POLICY AS CODE IN SUPPORT OF CATO

Written By: Chet Hayes, Vertosoft CTO

DevOPs infinity symbol showing the DevOps process

Original picture sourced from Harness.

If you have spent any time developing or deploying software at a government agency, you have heard about Authority to Operate (ATO). Traditionally, an ATO was/is a point-in-time authorization. Systems would be subject to ‘rigorous’ testing & review, and once deemed secure by some group of humans by looking at written documentation and maybe some code reviews, were granted an ATO for a defined period.  In the case of the traditional Risk Management Framework (RMF), that ATO is for three years.  The challenge is that these ATOs are generally ‘static’ as they only review the system at a specific moment of time.  Turns out, mission requirements, technical innovation, security threats, and vulnerabilities are not static, requiring the system to be updated frequently. These updates require the system to go back through the ATO process and is almost always slow which hinders the mission.

The answer to the challenges presented by the legacy ATO process is moving to a Continuous Authority to Operate (cATO).  So, the big question is how do we get to a point where we have a cATO?  We can start by looking at guidance provided by the Department of Defense in a Memorandum regarding what must be demonstrated to achieve cATO.

  • Continuous Monitoring: “Continuously monitor and assess all of the security controls within the information system’s security baseline, including common controls.”
  • Active Cyber Defense: “the ability to respond to cyber threats in real, or near real time. Simply conducting scans and patching does not meet the threshold for active cyber defense. Systems must be able to show a real, or near real time ability to deploy appropriate countermeasures to thwart cyber adversaries.”
  • Secure Software Supply Chain: “In order to prevent any combination of human errors, supply chain interdictions, unintended code, and support the creation of a software bill of materials (SBOM), the adoption of an approved software platform and development pipeline(s) are critical. To achieve a cATO, a system must embrace the DoD Enterprise DevSecOps Strategy, aligning to an approved DevSecOps Reference Design.”

In support of these three areas, policy-as-code is a transformative approach that federal organizations are adopting to streamline their IT compliance processes. By allowing DevSecOps teams to programmatically define and enforce IT policies, policy-as-code ensures that development and deployment activities remain flexible without compromising on security and compliance. This approach enables IT specialists to codify policies once and enforce them at the onset of development, reducing the manual toil associated with policy assessments for every new software adoption or deployment. When IT specialists leave an organization, their expertise is retained and reused in policy agents, ensuring continuity in policy compliance operations. Moreover, developers are provided with guardrails, allowing them to safely utilize software and infrastructure assets while ensuring policy compliance. In the context of continual authority to operate, policy-as-code, combined with automated change management, ensures that any changes or deployments are in line with established policies, reducing the risk of non-compliance and ensuring that IT operations remain within the bounds of federal regulations.

If you or your organization is trying to figure out how to accelerate your software delivery, give us a call and let’s have a discussion how Vertosoft and our technology partners can support your efforts to achieve a cATO