ATO Then and Now

Public Sector

We were privileged to have the opportunity to share a Tech Talk at this year’s Rocky Mountain Cyber Symposium. Caveonix’s Mark Zong and Fernando Deanda of the US Air Force took the stage together in front of a full house to share their perspectives on transforming the Authority to Operate (ATO) process.

Both faced ATO challenges during their active duty careers. While in the Army, Mark had a division headquarters relocation held up by a year thanks to manual ATO efforts. During Fernando’s time as an ISSM working two cloud systems, he continually saw delays driven by workflow issues. They’re now both able to drive changes inspired by their earlier experiences.

The three opportunities for improvement that they highlighted were:

  • Effectiveness – Ultimately ATO in both USAF and USSF is intended to support the warfighter and deliver secure systems that serve the mission. Is compliance enabling/securing them, or slowing them down? How often are systems authorized without being properly assessed because processes aren’t fast enough or data is incomplete? If there’s doubt around either of those questions we need to change quickly.

  • Process Efficiency – Everyone agrees that the ATO timelines are too long. Some of this stems from manual processes like review and correlation of documentation. Some is created by friction in the workflows, where all departments need to follow RMF but don’t always have technology that easily aligns with those steps. Both of these angles should be addressed.

  • Visibility – Continuous monitoring is at times more theoretical than practical. How do we simplify the move away from reports that capture a moment in time, and how do we communicate security postures, compliance gaps, and expected timelines up and down the chain of command?

They also shared a few recommendations:

  • Compliance Automation – Using technology to pull in an asset inventory and supporting evidence delivers a complete picture of everything in that environment, including long-forgotten or brand-new systems. And it takes substantially less time than gathering the data and manually connecting the dots.

  • RMF Workflow – RMF creates a common language of security – one that’s universal to all federal organizations and government-mandated. Make sure your technology choice supports it.

  • Integrations – Technology should connect with task management software, tools provided by your CSP, and other operational platforms in use. Working POA&Ms, for example, becomes much easier and transparent if you’re managing the projects in something that has a two-way feed into your compliance platform.

Thanks again to everyone who joined us, and special thanks to Fernando!

We’re Here and Ready to Talk

Contact us to see how Caveonix optimizes compliance for the modern cyber world.

Book a Demo