Information security should be at the heart of every system launched. Under the Federal Information Security Management Act (FISMA), a federal information technology system is granted an Authorization to Operate (ATO) only after it passes a risk-based cybersecurity assessment.

The ATO Problem

However, the ATO process can pose several challenges to modern DevOps practices, because it requires an authorizing official (AO) to approve the system against a predefined baseline of security controls before the system is put into operation.

An ATO is typically valid for three years, on the assumption that the system's cybersecurity posture will not change significantly during that period. For a system that is continuously changed and redeployed, this assumption is unrealistic, so a "set and forget" ATO is inadequate. Each significant change then forces a reassessment and reauthorization, which adds cost and delays delivery to end users. What is more, a fixed-term authorization runs contrary to the DevOps principles of:

  • embracing continuous integration, testing, and delivery
  • embedding operations in the team to internalize expertise on delivery and maintenance

The Risk Management Framework (RMF) Solution

According to a Carnegie Mellon University study, the Risk Management Framework (RMF) offers an alternative to the traditional three-year ATO cycle: ongoing authorization decisions, also called continuous reauthorization. Published as NIST SP 800-37, the "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach" defines a structured process for securing, authorizing, and managing IT systems. The RMF process cycle covers both the initial protection of a system, culminating in an ATO, and the integration of ongoing risk management through continuous monitoring after the system is authorized.

The RMF transforms the traditional Certification and Accreditation (C&A) process into a six-step procedure that integrates information security and risk management activities into the system development lifecycle. (Revision 2 of SP 800-37, published in 2018, adds a preliminary Prepare step, bringing the count to seven.) The six steps are: