Agencies are turning to automation and modern tooling, such as DevSecOps, to help their Authority to Operate process. This article, originally published on GovDevSecOps Hub, further discusses the role that Authority to Operate plays among agencies.
As federal agencies develop more online services and systems to meet the mission of the U.S. government, their appetite and need to develop and deploy secure software applications rapidly continues to grow. Many agencies are embracing DevSecOps and cloud services as a way to release these applications quickly; however, the need to meet compliance standards (i.e. RMF, STIG, FISMA, HIPAA, etc.) to obtain their Authority to Operate (ATOs) can slow down the process, or lead to exhaustive POAMs.
To discuss how agencies can take advantage of DevSecOps, while meeting their ATOs and security requirements in the same timely fashion, Checkmarx and CloudBees, along with the Institute for Critical Infrastructure Technology and Cybersecurity (ICIT), recently convened a distinguished online panel to discuss how automation and modern tooling can help the ATO process and highlight real-world examples of how this is being achieved.
Understanding the critical role of the ATOs – nutritional facts label analogy
Kicking off the discussion, Daniel “Danny” Holtzman, ICIT Contributor & Cyber Technical Director with the U.S. Air Force, offered the perspective of an accreditation officer (AO) on the role of the ATO process.
“As an AO, my goal is to identify the risk of use. What is the risk to the government of using a product? I liken it to a grocery store. Just as consumers look at the nutritional facts label before making a decision to buy a product, my goal is to create a ‘cyber risk label’ before I can inform my consumers in the Air Force whether there is a risk to using a product.”
The ATO process – at odds with CI/CD
While the goal of any development and operations team in a DevSecOps environment is to roll out applications as quickly as possible, the ATO process can take time—which is at odds with the continuous integration/continuous delivery (CI/CD) processes. Commenting on why there is often pushback on the ATO process, Dr. Ron Ross, Fellow, NIST & 2019 ICIT Pioneer stressed the complexities of making informed risk decisions in government.
“The reason why ATOs have become complicated is we’re dealing with complicated systems,” said Ross. “Authorizing a system involves a lot of moving parts. But as we transition from a paper-based to a digital, high-speed ATO where continuous authorization becomes possible, DevSecOps is the right place to make that happen. We must work our security processes into the speed of mission.”
Dr. Ross stressed that: “DevSecOps is the place to do that because as you go through that development process, you’re producing evidence and testing information that can be conveyed from the left of the lifecycle all the way to AO on the right side. In that way, we don’t burden the AO with everything they do today.”
How streamlining ATOs fits into larger digital transformation
Emphasizing how accelerating the AO process can spur digital transformation, Ron Thompson, Associate CIO with NASA, discussed why speed of software delivery is important to the agency and how security accreditation must adapt.
“We’re going through a point of transformation at NASA where we’re using digital as a lever to transform our workplace and workforce. The pace of delivery needs to change,” said Thompson. “As we look to deliver software faster to meet mission objectives, we are baking-in the security processes and looking into speeding up our ATO accreditation process by identifying areas where we can automate and use other agencies’ accreditations where it makes sense—almost like a continuous AO.”
A case study in AO automation and acceleration
Sharing an example of how the Air Force has adapted and automated its AO processes in a DevSecOps environment to become more resilient, Holzman explained how it comes together in support of the mission.
“First, there’s the foundational factory–the tools, the computers, the COTS products–everything we use to build the software. Then, we automate the communication mechanisms so that everything moves securely from the development to the production environment—where everything is locked down, safe.”
But agencies must also account for the human element and use training to facilitate a move away from a compliance culture that forces them to check boxes. Holzman continued, “We have a lot of people with degrees and certifications, but we’ve lost the art of the apprentice model. That hands-on learning that we believe will increase agility. We’re looking at ways to in-breed that continual learning and education into our process.”
Accelerating and automating the ATOs
The conversation included a question to Steven Pruskowski, ICIT Contributor & CISA, ST&E Federal Lead, Department of Homeland Security, pertaining to what ways he can conceive a DevSecOps pipeline automating an ATO, or at least some of the ATO processes.
Being quite specific, Steven shared how the concept of shifting everything left, back into the development side, starts by building the pieces the developers work on from scratch, looking at securing those first. In that way, we can use the reciprocity of all those pieces, for example a Java app.
Steven then described a case where we’ve already got the container built for a JVM and other pieces are secured, and now looking at the deltas—what does your code do, how to automate those analyses, learning what are the differences, what are the true findings, then feeding that back into the tools that get smarter, which allows the whole process to start speeding up. Then he discusses understanding how a piece of code works in a test environment and providing all that seamless feedback to our development teams if there are issues.
ATO acceleration and where to spend
Near the end of the conversation, Steven shared his thoughts on where best to spend money to improve the process. “I would say probably training, and not just for one specific skill, not just your developers, not just your security assessors, not just management, not just your AO—but everybody. Educate your developers… what are the new threats, what’s the changing landscape… what are the business risks we need to start focusing on.”
This article was originally published on GovDevSecOps Hub on December 3, 2020