In the last episode of the ContinuousX Podcast, hosts Rick Stewart and Michael Fitzurka of DLT were joined by Kaitlin Bulavinetz, the Chief of Staff to the Chief Software Officer of the United States Air Force, to talk about enabling a DevSecOps culture in the military.
During their discussion, Kaitlin explained how culture plays a role in embracing DevSecOps in an enterprise, and how the Air Force is working to transition the organization to one that “embraces a DevSecOps mindset.”
In the second part of their discussion, which is featured in the most recent episode of the ContinuousX Podcast, the hosts and Kaitlin discuss the Air Force’s approach to authorizing applications, and the concept of continuous Authority to Operate (cATO) in the government.
Ultimately, the DevSecOps approach to application development is lauded for its ability to expedite application development and deployment without sacrificing quality or security. However, long authorization and approval processes can eliminate many of the benefits that agencies gain from shifting from traditional “waterfall” approaches to development to the more agile and rapid DevSecOps approach.
A cATO would be a dream for application development teams, freeing them to rapidly develop, patch, and deploy applications without the need for lengthy authorizations. However, in today’s increasingly sophisticated and constantly evolving security landscape, the concept of a cATO may seem impossible.
In the latest episode, Rick, Michael, and Kaitlin discuss if a cATO is possible for government application development teams in 2022, and the policies that the Air Force is embracing to ensure that the organization can continue to move at the speed of innovation.
Click the play button to listen to their conversation, or read the transcript of the podcast below.
Transcript: ContinuousX Podcast (Season 2, Episode 2) with Kaitlin Bulavinetz
Rick Stewart: Welcome back to our discussion with Kaitlin Bulavinetz, Chief of Staff to the Chief Software Officer of the United States Air Force, as we doggedly try to “Solve for X in the SDLC Equation.” Mike wanted to pose a discussion topic to you, Kaitlin, regarding Continuous ATOs.
Michael Fitzurka: Thanks. It seems that the Air Force has changed its approach from authorizing a system in the continuous ATO, or Authority to Operate, to a process of authorizing the platform, the process and then the team itself. Can you expand on this approach? How you came to it? What does it mean to authorize a team or various aspects? It’s fascinating.
Kaitlin Bulavinetz: It’s a great question. So, continuous Authority to Operate, it’s the state that’s achieved when the people, processes and the platform are performing continuous risk mitigation, cyber event monitoring and are maintaining their ability to be a resilient system.
When you’re looking at the people and the processes part, it’s recognizing that you can’t just authorize. The state of cyber is constantly evolving because the number of threats is constantly changing. It’s recognizing that you can’t just give something a stamp and say this is good in the state it is right now, because it’s constantly evolving.
So, what you do is, you do a traditional authorization for the infrastructure. And then on top of that goes the cATO where it’s authorizing the people and the process. It’s just making sure that the team is able to keep up with continuously monitoring the environment and making sure that they’re balancing their risk and mitigating any threats.
Michael Fitzurka: So, it’s the team’s capabilities then, it’s not the individuals themselves. It’s making sure that the team is doing the right activities on securing and continuing to secure their process.
Kaitlin Bulavinetz: Yeah, and you have the people you need; you have the assessors, the platform team, the software product team. That you have the right people involved. That they’re engaging in the right way. And so that’s really what it’s about. Just making sure that the people and the processes are in place that enable continuous monitoring. And what you automate, you do automate. This way people can focus on the really tough things.
Rick Stewart: Right. And that’s interesting, Kaitlin, because I have always found that incongruent with the way things actually work. When we talk to other agencies, and they do an ATO for their product, they get it released, and then maybe three months or so they do the infrastructure of the platform as a separate event or in a combined event with a new release of their product. And the reality is that things happen along the way, not just to your product or your service, but to the infrastructure itself; you might have a vulnerability, etc.
So, making changes to it could affect your service, etc. So, one of the things I found kind of puzzling is: how do you do that continuously? When you have that kind of process in place, it’s important for governance and compliance, but it’s not congruent with reality or, the way that you said, with things speeding up at the pace of relevance.
Kaitlin Bulavinetz: Yeah, and I think this is where your trust also factors in. Because it’s the idea that the team needs to continuously be looking for the threats. And you can’t just be like; “This is our perimeter, and we are safe in here no matter what we do.” That’s why we are saying that we have this authorization. It’s recognizing that things are constantly evolving. So, zero trust is a key part of the cATO that is part of Platform One, to speak very specifically.
Rick Stewart: Right, and you can’t hide within your perimeter when the perimeter is constantly changing and evolving and moving outward. So, it’s difficult.
Kaitlin Bulavinetz: And it’s moving in the direction of zero trust. So, I think that’s an area where this is a really exciting idea. Because when it comes to cATO you’re also making it possible…It’s easier for industry to work with the government because once you get that cATO, it makes it easier to consistently improve and consistently work together.
Rick Stewart: And evolve your product, because you’ll have the flexibility to capitalize on disruptive technology and process improvement and service improvement. So, agreed.
Kaitlin Bulavinetz: Yeah, exactly. And it’s just looking at things … It’s just looking at it from risk mitigation. And I think it’s important to note that the NIST framework, the cATO is in line with the framework. I think it’s also an exciting way to think about it, because it enables you to constantly be able to make those updates and see what else you can do.
Rick Stewart: Great. Well, thank you, Kaitlin. I think we can all agree that this topic in the public sector is incredibly important as we navigate the need for compliance and governance against the need to deliver services quicker. And thank you to our listeners for your time and attention. Join us for our next session with Kaitlin when we discuss improvements with provisioning tools and services within the public sector.