An Authority to Operate (ATO) is a government seal of approval for an IT solution to operate on government networks. It signifies that the software is functional and secure. Most ATOs are static because the results of security and risk assessments capture only a snapshot of an information system's security posture. As changes are made to the system, a new assessment must be completed to update that static security information. This process takes time, often resulting in slow releases of new features and capabilities. A continuous ATO (cATO) is a type of ATO that can be achieved to avoid this problem.
How does a cATO Work?
A cATO can be achieved when a system can demonstrate three key competencies: continuous monitoring, real-time cyber defense, and the adoption and use of an approved DevSecOps reference design.
- Continuous monitoring entails maintaining ongoing visibility of a system's cybersecurity posture. The controls in place to perform this monitoring and reporting must be common across the system.
- Real-time cyber defense involves the ability of the system to respond to active threats and cyberattacks. Countermeasures must be effective in thwarting attacks. Data on these attacks should be recorded and reported to official United States cybersecurity entities such as United States Cyber Command and JFHQ-DoDIN.
- An approved DevSecOps reference design is a certified set of processes, tools, platforms, and infrastructure used in combination to develop software. DevSecOps platforms can use inherited security models. Under an inherited security model, software that is built in accordance with pre-determined security protocols and policies, and that runs within the security guardrails of an accredited system, can inherit that system's ATO.
Benefits of a cATO
The benefits of a cATO relate to savings in time, cost, and required expertise for software providers:
- Software releases can be approved and released in hours versus months, complementing continuous integration and continuous delivery (CI/CD) pipelines.
- Software providers can avoid spending excess money on in-house security and government compliance experts.
- There is no need for software providers to develop their own private production environments.
- The cATO method removes the need for an itemized assessment of the thousands of security controls for every software release.
- Dynamic Application Security Testing (DAST) and other runtime scanning tools can be leveraged to test application security in production environments.
The benefits of a cATO are felt by all sides of the capability exchange. Authorizing officials, software providers, mission owners, and end users can all enjoy automated security assurance, greater access to secure virtual capabilities, and software that can adapt to meet changing conditions.
This ATO pathway offers great benefits in cost and time savings. It lends itself to more efficient security assessments and reviews by solving the problem of "snapshot" security perspectives that are only valid until the next software change is committed. cATOs can streamline security implementation, assessment, review, and certification for those providing software capabilities to the government.