ATO ASAP: Let’s finally fix the security compliance problem
The process federal agencies go through to prove a system is secure may actually be making us less secure. This is a problem that we must fix today, not tomorrow.
We've been talking about Authority to Operate (ATO) automation for several years now, even before former U.S. Deputy Chief Technology Officer Nick Sinai posed the radical question, "Could it be possible to complete the ATO process in just 24 hours?"
Fortunately, the short answer is: "Yes, now we can."
The ATO problem
The muddled, bureaucratic process to obtain an ATO and launch an IT system inside government is widely maligned — but beyond that, it has become a pervasive threat to system security. The longer government takes to launch a new-and-improved system, the longer an old and potentially insecure system remains in operation.
Let's stop doing the same thing over and over again
Government product owners must get an ATO to demonstrate compliance with common security standards and controls. But we have hundreds of agencies generating unique "compliance statements" for the same or similar products.
Systems Security Plans (SSPs) are the paperwork product of the ATO. They are hundreds of pages long and can be out-of-date the moment they are completed.
The solution isn't a Word document, printed and stored in a binder.
Instead, we need to introduce reciprocity, automation — and, above all, to examine the ATO requirements to determine what aspects are contributing to real system security.
Launch the Federal Compliance Library
We should reduce these redundant efforts by creating a Federal Compliance Library of vetted pre-sets, templates and baselines for various known IT systems and technology stacks.
Security and compliance checks will still need to be verified at the system level, but a Federal Compliance Library would at least prevent us from reinventing the wheel every time.
We should also convert compliance narratives into a machine-readable format and envision an enterprise-wide dashboard that holds compliance information and conducts actual security checks through continuous code monitoring.
The U.S. Centers for Medicare & Medicaid Services Office of Information Technology has a promising pilot in the works, as do a handful of other compliance forward-leaning agencies.
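To make the "machine-readable compliance plus continuous checks" idea concrete, here is an added example (not code from the article, the DayOne Project, CMS, or any agency pilot). It assumes a small constructed JSON format for control statements and a constructed evidence snapshot of the kind a monitoring agent might collect; the control ids, titles and check types are illustrative assumptions, not an actual federal baseline. The point it shows is that once a control is expressed as data rather than narrative, the same statement can be evaluated automatically and repeatedly, and that missing evidence is reported as unknown rather than silently passing.

```python
"""Compliance-as-code sketch: machine-readable control statements evaluated
against system evidence. Constructed example; the control format, ids and
evidence are assumptions for illustration, not any agency's standard."""
import json
from typing import Any, Dict, List, Optional

# Constructed control statements in a small, assumed JSON schema.
CONTROLS_JSON = """
[
  {"id": "AC-EX-1", "title": "Session lock after inactivity",
   "check": {"type": "at_most", "path": "session.idle_timeout_minutes", "value": 15}},
  {"id": "SC-EX-1", "title": "TLS 1.2 or newer only",
   "check": {"type": "equals", "path": "tls.min_version", "value": "1.2"}},
  {"id": "CM-EX-1", "title": "Telnet server package not installed",
   "check": {"type": "absent", "path": "packages", "value": "telnet-server"}},
  {"id": "AU-EX-1", "title": "Audit logging enabled",
   "check": {"type": "equals", "path": "audit.enabled", "value": true}}
]
"""

# Constructed evidence snapshot, as continuous monitoring might collect it.
# Note there is no "audit" section, so AU-EX-1 cannot be decided.
EVIDENCE: Dict[str, Any] = {
    "session": {"idle_timeout_minutes": 30},
    "tls": {"min_version": "1.2"},
    "packages": ["openssh-server", "nginx"],
}


def lookup(evidence: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted path like 'tls.min_version'; None if any part is missing."""
    node: Any = evidence
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_control(control: Dict[str, Any], evidence: Dict[str, Any]) -> Dict[str, Any]:
    """Return PASS/FAIL/UNKNOWN for one control. Missing evidence never passes."""
    check = control["check"]
    kind, expected = check["type"], check["value"]
    actual = lookup(evidence, check["path"])
    if actual is None:
        status = "UNKNOWN"  # no evidence collected: surface it, do not assume compliance
    elif kind == "equals":
        status = "PASS" if actual == expected else "FAIL"
    elif kind == "at_most":
        status = "PASS" if actual <= expected else "FAIL"
    elif kind == "absent":
        status = "PASS" if expected not in actual else "FAIL"
    else:
        raise ValueError(f"unknown check type {kind!r}")
    return {"id": control["id"], "title": control["title"], "status": status,
            "expected": expected, "actual": actual}


def evaluate_all(controls_json: str, evidence: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Evaluate every control statement in the JSON document against the evidence."""
    return [evaluate_control(c, evidence) for c in json.loads(controls_json)]


def summarize(results: List[Dict[str, Any]]) -> Dict[str, int]:
    """Counts per status, the kind of figure an enterprise dashboard would display."""
    summary = {"PASS": 0, "FAIL": 0, "UNKNOWN": 0}
    for r in results:
        summary[r["status"]] += 1
    return summary


if __name__ == "__main__":
    results = evaluate_all(CONTROLS_JSON, EVIDENCE)
    for r in results:
        print(f"{r['id']:8} {r['status']:7} {r['title']} "
              f"(expected {r['expected']!r}, observed {r['actual']!r})")
    print(summarize(results))
```

Run against the constructed evidence, the idle timeout control fails (30 minutes observed, 15 allowed), the TLS and telnet controls pass, and the audit control comes back UNKNOWN because no audit evidence was collected. Treating that gap as a distinct state rather than a pass is what keeps an automated check honest; a real deployment would replace the inline evidence with data pulled from configuration management or a monitoring agent on a schedule.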
Let agencies experiment
Finally, we should give agencies the tools and support they need to experiment with localized innovations and pilot automated compliance methods.
The DayOne Project published a detailed, specific plan of action to advance these common-sense solutions. The plan suggests a government-wide initiative spurred by Office of Management and Budget oversight and coupled with General Services Administration support for agencies.
Federal technology leaders have run this play many, many times.
If we collaborate and take deliberate steps to integrate automation, we can unlock the bureaucratic inertia that has stalled compliance modernization and fix the ATO problem once and for all.