The Air Force is about to join the still-small group of federal agencies who’ve found ways to dramatically accelerate the process of granting cybersecurity approvals for IT systems.
The Authority to Operate (ATO) process, a paperwork gauntlet that routinely consumes months of time before new systems are allowed to be connected to government networks, is a requirement of the Federal Information Security Management Act. FISMA tells CIOs they must know and accept the security risks each system carries with it.
But there’s no particular reason the system can’t work much more quickly, said Bill Marion, the Air Force’s deputy CIO. Service officials are expected to sign off on a new “fast-track” ATO policy within a matter of days, he said.
“We fundamentally believe this is going to help us bring capability faster,” he said last week at AFCEA NoVA’s annual Air Force IT Day. “It will bring us software modernization at a faster clip, but also provide better security.”
Marion said the new policy won’t be appropriate for every IT system, but in some ways, it will turn the traditional ATO process on its head. Rather than assessing every single system against the entire catalog of NIST security controls, the goal is to make intelligent decisions about which of those assessments really need to be performed at all for a particular system.
He offered an example: If the Army has already gone through the Risk Management Framework (RMF) and deployed a system the Air Force wants to use, does the Air Force really need to put itself through every one of those same painful paces?
“What do I think I’m going to find in that whole other 900 controls in RMF that we didn’t already flush out when we put that system in a hardened cloud computing center and put it through penetration tests? What do we expect to find, and is the juice worth the squeeze? Part of this is getting the decision in front of the approving official sooner, to then determine what parts of the RMF you even need to go through,” he said. “In some cases it may be very, very short. In some cases it may be truncated by a third, or half. It’s a fundamental retooling, but we are in a different world in how we’re managing risk.”
Streamlining approval process
One reason the Air Force may feel comfortable with less quadruple-checking of those security controls on the front end is that it’s become increasingly confident that it can spot and fix genuine cybersecurity problems after a given system is deployed.
In early 2017, it deployed a commercial tool developed by Tanium, which lets Air Force cyber defenders scan the service’s entire network within a matter of minutes and automatically patch any security holes they find in real time.
Officials ordered that the tool, which the Air Force calls Automated Remediation and Discovery (ARAD), be deployed on virtually all of its IT systems by May of 2017. Any systems that couldn’t employ the tool for one reason or another were deemed “high risk.”
The timing was fortuitous. The WannaCry ransomware attack struck computers across the globe that same month. But because of ARAD, the Air Force managed to effectively immunize its entire network from the malware in less than an hour, Marion said.
“That was game changing for us,” he said. “We had never done that before in our history. While we had been pretty fast, it typically took days or weeks to remediate something of that magnitude. And we did it at scale across the Air Force in 41 minutes. We have to be able to act when something happens. This belief in defense-in-depth and network-perimeter-only security, I would argue, is a failing one in this globally connected world.”
Aside from the new availability of the ARAD tool, Marion said the Air Force’s move to the new, faster ATO process will be guided by two other major factors.
Understanding risk, benefits
Authorizing officials will need to see demonstrable evidence that any new system adheres to basic cyber hygiene, and at least some of those systems will be subjected to a new generation of penetration tests once they’re up and running, including the “bug bounties” that are becoming increasingly pervasive across government.
“I liken it to the USDA meat inspection process,” Marion said. “We don’t inspect every piece of meat, but every piece of meat could kill you. So we inspect and we review and we check our processes to make sure that bad things aren’t creeping their way back into the system. We’re finishing Hack the Air Force 3.0 right now, but we’ve got a whole series of pen tests and bug bounties planned for fiscal year 19, and they’re funded.”
It’s not yet clear how long the revamped ATO process will take, but Kessel Run, the Air Force’s new agile software development office, has been working on a “continuous ATO” model it calls “ATO in a day.”
“So this is the new world order: Make sure you’ve got a basic level of hygiene coming into the mix – that’s the price of entry – bringing the sensors and remediation tools that sit on top, and then bringing a bug bounty pen testing process,” he said.
Similar concepts have been proven out in other federal agencies, including at the National Geospatial-Intelligence Agency, which used the same terminology when it began working on its own speedier security approval process.
NGA has managed to get the process down to three days.
“We are continuing to build the telemetry necessary, the business rules, the promotion path for code committed to our dev/ops pipeline and to promote that as quickly as possible to operational,” Matt Conner, the agency’s chief information security officer, said in an August interview with Federal News Network. “We still haven’t realized the one-day ATO, but it’s out there.”