THE CHALLENGE
Modernized software is critical to the function of most organizations. Imagine, then, the frustration of waiting more than a year for approvals to move forward. That was the reality for agencies within the U.S. government, which sets a high bar before it will accept the risk of allowing new software on its networks. The Authority to Operate (ATO) process requires a risk assessment that involves hundreds of pages, lots of complexity, and a manual for developers that is ambiguous in nature. It’s way too much information for a single human to quickly make sense of.
The ATO process is onerous at best, and discouraging to software companies that have regular code updates and don’t have capacity to dedicate the human talent necessary to deal with it, often at great expense to the company.
The government’s static and antiquated process is no match for the speed necessary for change in today’s world. In addition, the process focused largely on manual checklist compliance to validate security. The actual impact of the ATO process on cyber security was difficult to measure. The ATO process was negatively impacting government missions, taxpayers, and those who use software to access essential government services.
Knowing that its mission required something much faster with a larger impact on cyber security, the National Geospatial-Intelligence Agency (NGA) set an ambitious goal of “ATO-in-a-Day” for its own assessment and authorization (A&A) process. To achieve it, NGA and its Silicon Valley Outpost turned to BMNT to modernize and streamline the ATO process.
THE RESOLUTION
Using BMNT’s sprint process for creative problem-solving, we brought together NGA leaders with legal, information security, and development professionals from NGA, the National Reconnaissance Office, Special Operations Command, In-Q-Tel, and industry. Together, we developed solution concepts and designed Minimum Viable Products (MVPs) to test those concepts against the critical assumptions.
To do so, the coalition engaged with non-traditional industry experts, who provided a detailed risk assessment for various vulnerabilities that NGA wasn’t looking for and did not know existed. They also discovered largely unused internal tools that could shorten the time for some security processes from months to days. They achieved organizational agreement on a strategy to use the tools, which streamlined procedures and accelerated the approval process.
The entire process took less than 90 days. By the end, the NGA mindset shifted from collecting mountains of evidence to making informed risk decisions.
THE IMPACT
The immediate result was a new, unclassified platform that allowed NGA to automate control and configuration testing. This eliminated redundancies in the A&A process. The team also developed a new protocol to onboard software developers that incentivized them to include security considerations earlier in development. Basically, DEVSECOPS well before it was a familiar term in government.
Now, software is required to be built within NGA’s DevOps continuous integration pipeline, which accesses the fast-track A&A process. Security compliance is built into the DevOps pipeline, creating continuous testing and validation in software, not on a paper checklist. The platform provides up to 80% of the required security controls, meaning NGA can now ATO new software in less than a week.
Today, NGA is the model example of how the ATO process can be solved, giving other government agencies the confidence to do the same. ATO-in-a-Day was the model for the development of continuous ATO (cATO), which is currently in use in software factories throughout DoD.
