Continuous ATO: The Realities and the Myths

Continuous Authority to Operate: The Realities and the Myths

The Continuous Authority to Operate (cATO), sometimes known as the Rapid ATO, is becoming necessary as the DoD and civilian agencies are putting more applications and data in the cloud. Speed and agility are becoming increasingly critical to the mission as the government seeks new features and functionalities to support the warfighter and other critical US government priorities.

What’s a Continuous ATO?

For purposes of this post, a continuous authority to operate (cATO) is the continuous authorization of software components such as containers by building security into the entire development lifecycle using DevOps technologies and processes ensuring that the application and its components meet security levels equal to or greater than what an ATO requires.

You authorize once and use the software component many times. With a cATO, you gain complete visibility into all assets, software security, and infrastructure as code.

There’s no better statement about the current process for obtaining an ATO than this commentary from Federal Computer Week:

“The muddled, bureaucratic process to obtain an ATO and launch an IT system inside government is widely maligned — but beyond that, it has become a pervasive threat to system security. The longer government takes to launch a new-and-improved system, the longer an old and potentially insecure system remains in operation.”

— Mary Lazzeri, ATO ASAP: Let’s finally fix the security compliance problem

DevSecOps can be at Odds with cATO

Myth! DevSecOps in the DoD and civilian government agencies is still the domain of early adopters. The strict security and compliance requirements — the ATO in particular — of the federal government make it a fertile ground for DevSecOps adoption. Government leaders such as Nicolas Chaillan, chief software officer for the United States Air Force, are championing DevSecOps standards and best practices that the DoD, federal government agencies, and even the commercial sector can use to launch their own DevSecOps initiatives.

One goal of DevSecOps is to develop and deploy applications as quickly as possible. An ATO is a bureaucratic morass if you’re not proactive. When you build a DevSecOps toolchain that automates container vulnerability scanning and other areas critical to ATO compliance controls, can you put in the tools, reporting, and processes to test against ATO controls while still in your development environment.

DevSecOps, much like DevOps, suffers from a marketing problem as vendors seek to spin the definitions and use cases that best suit their products. The DoD and government agencies need more champions like Chaillan in government service who can speak to the benefits of DevSecOps in the language that government decision-makers can understand.

Agencies need to adopt DevSecOps to prepare for the cATO 

Reality! The “shift left” story that DevSecOps espouses in vendor marketing literature and sales decks aren’t necessarily one size fits all. Likewise, DoD and federal agency DevSecOps play at a different level.

Using DevSecOps to prepare for a cATO requires upfront analysis and planning with your development and operations teams’ participation. Government program managers need to collaborate closely with their contractor teams to put the processes and tools in place upfront, including container vulnerability scanning and reporting. Break down your Continuous Integration/Continuous Development (CI/CD) toolchain with an eye on how you can prepare your software components for continuous authorization.

cATO is about technology and process only

Myth! As more elements of the DoD and civilian federal agencies push towards the cATO to support their missions, and a DevSecOps culture takes hold, it’s reasonable to expect that such a culture will influence the cATO process. Central tenets of a DevSecOps culture include:

  • Collaboration
  • Infrastructure as Code (IaC)
  • Automation
  • Monitoring

Each of these tenets contributes to the success of a cATO. Collaboration between the government program office, contractor’s project team leadership, third-party assessment organization (3PAO), and FedRAMP program office is at the foundation of a well-run authorization. IAC provides the tools to manage infrastructure such as virtual machines, load balancers, networks, and other infrastructure components using practices similar to how DevOps teams manage software code.

Reusable Components Make a Difference in cATO

Reality! The growth of containers and other reusable components couldn’t come at a better time at the Department of Defense (DoD) and civilian government agencies push to the cloud driven by federal cloud initiatives and demands from their constituents.

Reusable components save time and budget when it comes to authorization because you can authorize once and use the authorized components across multiple projects. Look for more news about reusable components coming out of Platform One and other large-scale government DevSecOps and cloud projects that can help push this development model forward to become part of future government cloud procurements.

Final Thoughts

DevSecOps represents the best case for the DoD and other agencies to achieve their cATO goals. However, the DoD and federal agencies need to step up their efforts to provide mentoring, coaching, reusable components, and other related technical and operational help to other DoD and government entities so others can learn from their lessons.