Katie Arrington, acting chief information officer at the Department of Defense and a Wash100 Award winner, is keen on automating and applying artificial intelligence to accelerate the process of granting an authority to operate, or ATO, to software for integration into Pentagon networks.
The official said at the Billington Cybersecurity Summit, as reported by Breaking Defense, that taxpayers pay for ATO, which is why she wants to use advanced tools to accelerate the process and cut associated costs.
Table of Contents
Government Looks to Automation, AI to Streamline ATO
Other government leaders at the event discussed how their respective organizations are implementing technologies to enhance the ATO process.
Dave Raley, who leads a team called Operation Stormbreaker at Marine Corps Community Services, shared that automation is already improving the process of granting an ATO. He shared that the Marine Corps’ Authorizing Officer approves an ATO package within 24 hours, whereas, traditionally, the process would take much longer.
Doug Cossa, the intelligence community CIO, revealed that the IC has an “espresso ATO” or “the minimum set of controls” software needs to have in place to automatically get an authorization.
“Right now, while we define those, it’s a manual process,” he added. “We’re looking to automate that evaluation … over the next year.”
More Than Just Technology
Dave McKeown, the Pentagon’s chief information security officer and a two-time Wash100 awardee, explained that vendors who want to speed up the process and get their products approved for use at the DOD need to submit a software bill of materials and provide proof of Secure Software Development Framework compliance. The documentation would enable AI to check the cybersecurity soundness of a software and grant authority, he said.
Moreover, McKeown divulged that defense leaders plan to overhaul the Risk Management Framework, or RMF. While he said the DOD is not getting rid of RMF, the framework will be modified to shift focus from “compliance and checklists and humans to cybersecurity and cyber survivability and automation.”
Related Articles
The U.S. Army’s Communications-Electronics Command Software Engineering Center, or CECOM SEC, and the U.S. Military Academy at West Point have collaborated to evaluate the feasibility of the CECOM SEC-developed mapping between zero trust and the Pentagon’s Risk Management Framework, or RMF. The Army said Thursday the testing sought to collect feedback on the mapping’s application. Zero trust is a modern cybersecurity framework built on the “never trust, always verify” principle. RMF is a systematic structure that authorizes and manages risk in the Department of War’s systems. Helping West Point Enhance Zero Trust Posture According to the Army, the mapping developed
The Federal Acquisition Regulatory Council on Thursday issued new model deviation text for four parts of the FAR as part of the Revolutionary FAR Overhaul, or RFO, initiative. In April, President Donald Trump signed an executive order directing his administration to amend FAR to streamline the federal procurement process and eliminate barriers to doing business with the government. The FAR Council released new text for Part 3 – Improper Business Practices and Personal Conflicts of Interest; Part 17 – Special Contracting Methods; Part 27 – Patents, Data, and Copyrights; and Part 45 – Government Property. These parts are open for
MITRE has released a report highlighting the need for the defense acquisition system, or DAS, to be more warfighter-centric to facilitate the delivery of capabilities that keep pace with the rapidly evolving battlefield conditions. The nonprofit corporation said Friday uniformed engineers and scientists should have sufficient acquisition training and authorities to rapidly innovate and address emerging problems at the tactical edge. Extreme Product Ownership MITRE cited U.S. Special Operations Command’s adoption of “Extreme Product Ownership,” an agile approach that focuses on users and value to reduce risks to development and combat operations. In the report, MITRE mentioned the 160 Special