Last month, a memorandum was released for senior Pentagon leadership, defense agencies and Department of Defense (DoD) field activity directors urging the use of continuous Authorization To Operate (cATO).
In it, the DoD acknowledges that current Risk Management Framework (RMF) implementation focuses on obtaining system Authorizations To Operate (ATOs) but falls short in continuously monitoring risk once an ATO has been granted. The memo therefore provides guidance and sets out the competencies an information system must demonstrate to achieve cATO.
cATO is an alternative to traditional point-in-time ATOs and provides real-time (or near-real-time) data for the analytics used in cybersecurity reporting. The DoD views cATO as essential in combating increasingly complex cyber threats and as part of its strategy to enhance the Department’s cyber risk approach.
According to the memo, the aim of cATO is to formalize and monitor connections across systems and to enable systems to deliver cyber-resilient capabilities to warfighters at the speed of relevance.
cATOs are a privilege and represent the gold standard for cybersecurity risk management for systems.
This initiative is just one part of the federal government’s approach to standardizing and enhancing cybersecurity protections and monitoring.
It follows President Biden’s May 2021 Cyber Executive Order (EO 14028), which set out the government’s plans to modernize cybersecurity and adopt security best practices, including the adoption of a Zero Trust Architecture strategy as part of improved risk identification and monitoring.
Achieving continuous Authorization To Operate
There are three overarching competencies that Authorizing Officials must be able to demonstrate in order to achieve cATO:
- Visibility of key cybersecurity activities within the system boundary and robust continuous monitoring of RMF (Risk Management Framework) controls
A continuous monitoring strategy is required for each system. System Owners and System Providers must be able to effectively integrate automation and monitoring of all security controls.
- Ability to conduct active cyber defense to respond to threats in real-time
Scanning and patching are not enough; systems should be able to deploy countermeasures that stop cyber adversaries in real time.
- Adoption and use of an approved DevSecOps reference design
Systems must follow the Department of Defense’s Enterprise DevSecOps Strategy and adopt an approved DevSecOps Reference Design.
Process for cATO approval by DoD CISO
The Authorizing Official (AO) must notify their component CISO of their plan to move to cATO status. The AO and component CISO can then submit the request to the DoD CISO for consideration.
While DoD CISO-approved cATOs do not have an expiry date, permission to operate under cATO can be revoked. Revocation may follow a poor cybersecurity posture identified through external assessments or continuous monitoring, a change in risk tolerance, or insufficient adherence to best practice.
Using tools such as Nipper Enterprise is one way organizations can maintain a good cybersecurity posture: continuously monitoring network device configurations and identifying when the actual state deviates from the desired state.
Nipper Enterprise delivers accurate security assessment and RMF assurance at scale. It can assess up to 300,000 firewalls, routers and switches as often as hourly. Risks are prioritized and reported with device-specific remediation advice.
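To make the desired-state check concrete, here is an added illustration written for this article; it is not Nipper Enterprise code and does not reflect how that product works internally. It compares a constructed IOS-style golden configuration against a constructed running configuration, drops comments and volatile lines that change on every capture, keys indented lines under their parent block so that hierarchy is preserved, and escalates deviations that match a small, constructed table of risk rules (the rules, configs and severities are assumptions for the demo, not a published standard).

```python
"""Configuration drift check: compare a device's running config with its
desired (golden) state and report the deviations, ranked by risk.

Added example for illustration only; not Nipper Enterprise code. The golden
config, the captured running config and the risk rules are constructed for
the demo. A real baseline comes from the organization's hardening standard.
"""
from dataclasses import dataclass

# Top-level lines that legitimately differ between captures (timers, counters)
# and must not be reported as drift. Constructed list.
VOLATILE_PREFIXES = ("ntp clock-period",)

# Constructed risk rules: (deviation kind, leaf-line prefix, severity, note).
# "missing" = a required line is absent; "extra" = a line absent from the
# baseline is present in the running config.
RISK_RULES = [
    ("missing", "service password-encryption", "high", "local passwords stored unencrypted"),
    ("missing", "transport input ssh", "high", "SSH-only management access not enforced"),
    ("extra", "transport input telnet", "critical", "Telnet management access enabled"),
    ("extra", "ip http server", "medium", "cleartext HTTP management interface enabled"),
]


@dataclass
class Deviation:
    kind: str      # "missing" or "extra"
    line: str      # normalized line, prefixed with its parent block if indented
    severity: str
    note: str


def normalize(config: str) -> set[str]:
    """Reduce an IOS-style config to a set of comparable keys.

    Comments ("!"), blank lines and volatile lines are dropped and whitespace
    runs collapsed. An indented line is keyed under the top-level line it
    belongs to, so "transport input ssh" under "line vty 0 4" is distinct
    from the same line under "line con 0".
    """
    keys, parent = set(), ""
    for raw in config.splitlines():
        stripped = " ".join(raw.split())
        if not stripped or stripped.startswith("!") or stripped.startswith(VOLATILE_PREFIXES):
            continue
        if raw[0].isspace():
            keys.add(f"{parent} / {stripped}")
        else:
            parent = stripped
            keys.add(stripped)
    return keys


def classify(kind: str, key: str) -> Deviation:
    """Escalate a deviation whose leaf line matches a risk rule; else 'low'."""
    leaf = key.rsplit(" / ", 1)[-1]
    for rule_kind, prefix, severity, note in RISK_RULES:
        if rule_kind == kind and leaf.startswith(prefix):
            return Deviation(kind, key, severity, note)
    return Deviation(kind, key, "low", "deviation from desired state")


def check_drift(desired: str, actual: str) -> list[Deviation]:
    """Return every line missing from, or unexpected in, the running config."""
    want, have = normalize(desired), normalize(actual)
    return ([classify("missing", k) for k in sorted(want - have)]
            + [classify("extra", k) for k in sorted(have - want)])


def severity_counts(deviations: list[Deviation]) -> dict[str, int]:
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for d in deviations:
        counts[d.severity] += 1
    return counts


# Constructed golden (desired-state) config for one edge device.
GOLDEN_CONFIG = """\
hostname edge-fw-01
service password-encryption
no ip http server
ntp server 10.0.0.5
!
interface GigabitEthernet0/1
 description uplink
 ip address 10.1.1.1 255.255.255.0
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed running config as captured from the device: someone has
# disabled password encryption, enabled HTTP and re-enabled Telnet.
RUNNING_CONFIG = """\
! Last configuration change at 09:12:44 UTC Tue Mar 1 2022
hostname edge-fw-01
no service password-encryption
ip http server
ntp server 10.0.0.5
ntp clock-period 17180140
!
interface GigabitEthernet0/1
 description uplink
 ip address 10.1.1.1 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""

if __name__ == "__main__":
    findings = check_drift(GOLDEN_CONFIG, RUNNING_CONFIG)
    for d in findings:
        print(f"[{d.severity:>8}] {d.kind:<7} {d.line}  ({d.note})")
    print(severity_counts(findings))
```

Run on the sample pair, the check reports six deviations: one critical (Telnet re-enabled on the vty lines), two high (password encryption and SSH-only transport no longer enforced), one medium (HTTP server enabled) and two low-severity leftovers that are the "no ..." counterparts of the same changes. Keying child lines under their parent block is what keeps the comparison from treating an identical line in two different blocks as one, and the volatile-line list is what keeps an hourly run from paging on NTP timer drift; both lists would be maintained as part of the baseline rather than hard-coded in a real deployment.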
Following the memo, the DoD Chief Information Officer for Cybersecurity (CIO-CS) plans to release further guidance on cATO implementation and reaching cATO-approved status.