Automating Continuous Authorization

As the federal government moves ahead with IT modernization, it’s making an important change in the mechanism that ensures IT systems, apps and other assets are secure and ongoing continuous authorization practices are implemented for obtaining and maintaining Authority to Operate (ATO). By automating Continuous Authorization, and integrating it with DevSecOps development pipelines, agencies can ensure that the modern, agile IT capabilities they’re deploying have security built in, not bolted on.

The most powerful kinds of automation use artificial intelligence to reduce both the labor involved and the prevalence of errors in preparing an ATO — and they automate compliance, too.

Accenture’s Cyber Assurance Integration Framework, or CAIF, is a methodology and toolset that can enable automation for Continuous Authorization and ultimately improve agencies’ security and cyber assurance posture.

The challenges of paper-based ATO

For years agencies have relied on a cumbersome, paper-based process by which system owners manually document the security measures they have in place and demonstrate their compliance with relevant risk management, privacy, data security and other requirements. The resulting bundle of paper goes to the Authorizing Official, who has to sign off — to issue the ATO — before the system can go live.

The paper-based ATO process is lengthy and laborious. Every agency has a slightly different procedure, but the end result is the same: A static snapshot of a system’s security at a single point in time. Many experts regard this as less than useful in a dynamic threat environment where new vulnerabilities are emerging, and patches for them being released, on a weekly basis.

It’s also labor-intensive. Compliance to multiple frameworks or standards, often with duplicative or overlapping requirements, must be diligently recorded. A paper-based ATO typically takes six-to-nine months to complete for a Civilian agency, twice that in DoD. Security professionals must spend valuable time doing repetitive documentation tasks, rather than hunting for intruders on the agency’s networks or performing other proactive security missions.

Automated tools for authorization like CAIF gather the data and the evidentiary artifacts needed to demonstrate compliance and prepare them for export to systems of record or Information Assurance (IA) repository tools like eMASS, XACTA or CSAM. CAIF takes a proactive risk-based approach and reduces the time taken to achieve authorizations by 50% in both Civilian and DoD agencies, while freeing up skilled security personnel from these routine administrative tasks so they can focus on mission essential tasks.

Continuous ATO ensures a more real-time view of security and compliance

Even if the more laborious elements can be automated, the single-point-in-time ATO makes it all too easy to adopt a view of security requirements as something to be completed once the system is designed and built — the last box to be checked.

Federal agencies are now changing the way they issue ATOs, though — moving from this static, point in time assessment to a more dynamic process that continuously assesses and documents system compliance. Best practices dictate that security — and other compliance requirements like privacy — should be designed in, incorporated at the earliest stages of development, not added on afterwards.

Continuous ATO offers agencies the chance to ensure their compliance with required security and risk management frameworks on a real-time basis. The requirements for Continuous ATO are laid out in NIST Special Publication 800-37 Revision 2, its Risk Management Framework for Information Systems and Organizations.

CAIF uses intelligent automation such as robotic process automation (RPA), artificial intelligence (AI) and machine learning (ML) to automate the repetitive administrative tasks involved in obtaining authorization, reducing both the labor involved and the error-rate of manual inputs. CAIF accelerates the preparation of Assessment & Authorization (A&A) packages by 75% and reduces costs by up to a third.

CAIF also documents compliance with multiple frameworks and standards on a touch-once, report-many-times basis. Eliminating separate reporting silos for different compliance requirements increases efficiency and simplifies assurance.

But because the A&A packages are always subject to review before they’re submitted, these solutions don’t take humans out of the loop altogether. Security professionals check the work of the intelligent automation CAIF bot.

Continuous ATO and DevSecOps

Continuous ATO is most powerful when integrated with DevSecOps and technology platforms, so AI-powered software agents can automate both compliance and documentation. These platforms enable not just the capture of evidentiary artifacts needed to show that required security measures are in place; they can also ensure that the measures are implemented and working.

Better yet, by laying down security requirements at the beginning of an agile process, they can be incorporated at every phase of the system development life cycle — giving system owners the confidence that their data is secure from end to end.

DevSecOps provide security guardrails for modern, agile software development. By incorporating compliance requirements and AI into them, agencies can ensure both security and efficiency throughout.

CAIF provides Continuous ATO capabilities integrated with a range of leading technology platforms. All Accenture solutions, including CAIF, leverage pre-authorized security solutions like FedRAMP. And CAIF prioritizes the controls you need to implement, too.

As agencies move to adopt DevSecOps, Continuous ATO is another benefit they can realize in making the cultural and organizational changes needed to implement modern, agile development processes.