Building Cyber Defense:
A strategic approach to streamlining and accelerating ATO and transitioning to cATO
Public sector organizations are expanding their cloud footprint because cloud adoption offers flexibility, agility, and scalability with reduced time and costs. However, the cloud's dynamic nature expands attack surfaces exponentially, opening up sensitive data assets, infrastructure, and applications to a whole new spectrum of sophisticated threats.
Unlike a data center, a cloud is a complex and distributed environment with a range of services that can be configured and set up in a hundred different ways. Moreover, each of these services is exposed to the internet, and therefore to complex threats, all the time.
With that come unique challenges related to securing the operational technology that directly monitors data assets, infrastructure, processes, environments, and events. This creates tremendous pressure on IT teams to ensure the security and compliance of hybrid cloud environments against risks that are interconnected and constantly evolving.
For federal agencies migrating to the cloud, everything starts with getting an Authorization to Operate (ATO)—a security approval to authorize the operation of an IT system and explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls.
This is a cumbersome endeavor that relies heavily on reporting. To get the ATO signed, it is critical to ensure continuous monitoring, assessment, recording, and reporting of security and compliance status on an ongoing basis. Everyone is racing to the cloud, yet the basic problem of assessing and reporting risk remains unsolved.
The ATO and the consequent continuous authority to operate (cATO) are still in their nascent stage when it comes to managing applications deployed in the cloud.
How can an organization figure out which controls it needs to apply to configure and secure its hybrid cloud? These controls may need to be reevaluated based on their applicability in the cloud, so how does one go about choosing the right solution?
With everything being dynamic and exposed to threat actors, and with application developers constantly spinning up new environments to meet business goals, how can one assess risk and manage it centrally and continuously?
With reporting being key to the ATO process, how can a federal organization get a handle on reporting? How are agencies assessing this through their cATO or ongoing authorization (OA) programs?
How can an organization discover and manage all of its assets, applications, and infrastructure, and ensure that they are secure and compliant?
How does an organization accurately calculate risk in the cloud, where the impact of risk is much higher?
Co-Founder and CEO, Caveonix
CISO Cybersecurity Directorate, U.S. Department of Labor (DOL)
CISO of the U.S. Census Bureau, U.S. Department of Commerce
CISO, Office of Information Technology [OIT], U.S. Securities and Exchange Commission (SEC)