The Department of Defense (DoD) recently called continuous authorization to operate (cATO) the “gold standard” in cybersecurity. The current process for obtaining an authorization to operate (ATO) is a “point in time” exercise that is costly and time consuming, and its snapshot of a system’s security controls goes stale as soon as the system changes. Because of these problems, cATO, which keeps the authorization current as the system evolves, is gaining momentum as an alternative.
cATO can be a game changer: streamlining compliance, mitigating risk, and enabling agencies to deploy new IT capabilities faster than ever before. How does cATO differ from the traditional approach? What are cATO’s advantages? What are the biggest challenges to deploying cATO in Federal agencies? And what do agencies need to implement cATO?
To answer these questions, MeriTalk spoke with Travis Howerton, co-founder and chief technology officer (CTO) at continuous compliance platform provider RegScale. As CTO at the National Nuclear Security Administration and deputy CIO at Oak Ridge National Laboratory, Howerton witnessed agencies’ ATO and compliance challenges firsthand.
MeriTalk: How does a continuous ATO differ from a “point in time” ATO? The DoD’s recent cATO memo called it “a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.”
Travis Howerton: For years, systems were largely static. You deploy them and you create a Word document or Excel spreadsheet that lays out the security controls. It’s a point-in-time snapshot. But today, with the rise of cloud, containers, and the ability to spin services up and down on demand, systems are changing faster than ever before.
Taking a static approach to security controls into a dynamic technology environment creates a cadence mismatch. As a result, agencies have a hard time deploying new technology in a reasonable time frame – and feeling confident about its security. Their paperwork is obsolete almost the instant they write it.
DoD is going with cATO because they’ve recognized that archaic cyber processes are hindering their ability to get the latest, greatest technology to enhance their capabilities on the battlefield. They’re saying we need to fundamentally rethink the ATO process. That aligns well with RegScale, which is a real-time continuous compliance/continuous risk platform, not a point-in-time risk and compliance solution like others we’ve seen for the last 15 years with legacy governance, risk, and compliance (GRC) tools.
MeriTalk: What challenges does cATO present? What hurdles must agencies or contractors overcome to demonstrate compliance with the processes and regulations that are required for an ATO?
Howerton: One challenge is process change, which is difficult in government. People get married to their processes, which have helped them pass audits for years. They aren’t sure how to do the new thing.
The second part is the technology. They’re managing security controls with Word, Excel, SharePoint, or a legacy GRC tool. To be truly continuous, you need an API-driven, real-time, machine-to-machine architecture. This approach lets you determine progress against baselines and see your risk so you can decide if it is acceptable. That’s how the cloud works and how future technologies will work. ATO processes have to align to that rather than fighting it. NIST has recognized the need for machine-readable communication with its Open Security Controls Assessment Language (OSCAL) standard, and we were proud to be one of the earliest adopters.
MeriTalk: Tell us a bit about continuous compliance. What is it, and how does it help achieve continuous ATO?
Howerton: Today, a regulation or law says you must do something, and you draft a compliance policy and audit it periodically – typically by pulling samples or collecting evidence and screenshots. The system is very manual, reactive, and after the fact.
Most government agencies make great investments in continuous monitoring technical tools – cloud security posture management tools, vulnerability scanners, or security information and event management (SIEM) systems. They have a lot of data, but still need humans to go get it. If compliance became machine-readable, then machines could do that. Our system is a collection of APIs – pulling the data in real time so the paperwork updates itself.
We envision an evergreen system that’s constantly updating as things change in the real world. That’s a fundamental shift – to unlock the value in data and make better risk-based decisions closer to real time and at lower cost, because you don’t need an army of people figuring out what has changed. The machines just talk to each other. That’s the core of our platform and a big piece of our differentiation in the market that directly supports cATO.
MeriTalk: We’re familiar with the…
Read More: Continuous ATO can Reduce Agencies’ Compliance Headaches