ATF begins looking to new cyber strategies as it nears 100% cloud migration

The Bureau of Alcohol, Tobacco, Firearms and Explosives is only a few months away from having 100% of its systems in the cloud. That’s the culmination of almost eight years of effort, said Mason McDaniel, ATF’s chief technology officer. He said that’s been such a large lift because there are no commercial, off-the-shelf products for missions like criminal investigations, firearms dealer regulations or firearm tracing. And because those systems weren’t compatible with the cloud, ATF needed an environment that allowed them to be rebuilt from the ground up.

“We really refocused on building an enterprise, continuous integration, continuous delivery (CI/CD) environment, rebuilding all of our processes around automation, and really focused on building this pipeline that let us rebuild our applications quickly, efficiently, deploy things quickly, and then we use that as the enabler to go through application by application and try to get those rebuilt. And we are just about at the end of that journey,” McDaniel said on Federal Insights — Best Practices in Secure Software Development.

One key part that McDaniel said ATF prioritized was not changing the business processes, in order to minimize retraining. Instead, ATF focused on wrapping modern frameworks and automation technologies around those, to set the stage for modernizing those business processes as rapidly as possible in the future.

Automating cybersecurity

That also gave ATF the opportunity to embed automated cybersecurity processes throughout the development lifecycle, said ATF Chief Information Security Officer Hillary Carney. That includes penetration testing, endpoint detection and response tools, security information and event management logging tools, and more. That gives developers the feedback they need to address vulnerabilities from test cases through production, as well as lifetime visibility.

“One of the things that I think cloud really helped us with is that near-real time visibility; it allows us to be so much more agile, not only for meeting the business mission need, but for the security testing portion as well,” Carney said. “And being able to interact with the operations teams and say ‘we monitor on a daily basis through our tools. And we’re seeing this change; the posture has changed, and we need you to get in there, and diagnose why that’s happening.’ So cloud has been essential in order to move our program forward, to be a lot more responsive to both mission and then to cybersecurity.”

“But just like the tools have gotten better, so have the adversaries. That’s really what’s driving this. It’s an arms race. So if we are not on top of it, someone else will find it. They will exploit it,” she added. “I am over the moon with the progress we’ve made and being able to do more near real-time analysis, do more agile testing. However, as we get better, they get better. So there is no rest for the weary.”

That’s why the next thing on ATF’s cybersecurity to-do list is to begin using the Cybersecurity and Infrastructure Security Agency’s software attestation form. Eventually, Carney said, the goal is to get to using Software Bills of Materials, but that’s too much of a culture change all at once. She said, much like ATF has done with it’s CI/CD program, the intent is to start slow and build the case as they build the program.

Containerization

But in the meantime, ATF is leveraging its new CI/CD capabilities along with a push toward containerization and virtualization to enhance its systems’ resiliency. McDaniel said using automated deployment and containerization limits the configuration creep of patching, because every new instance is automatically deployed from a known-good state. When paired with ATF’s more frequent deployments, that shrinks the window that adversaries have to create a persistent presence in the systems.

And as ATF uses this method to re-architect its systems, it’s also implementing zero trust principles like least privilege, and continuous verification of identity and authorization. That’s an ongoing process McDaniel said will help ATF protect its application programming interfaces.

“Identity is so foundational to our cloud journey as well as the zero trust mandate. We’ve started some work on device. We’ve made inroads in multiple pillars,” Carney said. “What we need to do now, and we’re trying to drive towards, which is difficult in these constrained budget environments, is really getting that integrated plan to move together, to ensure that we’re taking everything into account as we’re planning our featured architectural state. So it’s a work in progress.”

Information sharing

All of this has been bolstered by increased information sharing among Justice Department components, both Carney and McDaniel said. Many of ATF’s systems are law-enforcement specific; there’s no need for agencies outside DoJ to have them. That limits the applicability of information sharing in wider venues, like the Chief Information Officers Council. But within DoJ, they’re sharing strategies that they find to be more effective than “the traditional, ‘let’s throw 500 FISMA controls at it’” strategies, Carney said.

“So we’ve been figuring a lot of it out as we go and refining our processes and sharing a number of our lessons learned with some of the other components,” McDaniel said. “And then for those that have been on the same path, we’re certainly taking what we can from them. But there’s definitely active lessons learned sharing going on, between all the components.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.