For the last several years, Defense agencies and military services have dabbled with reforms to their IT security approvals process that acknowledge the realities of modern software development and cyber threats. The general idea is that the old way of doing things, a point-in-time grant of an Authority to Operate (ATO), takes too long, and the resulting authorization might have lost its relevance before the system actually gets up and running anyway.
The “continuous ATOs” (cATOs) that have taken their place in some quarters of the DoD IT development community now have the full attention of the office of the DoD chief information officer. In a new memo, the Pentagon said it wants to make them the “gold standard” for cybersecurity across the department, while also bringing more commonality to how Defense organizations use them.
The Defense components that have moved to continuous ATO models see at least two big benefits. For one, the emphasis on continuous monitoring, instead of rigorous, single-point-in-time security exams means new software and systems can get online much more quickly. But the general belief is the approach also does a much better job of assessing cybersecurity in the real world, since the authorizations are based on current threats and vulnerabilities, not what the state of cybersecurity happened to be months or years ago, when an authorizing official finally gave a particular system a green light.
A new memo from the DoD CIO’s office is focused on that second benefit, the continuous monitoring aspects of the NIST Risk Management Framework. To get a cATO endorsed by the DoD CIO, system owners will also need to show they’re capable of defending their systems in real time, and that they have a secure software supply chain.
One overarching goal is to make sure everyone who uses the term “continuous ATO” is speaking the same language, said Jason Weiss, DoD’s chief software officer.
“What we’ve had in the past was different program elements, different services, using that term in different ways, and it’s created some confusion,” he told reporters last week. “In order to figure out what that standardized look of a cATO is, and what level of cybersecurity we expect across the three ingredients within that memo, we are going to be working closely with our software factories to tease out those best practices. I see that as an opportunity for finding exactly where that baseline needs to be and then amplifying that further.”
But the Pentagon’s formal embrace of cATOs probably should not be read as a sign that it expects all of the department’s applications and systems to move there overnight.
Indeed, the memo makes clear that a DoD-approved cATO is a privilege, not a right, and it can be revoked at any time, if for example, continuous monitoring shows that a system has slipped into a poor cyber posture.
And system owners will need to meet a high bar to get one.
When it comes to active cyber defense, for example, the memo makes clear that scanning and patching systems isn’t good enough. Rather, their authorizing officials will need to show they’re in “constant communication” with U.S. Cyber Command and other cyber defense organizations to share and act on threat information in real time.
Simply asserting that a system embraces a DevSecOps model isn’t good enough either. They’ll have to adopt one of the specific DevSecOps reference designs the DoD CIO has already approved.
Despite those guardrails, the DoD CIO’s formal endorsement of continuous ATOs is likely to accelerate adoption across the department, said Angel Phaneuf, the chief information security officer at the Army Software Factory.
“I think it’s a wonderful memo, because it just makes space,” she said during a forum hosted by AFCEA’s D.C. chapter last week. “A lot of organizations have followed the continuous ATO model, and now it gives other organizations that space to be able to want to do the same. Over the course of the next few years, I think we’ll probably see multiple guidance documents coming out, which is great. I’m glad that it came out DoD-wide, I think it’s a huge win for us. I’m interested to implement [the DoD-wide approach] and I hope to go after it within the year.”
Weiss said DoD also expects the guidance to change over time, and the memo makes that clear too.
“Published cATO guidance is intended to be agile as threats mature so cATO evaluation criteria will also be updated to outpace the threats we face. DoD CIO will iterate with the community to ensure that guidance is up to date and commensurate with cybersecurity best practices,” according to the document, signed by David McKeown, the department’s deputy CIO for cybersecurity.
In the short term, Defense components and vendors should expect those guidance documents to be focused mainly on the software development platforms DoD’s 29 software factories use.
One key idea behind its approach is that many or most of the security controls an authorizing official would normally need to sign off on are, instead, checked and enforced by the platform itself. If a piece of software clears those automated gates, it doesn’t necessarily need to be re-inspected.
“At the end of the day, Platform One platform isn’t executing a specific mission, it’s a platform-as-a-service, effectively,” Weiss said. “So initially, we’re really going to target the platform providers that are out there, where other application teams are building on top of them. That’s really our starting point. It’s the beginning of the journey; we’re not at that destination yet. But we have to start this journey by figuring out how to bring some degree of precision of language across the authorizing official community as to what [cATO] means.”