How achievable is the continuous Authority to Operate model?

Software is a critical component of military missions, but for too long, the Defense Department’s security compliance procedures have blocked organizations from delivering relevant software capabilities to the warfighter.

Mission requirements and cyber threats change quickly. Staying current requires agile development practices that continuously integrate and deliver high-quality software with reduced risk. Security authorizations should be equally nimble, but repeatedly seeking an Authority to Operate, or ATO, is notoriously time-consuming. Waiting for an ATO and working through assessments is often the longest step in deploying software. These delays can have significant consequences, especially on the battlefield.

There are better ways to manage the risk of information systems. DoD officials recently released the DevSecOps Continuous Authorization Implementation Guide , which maps out the principles of the continuous Authority to Operate, or cATO, model. After a system achieves its initial authorization, properly implementing cATO a la ongoing authorization is a fundamental step in the department’s vision to build a faster, more secure development environment and achieve software supremacy.

What is cATO?

Getting a traditional ATO requires a point-in-time check of security controls that can drag on for months. The exercise repeats when new features roll out or the authorization expires. Meanwhile, cyber adversaries continue to unveil novel threats.

cATO is an ongoing authorization for continuous delivery after achieving the initial authorization. It allows an organization to build and release new system capabilities if it can continuously monitor them against the approved security controls. To achieve cATO, DoD identifies three criteria organizations must meet:

— Continuous monitoring of security controls.

— Active cyber defense measures.

— The adoption of DevSecOps practices.

Shifting from periodic reviews to constant monitoring avoids drifting out of compliance and creates a more robust cybersecurity posture. This isn’t just theory; it’s a proven concept. As co-founder of the U.S. Air Force’s Kessel Run, we originally designed cATO as a specified approach to ongoing authorization for continuous delivery, without cutting any corners.

We applied DecSecOps principles to meet the National Institute of Standards and Technology’s Risk Management Framework , or RMF, requirements. In April 2018, DoD officials approved cATO for Kessel Run’s systems. The ongoing authorization granted authorization at the time of release and removed it as the bottleneck for lead time and deployment frequency. High performing DevOps organizations employing this approach often achieve lead time and deployment frequency that is measured in hours, which is considered “elite” in The State of DevOps Report .

Preparing teams for ongoing authorization

cATO is not a waiver or a shortcut to compliance with the RMF. Instead, the method tackles requirements at every step of the software development lifecycle to reduce risk. When done correctly, adopting this ongoing authorization strategy is still about authorizing the system, not “authorizing the people and the process” or employing “cATO pipelines.” That said, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, processes, and technologies.

To start, leaders must foster a culture of security awareness across the organization by eliminating bureaucratic barriers and recruiting the right technical talent. To shift left on anything, we have to make space for it. For example, cutting low-value work out of developer schedules or removing backlogs gives them time to work on security with their regular tasks.

Programs should have at least one dedicated independent technical assessor for their teams, who work for their Security Controls Assessor and Authorizing Official, to help get the software to production more efficiently. And because security doesn’t happen in a silo, build open lines of communication between security, development, and operations teams to synchronize the latest mission requirements.

Building a security baseline

A critical technical component of continuous authorization is maximizing common control inheritance. The RMF allows applications deployed on top of cloud and platform environments to inherit the underlying controls. Organizations like software factories or service-level programs with thousands of apps can quickly see time and cost savings by architecting for these authorized common controls providers.

The DoD has the opportunity to drive greater efficiency by providing centralized, inheritable security baselines and cloud services for department-wide use, or at a minimum, mission-wide use. Enterprise-wide common controls would enhance the entire department’s cyber posture and support faster software delivery for every service and component.

Building a transparent system

Successful cATO implementations require organizations to deeply understand a system and the cascading effects of any changes to it. Organizations must focus on transparency and traceability, embracing an everything-as-code mindset to ensure controls remain within the approved configurations.

Processes require digitization and, when feasible, automation, including documentation and evidence assessment. The most commonly used governance, risk and compliance platforms weren’t built for ongoing authorizations; systems with the ability to handle modular evidence packages may need to replace antiquated platforms. Give the team’s independent technical assessors access to logs, code repositories, and dashboards to monitor controls and communicate changes to authorizing officials as necessary.

One misconception is that pipelines are a magic wand for cATO. While they are an essential tool, there is much more required for ongoing authorization. A smart way to use pipelines is to incorporate scans that evaluate software against service-level agreements and block it from the production environment if issues remain.

At the end of the day, an organization pursuing cATO must produce a secure system and deliver new capabilities within an acceptable risk profile. Ongoing authorizations are the most effective way for DoD to streamline software delivery and ensure a future where fewer bad things happen because of bad software.

Bryon Kroger is the CEO and founder at Rise8 and co-founder of the U.S. Air Force’s Kessel Run, the Department of Defense’s first software factory, where he pioneered cATO.