The Air Force is joining an ever-growing number of agencies so frustrated with the arduous and burdensome authority to operate (ATO) process that it developed an alternative plan.
Similar to the National Geospatial-Intelligence Agency and the General Services Administration’s 18F organization, the Air Force figured out a way to speed up the process to get systems approved to run on its network, while keeping the necessary rigor and adding a new twist—continuous monitoring.
Air Force undersecretary and chief information officer Matt Donovan signed a memo March 22 detailing the new process that comes under the Defense Department’s risk management framework.
Called the “Fast Track ATO,” Donovan said the new process gives authorizing officials the discretion to make decisions based on several factors: the cybersecurity baseline, an assessment or penetration test and ensuring there is a continuous monitoring strategy for the system.
“A fundamental tenet of this Fast-Track ATO process is the authorizing official will make these decisions by working closely with information systems owners and warfighters to find the appropriate balance between rapid deployment and appropriate level of risk assessment,” writes Air Force deputy CIO Bill Marion in accompanying guidance to the new policy. “Use cases for Fast-Track include applications developed for deployment to secured cloud infrastructure, and authorizing officials may consider other applicability as well; system that have not ‘baked security in’ to the system design and are not prepared to endure a strong penetration test, are not good candidates for Fast-Track.”
Frank Konieczny, the Air Force’s chief technology officer, said the penetration testing assessment is the key piece to the entire faster process because it’s giving some relief to system owners from the need to comply with every security control in the risk management framework.
“The penetration testing will actually answer some of those controls right away, and, in fact, in better cases because it’s not compliance anymore but how you operationally put information out there,” he said at the RSA Security conference in Washington, D.C. “As we roll this out, what do we mean by penetration test? We are trying to explain that now by getting back to the operational side. What do we really need to support the system going forward and doing it faster than just by doing paperwork?”
Konieczny said the Air Operations Center tested out the Fast Track ATO completed one in about a week for an application that lives on a highly structured platform that uses a dev/ops approach.
“They are doing a lot of testing automatically. They are filling out most of the controls automatically. What they do after that is the penetration test, if it passes, then it’s ready to go,” he said. “The penetration testing is really an operational viewpoint. That will eventually take over some of the compliance issues.”
Fast-Track tested at Kessel Run
The service also tested out the Fast Track ATO at its Kessel Run organization, which is the Air Force’s new agile software development office.
The Air Force’s requirement for continuous monitoring is the piece to Fast Track. He said it could mean different things to different organization ranging from redoing the code every week with another penetration test to using automation to test the system and track any changes to the code.
“Each authorizing official has the authority to do whatever they really want to do and take that risk or determine how much risk they want to take. They can determine the depth of the penetration test. The deeper the penetration test the better the results will be, and the best way to go into operational. I assume that more critical applications will actually receive a very deep penetration test as well as the continuous monitoring they want to field as well.”
The reason why the Air Force is joining the ranks of agencies finding a better, faster approach to the ATO process is the frustration of how long it takes to get new capabilities to warfighters.
The military services and DoD agencies, too often, view the risk management framework as a compliance issue, meaning there is no sufficient evidence that any one system is secure.
“The RMF process was taking too long based on the workload everyone was having and we wanted to go back to something that was more operational relevant,” Konieczny said. “The focus now is looking at real risk and operational risk. We looked at compliance risk before and everything was focused on compliance, which was good. But I can be a very devious programmer and I can get through the compliance issues without any problems, but I can still have an operational hole in my system. This is a way to fix that operational hole.”
OMB ATO streamlining strategy expected soon?
The Office of Management and Budget and others have recognized over the years that the ATO process was broken. Back in 2017, OMB said it was running a pilot program to consider other approaches to shorten the ATO life cycle and may potentially look at a “phased ATO.”
It’s unclear what happened to those pilots around a phased approach to an ATO as OMB never publically discussed those results or findings.
The attempt to fix the ATO process has been an ongoing project for OMB.
If you go back to 2013 in the annual FISMA guidance, OMB told agencies they had four years to get to continuous monitoring of systems, which would change the ATO process by making it an infrequent event to one that happens every time there is a change to the system.
As part of the President’s Management Agenda’s IT modernization cross-agency priority goal, improving the ATO process, specifically for cloud services is one of the goals.
“OMB and GSA are also developing a process to better incorporate agile methodologies into the ATO process, providing a more flexible approach for federal agencies and cloud service providers,” the December 2018 update says.
Additionally, OMB, DHS and GSA say they have issued “a draft strategic plan for streamlining ATO processes, to include vision for future of FedRAMP and rollout of activities,” and sometime in early 2019, they expect to issue a final strategic plan.
OMB hasn’t offered any update on its progress to revamp the ATO process, but back in October, Margie Graves, the deputy federal CIO, offered this insight: “If we can get to the point where we are doing continuous authorization through automated controls and automated use of data, then suddenly all the authority to operate (ATO) paperwork and approach becomes totally different. There is more veracity and more accurate because it’s based on data in the environment. That’s where we are going.”
The sooner OMB can provide some guidance around improving the time it takes to achieve an ATO, the more consistent approach agencies can take instead of these one-offs that are quickly developing.