
This article was originally written and published on Government Technology Insider.

In 2022 the Department of Defense (DoD) issued a memo about incorporating Continuous Authority to Operate (cATO) in the Risk Management Framework for cybersecurity. The DoD’s plan is to use the cATO framework to accelerate innovation and stay ahead of cybersecurity threats. We talked with Kynan Carver, Maximus’s Cybersecurity Lead for the Defense Market, to discuss how the cATO framework could enable a faster, more secure application development process.

Government Technology Insider (GTI): The DoD’s digital modernization strategy calls for a digital environment that creates a competitive advantage. How does cATO achieve that?

Kynan Carver (KC): An Authority to Operate (ATO) allows an IT system to operate in the federal government after meeting security criteria. Traditionally, an ATO gets awarded based on a one-time evaluation of the security posture of an organization’s application or system enterprise. Then, based upon that security posture, the organization is granted an ATO for a certain number of years.

However, the advancement of technology and the ever-changing threat landscape call for a continuous authority to operate (cATO). A cATO automates continuous monitoring of current threats and vulnerabilities during the application development process by both the organization and the authorizing official. Instead of a one-time ATO snapshot, cATO looks at that constant, real-time analysis of the security posture of that application or system. This is hugely powerful.

The cATO framework encourages agencies to accelerate the shift to agile methodology and DevSecOps practices as a foundation for development. When developing an application or system, security has to be in the forefront of that process. The authorizing official needs to know the security posture of that application during development and in production.

Transitioning to a cATO framework requires a cultural shift in how we approach security. The idea that security can be bolted onto the operations after the fact still persists. The DoD has thousands of legacy applications that were built this way, and most of the DoD still uses a waterfall development methodology that is slower and more vulnerable. However, adopting a cATO framework requires a shift to an agile methodology that prioritizes security at each stage of development.

Historically, organizations don’t build software factories until later in the development process. However, the DoD’s software factories would benefit from cATO. This presents opportunities to modernize and validate overall environments against requirements instead of going through the process for individual applications.

In summary, a cATO framework will require organizations to build security into the application or systems at development. This will allow them to get certified and recertified faster and then republish that to the software factory for a smoother process. This will not only improve cybersecurity efforts, but it will also significantly shorten the development to accreditation timeline from months to days.

GTI: What are the steps required to obtain the competencies shared above and a cATO?

KC: First, we have to shift the culture and adopt agile development. This will enable teams to iterate new versions, address vulnerabilities faster, and get releases out quicker. Second, we need to deploy a DevSecOps methodology so that security is built into the process. This can include the use of automatic code analyzers to scan containers and having a defined CI/CD pipeline that includes automatic remediation when a vulnerability is discovered. Third, when you’re looking at how to implement cATO, I recommend targeting non-mission critical systems first for modernization. Once you’ve seen how the cATO process works, then you can use it on a mission-critical system that doesn’t have a broad impact and expand from there.
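The second step above describes a CI/CD pipeline that scans containers and reacts automatically when a vulnerability is found. The script below is an added illustration of that pipeline gate, not code from Maximus, Sentry, or the DoD. It assumes a simplified, constructed scanner report format (the `findings` JSON shape, the placeholder vulnerability IDs, the package names and the registry path are all invented for the example; they do not match any real scanner's output), fails the stage when a finding meets the severity threshold, prints an upgrade hint whenever the scanner reports a fixed version, and treats accepted-risk waivers as time-limited so that a waived finding is re-reviewed rather than forgotten, which is the "continuous" part of cATO.

```python
"""Pipeline gate for container scan results (constructed example, not any real tool's format)."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Severity ordering used for the threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample scanner output. IDs, packages and image path are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.invalid/app:1.2.3",
    "findings": [
        {"id": "CVE-0000-EXAMPLE1", "package": "libexample", "installed": "1.0.0",
         "fixed": "1.0.1", "severity": "CRITICAL"},
        {"id": "CVE-0000-EXAMPLE2", "package": "toolkit", "installed": "2.4.0",
         "fixed": "2.5.0", "severity": "HIGH"},
        {"id": "CVE-0000-EXAMPLE3", "package": "parser", "installed": "0.9.1",
         "fixed": None, "severity": "HIGH"},
        {"id": "CVE-0000-EXAMPLE4", "package": "cli", "installed": "3.1.0",
         "fixed": "3.1.2", "severity": "MEDIUM"},
    ],
})

# Constructed waivers: accepted-risk findings mapped to the ISO date their waiver expires.
SAMPLE_WAIVERS = {"CVE-0000-EXAMPLE2": "2099-12-31", "CVE-0000-EXAMPLE3": "2023-06-30"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]  # version that removes the finding, if the scanner knows one
    severity: str


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)  # findings that fail the gate
    waived: List[Finding] = field(default_factory=list)    # covered by an unexpired waiver
    remediation: List[str] = field(default_factory=list)   # upgrade hints for blocking findings


def parse_report(text: str) -> List[Finding]:
    """Parse the constructed scanner JSON into Finding records; unknown severity ranks lowest."""
    data = json.loads(text)
    return [
        Finding(
            vuln_id=f["id"],
            package=f["package"],
            installed=f["installed"],
            fixed=f.get("fixed") or None,
            severity=str(f.get("severity", "UNKNOWN")).upper(),
        )
        for f in data.get("findings", [])
    ]


def evaluate(findings: List[Finding], threshold: str = "HIGH",
             waivers: Optional[Dict[str, str]] = None, today=None) -> GateResult:
    """Apply the gate policy.

    A finding blocks the release when its severity is at or above `threshold` and it has
    no waiver or its waiver has expired. `today` may be a date or an ISO string; it is a
    parameter so the decision is reproducible in audits and tests.
    """
    waivers = waivers or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    floor = SEVERITY_RANK[threshold.upper()]
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < floor:
            continue  # below the policy threshold: reported elsewhere, not a gate failure
        expiry = waivers.get(f.vuln_id)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            result.waived.append(f)
            continue
        result.blocking.append(f)
        if f.fixed:
            result.remediation.append(f"upgrade {f.package} {f.installed} -> {f.fixed}")
    result.passed = not result.blocking
    return result


def main(argv: List[str]) -> int:
    """Read a report path from argv (or use the sample) and exit non-zero when the gate fails."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate(parse_report(text), threshold="HIGH", waivers=SAMPLE_WAIVERS)
    for f in result.blocking:
        print(f"BLOCKING {f.severity:<8} {f.vuln_id} in {f.package} {f.installed}")
    for f in result.waived:
        print(f"WAIVED   {f.severity:<8} {f.vuln_id} (expires {SAMPLE_WAIVERS[f.vuln_id]})")
    for hint in result.remediation:
        print("remediation:", hint)
    print("GATE", "PASSED" if result.passed else "FAILED")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline stage, the non-zero exit code is what stops the release; the printed remediation lines are the input to whatever automated fix the pipeline applies (for example, bumping the affected package and rebuilding the image). The waiver expiry date is the design choice worth copying: an authorizing official's accepted risk is recorded with a review date instead of silently persisting.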

GTI: How does Maximus’s framework provide a strategic advantage to the DoD?

KC: Maximus developed 30 process improvements for the cATO framework. Learning from cybersecurity attacks, including the Log4j vulnerability, we prioritized cybersecurity reviews at the architectural level. As the DoD develops an application or system, part of its DevSecOps pipeline process should be checking for vulnerabilities prior to release in production. Maximus has created Sentry, which maximizes development of both a DevSecOps model and a customized CI/CD pipeline. This includes the software pieces to allow the DoD to migrate to the DevSecOps environment, and Sentry provides the data governance and monitoring. Maximus focuses on building security into the entire development process. We label elements and document attributes, then integrate this metadata with data loss prevention capability.

GTI: What are the complications that the DoD software factories and agencies might experience when trying to comply with cATO?

KC: When building a DevSecOps model, it must be documented with one of the reference designs already approved by the DoD CIO for compliance. The DoD must be able to explain the design for a CI/CD pipeline, how it works, and then provide the authorizing official with the visibility they need to approve cATO on that software.

The application development process needs to be as modular as possible. If the authorizing official can say that a particular section of this application is secure, then it can accelerate the overall development process. At that point, you can approve an application and its previous sections so that the whole application becomes accredited. Conducting security scans and system updates is great, but agencies must demonstrate the ability to be in constant communication with authorities in the cyber community to share information and remediate in real time.

GTI: How does cATO enable the DoD to stay current on the threat environment and plan for the future?

KC: Historically, frameworks have been evaluated on their ability to help the public sector to keep up with the capabilities of industry. But what we’ve failed to do is mature those frameworks to keep up with the ever-changing threat landscape and technical challenges.

We don’t necessarily modify these existing frameworks to adapt to new challenges. Defense-in-Depth is good, and router boundaries were a great idea for on-premises equipment at a time when we controlled everything coming in and going out of the network. However, as agencies have migrated to the cloud, the ability to control everything entering the network has become nearly impossible. Agencies must adapt their cATO process when challenges arise to continue to provide effective defenses against cyberattacks. A cATO framework gives agencies more control over service delivery and ensures that development is secure when done at speed. In the future, cATO will become a necessary credential to continue to keep pace with not just the evolution of cyber threats, but also the need for applications and tools to be deployed more quickly.

The DoD has embraced digital transformation and agile development to improve the modernization of federal services, risk management, and cybersecurity resilience. As a result of these efforts, the DoD is prepared for the transition to a cATO framework. Once implemented, the cATO framework can help to accelerate the modernization of federal services and improve the nation’s cyber defenses.
