The Department of Defense’s (DoD) top cyber official announced that the department is evaluating three potential candidates for continuous authority to operate (cATO) authorizations.
During his keynote session on Oct. 24 at the AFCEA Tech Summit in Washington, D.C., DoD Chief Information Security Officer (CISO) David McKeown explained that the department has yet to award cATOs authorization, but it has “three really good candidates in the pipeline.”
cATOs are authorizations granted to systems or applications that operate within a specific DoD component, which allows a system to operate in a live environment while ensuring that it meets necessary security requirements.
On April 11, the DoD Chief Information Officer (CIO) released the DevSecOps Continuous Authorization Implementation Guide which seeks to guide defense agencies to achieve cATOs to operate DevSecOps platforms and other applications produced by a software factory as part of efforts to counter cyber threats.
The cATO process involves assessing the security posture of systems and ensuring compliance with applicable standards and policies. The goal is to facilitate faster deployment of technologies while maintaining a focus on security.
McKeown explained that DoD component CISOs seeking consideration for cATOs must meet specific requirements.
To achieve cATO, authorizing officials must demonstrate three competencies: continuous monitoring of risk management framework controls, active cyber defense, and use of an approved DevSecOps reference design for a software factory with a secure software supply chain.
The presence of these factors is partly assessed through the demonstrated use of system-level dashboards, which aggregate information from logging, testing, and various activities to provide a real-time view of the environment.
According to McKeown, these dashboards will play a critical role in evaluating the effectiveness of security measures and ensuring that the three potential candidates meet the necessary standards for cATO consideration.
McKeown further explained that components are not limited in the way they conduct efforts to meet the three factors.
The three candidates under consideration are all DevSecOps environments, he said.
