Cybersecurity ATOs, faster: Air Force sets up new Fast Track
The Air Force is piloting a new way to give systems an authority to operate (ATO) in just weeks.
Last month, Undersecretary Matt Donovan issued a directive allowing Air Force authorizing officials to start using Fast Track ATO, which emphasizes an “appropriate balance between rapid deployment and appropriate level of risk assessment.”
Essentially Fast Track is a combination of existing processes: systems must meet a cybersecurity baseline, plus include penetration testing and continuous monitoring. But according to Air Force CISO Wanda Jones-Heath, the powerful part of Fast Track is that it puts cybersecurity front-and-center and continues that through the lifecycle of a system, changing “the mindset from compliance to more risk-based security discussions.”
“The penetration testing finds it and fixes it up front,” she told FedScoop. “The continuous monitoring actually finds it continuously and then you’re able to keep moving.”
Software and IT systems that typically take close to a year to authorize can be approved in a matter of weeks. In the first proof of concept, it took five weeks, Jones-Heath said. With penetration testing, the Air Force discovered a vulnerability that it was able to remediate up front and quickly bring the system online.
That same system had already gone through the traditional Department of Defense risk management framework compliance process, a feat that took nine months. Even with all the added time, it didn’t detect the vulnerability.
The Air Force’s focus on penetration testing comes after its success using bug bounties in recent years, bringing in white-hat hackers to detect vulnerabilities in its systems. Through Fast Track, the service wants to better standardize bug bounties and “third-party adversarial testing” for authorizing officials to use, Jones-Heath told FedScoop.
“We’re setting up task order or companies that can do it on behalf of the Air Force,” she said. “We want to make sure that we’re standardized to support reciprocity. … We want to make sure as a corporate entity, we have a standardized approach to using a third party to test our cybersecurity.”
Cloud-friendly
Jones-Heath said the service has targeted a number of additional systems it wants to take through the process as well, though she wouldn’t detail their business or mission purposes. “We have two more that we’re working with right now, and then we have a list that we’re working through as well. We’re targeting mostly those systems that are going to the cloud because we feel like it will allow them to move faster and plus it meets the DOD intent of full-fledged migration to the cloud.”
Cloud systems tend to work best for Fast Track “because you’re going into an environment that has possibly been hardened already … that environment is already secured,” she said. New development systems are also good “because you can add that [security] into your development cycle up front.”
But it doesn’t work for everything. Legacy systems, which must be reauthorized every few years, Jones-Heath explained, may not work, unless they’re undertaking some sort of modernization. Authorizing officials will make that determination.
If Fast Track doesn’t fit for a system, there’s also RMF Now, which is the Air Force’s standard ATO pathway, and the Ongoing Authorization for agile software development.
Beyond pushing paper
Jones-Heath said she believes Fast Track will improve the Air Force’s cyber-hygiene and deliver better security rather than just presenting boxes to check and overwhelming officials with paperwork. Too often, she said, cyber personnel were telling her “RMF is too slow, I don’t have the expertise, that’s a lot of paper, but are we really secure? So when you start asking all of these questions and you can’t really answer those questions, then that kind of shows you there may be some issues.”
“Because cybersecurity is something we often do after, I’m glad that we’re actually doing it early in the process,” Jones-Heath said. “I think that will definitely pay big dividends on the back end. Fast forward a year and a half from now, and I believe that we will be in a better position.”
Lauren Knausenberger, Air Force’s director of cyberspace innovation, recently emphasized to FedScoop that importance of Fast Track in moving from a compliance exercise and “making it much more about security.”
“The next step really is to be able to do this at an enterprise level,” Knausenberger said. “I’ll say that we’re having amazing success in pockets — we need to expand it. I think that Fast Track ATO … will go a long way toward helping with that.”
