How Agencies Can Take Advantage of DevSecOps and Automation to Accelerate ATOs
To discuss how agencies can take advantage of DevSecOps, while meeting their ATO and security requirements in the same timely fashion, Checkmarx and CloudBees, along with the Institute for Critical Infrastructure Technology and Cybersecurity (ICIT), recently convened a distinguished online panel to discuss how automation and modern tooling can help the ATO process and highlight real world examples of how this is being achieved.
As federal agencies develop more online services and systems to meet the mission of the U.S. government, their appetite and need to develop and deploy secure software applications rapidly continues to grow. Many agencies are embracing DevSecOps and cloud services as a way to release these applications quickly; however, the need to meet compliance standards (i.e. RMF, STIG, FISMA, HIPAA, etc.) to obtain their Authority to Operate (ATO) can slow down the process, or lead to exhaustive POAMs.
“As an AO, my goal is to identify the risk of use. What is the risk to the government of using a product? I liken it to a grocery store. Just as consumers look at the nutritional facts label before making a decision to buy a product, my goal is to create a ‘cyber risk label’ before I can inform my consumers in the Air Force whether there is a risk to using a product.”
Understanding the critical role of the ATO – nutritional facts label analogy
Kicking off the discussion, Daniel “Danny” Holtzman, ICIT Contributor & Cyber Technical Director with the U.S. Air Force, offered the perspective of an accreditation officer (AO) on the role of the ATO process.
“The reason why ATOs have become complicated is we’re dealing with complicated systems,” said Ross. “Authorizing a system involves a lot of moving parts. But as we transition from a paper-based to a digital, high speed ATO where continuous authorization becomes possible, DevSecOps is the right place to make that happen. We must work our security processes into the speed of mission.”
The ATO process – at odds with CI/CD
While the goal of any development and operations team in a DevSecOps environment is to roll out applications as quickly as possible, the ATO process can take time—which is at odds with the continuous integration/continuous delivery (CI/CD) processes. Commenting on why there is often pushback on the ATO process, Dr. Ron Ross, Fellow, NIST & 2019 ICIT Pioneer stressed the complexities of making informed risk decisions in government.
How streamlining ATOs fits into larger digital transformation
Emphasizing how accelerating the AO process can spur digital transformation, Ron Thompson, Associate CIO with NASA, discussed why speed of software delivery is important to the agency and how security accreditation must adapt.
Dr. Ross stressed that: “DevSecOps is the place to do that because as you go through that development process, you’re producing evidence and testing information that can be conveyed from the left of the lifecycle all the way to AO on the right side. In that way, we don’t burden the AO with everything they do today.”
A case study in AO automation and acceleration
Sharing an example of how the Air Force has adapted and automated its AO processes in a DevSecOps environment to become more resilient, Holzman explained how it comes together in support of the mission.
“We’re going through a point of transformation at NASA where we’re using digital as a lever to transform our workplace and workforce. The pace of delivery needs to change,” said Thompson. “As we look to deliver software faster to meet mission objectives, we are baking-in the security processes and looking into speeding up our ATO accreditation process by identifying areas where we can automate and use other agencies’ accreditations where it makes sense—almost like a continuous AO.”
But agencies must also account for the human element and use training to facilitate a move away from a compliance culture that forces them to check boxes. Holzman continued, “We have a lot of people with degrees and certifications, but we’ve lost the art of the apprentice model. That hands-on learning that we believe will increase agility. We’re looking at ways to in-breed that continual learning and education into our process.”
“First, there’s the foundational factory–the tools, the computers, the COTS products–everything we use to build the software. Then, we automate the communication mechanisms so that everything moves securely from the development to the production environment—where everything is locked down, safe.”
Being quite specific, Steven shared how the concept of shifting everything left, back into the development side, starts by building the pieces the developers work on from scratch, looking at securing those first. In that way, we can use the reciprocity of all those pieces, for example a Java app.
Accelerating and automating the ATO
The conversation included a question to Steven Pruskowski, ICIT Contributor & CISA, ST&E Federal Lead, Department of Homeland Security, pertaining to what ways he can conceive a DevSecOps pipeline automating an ATO, or at least some of the ATO processes.
ATO acceleration and where to spend
Near the end of the conversation, Steven shared his thoughts on where best to spend money to improve the process. “I would say probably training, and not just for one specific skill, not just your developers, not just your security assessors, not just management, not just your AO—but everybody. Educate your developers… what are the new threats, what’s the changing landscape… what are the business risks we need to start focusing on.”
Steven then described a case where we’ve already got the container built for a JVM and other pieces are secured, and now looking at the deltas—what does your code do, how to automate those analyses, learning what are the differences, what are the true findings, then feeding that back into the tools that get smarter, which allows the whole process to start speeding up. Then he discusses understanding how a piece of code works in a test environment and providing all that seamless feedback to our development teams if there are issues.
Federal Agencies can benefit from the full Checkmarx Software Security Platform, which combines SAST, SCA, IAST, and developer education solutions, to mitigate risk from software vulnerabilities earlier in the development lifecycle and empower their shift to a true DevSecOps model in light of ATOs.
Watch the discussion on-demand
In this hour-long discussion (now available on-demand), the panel also shared ideas about using machine learning to improve the AO workflow, how the DevSecOps pipeline can help automate some ATO processes, and why agencies must move away from a compliance culture that forces them to check boxes through training.