Per a Department of Defense (DoD) memorandum sent to senior Pentagon Leadership in February, 2022, it acknowledged that while the Risk Management Framework (RMF) establishes the continuous management of system cybersecurity risk, current RMF implementation focuses on obtaining system authorizations (ATOs), yet falls short in implementing continuous monitoring of risk once authorization has been reached.
DoD Chief Software Officer Jason Weiss stated that “The memo represents a concerted effort to raise-the-bar beyond what an existing paper document oriented authorization to operate (ATO) requires...Different services have created different standards and understanding of what it takes to reach this level of maturity. This memo is the first step to rectify this problem by spelling out very specific ingredients that must be present, and it captures that not every system can or should qualify for a cATO.”
It's not an abandonment of the NIST RMF at all, rather, a much-needed emphasis on the all-important step of Monitoring, a concept that the DoD, other federal agencies, and thousands of federal contractors have all struggled with.
The memo further notes how “Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces.”
In order to achieve cATO, the Authorizing Official (AO) must demonstrate the following:
- On-going visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls.
- The ability to conduct active cyber defense in order to respond to cyber threats in real time.
- The adoption and use of an approved DevSecOps reference design
Other important considerations from the DoD's cATO memo include the following:
- DoD CISO approved cATOs do not have an expiration date and will remain in effect as long as the required real time risk posture is maintained.
- The cATO determination does not affect the underlying system ATO. Rather, it modifies requirements for re-authorizing that system’s ATO.
- cATOs are a privilege and represent the gold standard for cybersecurity risk management for systems.
And it’s not just the DoD that’s embracing a move towards cATO. According to Bo Berlas, CISO, General Administration Services (GSA), “GSA is actively moving systems from traditional three-year authorizations to ongoing authorizations as a fundamental pivot away from traditional compliance to more outcome-oriented models focusing on operational security and automation.” GSA sees cATOs as “necessary and fundamental to balancing compliance workloads and with requirements to provide operational resiliency.”
Furthermore, says Berlas, for agencies seeking to adopt cATO, they need to use a “robust and formalized continuous monitoring program, which requires the ability to maintain ongoing situational awareness and ready response in the event of security events.”
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.