Automating the ATO
- By Sara Friedman
- May 25, 2018
When Greg Elin worked at the Federal Communications Commission as chief data officer, he was frustrated by how long it took to get applications and services approved for agency use. In 2014 he left his job and founded GovReady, a public benefit corporation that offers an open-source toolkit to help automate the security compliance process.
GovReady found the biggest problems came from the “sheer amount of documentation” that agencies must provide in their system security plans to get an authority to operate. After a series of experiments to determine how agencies created their SSPs, GovReady worked with developers to create component-centric guidance and build apps that map system components to compliance controls and include compliance documentation. When users select apps to build their systems from the GovReady-Q Compliance Server, their SSP automatically populates.
“We came up with different explanations of what is like to go through the ATO and developed diagrams and representations of the process,” Elin told GCN. “We shared those with various parties and looked for levels of agreement and set up the maps in comparison with the [Risk Management Framework] to determine the biggest problems.”
The company’s early work was supported by a $1.1 million grant from the Department of Homeland Security’s Science and Technology Directorate in March 2016.
“When it comes to the certification and accreditation, we want to look into how technology can be preconfigured or preloaded with requirements that are necessary,” Vincent Sritapan, program manager for S&T’s Cyber Security Division, told GCN. “We want to be able to automate and streamline the ATO process so every three years the process can be reduced.”
GovReady recently completed a proof of concept with the DHS Office of the CTO that showed how scanning and automatically updating SSPs could be conducted as part of a continuous integration pipeline.
S&T plans to award another contract to GovReady to integrate its platform into existing agency systems and accelerate the ATO process for other government agencies.
“For me, the ATO process is the primary constraint of modernizing, delivering services and incorporating innovation into government,” Elin said. “If we are able to accelerate the ATO process, then we could accelerate modernization and the rightsizing of the federal government.”
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.