Comment

ATO ASAP: Streamlining government security with a Federal Compliance Library

low code development 

With the perfect brew of open technologies and culture, the federal technology community now has the potential to leapfrog how we manage government security compliance.

To do this, the community — public and private sector alike — must “think different” and work openly, iteratively and collaboratively. This has worked for the technology community at large, enabling it to create continuous, exponential leaps in innovation.

By taking a systems thinking approach to the problem, we can effectively modernize the compliance process, make government more secure and save taxpayer money.

Expediting the authority to operate (ATO) process is fundamental to all of this.

One of the top IT modernization priorities of the federal government technology community should be to build a Federal Compliance Library.

The problem: Component redundancy, duplication of efforts

As we previously wrote, the bureaucratic process to obtain the ATO needed to launch a government IT system is slow, labor-intensive and expensive.

Agency product owners need an ATO to demonstrate compliance with common security standards and controls. The end paperwork product of ATOs — systems security plans (SSPs)— are cumbersome documents that become obsolete before they’re even completed.

To compound all of this, we have hundreds of federal agencies generating unique compliance statements for the same or similar products.

The solution: A centralized, integrated components catalog

It’s time we build and maintain a Federal Compliance Library of reusable components that agencies can share and iterate on in a public-private partnership. 

This library would support cross-agency compliance efforts by offering vetted pre-sets, templates, and baselines for various IT systems.

Reusable compliance components will enhance the creation, maintenance and understanding of SSPs. They’ll also support gap analysis, automated verification and ongoing assessments and authorization. Security and compliance checks will still need to be verified at the system level, but a Federal Compliance Library would prevent us from reinventing the components wheel.

Our end goal should be to:

  • Shift compliance to developers and build it into the development process (versus treating it as the last item on a bureaucratic checklist).
  • Create the initial SSP with vetted, managed, component-based control implementation statements.
  • Ease system audits with continuous monitoring/authorization.

How the Federal Compliance Library could work

The Federal Compliance Library could be both public and private Git repositories that contain reusable SSP components, paired with the code or configuration representing that component. Leveraging tools that developers already use can inform that shift.

Everything that can be released publicly and without requiring a login should be. Aspects of SSPs that contain personally identifiable information or system-sensitive information can be excluded or shared privately.

To accomplish this the code.gov metadata standard could be used to indicate repositories that contain SSP components. That way, the same inventory tools developed for code.gov could be used for building public and private compliance libraries — as well as assembling components from these libraries into systems.

Compliance further, faster

When agencies can seamlessly tap into a communal resource to share and collaborate on commonly used components, they will have more time to focus on security postures that are truly unique and require more attention.

By building a Federal Compliance Library based on open, iterative, collaborative principles, the federal government technology community will go further, faster.

When it comes to truly securing our federal IT systems, we need this now more than ever.

About the Author

Mary Lazzeri is a former technology advisor and bureaucracy backer at the Office of the Federal CIO and United States Digital Service. She now serves as director of federal strategy with CivicActions.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected