Evaluating cybersecurity risk

Faster innovation with automated ATOs

When hackers are wielding sophisticated exploits enabled by artificial intelligence, agencies can’t be armed simply “with spreadsheets or Word documents,” said Oki Mek, a top IT advisor at the Department of Health and Human Services. “You're going to lose that battle.”

Now with the expanded attack surface resulting from the remote work environment, more flexible, quicker methods of getting systems authority to operate (ATO) are more critical than ever, he said.

As one of the agencies at the center of the federal government's response to the COVID pandemic, HHS is "getting hit hard" by attackers attempting to penetrate its networks, Mek said. Additionally, hackers and bad actors are leveraging AI to see how network users are interacting with infrastructure and systems.

One area where AI and machine learning technology can provide a targeted lift for federal IT systems is speeding up the processes to obtain mandatory ATO certifications, Mek said in remarks at an Oct. 14 webinar sponsored by the Institute of Critical Infrastructure Technology.

Leveraging machine learning and AI to automate the ATO process can shorten review of hundreds of security controls on a system and provide an assessment in hours or days, rather than months, Mek said.

Automated ATOs, he said, could follow the same model as popular commercial machine learning and AI-based tax filing software, which draws on the previous year’s data.

For an automated ATO process, the software can ask basic questions, such as, “Are you building a new system, moving to the cloud, or making changes to the system?” By asking a series of questions, Mek said, that common information can automatically fill in parts of the ATO system security plan.

IT systems operators could also develop a machine learning "confidence score" for cybersecurity.

"When you assess a system for an ATO, there are about 500 to 600 security controls. You could run machine learning against each requirement," he said. A system owner would use machine learning to compare requirements and policies against the agency's implementation statement to produce a confidence score. If the score is below 50%, then the owner should try again, he said.

An auditor's ATO assessment process, which can take up to two months, could be shortened to a week or two depending on the score, according to Mek. The automation would also allow the ATO process to become mostly continuous, providing more timely cybersecurity, he said.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.


