Air Force pushes fast-tracked ATOs
- By Lauren C. Williams
- May 10, 2019
The Air Force plans to migrate 100 applications to the cloud this year, with the hope that most of them will use a new streamlined process to obtain authorization to operate (ATO) certification.
Getting an ATO can take around six to 18 months, Air Force Deputy CIO Bill Marion said May 7 during a keynote speech at a BMC Federal Exchange event. The goal is to get as many cloud-bound applications as possible using the Fast-Track ATO pilot, which Marion announced via memo in March.
"Imagine if you will an Air Force software ecosystem where these major factories are baking in security -- the things that we've talked about for a decade -- truly baking in security and remediation and pen testing [and sensors] into the process," he told FCW following the event.
Kessel Run, the Air Force’s popular software factory, has undergone penetration testing to see if rapid ATOs can be secure. And they have, Marion said.
"It basically validated the processes that we were performing were the right oversight process when developing code and looking at code," he said of the testing. "We've had to continue to refine and improve, but that's any software pipeline."
Marion said the vulnerabilities that were found were more or less expected and related to maturity rather than any "big smoking hole in our process."
Fast-Track ATO approvals involve a cybersecurity baseline, penetration testing and a plan for continuous monitoring. The Air Force is using Fast-Track alongside two existing pathways to approval -- the old Risk Management Framework and a phased framework called Operational Risk Tolerance Baseline. The USAF memo specifies that systems that "aren't prepared to endure a strong penetration test" are not good candidates for Fast-Track.
"What we’re doing is baking the right types of security into the process," Marion said.
The testing will continue, and Marion said he expects to have more data later this year.
Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.