The Defense Department launched a new cybersecurity initiative that will allow for continuous monitoring of cloud systems, the agency announced this week as part of a department-wide shift from passive to active cybersecurity practices.
The initiative calls for continuous authorization to operate (cATO), which DOD touts as an improvement on its Risk Management Framework (RMF), under which systems or technologies previously received a one-time ATO sign-off.
Continuous authorization to operate allows DOD to engage in real-time monitoring of cyber risk. “A cATO does not expire as long as the required real-time risk posture is maintained,” according to a DOD memo signed by DOD CISO David McKeown.
DOD Chief Software Officer Jason Weiss told GovCIO Media & Research in an email that the cATO memo intends to "build" off current DevSecOps initiatives throughout the agency.
"The memo represents a concerted effort to raise the bar beyond what an existing paper-document-oriented authorization to operate (ATO) requires," Weiss said. "Different services have created different standards and understanding of what it takes to reach this level of maturity. This memo is the first step to rectify this problem by spelling out very specific ingredients that must be present, and it captures that not every system can or should qualify for a cATO."
The initiative comes as federal cybersecurity continues to be a major point of reform for federal agencies during the Biden administration and follows a May 2021 executive order that calls for federal agencies to immediately begin deployment of zero trust architectures. In December 2021, DOD also created a new zero trust office within the Office of the CIO to spearhead zero trust deployment.
“Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces,” according to the memo.
The memo said authorizing officials must achieve three metrics to reach cATO:
- Continuous visibility and monitoring of “key cybersecurity activities” within the system they’re authorizing
- The “ability to conduct active cyber defense in order to respond to cyber threats in real time”
- The “adoption and use of an approved DevSecOps reference design” and embrace of the department's enterprise DevSecOps strategy
DOD believes cATO is key to effective cybersecurity because most IT and OT systems do not operate independently of each other, and bad actors are more likely to move laterally across systems and networks than in years past.
“The goal of a cATO is to formalize and monitor the connections across these systems of systems to deliver cyber resilient capabilities to warfighters at the speed of relevance,” according to the memo.
In practice, DOD expects authorizing officials to “feed” security controls into a dashboard view, “providing a real time and robust mechanism for AOs to view the environment.” This will allow authorizing officials to make better decisions regarding current cyber threats and allow defensive cyber operations to respond more quickly to threats based on “current system [cyber] posture.”
The memo also calls for DOD components to adopt an “active” cybersecurity mindset. Scanning and patching are no longer viable strategies for cybersecurity, and “systems must be able to show a real- or near-real-time ability to deploy appropriate countermeasures to thwart cyber adversaries.”
As part of the cATO initiative, DOD also outlined requirements for securing the software supply chain. To reduce human error and adequately track software through a software bill of materials (SBOM), DOD components and military service branches must adopt an approved software platform and development pipelines, according to the memo.