In a previous blog post, we talked about the shift-left movement and the principles behind DevSecOps. The article’s objective was to take the learnings and outcomes from processes and use them to assess the maturity of your security systems.
If you’d like see an example of the transition of DevSecOps in action, look no further: Learn How the Air Force and SSA Navigate the (Sometimes Bumpy) Flight to DevSecOps >>
In this article, we’re going to apply those concepts to the ATO process. Our goal is to provide you with actionable steps that you and your agency can take to accelerate the ATO process, and more importantly, safeguard the data of those you serve.
The exact process of applying for an ATO will depend on your agency and specific requirements they might have in place. While this article will not address those particular requirements directly, it will cover many of the foundational needs and orient you towards fulfilling those requirements with essential processes to monitor and report on the security of your applications and systems.
Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest - for now. By day he works as an Engineer Manager for a DevOps team, and by night he writes and tinkers with other technology projects. When he's not tapping on the keys, he can be found trail-running, hiking and exploring both the urban and the rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or Single-malt Scotch.
Understanding The ATO Process
An ATO or Authority to Operate is an authorization process that a software system needs to have before the agency can use it in a production environment. The ATO is an essential component for information systems under the Federal Information Security Management Act (FISMA). Authorizing Officials (AOs) review the ATO process and ensure that it complies with agency security requirements. The ATO process identifies the type of data that the system will manage, and ascertains the level of risk related to the system should it be attacked, or worse, breached. Based on those outcomes, security controls are selected, implemented, and then assessed to determine their effectiveness in safeguarding the system. Once the security controls are fully implemented and validated, the system may be granted an ATO, and monitored to ensure compliance. The ATO is not an audit, but security auditors may use ATO documentation in security audits of the system to ensure that the security controls continue to be appropriate, maintained, and monitored effectively.Selecting Baseline Security Controls
While your specific applications and systems are unique to the work your agency conducts, the security needs and potential threats that your agency faces are not uncommon. Not only do you have the benefit of being able to draw on experience from organizations that specialize in security and threat remediation, but it’s also an industry best practice to use established and hardened tools and procedures to protect your systems. Ideally, you want to identify tools and practices that you can fully integrate throughout the software development life cycle (SDLC). In the previous article, we talked about the principles of shift-left. You move security testing to the beginning of the process, incorporating it into the requirements and system design. Beginning with security in mind helps you design robust and secure systems. You can validate this by testing within the development process as your engineers add code and build and deploy it. Training developers to code securely is as shift-left as you can get. Discover more about developer training in the context of regulatory compliance. >> For this step in the ATO process, identify vendors and security integrations with a strong history of supporting other government agencies. Look for evidence that they are familiar with federal regulations and best practices. You may also want to consult with security professionals in other agencies to identify vendors they have experienced success with, as well as tools that are well maintained and easy to integrate with their systems.Implementing Security Controls
Automation is critical to successful security implementation. Automation ensures that all additions and updates to your codebase pass through a gauntlet of standardized and repeatable security checks. Automation also enables you to scale your engineering activities while maintaining your security processes. Identify tools that allow you to automate your processes. A reputable security partner will provide integrations that can work within your development environment and with your integration and deployment pipelines. Security controls should monitor for known vulnerabilities and validate that your systems include robust code patterns. As your systems may also have third-party libraries and frameworks, you want controls that can monitor and identify vulnerabilities within these components as well. Developer education is also a critical component of resilient security practices. Your engineers must understand the importance of security, have relevant training in security best practices, and work with the tools you have in place. Knowledge of the security tools and how they function improves their ability to respond to warnings and potential vulnerabilities, and mitigate them effectively.Monitoring and Reporting on System Security
A focus on security in all phases of the SDLC and automating security scans and validation utilities form the core of a successful security strategy are critical for a successful ATO application. However, without a robust monitoring and reporting solution in place, you won’t be able to demonstrate the effectiveness of those systems. More importantly, you lose visibility into the process, making it difficult to identify opportunities to adjust and optimize your operations. We identified key performance indicators (KPIs) that you should require from your security reporting system. Metrics such as vulnerability counts, mean-time-to-detect, and mean-time-to-respond provide essential insights into the health of your security implementation, and maturity of your engineering processes from a security perspective. You will want to maximize the effectiveness of the reporting and relevance to your ATO application by selecting security partners that include compliance as a core component of their reporting capabilities. Incorporate compliance standards such as FISMA, National Institute of Standards and Technology (NIST), Security Technical Implementation Guides (STIG), and others; select partners familiar with these standards. Checkmarx helps agencies uphold compliance requirements for FISMA, NIST, STIG and more. Visit Checkmarx for the U.S. Public Sector now. >>Learning More
Following the recommendations above won’t complete your application for an ATO or guarantee that you can satisfy all the requirements. Still, they will help you accelerate the process and design and build more secure systems as a result. Suppose you’d like to learn more about the ATO process from a federal perspective. In that case, an excellent place to start is Navigating the US Federal Government Agency ATO Process for IT Security Professionals. You will also want to identify and meet with the AO for your agency and work with them to identify specific requirements that your agency may have, as well as resources within your agency that can assist you in your quest.Additional Resources:
Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest - for now. By day he works as an Engineer Manager for a DevOps team, and by night he writes and tinkers with other technology projects. When he's not tapping on the keys, he can be found trail-running, hiking and exploring both the urban and the rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or Single-malt Scotch. 
