Page 51 - FCW, March/April 2021

Ideas
ATO ASAP: How to streamline government security
A communal resource for commonly used components would allow agencies to focus on security postures that are truly unique
BY MARY LAZZERI
With the perfect brew of open technologies and culture, the federal technology community now has the potential to leapfrog how we manage security compliance and truly secure federal IT systems.
To do this, the community, public and private sectors alike, must “think different” and work openly, iteratively and collaboratively. This has worked for the technology community at large, enabling it to create continuous, exponential leaps in innovation.
By taking a systems thinking approach to the problem, we can effectively modernize the compliance process, make government more secure and save taxpayer money. Expediting the authority to operate (ATO) process is fundamental to all of this.
The bureaucratic process to obtain the ATO needed to launch a government IT system is slow, labor-intensive and expensive.
Agency product owners need an ATO to demonstrate compliance with common security standards and controls. The end paperwork product of an ATO, the system security plan (SSP), is a cumbersome document that becomes obsolete before it is even completed.
To compound all that, hundreds of federal agencies generate unique compliance statements for the same or similar products.
It’s time we build and maintain a Federal Compliance Library of reusable components that agencies can share and iterate on through a public/private partnership. The library would support cross-agency compliance efforts by offering vetted pre-sets, templates and baselines for various IT systems.
Reusable compliance components would enhance the creation, maintenance and understanding of SSPs. They would also support gap analysis, automated verification and ongoing assessments and authorization. Security and compliance checks would still need to be verified at the system level, but a Federal Compliance Library would prevent us from reinventing the components wheel.
Our end goal should be to:
• Shift compliance to developers and build it into the development process, rather than treat it as the last item on a bureaucratic checklist.
• Create the initial SSP with vetted, managed, component-based control implementation statements.
• Ease system audits with continuous monitoring and authorization.
The Federal Compliance Library could be both public and private Git repositories that contain reusable SSP components, paired with the code or configuration representing that component. Leveraging tools that developers already use can inform that shift.
Everything that can be released publicly and without requiring a login should be released. Aspects of SSPs that contain personally identifiable information or system-sensitive information can be excluded or shared privately.
To accomplish this, the code.gov metadata standard could be used to indicate repositories that contain SSP components. That way, the same inventory tools developed for code.gov could be used for building public and private compliance libraries, as well as assembling components from these libraries into systems.
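As a concrete sketch of the workflow described above, here is an added example (not code from the article, from code.gov or from any agency) that reads a code.gov-style code.json inventory, picks out the repositories flagged as SSP components, splits them into a public and a private library by usage type, and assembles an initial SSP from their control implementation statements while listing the baseline controls no component covers. The code.json field names used (releases, name, tags, repositoryURL, permissions.usageType) exist in the code.gov metadata schema; the "ssp-component" tag, the component file layout (name, satisfies[]), the sample inventory, the component statements and the control baseline are all constructed assumptions for the example.

```python
"""Discover SSP component repos via code.gov-style metadata and assemble an
initial SSP from their control statements, reporting gaps.

Added example. code.json field names are real; the "ssp-component" tag and the
component file layout (name, satisfies[]) are ASSUMED conventions.
"""
import json
from collections import defaultdict

# Constructed sample code.json inventory for a hypothetical agency "EXA".
SAMPLE_CODE_JSON = json.dumps({
    "version": "2.0",
    "agency": "EXA",
    "releases": [
        {"name": "managed-postgres-component", "tags": ["ssp-component", "database"],
         "repositoryURL": "https://github.com/example-agency/managed-postgres-component",
         "permissions": {"usageType": "openSource", "licenses": []}},
        {"name": "agency-sso-component", "tags": ["ssp-component", "identity"],
         "repositoryURL": "https://git.example.gov/internal/agency-sso-component",
         "permissions": {"usageType": "governmentWideReuse", "licenses": []}},
        # Ordinary application code, not a compliance component.
        {"name": "website-frontend", "tags": ["web"],
         "repositoryURL": "https://github.com/example-agency/website-frontend",
         "permissions": {"usageType": "openSource", "licenses": []}},
    ],
})

# Constructed component files keyed by repository URL, standing in for the
# file each tagged repo would carry beside its code or configuration.
SAMPLE_COMPONENTS = {
    "https://github.com/example-agency/managed-postgres-component": {
        "name": "Managed PostgreSQL",
        "satisfies": [
            {"control_key": "SC-28", "narrative": "Volumes and backups are encrypted at rest."},
            {"control_key": "AU-2", "narrative": "Connections, DDL and failed logins are logged."},
        ],
    },
    "https://git.example.gov/internal/agency-sso-component": {
        "name": "Agency SSO",
        "satisfies": [
            {"control_key": "IA-2", "narrative": "Users authenticate via the agency IdP with PIV/MFA."},
            {"control_key": "AC-2", "narrative": "Accounts follow IdP group membership."},
        ],
    },
}

# Constructed control baseline (NIST SP 800-53 control IDs) for the target system.
BASELINE = ["AC-2", "AU-2", "IA-2", "SC-7", "SC-28"]


def find_component_repos(code_json_text, tag="ssp-component", public_only=False):
    """Return releases tagged as SSP components.

    public_only=True keeps only openSource releases (the public library);
    anything else belongs in the private, login-protected library.
    """
    inventory = json.loads(code_json_text)
    selected = []
    for release in inventory.get("releases", []):
        if tag not in release.get("tags", []):
            continue
        usage = release.get("permissions", {}).get("usageType")
        if public_only and usage != "openSource":
            continue
        selected.append(release)
    return selected


def assemble_ssp(repos, components, baseline):
    """Merge component statements into an initial SSP keyed by control ID.

    Returns (ssp, gaps). Every inherited statement is marked "inherited"
    because the agency still has to verify it at the system level; gaps are
    the baseline controls no component covers and so need system-specific text.
    """
    ssp = defaultdict(list)
    for release in repos:
        component = components.get(release["repositoryURL"])
        if component is None:
            continue  # tagged repo with no component file: nothing to inherit
        for item in component["satisfies"]:
            ssp[item["control_key"]].append({
                "component": component["name"],
                "narrative": item["narrative"],
                "source": release["repositoryURL"],
                "status": "inherited",
            })
    gaps = sorted(control for control in baseline if control not in ssp)
    return dict(ssp), gaps


if __name__ == "__main__":
    repos = find_component_repos(SAMPLE_CODE_JSON)
    ssp, gaps = assemble_ssp(repos, SAMPLE_COMPONENTS, BASELINE)
    for control in BASELINE:
        for stmt in ssp.get(control, []):
            print(f"{control}: inherited from {stmt['component']} ({stmt['source']})")
    print("gaps needing system-specific statements:", gaps)
```

Run against the constructed inventory, the full (public plus private) library covers AC-2, AU-2, IA-2 and SC-28 and leaves SC-7 as the one control the product team must write itself; restricting the search to the public library drops the SSO component and widens the gap list to AC-2, IA-2 and SC-7, which is the signal an agency would use to decide what to pull from the private library or write from scratch.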
When agencies can seamlessly tap into a communal resource to share and collaborate on commonly used components, they will have more time to focus on addressing security postures that are truly unique and require more attention.
Mary Lazzeri was a digital technology adviser and bureaucracy hacker in the Obama administration’s White House. She is now director of federal strategy at CivicActions.