Increasing Federal IT Efficiency: How to Streamline the ATO Process Leveraging DevSecOps
As federal agencies embrace new IT modernization efforts, the ability to gain an Authority to Operate (ATO) to launch a new IT system takes on greater importance.
Usually issued as a formal declaration by a senior agency official, an ATO attests that an IT system or product is safe to operate on government networks.
This can only be achieved after an agency categorizes the system based on its criticality to government operations, determines which security measures must be implemented, and finally assesses the effectiveness of those measures. When an ATO is issued for an IT system, the authorizing official also assumes responsibility for the system's risks.
According to Nick Sinai, former U.S. Deputy CTO at the White House, it can take federal agencies a year or more to receive an ATO with a security plan that can be hundreds of pages long. Outside of complexity, time and cost, other challenges include understanding the overall documentation process and evaluating all risks.
By integrating development, security, and operations (DevSecOps), it is possible to streamline the entire ATO process while also ensuring that the IT system in question meets the highest security requirements.
In this first post of an ongoing series, we highlight how Makpar can apply its DevSecOps capabilities to help any agency meet upcoming ATO requirements.
ATO Brought to Life Through DevSecOps
Following are the DevSecOps stages of implementation that Makpar follows for improving the Federal ATO process.
Stage 1 – Plan: Often involving tools such as Jira, Confluence and RTC, this stage covers requirements analysis, agile planning, the development of release roadmaps, and threat modeling.
Stage 2 – Create: Leveraging tools such as Bamboo, Maven, GitLab, JUnit, Bitbucket and linters, this is the test-driven development phase, with an emphasis on secure coding. It also involves security spell checkers, security-focused unit testing, and iterative software engineering.
Stage 3 – Verify: Using tools such as Bamboo, SonarQube, GitLab, AppScan, and Dependency Checker, this phase covers build automation along with automated integration, regression, functional and security testing. It also includes Software Composition Analysis (SCA), black-box testing with Dynamic Application Security Testing (DAST) tools, and Interactive Application Security Testing (IAST). The tools Makpar uses not only produce more accurate results, but also address more of the control requirements, especially those that must be automated.
Stage 4 – Pre-Production: Leveraging tools such as Artifactory, Nexus, Chaos Monkey, Peach and Burp Suite, this phase covers release and configuration management, artifact storage management, test reporting, code quality analysis, environment and deployment staging, vulnerability management, and patch/exploit management.
Stage 5 – Release: Using tools such as Bamboo, Kubernetes, and Docker Hub, the release phase provides container orchestration, application deployment, rolling deployments, and artifact signing. These tools are also configured to generate meaningful artifacts, such as checksums and digital signatures, which provide evidence that we are protecting the integrity of our code base and signing our releases so that third parties can verify them. These artifacts are direct evidence that can be cross-referenced to NIST SP 800-53 r5 security controls, making it easier to demonstrate to an auditor that the controls are satisfied.
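The checksum-and-signature evidence described in this stage, shown as an added example rather than Makpar's own tooling: a release step hashes every artifact into a manifest, signs the manifest with an Ed25519 release key, and a separate verification routine (what a deploy gate or an auditor would run) rejects a bad signature, a modified artifact, or an artifact that was delivered but never listed. The control mapping attached to the manifest (SI-7 for integrity verification, CM-14 for signed components) is this example's assumption about which NIST SP 800-53 r5 controls the evidence supports, not a mapping taken from the post; the sample files are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Artifact is one release output with its SHA-256 digest (lowercase hex).
type Artifact struct {
	Name   string `json:"name"`
	SHA256 string `json:"sha256"`
}

// Manifest is the per-release evidence record. Controls lists the
// NIST SP 800-53 r5 control IDs the record is filed against (assumed
// mapping for this example: SI-7 integrity, CM-14 signed components).
type Manifest struct {
	Release   string     `json:"release"`
	Artifacts []Artifact `json:"artifacts"`
	Controls  []string   `json:"controls"`
}

// Evidence pairs the canonical manifest bytes with a detached Ed25519
// signature computed over exactly those bytes.
type Evidence struct {
	Manifest  []byte
	Signature []byte
}

// ControlMapping is the assumed control set attached to every manifest.
var ControlMapping = []string{"SI-7", "CM-14"}

// sha256Hex returns the hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every artifact and lists them in sorted order so the
// serialized manifest is deterministic (same inputs always sign to the same bytes).
func BuildManifest(release string, files map[string][]byte) Manifest {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	m := Manifest{Release: release, Controls: ControlMapping}
	for _, n := range names {
		m.Artifacts = append(m.Artifacts, Artifact{Name: n, SHA256: sha256Hex(files[n])})
	}
	return m
}

// SignManifest serializes the manifest and signs the bytes with the release key.
// Only the serialized bytes are signed, so the verifier checks those same bytes.
func SignManifest(m Manifest, priv ed25519.PrivateKey) (Evidence, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return Evidence{}, err
	}
	return Evidence{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyEvidence checks the signature first, then recomputes every digest
// against the delivered files, and finally rejects any delivered file that
// the signed manifest does not list.
func VerifyEvidence(ev Evidence, pub ed25519.PublicKey, files map[string][]byte) error {
	if !ed25519.Verify(pub, ev.Manifest, ev.Signature) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(ev.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	listed := make(map[string]bool, len(m.Artifacts))
	for _, a := range m.Artifacts {
		listed[a.Name] = true
		data, ok := files[a.Name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest but not delivered", a.Name)
		}
		if sha256Hex(data) != a.SHA256 {
			return fmt.Errorf("artifact %q digest mismatch", a.Name)
		}
	}
	for n := range files {
		if !listed[n] {
			return fmt.Errorf("artifact %q delivered but not in signed manifest", n)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release: two build outputs, not real project artifacts.
	files := map[string][]byte{
		"app.tar":       []byte("constructed application bundle"),
		"app-sbom.json": []byte(`{"components":[]}`),
	}
	ev, err := SignManifest(BuildManifest("1.4.0", files), priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("manifest: %s\n", ev.Manifest)
	fmt.Println("clean verify:", VerifyEvidence(ev, pub, files))
	// Modify a delivered artifact after signing; the digest check catches it.
	files["app.tar"] = []byte("modified after release")
	fmt.Println("tampered verify:", VerifyEvidence(ev, pub, files))
}
```

The signed manifest plus the public key is the artifact an auditor needs: the manifest names the controls it is filed against, and anyone holding the public key can re-run the verification without access to the build system. In a real pipeline the private key would live in a signing service or HSM rather than be generated in-process as it is here.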
Stage 6 – Prevent: Leveraging security tools from Cisco, Fortinet, Forcepoint, and Exabeam, this phase provides configuration assurance and establishes defense-in-depth measures and network monitoring. We also offer user traffic analysis through identity detection and user and entity behavior analytics, and use next-generation firewalls and privileged access management.
Stage 7 – Detect: Using tools such as Nessus, Arxan, Trusteer, Splunk, and ELK, this phase covers latency, error, saturation and log analysis. Alongside Runtime Application Self-Protection (RASP), it also builds out incident alerting and Security Information and Event Management (SIEM).
Stage 8 – Respond: Leveraging tools such as Rapid7, Demisto, ArcSight, and QRadar, this phase involves developing incident response playbooks, on-call SRE duties, Security Orchestration, Automation and Response (SOAR), and alert delivery systems.
Stage 9 – Predict: Using the STIX and TAXII standards, this phase analyzes indicators of compromise and covers prediction, response and intelligence sharing, correlated vulnerability analysis, CVSS risk scores, and overall pattern analysis.
Stage 10 – Adapt: The final phase, supported by Jira and Confluence, is the time for sprint reviews, report analysis, tech debt reviews and gap analysis.
Conclusion
Reducing the complexities in the overall ATO process is critical for federal agencies, especially as new IT modernization efforts are coming into play. Being able to securely leverage next-generation IT systems should always take priority – with the right security measures in place.
By leveraging comprehensive DevSecOps capabilities, it is possible to bring any federal ATO to life in ways that are highly repeatable and scalable. In the coming weeks, we will be launching mini blog posts that detail each step of our DevSecOps process, reinforcing how valuable this approach can be for attaining an IT systems ATO.
Makpar’s DevSecOps support services address security problems by integrating security into every stage of the software delivery process, and we use an Agile methodology to manage our projects.
We understand the importance of all factors within a mature DevSecOps continuous integration and continuous delivery (CI/CD) cultural framework, and our DevSecOps CI/CD model generates efficient, automated productivity within development, testing, and production environments.
Please contact us here for more information about how Makpar can streamline your agency’s ATO processes.