7 Experts on Attaining ATO Faster in US Government Agencies

Throughout the private sector and particularly in the financial services and banking sectors, DevSecOps and agile development continue to grow in importance among software development teams. Companies that have adopted an agile mindset and integrated best practices within their development teams have seen unprecedented growth, even during the COVID-19 pandemic. According to the 15th Annual State of Agile Report, 86 percent of organizations adopted agile methodologies for their development teams in 2020, up from 37 percent in 2019.

Despite these gains, the public sector has been slow to adopt agile and DevSecOps approaches to software development. Across state, local, and federal government, agencies and organizations have struggled to adopt these best practices and have yet to capitalize on the ability to address secure development earlier in the software development life cycle (SDLC). By identifying opportunities to adopt an agile mindset and embrace a DevSecOps approach, agencies at all levels of government can improve the speed at which they deliver software while achieving better security outcomes.

Professionals at all levels of government agencies and departments can ship secure code faster with the implementation of leading practices, such as “shifting left” by integrating security checks earlier in the SDLC, benchmarking and tracking improvements in delivery speed, streamlining software onboarding, and encouraging knowledge of regulatory requirements.

This guide explores how agencies can increase the speed and security of their software development efforts, the importance of shifting left and adopting agile and DevSecOps practices, the link between Authority to Operate (ATO) and DevSecOps, and best practices for establishing and evaluating a software development approach.

Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

Foreword

Shifting left and building software with security and compliance integrated from the start is critical to increasing trust in our digital infrastructure. As we have seen through recent executive orders and Department of Defense (DoD) memos, creating a foundation that enables a continuous ability to quickly certify and deliver software is critical to federal organizations being responsive enough to meet their missions.

Enabling the Assessor to reduce assessment time in an Authority To Operate (ATO) process is a prerequisite to shortening software release cycles in the government. When assessors have access to audit trails generated throughout the SDLC, they can be confident that software was built to adhere with NIST and other requirements thereby reducing their assessment time.

We believe in developer-centric security: people, process, and technology focused on making security easy for developers to embed, with just-in-time training and detailed, relevant guidance during development. A developer-centric approach enables teams to plan and prevent for security and compliance rather than engaging in an endless cycle of finding and remediating security defects.

With security by design and audit trails that accelerate the ATO process, organizations can spend less time focusing on documentation and compliance, and more on delivering on their mission.

Security Compass, a leading provider of software threat modeling and secure development solutions, enables organizations to build secure software faster. SD Elements, our flagship product, helps software development teams continuously model threats at scale, then proactively write code that significantly reduces cyber risk and remediation costs. Security Compass is the trusted solution provider to leading financial and technology organizations, U.S. government agencies, and renowned global brands. The company is headquartered in Toronto, with offices in the U.S. and India.

Meet Our Experts

Chapter One: Traditional Waterfall Development vs. Agile Development

To its benefit, the federal government has used agile development practices since 2014 in place of waterfall methodologies.

With a waterfall approach to software development, teams follow a standard cycle, with product requirement documents driving design and development. Testing and security improvements occur at the end of this cycle and are often considered an add-on to the process.

“Outdated development methodologies and manual security processes are roadblocks to timely product releases. These two factors have a significant impact on the public sector’s ability to release software and applications with speed and safety.”Rohit Sethi, The CEO of Security Compass.

By contrast, in an agile development cycle, testing and security evaluations are continuous, resulting in early discovery of bugs and vulnerabilities, and providing an opportunity to address them much earlier in the cycle (Figure 1). This approach integrates security at several points along the SDLC, so development teams can correct security shortcomings while minimizing rework.

Some elements of government information security and software development in general have made adopting such an approach challenging. The benefits of an agile approach to development, however, when combined with DevSecOps, are significant efficiency gains, reduced costs, and faster time to market.

As reported in The State of Secure Development & ATO in U.S. Government Agencies in 2021, responses from cybersecurity professionals in federal, state, and local government agencies indicated that speeding software time to market is a priority.

The report provides the following additional insights:

• More than half of respondents (55 percent) indicated that shifting left is either a top priority or one of the top three priorities in their organization’s SDLC.

• More than a third (34 percent) of respondents in federal agencies indicated that improving software time to market is the top priority for their team this year.

• A quarter of respondents (24 percent) indicated that they do not track the speed with which their teams produce software, and another 7 percent are unsure if or how such acceleration is accomplished.

• Of respondents who track the speed with which their teams produce software, 72 percent indicated that increasing the speed with which their team onboards or develops and deploys applications is the top priority.

The agile methodology emphasizes the continuous delivery of working software. The approach can help mitigate risks by engaging customers (internal and external) in development cycles early, giving them an opportunity to adapt to changing requirements and environments. It can also be particularly useful with modern, highly dynamic environments, such as the cloud. An agile approach and a shift-left methodology reduce the likelihood of letting security problems and vulnerabilities go unaddressed until later in the development cycle, when they become more difficult and costly to resolve.

Key Points

  • Review the agency’s development processes, and introduce techniques such as agile development, DevSecOps, and development best practices where possible.
  • Implement security reviews and early testing cycles to help developers shift left.
  • Focus on continuous delivery to improve developer velocity.

Chapter Two: How to Shift Left and Deliver Requirements Before Coding Begins

Understanding how to build software securely while complying with all government cybersecurity regulations is a major challenge when developing for federal, state, or local government agencies. As an example, the National Institute of Standards and Technology (NIST) has defined myriad compliance standards, and it can be challenging to integrate them into a project correctly without overwhelming developers or accidently delivering on requirements that do not actually apply to the project. Additionally, all this complexity adds time to the SDLC and can extend the project. Adhering to government guidance or requirements that shift mid-project or simply do not apply translates to wasted development time and the risk of potential rework.

“By shifting left and incorporating security efforts earlier in the SDLC, more teams will identify areas where they can automate and improve their existing software development approach and ultimately improve their overall security posture.” – Rohit Sethi, CEO of Security Compass.

By using agile development processes and breaking down requirements into relevant, tactical tasks, developers can focus their efforts on shorter development sprints (typically two weeks per sprint), deliver code more frequently, and integrate security and standards regulations into the cycle more efficiently. In this way, they insulate the project against the risk of implementing security as an add on at the end of development.

This approach of continual releases, testing, and evaluation also helps avoid release delays when weaknesses in code that threat actors can exploit are found late in the SDLC.

Agencies should also consider the adoption of tracking tools to help document the secure development steps that developers take when writing code. Traditionally, organizations track developers’ secure coding efforts manually, often in spreadsheets, and conduct interviews to understand how developers followed a particular regulation or secure coding practice. This time intensive process is inefficient both for auditors and developers. Vast quantities of developer time are tied up in this manual documentation process to achieve ATO.

A leading practice is to track and monitor these security efforts as developers write their code. Organizations that follow this approach may also have an\ easier time when applying for ATO certification.

Clearly demonstrating the security efforts, improvements, testing, and monitoring that took place during the SDLC can help establish a pattern of security. By considering security from the start, organizations are more likely to code “watertight systems” that have fewer vulnerabilities. Leaving the security review until the end of the development process increases the probability that issues and vulnerabilities buried deep within code paths will be discovered late in the release cycle, contributing to significant delays and project overruns.

Developing a DevSecOps Mindset and a Shift-Left Approach

Adopting an agile development method (where appropriate) can make a significant difference in secure software development. These benefits are enhanced when agile combines DevSecOps and a shift-left approach.

In a traditional (waterfall) software development model, development teams are responsible for coding and implementation; then, testing occurs to identify and address bugs and vulnerabilities (Figure 2). Security fixes are addressed during testing or, often, during a post-release maintenance cycle. This approach risks introducing zero-day vulnerabilities into the wild and can lead to extended patch cycles.

By contrast, adopting an agile approach, embracing DevSecOps, and shifting security reviews and assessments left can help identify gaps earlier, reduce software flaws, and speed secure development. In this model (Figure 3), developers take an active role in identifying risks, modeling threats, and remediating security concerns early.

Many organizations, including IBM, have studied the impact and benefits of shifting security earlier in the software development life cycle (Figure 4). By shifting left throughout the process, organizations can reduce the cost of remediation significantly.

Key Points

  • Manual tools for tracking developers’ secure coding efforts are time-intensive and inefficient.
  • Adopting an agile development method can significantly impact a secure development approach.
  • Shifting left helps identify gaps earlier, reduce software flaws, and speed secure development.

Chapter Three: Include Security Seamlessly in the Software Development Process

In traditional software development, security was included at the end of the SDLC. Today, security requirements, as well as implementation and verification of controls, should be baked into the entire process. The security lead defines requirements up front and then pushes requirements down to developers as tasks in systems such as Atlassian Jira.

At a high level, Table 1 shows how organizations implement a shift-left strategy at each stage of software development without slowing the process.

ATO and DevSecOps

Software development within the federal government often begins with an alignment to ATO and related required security processes. Acquiring an ATO is a complex challenge for US federal agencies. Developers must not only comply with thousands of security controls, all of which are too frequently updated but do so as quickly and effectively as possible. If they do not, mounting inefficiencies waste money, delay software releases, and take a toll on team morale.

It is a significant challenge to achieve ATO when the development team is burdened with outdated manual processes, such as spreadsheets, email, and other siloed tools, to track the process and communicate issues. Such a manual approach creates confusion, redundant work, and version control issues.

“When agencies embed ATO in the development effort, they streamline the entire auditing process. All the time and effort that used to go into supporting an audit now get turned into productive developer time. It’s a real game changer.” -Rohit Sethi, The CEO of Security Compass.

To eliminate this challenge, agencies should move to a more modern approach that embraces\ DevSecOps, which helps avoid bottlenecks caused by a waterfall approach and outdated software modalities. By integrating security at all points of the development process, the DevSecOps engine improves security across the entire SDLC.

The organization must take two steps to shift certification left:

  • Identify relevant requirements specific to ATO. Agencies that want to shift ATO as far left as possible must meet numerous requirements, such as process- and development-related controls, early in the SDLC. Many of these controls go beyond normal security requirements: They are process-oriented requirements. Figure 5 shows the steps for attaining ATO.
  • Ensure effective control mitigation by employing a layered compliance perspective. In a layered enterprise service model, one control can mitigate multiple identified threats or vulnerabilities. The challenge the organization faces is visibility into each issue and how many instances of that issue its controls can mitigate. Without this visibility, an organization often deploys redundant or inefficient controls.

Key Points

  • Benchmark your program.
  • Accelerate your development and release cycles.
  • Streamline your security efforts by using a DevSecOps and continuous ATO approach.

Chapter Four: Ensure Developers Follow Secure Development Best Practices

When implementing a major shift (such as a shift left) across development teams, it is important to leverage techniques like just-in-time training, integration of regulatory guidance, and fine-grained documentation to support the developers as they write code. The benefit of this approach is higher developer velocity with strong compliance with regulatory standards and practices. By integrating these techniques throughout the development process, high-performing organizations can document all the needed information to support ATO audits and certification.

High-performing organizations that have significantly higher developer velocity use the following techniques:

  • Documented best practices tuned to the agency or department.
  • Automation of testing, monitoring, and verification.
  • Just-in-time training delivered in short formats to keep developers informed and focused.
  • Verified code libraries and repos to foster efficient code reuse.
  • Additional process optimizations to help teams develop with speed and safety.

By supporting developers with just-in-time training and reinforcement, developers are freed from the expectation of remembering secure coding best practices they learned years ago in class.

After an organization fully integrates its product and software life cycle workflows, monitoring, documenting, and verifying the environment becomes markedly easier. It is essential that security is an integral part of the process to both minimize costs and accelerate product delivery.

Streamlining the Process for Tracking, Verifying, and Documenting

Implemented Controls

When the development team has shifted left, adopted a DevSecOps mindset, and embraced an agile development approach, the organization must support these modernization efforts through automation, monitoring, and the right tools. Manual processes that include spreadsheets and issue tracking by email are not efficient or scalable. To streamline developer efficiency and the ATO certification process, agencies should support development teams:

  • With tools to help integrate automation and speed into the development, testing, and approval processes.
  • By evaluating bottlenecks to implementing the right tasks for the right project.
  • By integrating systems with other tools used in the continuous integration/continuous delivery pipeline.“Leading organizations integrate security throughout the process. They support secure development by using approved code snippets and techniques such as just-in-time training to ensure that developers adhere to secure guidelines. Elite organizations monitor and track that activity to provide strong audit documentation effortlessly.” -Rohit Sethi, The CEO of Security Compass.

In addition to making investments in developer efficiency, organizations need visibility to all their processes—an easy way to identify, assess, and remove bottlenecks. Such visibility requires detailed reporting and analytics on what has been done and the ability to report on completed tasks and implemented controls. Giving teams a way to track these efforts throughout the SDLC helps minimize the drain on development efforts.

Effective monitoring and reporting help streamline ATO certification efforts and support security assessors, who need to audit what has been done during the development cycle, assess security and compliance efforts, and determine whether the software meets requirements.

Other best practices include integration with code scanners and testing to show and validate which controls have been implemented correctly. Software developers gain efficiencies through early testing and understanding how to address security early and often.

Key Points

  • Manual processes start and end with bottlenecks. Automation and scanning are essential to improving development efforts.
  • Antiquated tools and a manual process will likely prevent a smooth ATO.
  • A commitment to shifting left liberates the software team to build faster and safer software.

Chapter Five: Achieve ATO Faster with a Modern, Agile Environment

Obtaining ATO to build software for the federal government can take months because it involves compliance with nearly 900 security controls. If teams lack knowledge or training in the use of these controls, the process can be delayed further.

Agencies seeking to accelerate their development efforts should embrace modern development approaches, including agile frameworks, DevSecOps, and:

  • Help integrate configuration, integration, and change planning across critical software platforms and development efforts, including integrating software development elements from existing issue-tracking systems (e.g., Jira) and security testing tools (e.g., Checkmarx, Fortify, Veracode).
  • Look for ways to use internal resources and time efficiently, focusing on all aspects of the modernization transformation.
  • Develop new systems without creating friction or draining resources to bring on the new approach.
  • Establish teams’ processes, roles, and responsibilities to support the agile and DevSecOps transformation.
  • Look for opportunities to adopt custom guidance and methods to embed best practices to demonstrate value quickly; focusing on early wins helps ensure adoption across the organization.
  • Allow time to define project goals, align priorities, and build meaningful stakeholder relationships by creating an honest assessment of the organization’s security culture, future goals, technology portfolio, regulatory requirements, and project priorities.
  • Plan for future staff needs, including just-in-time training, consolidating relevant content and documentation, and updating materials to stay current with compliance and regulatory changes. This plan should include a curriculum for existing employees, additions to the team, program managers, and administrators.

Moving from a traditional waterfall development process to a modern, agile DevSecOps environment helps agencies and departments ship code faster but also helps ensure developers embrace security, deliver better outcomes, and achieve ATO.

Key Points

  • The process of attaining ATO can be accelerated by modernizing its development approaches.
  • Moving from a traditional waterfall development process to a modern, agile environment ensures developers deliver better outcomes.


Complying-with-Executive-Order-14028-Software-Security-Requirements v1.1