For the last several years, Defense agencies and military services have dabbled with reforms to their IT security approvals process that acknowledge the realities of modern software development and cyber threats. The general idea is that the old way of doing things, a point-in-time grant of an Authority to Operate (ATO), takes too long, and might have lost its relevance before the system actually gets up and running anyway.

The “continuous ATOs” (cATOs) that have taken their place in some quarters of the DoD IT development community now have the full attention of the office of the DoD chief information officer. In a new memo, the Pentagon said it wants to make them the “gold standard” for cybersecurity across the department, while also bringing more commonality to how Defense organizations use them.

The Defense components that have moved to continuous ATO models see at least two big benefits. For one, the emphasis on continuous monitoring, instead of rigorous, single-point-in-time security exams, means new software and systems can get online much more quickly. But the general belief is the approach also does a much better job of assessing cybersecurity in the real world, since the authorizations are based on current threats and vulnerabilities, not what the state of cybersecurity happened to be months or years ago, when an authorizing official finally gave a particular system a green light.

A new memo from the DoD CIO’s office is focused on that second benefit, the continuous monitoring aspects of the NIST Risk Management Framework. To get a cATO endorsed by the DoD CIO, system owners will also need to show they’re capable of defending their systems in real time, and that they have a secure software supply chain.

One overarching goal is to make sure everyone who uses the term “continuous ATO” is speaking the same language, said Jason Weiss, DoD’s chief software officer. “What we’ve had in the past was different program elements, different services, using that term in different ways, and it’s created some confusion,” he told reporters last week.