In today’s rapidly evolving technology landscape, federal agencies face multiple challenges. They must stay current with the latest digital innovations, keep pace with regulations, respond to demand for improved services, accommodate ever-changing citizen needs, and support an increasingly virtual workforce. These challenges require agencies to foster a culture of successful and sustained change rooted in a foundation of robust cybersecurity practices. This is especially important for federal health agencies where data availability impacts the timeliness of health services and care. However, traditional Authorization to Operate (ATO) approaches, in which the federal government approves an IT system for a set period based on a one-time security evaluation, can leave agencies vulnerable to threats in between reassessments that are typically every three years – an especially long time in today's threat environment.
With continuous Authorization to Operate (cATO), federal agencies establish a software factory that encompasses all necessary tools and processes to develop applications securely. Once an application is deployed, it undergoes continuous monitoring and testing to detect and address any new security threats. Through this continuous approach, vulnerabilities are mitigated, and critical operations remain uninterrupted. By subjecting the software factory to regular assessment, validation, and monitoring, federal technology leaders know that all systems are secure and can automatically receive an ATO.
The cATO process offers another benefit: it is a catalyst for overall cultural change, particularly for federal health agencies and the volume of data they process. cATO accelerates the shift to applying agile principles and DevSecOps practices as a foundation for development. The speed, scale, and security of this nimbler approach improve data protection and usability, which helps drive successful change initiatives at federal health agencies like the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention, and the Veterans Administration.
As cATO introduces security innovation and expedites change across the enterprise, agencies find other benefits that impact their mission. For health agencies in particular, the benefits of cATO may contribute to better health outcomes and equity by providing:
This proactive approach positions agencies for innovation and continual protection against the mounting security threats of our modern world. It also ensures consistent use of cybersecurity best practices with automated validation and monitoring of the organization’s security posture. With this foundation, agencies establish a model for efficiency with:
It should be noted that, while the up-front costs of cATO can be high, a robust and thoughtfully executed cATO approach pays dividends in the long run. This is because cATO allows federal agencies to adapt and evolve their security practices throughout the application and software development lifecycles. They keep pace with an ever-changing threat landscape and can avoid larger security threats and emerging cyber attacks.
A challenge for many federal health agencies is shifting their mindset to embrace ongoing change as an enabler for delivering better outcomes while still ensuring security. cATO addresses this by bringing security to the forefront in the application and software development life cycle (SDLC). Rather than being a hindrance to progress, cATO instills a culture of speed and agility to deliver enhanced services to citizens.
Adopting a cATO framework requires a shift to an agile methodology that prioritizes security at each stage of development. cATO takes the acceleration of the SDLC to another level, ensuring that cybersecurity keeps up with development. Cybersecurity becomes the responsibility of all, not just some. Each team member receives training, creating tight-knit collaboration between engineering, operations, and security teams.
cATO blends advanced technologies, robust security processes, and a culture of security to improve the end-to-end protection of applications and environments.
With cATO, agencies can leverage a software factory that blends risk management and agile development practices. DevSecOps tools create an automated pipeline to discover vulnerabilities before application deployment, enabling rapid resolution without compromising systems or data. In addition, a secure application development approach based on a Scaled Agile Framework (SAFe) with an enhanced focus on cybersecurity guards the software supply chain against attacks and vulnerabilities. This approach removes exposure to single points of failure by overlapping each individual security control.
Assessment, validation, and monitoring of the software factory give federal IT leaders assurance that all products and systems coming out of it are secure as a result of the cATO approach. An open monitoring and reporting dashboard is a key component of any cATO process to provide a real-time, granular view of application security for rapid issue identification and tracking remediation. Once deployed, applications are continuously monitored and tested against new security threats while vulnerabilities are mitigated for uninterrupted mission operations.
With a modular application development process, agencies can build control inheritance, continuous security checks, and Zero Trust security protocols into every stage of application and system design. Authorizing officials can approve sections of an application so that the whole application becomes accredited, allowing individual sections to be updated as necessary without invalidating the accreditation of the entire system.
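As an added illustration (not code from the original post), a small Python model of the modular authorization described above: each component inherits the software factory's platform controls and is assessed on its own, so a code change to one component invalidates only that component's assessment while the rest of the system keeps its accredited state. The control identifiers and component names are constructed for this example; the page names no specific controls.

```python
"""Toy model of modular cATO: components inherit the software factory's
platform controls and are assessed individually, so updating one component
invalidates only that component's assessment, not the whole system's."""
from dataclasses import dataclass, field

# Constructed example: control IDs borrow NIST SP 800-53 naming for
# illustration only; the page names no specific controls.
PLATFORM_CONTROLS = frozenset({"AC-2", "AU-2", "SC-7", "SI-4"})  # inherited from the factory


@dataclass
class Component:
    name: str
    own_controls: set          # controls the component implements itself
    assessed: bool = False     # True once a continuous assessment has passed

    def effective_controls(self) -> frozenset:
        """Controls the component satisfies: its own plus the inherited ones."""
        return frozenset(self.own_controls) | PLATFORM_CONTROLS


@dataclass
class SystemAuthorization:
    required: frozenset                        # baseline every component must meet
    components: dict = field(default_factory=dict)

    def add(self, comp: Component) -> None:
        self.components[comp.name] = comp

    def gaps(self, name: str) -> set:
        """Required controls the named component does not satisfy."""
        return set(self.required - self.components[name].effective_controls())

    def assess(self, name: str) -> bool:
        """Continuous check for one component; it passes only with no gaps."""
        comp = self.components[name]
        comp.assessed = not self.gaps(name)
        return comp.assessed

    def update(self, name: str, new_controls: set) -> None:
        """A change lands in one component: only that component loses assessed state."""
        comp = self.components[name]
        comp.own_controls = set(new_controls)
        comp.assessed = False

    def is_authorized(self) -> bool:
        """The system is authorized when every component has passed assessment."""
        return bool(self.components) and all(c.assessed for c in self.components.values())
```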
While managing security controls using agile processes is vital at every phase of the SDLC, it is also important to validate development processes. Development processes can be validated against cybersecurity frameworks including the Open Web Application Security Project's Software Assurance Maturity Model (SAMM) and the Building Security in Maturity Model from Synopsys.
cATO is critical to improved cybersecurity and a catalyst for change in development, processes, and resourcing. With touch points and stakeholders across agencies, cATO generates momentum toward greater agility and responsiveness while driving much needed secure transformation. Agencies can expect this combination of benefits to provide a positive cultural change that meets expectations for government efficiency.