed and reduce friction for essential tasks.
Seek continuous improvement. Look for ways to optimize change approval workflows, shorten the time waiting for ticket resolutions, or otherwise address chronic inefficiencies. Teams can’t “shift left” on security without organizations proactively making space for it.
By embracing the ongoing authorization process, federal agencies can overcome bureaucratic delays, better manage emerging threats, and accelerate digital transformation initiatives. Adopting this mindset and the processes to achieve it ensures agencies can respond to mission-critical demands by continuously delivering software at the speed of relevance.
Bryon Kroger is the CEO and founder at Rise8 and co-founder of the U.S. Air Force’s Kessel Run, the Department of Defense’s first software factory.
Overcoming bureaucracy to expedite software development cycles
One-off authorizations take too long to achieve, but adopting a method for continuous delivery will lead to faster, more agile and secure software.
Red tape often delays digital transformation initiatives across government agencies, including the adoption of modern software delivery practices critical for mitigating disruption from emerging threats and changing mission requirements.
Well-meaning policies have blocked many agencies from swapping traditional waterfall or siloed software development models for agile methods capable of continuous delivery. By understanding process bottlenecks, officials can avoid bureaucratic barriers and enhance security. As co-founder of the U.S. Air Force’s Kessel Run, I know this firsthand.
To enable continuous delivery, Kessel Run had to design an alternative to the traditional authority to operate (ATO) process for the changes we had to make in near-real time. The traditional ATO process provides neither the speed nor adequate security to address changes in technology and cyber threats. Our answer was to establish continuous authority to operate (cATO), a process dependent on the continuous application of the structured, but adaptable National Institute of Standards and Technology’s Risk Management Framework (RMF).
Think of cATO as an ongoing authorization for continuous delivery after achieving the initial ATO. The process embeds compliance into the development lifecycle by creating strong controls, rigorous continuous monitoring for security and privacy risks, and exceptional documentation.
Discover how agencies ensure end-to-end security of software development in our new ebook, sponsored by Synack.
Ongoing authorization is not a shortcut. It is a disciplined approach to constantly understanding a system’s risk profile based on building trust through transparency and enabling technologies that create a secure, compliant agile environment. With the right processes and partners, federal agencies can regain control of digital transformation initiatives and deliver higher-quality software faster than ever before.
Stack your AO’s team with its own technical assessors
More than 80% of the time it takes to get a traditional ATO is spent waiting in the queue. Developers wait months before receiving feedback on their code while the rest of the technological landscape continues to change. Waiting often leads to obsolescence.
Capacity and skills deficits cause the delay. The government doesn’t employ enough information security analysts and authorizing officials to handle the volume of systems and changes that require evaluation. Hundreds or even thousands of requests are waiting for review overload security analysts, and some lack the technical expertise to assess modern systems properly.
Programs seeking an ATO should set aside money for their authorizing official to hire dedicated, technically skilled assessors to work directly with them to significantly reduce delays. Build this technical talent into your budget and contract vehicles, even if it means sacrificing a developer – it’s a smart trade-off for getting software to production more efficiently.
Take advantage of flexibilities in the RMF
The Federal Information Security Management Act requires agency systems to undergo a risk management process. NIST made the RMF flexible and adaptable, but many agencies slow the workflow with unnecessary, additional practices.
By design, the framework allows agencies to tailor the guidance to their systems. For example, a myth persists that RMF doesn’t work with a DevOps environment. Some agencies freeze their code baselines when they send them for assessment and assume they cannot conduct new work until they receive authorization. But the framework doesn’t call for serial assessments. Instead, NIST explicitly states agencies should align the framework with their software development life cycles.
Read more: Commentary
NIST avoids dictating particular platforms or methods, keeping the framework technology neutral. Agencies often get stuck doing things the way they have always done them rather than following new roadmaps.
Focus on common controls
One of the first technical steps in transitioning from traditional ATOs to ongoing authorization is to implement common controls inheritance.
To achieve initial authorizations at Kessel Run, we locked ourselves in a room for days exclusively focused on understanding the controls inheritance for each layer of our infrastructure and platforms. Everyone wants to skip this kind of compliance work, but it’s fundamental to saving time later. A dedicated technical assessor also makes this process go more smoothly.
This time investment paves the way for maximizing common control inheritance. For example, developers can reuse the authorized controls of a cloud environment for each deployed app to shrink the scope of future project assessments. Organizations save time on each deployment, which pays dividends considering how many apps agencies use.
Prepare to present evidence
Once an organization achieves initial ATOs, it must demonstrate comprehensive continuous monitoring capabilities after deployment in order to achieve cATO. The NIST RMF focuses explicitly on verifying that security controls remain in place. Don’t confuse this with dynamic scanning for security vulnerabilities, which is merely one component of continuous monitoring.
Sign up for our daily newsletter so you never miss a beat on all things federal
Organizations will need to digitize and automate control implementation documentation, but the governance, risk and compliance (GRC) platforms agencies commonly use weren’t built for ongoing authorizations with dynamic, modular inheritance. Agencies must prepare to manage very modular evidence packages and understand how changing one layer of the tech stack impacts the others. Most importantly, agencies need to detect when the production environment drifts from approved configurations.
Make room to shift left
Leaders must create a low-friction environment so development teams can easily integrate security into their work. Examine overloaded schedules or backlogs for tasks that provide no to negligible value. Remove what can be removed and reduce friction for essential tasks.
Seek continuous improvement. Look for ways to optimize change approval workflows, shorten the time waiting for ticket resolutions, or otherwise address chronic inefficiencies. Teams can’t “shift left” on security without organizations proactively making space for it.
By embracing the ongoing authorization process, federal agencies can overcome bureaucratic delays, better manage emerging threats, and accelerate digital transformation initiatives. Adopting this mindset and the processes to achieve it ensures agencies can respond to mission-critical demands by continuously delivering software at the speed of relevance.
Bryon Kroger is the CEO and founder at Rise8 and co-founder of the U.S. Air Force’s Kessel Run, the Department of Defense’s first software factory.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Foundation for origin data through software attestations set
The old issue of software licensing comes up anew in a hearing
Two DoD agencies team up to collect software vulnerabilities