The Department of Defense (DoD) plans to release the evaluation criteria for Continuous Authorization To Operate (cATO) in the coming weeks, according to George Lamb, director of cloud and software modernization in the DoD Office of the Chief Information Officer (CIO).

At ServiceNow's "Cloud Transformation Powering DoD Missions" event on Oct. 12, Lamb contrasted traditional ATOs, which he described as a "checkbox," with continuous ATOs, which are meant to demonstrate a system's security posture at any moment while it is running rather than once at authorization time.

“In the following weeks, the next big thing we’re going to release is the evaluation criteria for continuous authorization to operate. That’s a really big deal,” Lamb announced at the event.

Lamb said continuous ATOs support zero trust efforts because the first thing a defender needs to know is whether a cyber incident has occurred at all.

“So, continuous ATO puts the policy in place to mandate continuous monitoring so you know if something happens,” he said.

“We’re also building in continuous ATO at the active cyber aspect,” he added. “So, in the old days, it was kind of you wait for something to happen. And now, we’re actually having our red teams contractually going in and trying to break our systems.”

Lamb said the DoD CIO Office is also making sure that cyber teams know whom to call when there is a problem, so that the cybersecurity service provider (CSSP) is fully integrated into the process.

The final part of continuous ATO, Lamb said, is following the DevSecOps (Development, Security, and Operations) paradigm.

“If you’re looking at a lot of the attacks that are happening now, the attacks originally started in the supply chain – as code is being developed, things are getting baked in,” Lamb said. “So, we’re really securing the supply chain and using DevSecOps as the principle of knowing what comes into the factory, knowing how the software is composed at the factory level, and then all the software going through the factory … following all of the checks and balances through that demo. So that’s what’s next.”
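The three supply-chain controls Lamb describes (knowing what comes into the factory, knowing how the software is composed, and gating promotion on the checks) are usually implemented as a build-pipeline gate over an approved-input list and a software bill of materials (SBOM). The script below is an added illustration of such a gate and is not DoD or DoD CIO code; the dependency archives, the approved list, the CycloneDX-like SBOM shape, and the function names (`gate`, `may_promote`) are all constructed for the example.

```python
"""Illustrative DevSecOps supply-chain gate (added example, not DoD code).

Models three checks: an allowlist of vetted inputs ("what comes into the
factory"), an SBOM emitted by the build ("how the software is composed"),
and a promotion decision driven by both. All data below is constructed.
"""
import hashlib

# Constructed: the bytes of each dependency archive the build actually fetched.
# In a real pipeline these would be the downloaded artifacts on disk.
FETCHED_ARTIFACTS = {
    "requests-2.31.0.tar.gz": b"constructed archive bytes for requests",
    "urllib3-2.0.7.tar.gz": b"constructed archive bytes for urllib3",
    "leftpad-9.9.9.tar.gz": b"constructed archive bytes for a typosquat",
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist of vetted inputs, keyed by (name, version) -> digest.
# The urllib3 digest is deliberately wrong to simulate a swapped or tampered archive.
APPROVED = {
    ("requests", "2.31.0"): sha256(FETCHED_ARTIFACTS["requests-2.31.0.tar.gz"]),
    ("urllib3", "2.0.7"): "0" * 64,
}

# Constructed SBOM in a CycloneDX-like shape; "artifact" ties a component to
# the archive the build pulled in.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0", "artifact": "requests-2.31.0.tar.gz"},
        {"name": "urllib3", "version": "2.0.7", "artifact": "urllib3-2.0.7.tar.gz"},
        {"name": "leftpad", "version": "9.9.9", "artifact": "leftpad-9.9.9.tar.gz"},
    ],
}


def gate(sbom, approved, artifacts):
    """Return a list of ((name, version), reason) findings.

    An empty list means every declared component is on the approved list,
    its fetched bytes match the approved digest, and the SBOM accounts for
    everything the build fetched.
    """
    findings = []
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        blob = artifacts.get(comp["artifact"])
        if blob is None:
            findings.append((key, "listed in SBOM but artifact not present in build"))
            continue
        if key not in approved:
            findings.append((key, "not on the approved-input list"))
            continue
        if sha256(blob) != approved[key]:
            findings.append((key, "digest does not match the approved artifact"))
    # Anything fetched but absent from the SBOM means the SBOM is not a faithful record.
    declared = {c["artifact"] for c in sbom["components"]}
    for name in artifacts:
        if name not in declared:
            findings.append(((name, None), "fetched by the build but missing from SBOM"))
    return findings


def may_promote(sbom, approved, artifacts) -> bool:
    """True only when the gate produces no findings."""
    return not gate(sbom, approved, artifacts)


if __name__ == "__main__":
    for key, reason in gate(SBOM, APPROVED, FETCHED_ARTIFACTS):
        print(f"BLOCK {key[0]} {key[1]}: {reason}")
    print("promote:", may_promote(SBOM, APPROVED, FETCHED_ARTIFACTS))
```

Run as written, the gate blocks the build twice: `urllib3` because the fetched archive does not hash to the approved digest, and `leftpad` because nothing vetted it for entry into the factory. The last loop is the check most pipelines forget: an SBOM that omits a fetched dependency is worse than no SBOM, because it gives the authorizing official false confidence about composition.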

Shortly after that, Lamb said, the DoD plans to publish four "exemplars," one for each of the services: a presentation on cATO, followed by four examples of certified continuous ATOs, "and then follow that with guidance so that we can start replicating that capability."

DoDEA Looking to Implement Zero Trust

As the DoD CIO Office is looking to continuous ATOs to help zero trust efforts, the Department of Defense Education Activity (DoDEA) is hoping to reap those benefits.

At the same event, DoDEA CIO Mark Patterson said that his team is laser-focused on zero trust moving forward, especially as the DoD’s goal to implement zero trust across all enterprise systems by 2027 “is right around the corner.”

“We’re not looking at that as a negative but a positive in many ways,” Patterson said. “I think we easily could look at it grumbly as a negative, but it’s really a positive for us.”

“In fact, it’s going to bring a change to our architecture, which is really important,” he added. “I’ll be delivering WAN [wide-area network] connections at a school level versus an archaic form that I am now in the three regions. So, there’s a lot of changes coming with that that’s going to make it positive.”

DoDEA educates more than 72,000 children of active-duty military and DoD civilian families, and Patterson joked that he has “the most insider threats of anybody in the department” because of the smart DoDEA kids who try to get around his security.

And while transitioning to a new architecture while school is in session will be “a challenge,” Patterson said, he’s “looking at it positively.”

“We have a good team, governance has to be in place, we’re establishing more rigid governance in many ways around what we’re doing now, which will only help us in the future,” he concluded.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.