This article originally appeared on the Checkmarx blog.
An ATO, or Authority to Operate, is the formal authorization a software system must receive before an agency can use it in a production environment. The ATO is an essential component for information systems under the Federal Information Security Management Act (FISMA). Authorizing Officials (AOs) review the ATO process and ensure that it complies with agency security requirements.
The ATO process identifies the type of data that the system will manage and ascertains the level of risk related to the system should it be attacked, or worse, breached. Based on those outcomes, security controls are selected, implemented, and then assessed to determine their effectiveness in safeguarding the system.
Once the security controls are fully implemented and validated, the system may be granted an ATO and monitored to ensure compliance. The ATO is not an audit, but security auditors may use ATO documentation in security audits of the system to ensure that the security controls continue to be appropriate, maintained, and monitored effectively.
Here are some actionable steps that you and your agency can take to accelerate the ATO process, and more importantly, safeguard the data of those you serve.
Selecting Baseline Security Controls
While your specific applications and systems are unique to the work your agency conducts, the security needs and potential threats that your agency faces are not uncommon. Not only do you have the benefit of being able to draw on experience from organizations that specialize in security and threat remediation, but it’s also an industry best practice to use established and hardened tools and procedures to protect your systems.
Ideally, you want to identify tools and practices that you can fully integrate throughout the software development life cycle (SDLC). In the previous article, we discussed the principles of shift-left: moving security testing to the beginning of the process and incorporating it into the requirements and system design. Beginning with security in mind helps you design robust and secure systems, and you can validate the result by testing within the development process as your engineers add code, build it, and deploy it.
Training developers to code securely is as shift-left as you can get.
For this step in the ATO process, identify vendors and security integrations with a strong history of supporting other government agencies. Look for evidence that they are familiar with federal regulations and best practices. You may also want to consult with security professionals in other agencies to identify vendors they have experienced success with, as well as tools that are well maintained and easy to integrate with their systems.
Implementing Security Controls
Automation is critical to successful security implementation. Automation ensures that all additions and updates to your codebase pass through a gauntlet of standardized and repeatable security checks. Automation also enables you to scale your engineering activities while maintaining your security processes. Identify tools that allow you to automate your processes. A reputable security partner will provide integrations that can work within your development environment and with your integration and deployment pipelines.
Security controls should monitor for known vulnerabilities and validate that your systems include robust code patterns. As your systems may also have third-party libraries and frameworks, you want controls that can monitor and identify vulnerabilities within these components as well.
Developer education is also a critical component of resilient security practices. Your engineers must understand the importance of security, have relevant training in security best practices, and work with the tools you have in place. Knowledge of the security tools and how they function improves their ability to respond to warnings and potential vulnerabilities, and mitigate them effectively.
Monitoring and Reporting on System Security
A focus on security in all phases of the SDLC, together with automated security scans and validation utilities, forms the core of a successful security strategy and is critical for a successful ATO application. However, without a robust monitoring and reporting solution in place, you won’t be able to demonstrate the effectiveness of those systems. More importantly, you lose visibility into the process, making it difficult to identify opportunities to adjust and optimize your operations.
We identified key performance indicators (KPIs) that you should require from your security reporting system. Metrics such as vulnerability counts, mean-time-to-detect, and mean-time-to-respond provide essential insights into the health of your security implementation and the maturity of your engineering processes from a security perspective.
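As an added example (not code from the article or from Checkmarx), the following Python computes the three KPIs named above from a constructed set of scanner findings; the record fields, timestamps and severities are assumptions made for illustration, not any real tool's export format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample findings (not real scanner output). "introduced" is the
# commit time at which the vulnerable code or dependency entered the codebase,
# "detected" is the first scan that reported it, and "resolved" is when the
# fix was merged; None means the finding is still open.
FINDINGS = [
    {"id": "F-1", "severity": "high",     "introduced": "2024-03-01T09:00", "detected": "2024-03-01T10:00", "resolved": "2024-03-02T10:00"},
    {"id": "F-2", "severity": "critical", "introduced": "2024-03-02T08:00", "detected": "2024-03-02T11:00", "resolved": "2024-03-02T17:00"},
    {"id": "F-3", "severity": "medium",   "introduced": "2024-03-03T12:00", "detected": "2024-03-04T12:00", "resolved": None},
    {"id": "F-4", "severity": "high",     "introduced": "2024-03-05T00:00", "detected": "2024-03-05T08:00", "resolved": "2024-03-06T02:00"},
]

def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def vulnerability_counts(findings, open_only=True):
    """Findings per severity; by default only those still open."""
    return dict(Counter(f["severity"] for f in findings
                        if not open_only or f["resolved"] is None))

def mean_time_to_detect(findings):
    """Average hours from introduction to first detection, over all findings."""
    hours = [_hours(f["introduced"], f["detected"]) for f in findings]
    return sum(hours) / len(hours) if hours else None

def mean_time_to_respond(findings):
    """Average hours from detection to resolution. Open findings have no
    resolution time and are excluded, which flatters the figure, so always
    report MTTR beside the open count from vulnerability_counts()."""
    hours = [_hours(f["detected"], f["resolved"]) for f in findings if f["resolved"]]
    return sum(hours) / len(hours) if hours else None

def kpi_report(findings):
    """The three KPIs the article names, in one dict suitable for a dashboard."""
    return {
        "open_by_severity": vulnerability_counts(findings),
        "total_by_severity": vulnerability_counts(findings, open_only=False),
        "mttd_hours": mean_time_to_detect(findings),
        "mttr_hours": mean_time_to_respond(findings),
    }

if __name__ == "__main__":
    print(kpi_report(FINDINGS))
```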
You will want to maximize the effectiveness of the reporting and relevance to your ATO application by selecting security partners that include compliance as a core component of their reporting capabilities. Incorporate compliance standards such as FISMA, National Institute of Standards and Technology (NIST), Security Technical Implementation Guides (STIG), and others; select partners familiar with these standards.
Following the recommendations above won’t complete your application for an ATO or guarantee that you can satisfy all the requirements. Still, they will help you accelerate the process and design and build more secure systems as a result. If you’d like to learn more about the ATO process from a federal perspective, an excellent place to start is Navigating the US Federal Government Agency ATO Process for IT Security Professionals. You will also want to identify and meet with the AO for your agency and work with them to identify specific requirements that your agency may have, as well as resources within your agency that can assist you in your quest.