Following numerous cyber attacks on government and public utilities, an executive order was issued in 2021 to improve the nation’s cybersecurity posture through system modernization and the adoption of stronger cybersecurity standards. For government suppliers, this means that whenever a new software application or information system is built by or for the federal government, an Authorization to Operate (ATO) must be obtained first.
An ATO, which must be aligned with the NIST Risk Management Framework (RMF), is a fundamental step to meeting security compliance before launching a software application.
Challenges in Obtaining an ATO
Obtaining an ATO is a tedious and exhaustive process. Recent research identifies the time it takes to obtain an ATO, ranging from two to more than four months, as a major challenge for federal government agencies. The delay arises because thousands of requirements must be covered consistently when writing security policies and putting mitigation controls in place. Remember, the ATO application process must comply with the NIST Risk Management Framework, which includes 1) categorizing the system based on the potential adverse impact on the organization, 2) selecting relevant security controls, 3) implementing the security controls, 4) assessing the effectiveness of the security controls, 5) authorizing the system, and 6) monitoring the system.
Another significant hurdle in obtaining an ATO arises when monitoring of implemented controls is done manually. The same research reveals that 62% of government agencies use spreadsheets to track implemented controls by hand. This process is error-prone and time-intensive.
Best Practices to Address ATO Processing Challenges
Resolving these challenges across the ATO process lifecycle calls for several best practices, including:
Shifting Left. One way to accelerate software development is to “shift left” or to move security controls into the earliest phases of the Software Development Life Cycle (SDLC). It is better to discover weaknesses at the start of the lifecycle so mitigation controls can also be established early on.
Centralized Documentation. Documentation is crucial in the ATO process. A single repository for all ATO documentation ensures a controlled and auditable environment and facilitates certification.
Integration. To streamline the development of software, integrating tracking tools such as Jira, Archer, and ServiceNow is extremely useful.
Automation. Manual practices impede software time to market. By using automation, the ATO process can be expedited.
Accelerate the ATO Process with Intelligent Automation
Certain steps in the NIST RMF, such as selecting and implementing security controls and monitoring the system, can be automated to accelerate the ATO process and achieve continuous compliance.
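The page argues that tracking implemented controls in spreadsheets is error-prone and that the monitoring step of the RMF can be automated. The script below is an added example written for this article; it is not code from the page, from Alpha Omega, or from UiPath. It treats the spreadsheet export itself as the input: a constructed CSV inventory (the column names `control_id`, `status`, `evidence_uri`, `last_assessed` and `owner` are assumptions for this example, and the rows are sample data) is parsed, and each control is checked for the gaps an assessor would raise during continuous monitoring: unimplemented controls, implemented controls with no evidence on file, stale assessments, and controls with no accountable owner. The same checks can be run on every commit or on a schedule, which is what turns a point-in-time ATO into continuous compliance.

```python
"""Automated gap check over a control-tracking inventory.

Added example for this article, not from the page or from any vendor product.
Control IDs follow the NIST SP 800-53 naming style; the inventory rows and the
column layout are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory, in the shape a tracking spreadsheet is usually
# exported to (CSV). The column names are assumptions for this example.
SAMPLE_INVENTORY_CSV = """control_id,status,evidence_uri,last_assessed,owner
AC-2,implemented,s3://evidence/ac-2-account-review.pdf,2024-03-01,identity-team
AU-6,implemented,,2024-02-15,soc
CM-6,partially implemented,git://config-baselines/cm-6,2023-06-30,platform
IA-5,implemented,https://wiki.example/ia-5,2024-01-20,identity-team
SI-4,not implemented,,,soc
RA-5,implemented,s3://evidence/ra-5-scan-summary.csv,2023-11-01,
"""

# Fixed "today" so the sample run is reproducible; a real job would use date.today().
DEFAULT_AS_OF = date(2024, 4, 1)


def load_inventory(csv_text):
    """Parse a CSV export into a list of dicts, normalising blank cells to None."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({k: (v.strip() or None) for k, v in row.items()})
    return rows


def find_gaps(inventory, as_of, max_age_days=180):
    """Return one (control_id, reason) tuple per finding.

    The checks mirror what an assessor looks for in the monitoring step:
    controls not fully implemented, implemented controls without evidence,
    assessments older than max_age_days, and controls with nobody accountable.
    """
    gaps = []
    cutoff = as_of - timedelta(days=max_age_days)
    for row in inventory:
        cid = row["control_id"]
        status = (row["status"] or "").lower()
        if status != "implemented":
            gaps.append((cid, f"status is '{status or 'unknown'}'"))
        elif row["evidence_uri"] is None:
            gaps.append((cid, "implemented but no evidence recorded"))
        if row["last_assessed"] is None:
            gaps.append((cid, "never assessed"))
        elif date.fromisoformat(row["last_assessed"]) < cutoff:
            gaps.append((cid, f"assessment older than {max_age_days} days"))
        if row["owner"] is None:
            gaps.append((cid, "no owner assigned"))
    return gaps


def summarise(inventory, gaps):
    """Count controls with at least one finding, for a dashboard tile."""
    flagged = {cid for cid, _ in gaps}
    return {
        "total": len(inventory),
        "flagged": len(flagged),
        "clean": len(inventory) - len(flagged),
    }


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_INVENTORY_CSV)
    findings = find_gaps(inv, as_of=DEFAULT_AS_OF)
    for cid, reason in findings:
        print(f"{cid}: {reason}")
    print(summarise(inv, findings))
```

Run as a script, it lists six findings across four controls (AC-2 and IA-5 are clean) and prints a summary suitable for a dashboard. Because every rule is explicit code rather than a cell someone must remember to update, the output is reproducible and auditable, which is the property a manually maintained spreadsheet cannot give an authorizing official.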
Alpha Omega’s A20™ is a next-gen ATO solution that enables federal agencies to obtain an ATO certification in weeks instead of months by replacing tedious and error-prone manual data collection with intelligent automation. Built on, and in collaboration with, the industry-leading automation vendor UiPath, A20™ takes a continuous automation approach to ATO by automating the collection of data from manual controls, executing the controls, identifying gaps, and increasing observability and transparency through technical and operational dashboards.
Using intelligent bots to automate the selection and implementation of security controls, A20™ eliminates manual data processing by automating data collection, validation, and reporting. It also helps automate monitoring by providing a method to evaluate the system, eliminate false positives, and support continuous monitoring.
To learn more about how Alpha Omega can help accelerate your ATO process, contact us today.