Accelerating the ATO process with a platform approach

In our previous posts on building and managing technology platforms, we’ve focused on the experience of the developers who use them.

Successful platforms are built with developer enablement in mind. They provide a clear separation of responsibility between the team working on a software solution and the team managing the platform it runs on. This enables software teams to focus their efforts on meeting the needs of real users, rather than splitting their time across tasks that may be incidental to delivering a finished digital solution.

But software development teams are not the only audience for well-designed and well-managed platforms. There are other groups within federal agencies that have a stake in how people use platforms. These teams can directly influence if, how, and when digital solutions are deployed for use by the people who need them.

For example, Authorizing Officials (those specifically empowered to approve the operation of digital solutions by federal agencies) and other government security personnel may be less visible, but they are critically important “consumers” of well-run technology platforms. An efficient platform can accelerate their security approval process, thereby also speeding up the delivery of critical digital services to the public.

Building compliance into a platform

Every digital system deployed by a federal agency is required to meet Federal Information Security Modernization Act (FISMA) standards, which include system authorization and an Authority to Operate (ATO) signed by an Authorizing Official (AO). The process to obtain an ATO for an agency solution is usually labor- and time-intensive and can have a direct impact on when a solution is deployed to users.

Preparing for and manually submitting an ATO for the first time is incredibly intensive. It requires writing multiple lengthy documents and responses to security controls that must meet the governing agency’s specific criteria. This authorization package includes validating software versions, ensuring security controls are in place, designing system security plans, validating contingency plans, and executing them. Then, organizations within the governing agency must review the authorization package to ensure that the documentation addresses any additional key concerns.

— Eric Isbell, Using a continuous ATO for better compliance and real-time data

Software development teams working on a digital solution will typically work with an Information Security Systems Officer (ISSO), who reports to an agency’s AO or other technology security leadership. Software teams will work with this ISSO to assess a digital solution’s security posture and assemble an authorization package that the AO will (hopefully) approve.

Just as a well-designed and well-managed platform accelerates the process for software teams to research, build, and test a new digital solution, a good platform can also accelerate the process by which an ISSO reviews and helps approve an ATO for that solution. Platforms can do this in three different ways.

Use inherited security controls

First, platforms can be (and often are) designed to implement security controls in such a way that they are “inheritable” by the solutions built on top of them. This means that software teams that leverage these platforms may not need to independently implement specific features to address controls if the platform has already implemented them. This separation of responsibility not only speeds up development time by reducing unneeded complexity in a solution to address security controls, it also speeds up the review and approval of that solution for ATO purposes.

For example, a technology platform may be designed to provide out-of-the-box monitoring and alerting features for applications that run on it. This can satisfy the specific security controls that require solutions to have these features. Since the platform already provides these features, independent solutions that run on top of the platform don’t need to separately implement monitoring and alerting approaches. The platform takes care of this requirement, and independent solutions can inherit it for ATO purposes.

Reuse existing work

Beyond explicitly inheritable controls, platforms can also provide an opportunity for ISSOs and other security officials to leverage previously granted ATOs for services running on a platform. Say, for example, that a software team implements a digital solution on a platform that enables that solution to inherit up to half of the required controls needed for an ATO. The way in which that team implements the remaining controls may be replicated for other teams using the same platform. Different teams using the same platform may be able to implement features to meet specific security controls in the same way; once one team does it, that knowledge can be shared with other teams. ISSOs can act as the critical bridge between these different teams, using the commonality of the platform as a way to reuse previously existing work to speed the ATO process.
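The two mechanisms just described, inheriting controls from the platform and reusing another team's already-authorized implementation on the same platform, can be captured as a small responsibility-matrix calculation. The following is an added example written for this post, not code from 18F, TTS, or any real platform. The platform, its coverage table, the teams, and the prior implementations are all hypothetical; the control identifiers are real NIST SP 800-53 control IDs, but the sample baseline is a constructed slice, not an actual FISMA baseline.

```python
"""Responsibility matrix for a solution built on a shared platform (hypothetical example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data, not from the post: a small slice of a NIST SP 800-53 baseline.
REQUIRED_BASELINE = ["AC-2", "AU-2", "AU-6", "CP-9", "IA-2", "SC-7", "SI-4"]

# What the hypothetical platform documents for each control it touches.
# "inherited": the platform fully satisfies the control for every tenant solution.
# "shared":    the platform covers part of it; the solution team owns the remainder.
# Controls not listed here are entirely the solution team's responsibility.
PLATFORM_COVERAGE = {
    "AU-2": "inherited",   # audit event logging provided by the platform
    "SI-4": "inherited",   # monitoring and alerting, the post's own example
    "SC-7": "inherited",   # network boundary protection
    "CP-9": "shared",      # platform backs up infrastructure; tenant backs up its data
    "AC-2": "shared",      # platform manages platform accounts; tenant manages app accounts
}

# Implementations already authorized on this same platform by an earlier (hypothetical) team.
# An ISSO can point a later team at these instead of having it start from scratch.
PRIOR_IMPLEMENTATIONS = {
    "IA-2": {"team": "team-alpha", "summary": "MFA through the agency SSO provider"},
    "CP-9": {"team": "team-alpha", "summary": "Nightly export of app data to platform storage"},
}


@dataclass
class ResponsibilityMatrix:
    inherited: List[str] = field(default_factory=list)        # nothing for the team to build
    shared: List[str] = field(default_factory=list)           # team builds its portion
    customer: List[str] = field(default_factory=list)         # team builds in full
    reusable: Dict[str, dict] = field(default_factory=dict)   # prior work the team can adapt

    def team_owned(self) -> List[str]:
        """Controls the solution team must write an implementation statement for."""
        return self.shared + self.customer


def build_matrix(baseline, coverage, prior) -> ResponsibilityMatrix:
    """Split a required baseline into inherited, shared, and team-owned controls, then flag
    team-owned controls that already have an authorized implementation on this platform."""
    matrix = ResponsibilityMatrix()
    for control in baseline:
        status = coverage.get(control)
        if status is None:
            matrix.customer.append(control)
        elif status == "inherited":
            matrix.inherited.append(control)
        elif status == "shared":
            matrix.shared.append(control)
        else:
            # A platform claiming an undefined status is a documentation error, not a free pass.
            raise ValueError(f"unknown coverage status {status!r} for {control}")
    for control in matrix.team_owned():
        if control in prior:
            matrix.reusable[control] = prior[control]
    return matrix


def inherited_fraction(matrix: ResponsibilityMatrix) -> float:
    """Share of the baseline the team inherits outright (0.0 when the baseline is empty)."""
    total = len(matrix.inherited) + len(matrix.team_owned())
    return len(matrix.inherited) / total if total else 0.0


def render(matrix: ResponsibilityMatrix) -> str:
    """Plain-text summary an ISSO could drop into an authorization package working note."""
    def fmt(ids):
        return ", ".join(ids) or "none"
    lines = [
        f"Inherited from platform : {fmt(matrix.inherited)}",
        f"Shared with platform    : {fmt(matrix.shared)}",
        f"Solution team only      : {fmt(matrix.customer)}",
    ]
    for control, impl in matrix.reusable.items():
        lines.append(f"  reuse candidate {control}: {impl['summary']} (authorized for {impl['team']})")
    lines.append(f"Inherited share of baseline: {inherited_fraction(matrix):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(REQUIRED_BASELINE, PLATFORM_COVERAGE, PRIOR_IMPLEMENTATIONS)))
```

With the constructed data, three of seven controls are inherited, two are shared, and two fall entirely to the team; of the four team-owned controls, two (CP-9 and IA-2) already have an authorized implementation from the earlier team that the ISSO can offer as a starting point. The `ValueError` branch is deliberate: a platform's coverage claims are themselves part of what the AO relies on, so an unrecognized status should stop the calculation rather than be silently treated as inherited.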

Share platforms and common components

Finally, and maybe most importantly, platforms shared among multiple development teams can foster familiarity among ISSOs with the features of that platform. And though the notion of “familiarity” may feel hard to quantify, experience suggests that it can have a significant, measurable impact on the time required for the ATO process. The General Services Administration’s Technology Transformation Services looked at this issue a few years ago and found that the use of shared platforms and common technology components by different project teams can significantly reduce the amount of time required to obtain an ATO.

Additional carrots and sticks

Being intentional about designing a technology platform and a governance strategy for how that platform is used can enable development teams to more quickly research, test, and build new digital solutions. But this approach can also apply to how a platform is leveraged by ISSOs and other security personnel within federal agencies.

As we discussed in one of our previous posts, successful platform governance requires building a set of “carrots and sticks.” The objective of this incentive structure is to make the right way of designing and building a digital solution the easiest way. FISMA requirements can be a powerful stick influencing how digital solutions get implemented because they carry the weight of law. The inheritable controls and other ATO accelerators of well-designed platforms discussed here can go a long way toward providing the additional carrots needed to speed delivery of important digital services.

Beyond platforms

Embracing a platform approach is one way to speed the ATO process. But there are other strategies that can make the ATO process more efficient as well, including a continuous ATO approach. Where platforms can be designed to reduce the number of security controls that a software development team needs to implement, a continuous ATO approach can make documenting the remaining controls simpler and more efficient.

These approaches are not mutually exclusive and can be used together to reduce the time it takes to build and deploy critical digital services. ATOs are not fun, but they play a critical role in a federal agency delivering a digital service.

With foresight and planning that employs these strategies, we can help agencies lower barriers and more efficiently deliver important services to the public.