The Army is weeks away from unveiling a new approach to certifying the cybersecurity of its software, leveraging the concept of a continuous authority to operate rather than granting ATOs at fixed points in time. And although continuous ATOs aren’t a new idea for the Defense Department, the Army says its approach is different.
The Army’s thinking on continuous ATOs mirrors some of the same aspirations officials from across DoD have been expressing for the past several years: making them less focused on compliance and more on genuine cyber risks.
Leonel Garciga, the Army’s chief information officer, said a new roadmap for doing that will be signed and published within the next 30 days. Officials in the CIO’s office have been working on two pilot efforts to prove out the new process, including one involving the Army’s Nett Warrior program. That initial pilot will likely become the first approved continuous ATO within the new framework, which is focused on deploying software quickly.
“This is really about whether we can deliver directly to production,” he told attendees at last week’s AFCEA TechNet conference in Augusta, Georgia. “We’re comfortable with what we’re seeing right now and definitely looking for feedback. This is probably an 80% solution, because we still have some challenges on how this looks when we have hardware in the loop. If we want to move fast on putting new software into the [High Mobility Artillery Rocket System], it’s a little different than if we’re delivering a web app. So I think we need some help on kind of rethinking what that looks like.”
Accrediting pipelines, not systems
He said the new approach starts with accrediting the DevSecOps pipelines developers use to build software, rather than detailed examinations of the software itself.
But those won’t necessarily need to be Army pipelines.
“Three years ago, we said we were going to centralize all this and deliver it for the Army, and one organization is going to run it. That was a terrible idea, because we black boxed how we were going to deliver software, and we learned from that,” he said. “So our approach is a little different: What we’ve said is, there are Army services, there are Air Force services, there are services around the entire department. Leverage what works — things that are already accredited, that people are managing and maintaining, and then it’s up to program offices and Army commands to daisy chain that together.”
Other DoD organizations — up to and including the department’s chief information security officer — have been pushing toward the approach of certifying DevSecOps (DSO) pipelines to build more trusted software via continuous ATOs.
But Garciga said getting and keeping one within the forthcoming Army framework will be slightly different than previous approaches. Earning one will be less about the technical specifications and controls over the pipeline itself, and more about the development organization’s demonstrated maturity and competencies.
Assessing organizational maturity, not checklists
“It’s not going to be a checklist, and this is something that we’ve been talking about for a while: How do we actually validate this? I think everybody else’s approach to this has been, ‘We’re going to do a checklist and we’re going to check this box and we’re going to grade your homework on a rubric.’ We’re taking a very different approach in this space,” he said. “We’ve said that we’re going to do a maturity assessment for this: These are the basic things you need to get a pipeline certified for CI/CD so that you can go straight to production, and we’re going to assess your maturity. That doesn’t mean technology. It’s all about tactics, techniques and procedures. Do you have the right folks who can adjust the rheostats on some of these software tools?”
As of now, for many Army organizations charged with building software, the answer is no, he said.
“Somebody came to me the other day from a program office and said, ‘Sir, we got this. We’ve got a DSO pipeline and we can go to production, we just need your help.’ I said, ‘Great, interesting. Where are your cybersecurity folks, and how are they integrated into how you deliver?’ The answer was they’re not, so your maturity score is a one out of five, which means you are nowhere near ready to do CATO and to do DSO to production.”
Expanding continuous ATOs to contractor-owned systems
As far as that 80% solution — and getting the Army closer to 100% — Garciga said part of the evolution is likely going to be about experimenting with accreditation for new ownership and operational models.
He said the Nett Warrior pilot is proving out the use cases for government-owned and contractor-operated systems. And a second pilot involving Army Cyber Command and the program office for Defensive Cyber Operations will involve government-owned and government-operated systems.
But at some point, the Army will want to expand the approach to cover systems that are both owned and operated by contractors on the Army’s behalf.
Garciga acknowledged that’s going to be a challenge.
“It’s really easy for us to say that we’re going to validate and certify our own tools. It’s a lot different when I call a lead system integrator and say, ‘I need my government people to see your logs for your pipeline,’” he said. “But I think there’s a space for that, and I think we’re starting to see the demand signal in a couple of different areas where it just makes sense to deliver that way. So my challenge to industry is come to the table with a solution in this space. I don’t think it’s going to be every program, but I definitely think there are projects out there where that makes sense, and we need a couple of test runs with some folks to really codify what that’s going to look like.”
Copyright
© 2024 Federal News Network. All rights reserved.