Why? The Need for cATO
The DevOps Research and Assessment (DORA) organization has nearly a decade of research showing that there is no tradeoff between speed and stability, or between speed and security, in high-performing software organizations. In fact, both stability and security are positively correlated with speed. In other words, organizations with high software delivery performance experience a virtuous cycle between speed and security.
The True Cost of Delay
At the same time, both our citizens and our soldiers are paying the price of an immense cost of delay imposed by the way we currently approach the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and obtaining Authorization to Operate (ATO). Unlike the commercial sector, in government the cost of delay is often measured in lives. Our security and privacy risk management processes are creating downstream risk to operations. The delay of capability to the battlefield, the operating table, and even in the distribution of government benefits is literally killing people.
Continuous Delivery as a Risk Mitigation
But aren’t we doing Agile now? It has become popular to adopt the rhetoric of Agile Software Development in the Federal government; however, it is rarely executed. This is evidenced by the first principle of the Manifesto for Agile Software Development, which states, “Our highest priority is to satisfy customers through early and continuous delivery of valuable software.” That is to say, if delivery is not early and continuous, then ‘agile’ clearly has not manifested. When we say continuous delivery, we mean it.
In their book Continuous Delivery, Dave Farley and Jez Humble define continuous delivery as, “The ability to get changes, features, configuration changes, bug fixes, experiments into production safely and quickly in a sustainable way.” In this way, continuous delivery becomes an exercise in risk reduction, not only of security and privacy risk but especially of operational risk. To realize this benefit, production cannot be an arbitrary designation; production is the setting where software is put into operation for its intended uses by end users. Getting to such a production environment in the Federal government requires an ATO within the RMF. Continuously delivering to production would require a continuous ATO, which in turn would require continuous application of the RMF. Thankfully, this can be accomplished within existing laws and NIST guidelines.
Improve security posture and lower risk
- Reduce the number of security defects through threat analysis and secure coding practices
- Continuously detect and remediate application vulnerabilities quickly via the Secure Release Pipeline
- Cybersecurity and vulnerability education is available to application development teams simply by utilizing the secure release pipeline
Increase transparency and trust
- Default access to all body-of-evidence artifacts throughout the software development life cycle (i.e. source code, documents, diagrams) for security control assessors and cybersecurity personnel, to support continuous monitoring (e.g. assessment and evaluation)
- Incrementally automating risk assessment via secure release pipelines
Reduce costs & increase delivery of value to organizations and end-users
- Reducing the number of security defects and risks
- Leveraging a cloud environment
- Shipping software can be accomplished in hours or days, instead of weeks, months or even years
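The bullets above describe what a secure release pipeline contributes to cATO (automated risk assessment, continuous vulnerability detection, and a body of evidence that assessors can reach by default) without showing what one such pipeline stage looks like. The following is an added illustration, not code from the original page or from any particular program: a minimal release gate that evaluates scanner findings against an explicit risk policy and writes a hashed evidence record for continuous monitoring. The finding format, the severity bands, the policy thresholds, the artifact names and every identifier in the sample data are assumptions constructed for this example.

```python
"""
Added example (not from the original page): a minimal secure-release-pipeline
gate that (1) evaluates vulnerability findings against an explicit risk policy
and (2) records a body-of-evidence manifest that control assessors can review
during continuous monitoring. Finding format, policy thresholds and artifact
names are assumptions made for this illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed severity ordering; real scanners use CVSS bands or their own labels.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Policy:
    """Assumed policy: block on any finding at or above `block_at`, unless the
    finding id appears in `accepted` (a documented risk acceptance)."""
    block_at: str = "high"
    accepted: set = field(default_factory=set)


def evaluate(findings, policy):
    """Return (allowed, blocking) where blocking lists the findings that stop
    promotion to production. Accepted risks are recorded but do not block."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"].lower()] >= threshold
        and f["id"] not in policy.accepted
    ]
    return (len(blocking) == 0, blocking)


def evidence_manifest(artifacts, findings, policy, allowed, blocking):
    """Build a JSON-serialisable evidence record: the hash of every artifact
    that fed the decision, the findings, the policy applied and the outcome.
    Hashing lets an assessor later verify the reviewed artifacts are unchanged."""
    hashed = {
        name: hashlib.sha256(content).hexdigest()
        for name, content in sorted(artifacts.items())
    }
    record = {
        "artifacts": hashed,
        "policy": {"block_at": policy.block_at, "accepted": sorted(policy.accepted)},
        "findings": sorted(findings, key=lambda f: f["id"]),
        "decision": "promote" if allowed else "block",
        "blocking_ids": sorted(f["id"] for f in blocking),
    }
    # Self-hash so the record can be referenced from a later assessment.
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()
    ).hexdigest()
    return record


def run_gate(artifacts, findings, policy):
    """One pipeline stage: decide, then emit the evidence record."""
    allowed, blocking = evaluate(findings, policy)
    return evidence_manifest(artifacts, findings, policy, allowed, blocking)


# Constructed sample inputs (not real scanner output or real identifiers).
SAMPLE_ARTIFACTS = {
    "sbom.json": b'{"components": ["example-lib 1.2.3"]}',
    "scan-report.json": b'{"tool": "example-scanner", "results": 3}',
}
SAMPLE_FINDINGS = [
    {"id": "FINDING-001", "severity": "critical", "component": "example-lib"},
    {"id": "FINDING-002", "severity": "high", "component": "example-lib"},
    {"id": "FINDING-003", "severity": "low", "component": "example-cli"},
]

if __name__ == "__main__":
    # First run: two findings exceed the threshold, so the release is blocked.
    strict = run_gate(SAMPLE_ARTIFACTS, SAMPLE_FINDINGS, Policy())
    print(json.dumps(strict, indent=2))
    # Second run: FINDING-002 carries a documented risk acceptance, so only the
    # critical finding still blocks promotion.
    accepted = run_gate(SAMPLE_ARTIFACTS, SAMPLE_FINDINGS,
                        Policy(accepted={"FINDING-002"}))
    print(accepted["decision"], accepted["blocking_ids"])
```

The design point is that the policy and the risk acceptances are data that travel with the evidence record, so an assessor sees not just "the gate passed" but which artifacts were examined, which rule was applied and which residual risks were consciously accepted, which is what continuous monitoring under the RMF needs from a pipeline.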
What's Really at Stake
In the digital era, both the warfighting domain and policy domain are digital. Both demand the early and continuous delivery of valuable software:
- We cannot afford to be disrupted on the battlefield–our democracy will be toppled from without.
- We cannot afford to fail to deliver on promises to our citizens–our democracy will be toppled from within.
The early and continuous delivery of software requires continuous ATO. Why do we need that? Because our democracy hangs in the balance.