The Department of Defense (DoD) recently called continuous authority to operate (cATO) the “gold standard” in cybersecurity. The current process for obtaining an authorization to operate (ATO) is a “point in time” assessment that is costly and time consuming. Because of these issues, the alternative, cATO, is gaining momentum.
cATO can be a game changer: streamlining compliance, mitigating risk, and enabling agencies to deploy new IT capabilities faster than ever before. How does cATO differ from the traditional approach? What are cATO’s advantages? What are the biggest challenges to deploying cATO in Federal agencies? And what do agencies need to implement cATO?
To answer these questions, MeriTalk spoke with Travis Howerton, co-founder and chief technology officer (CTO) at continuous compliance platform provider RegScale. As CTO at the National Nuclear Security Administration and deputy CIO at Oak Ridge National Laboratory, Howerton witnessed agencies’ ATO and compliance challenges firsthand.
MeriTalk: How does a continuous ATO differ from a “point in time” ATO? The DoD’s recent cATO memo called it “a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.”
Travis Howerton: For years, systems were largely static. You deploy them and you create a Word document or Excel spreadsheet that lays out the security controls. It’s a point-in-time snapshot. But today, with the rise of cloud, containers, and the ability to spin services up and down on demand, systems are changing faster than ever before.
Taking a static approach to security controls into a dynamic technology environment creates a cadence mismatch. As a result, agencies have a hard time deploying new technology in a reasonable time frame – and feeling confident about its security. Their paperwork is obsolete almost the instant they write it.
DoD is going with cATO because they’ve recognized that archaic cyber processes are hindering their ability to get the latest, greatest technology to enhance their capabilities on the battlefield. They’re saying we need to fundamentally rethink the ATO process. That aligns well to RegScale, which is a real-time continuous compliance/continuous risk platform, not a point-in-time risk and compliance solution like others we’ve seen for the last 15 years with legacy governance, risk, and compliance (GRC) tools.
MeriTalk: What challenges does cATO present? What hurdles must agencies or contractors overcome to demonstrate compliance with the processes and regulations that are required for an ATO?
Howerton: One challenge is process change, which is difficult in government. People get married to their processes, which have helped them pass audits for years. They aren’t sure how to do the new thing.
The second part is the technology. They’re managing security controls with Word, Excel, SharePoint, or a legacy GRC tool. To be truly continuous, you need an API-driven, real-time, machine-to-machine architecture. This approach lets you determine progress against baselines and see your risk so you can decide if it is acceptable. That’s how the cloud works and how future technologies will work. ATO processes have to align to that rather than fighting it. NIST has recognized the need for machine-readable communication with its Open Security Control Assessment Language (OSCAL) standard, and we were proud to be one of the earliest adopters.
MeriTalk: Tell us a bit about continuous compliance. What is it, and how does it help achieve continuous ATO?
Howerton: Today, a regulation or law says you must do something, and you draft a compliance policy and audit it periodically – typically by pulling samples or collecting evidence and screenshots. The system is very manual, reactive, and after the fact.
Most government agencies make great investments in continuous monitoring technical tools – cloud security posture management tools, vulnerability scanners, or security information and event management systems. They have a lot of data, but still need humans to go get it. If compliance became machine-readable, then machines could do that. Our system is a collection of APIs – pulling the data in real time so the paperwork updates itself.
We envision an evergreen system that’s constantly updating as things change in the real world. That’s a fundamental shift – to unlock the value in data and make better risk-based decisions closer to real time and at lower cost, because you don’t need an army of people figuring out what has changed. The machines just talk to each other. That’s the core of our platform and a big piece of our differentiation in the market that directly supports cATO.
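To make the machine-readable idea from the two answers above concrete, here is an added example that is not RegScale's code and not from the interview. It assumes a deliberately simplified, OSCAL-inspired system security plan (a list of implemented requirements keyed by NIST SP 800-53 control ID) and a constructed evidence feed of the kind a scanner, CSPM tool, or SIEM might expose over an API. The field names are illustrative rather than the real OSCAL schema. The point it demonstrates is the cadence mismatch: a control is only "satisfied" if its newest evidence both passes and is fresh, so a pass collected months ago is reported as stale rather than silently carried forward as in a static document.

```python
"""Added example (not RegScale's code, not from the interview): deriving
control status from machine-readable evidence instead of a static SSP.

Assumptions, all constructed for this example: a simplified OSCAL-style SSP
keyed by NIST SP 800-53 control id, and an evidence feed as a continuous
monitoring tool might return it via API. Field names are illustrative."""
from datetime import datetime, timedelta, timezone

# Constructed, simplified SSP: the controls the system claims to implement.
SSP = {
    "implemented-requirements": [
        {"control-id": "ac-2", "description": "Accounts reviewed quarterly"},
        {"control-id": "si-2", "description": "Critical patches within 30 days"},
        {"control-id": "au-6", "description": "Audit logs reviewed weekly"},
        {"control-id": "cm-8", "description": "Component inventory maintained"},
    ]
}

# Constructed evidence feed. Each record: the control it supports, the
# tool's pass/fail verdict, when it was collected, and which tool sent it.
EVIDENCE = [
    {"control-id": "ac-2", "result": "pass", "source": "iam-audit",
     "collected": "2024-05-01T00:00:00Z"},
    {"control-id": "si-2", "result": "fail", "source": "vuln-scanner",
     "collected": "2024-05-14T00:00:00Z",
     "detail": "3 criticals older than 30 days"},
    {"control-id": "au-6", "result": "pass", "source": "siem",
     "collected": "2024-02-01T00:00:00Z"},
    # An older duplicate for ac-2; only the newest record per control counts.
    {"control-id": "ac-2", "result": "fail", "source": "iam-audit",
     "collected": "2024-03-01T00:00:00Z"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed feed."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(ssp, evidence, now, max_age_days=30):
    """Return {control-id: status}, status being one of 'satisfied',
    'not-satisfied', 'stale' or 'no-evidence'.

    Only the newest evidence record per control is considered. A passing
    record older than max_age_days is 'stale': a point-in-time pass says
    nothing about the system as it is today, which is the cadence-mismatch
    problem the interview describes."""
    latest = {}
    for rec in evidence:
        cid = rec["control-id"]
        ts = parse_ts(rec["collected"])
        if cid not in latest or ts > latest[cid][0]:
            latest[cid] = (ts, rec)

    status = {}
    for req in ssp["implemented-requirements"]:
        cid = req["control-id"]
        if cid not in latest:
            status[cid] = "no-evidence"
            continue
        ts, rec = latest[cid]
        if rec["result"] != "pass":
            status[cid] = "not-satisfied"
        elif now - ts > timedelta(days=max_age_days):
            status[cid] = "stale"
        else:
            status[cid] = "satisfied"
    return status


def open_items(status):
    """Controls that would get a ticket: anything not currently satisfied."""
    return sorted(cid for cid, s in status.items() if s != "satisfied")


if __name__ == "__main__":
    now = parse_ts("2024-05-15T00:00:00Z")  # fixed 'now' so the run is reproducible
    result = assess(SSP, EVIDENCE, now)
    for cid, s in sorted(result.items()):
        print(f"{cid}: {s}")
    print("open:", open_items(result))
```

Run against the constructed data, ac-2 is satisfied (its newest record passes and is 14 days old), si-2 is not satisfied, au-6 is stale (a pass from February is 104 days old at the fixed "now"), and cm-8 has no evidence at all; the last three are the open items a platform would turn into tickets. A real deployment would replace the inline lists with API pulls from the monitoring tools and carry real OSCAL structures, but the evaluation logic is the part that turns a document into a continuously updated risk picture.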
MeriTalk: We’re familiar with the “shift left” concept as it relates to application development and cybersecurity. What does “shift left” mean in compliance?
Howerton: The promise of continuous compliance and shifting left is that compliance will be like security today – baked in, not bolted on. People have good tools in the cloud today – continuous monitoring, logs, and incident response. We’ve come a long way, but compliance is the same as 30 years ago. RegScale wants to make it continuous and complete in real time, shifting it left the same way the security industry is doing.
People have been unhappy with compliance processes for a long time, but they were hard to fix. Now systems are becoming more homogenous, and everything is software defined. You have a ton of telemetry you never had in a bespoke on-premises environment. No matter what cloud you’re in, RegScale can take the telemetry, update ATO paperwork in real time, and auto assign tickets. This system makes the pain of manual data entry and data calls go away and reduces costs, so agencies can focus on the things that matter.
MeriTalk: Both you and your co-founder, Anil Karmel, have deep Federal agency and cybersecurity experience. How did that experience inform the creation of RegScale?
Howerton: Fundamentally, it’s because we felt the pain. As Federal employees, we’ve had the experience of thinking we’re done with engineering a solution because it all worked. Then we were asked if we had a system security plan; after hundreds of pages and months of busted schedules, we finally got it deployed. And we’ve commissioned audits where things were always wrong; the paperwork was always out of date. We were constantly trying to fix things. That damages your credibility, saps your resources, and causes distractions.
When compliance is continuous, it becomes just a part of doing business. It means you can be proactive rather than being surprised in an audit. The more you can make compliance routine and automate it, the faster government can adopt technology.
MeriTalk: RegScale has introduced the concept of RegOps. What is it, and what is the RegOps manifesto?
Howerton: RegOps applies the concept of DevOps to compliance in order to transition manual, static processes into dynamic processes. It’s a combination of cultural philosophies, best practices, and tools that speeds compliance for applications and services.
The RegOps manifesto is a set of principles for thinking through compliance problems and demonstrating value in every part of the process. Conversations about compliance and automation can scare people. Some worry about automating away people’s jobs, while others act as though the existing processes don’t have value, but they do. The RegOps manifesto recognizes that.
MeriTalk: Why did you think the RegOps manifesto was needed?
Howerton: Because the biggest problem is culture change, not technology. If you want people to change, they first need to understand why and then be able to think through what that means for them. The manifesto helps people think about the compliance problem and how they can help fix it where they work.
MeriTalk: How does RegOps help achieve cATO under FedRAMP or the NIST Risk Management Framework (RMF)?
Howerton: We’ve applied our RegOps manifesto into the RegScale platform, which automates all the pieces of the RMF, zero trust, or any other compliance framework. We’re one of the early adopters of the NIST OSCAL standard for machine-readable compliance and assessment documentation. Not only are we automating with the latest technology, we’re partnering with commercial vendors, so we have tons of integrations – with more coming every day. Because we’re incorporating government standards and building on top of industry standards for interoperability, we’re future proofing agencies’ investments in compliance automation.
MeriTalk: What advice do you have for system owners who are working to achieve a cATO?
Howerton: It starts with accepting that they need to change and thinking through that change. Cloud’s not going away. It’s the foundation for artificial intelligence and other things that are coming next. If you’re already feeling pain because of how fast things are moving, that trend will get worse, not better. You need to apply fundamentally different approaches, which is that RegOps mentality. The alternative is spending your time trying to pass audits and not letting systems go live because they can’t meet every requirement in a 300-page plan.
System owners ought to be telling senior executives: “Here’s the risk and here’s our plan for fixing it.” That’s the conversation that every risk professional wants to have. Don’t say, “If we can’t automate everything, we’ll just keep doing what we do.” Every little change can help you progress. Agencies should start small, be agile, accept the problem, think it through, and educate people on the need for change, all while valuing every stakeholder and their contributions along the way.