Faster innovation with automated ATOs
Agencies need smarter, faster ways to get authority to operate, according to a top IT advisor at the Department of Health and Human Services.
When hackers are wielding sophisticated exploits enabled by artificial intelligence, agencies can’t be armed simply “with spreadsheets or Word documents,” said Oki Mek, a top IT advisor at the Department of Health and Human Services. “You're going to lose that battle.”
Now with the expanded attack surface resulting from the remote work environment, more flexible, quicker methods of getting systems authority to operate (ATO) are more critical than ever, he said.
As one of the agencies at the center of the federal government's response to the COVID pandemic, HHS is "getting hit hard" by attackers attempting to penetrate its networks, Mek said. Additionally, hackers and bad actors are leveraging AI to see how network users are interacting with infrastructure and systems.
One area where AI and machine learning technology can provide a targeted lift for federal IT systems is speeding up the processes to obtain mandatory ATO certifications, Mek said in remarks at an Oct. 14 webinar sponsored by the Institute of Critical Infrastructure Technology.
Leveraging machine learning and AI to automate the ATO process can shorten review of hundreds of security controls on a system and provide an assessment in hours or days, rather than months, Mek said.
Automated ATOs, he said, could follow the same model as popular commercial machine learning and AI-based tax filing software. That software draws on previous year’s data.
For an automated ATO process, the software can ask basic questions, such as, “Are you building a new system, moving to the cloud, or making changes to the system?” By asking a series of questions, Mek said, that common information can automatically fill in parts of the ATO system security plan.
IT systems operators could also develop a machine learning "confidence score" for cybersecurity.
"When you assess a system for an ATO, there are about 500 to 600 security controls. You could run machine learning against each requirement," he said. A system owner would use machine learning to compare requirements and policies against the agency's implementation statement to produce a confidence score. If the score is below 50%, then the owner should try again, he said.
An auditor's ATO assessment process, which can take up to two months, could be shortened to a week or two depending on the score, according to Mek. The automation would also allow the ATO process to become mostly continuous, providing more timely cybersecurity, he said.
This article was first posted to FCW, a sibling site to GCN.