The Department of Defense’s Office of the Chief Information Officer has released a document meant to serve as guidance for defense agencies seeking to achieve continuous authorization, or cATO, to operate for DevSecOps platforms and other applications produced by a software factory as part of efforts to counter cyberthreats.
The DevSecOps Continuous Authorization Implementation Guide states that the authorizing official should demonstrate three competencies to reach cATO: continuous monitoring of risk management framework controls, active cyber defense and use of an approved DevSecOps reference design for a software factory with a secure software supply chain.
A cATO assessment ensures the software factory includes a holistic set of information to enable continuous risk analysis against agreed-to risk tolerances, feedback from cyber operations on unexpected changes in incident analysis, security configurations and other factors and continuous security posture and risk reporting, according to the document that was cleared for publication Thursday.
The guidance has classified key practices into three categories: DevSecOps platform, cATO process and DevSecOps team or people.
For instance, several cATO practices apply with regard to the DevSecOps platform, including the use of a cybersecurity service provider for monitoring the system single authorization boundary for malicious threat actor actions, development of a continuous monitoring strategy and use of security automation for tracking the application security posture within the production system.
In February 2022, the Pentagon issued a memorandum providing guidance on the necessary steps to do to allow systems to operate under a cATO state.
Register here to join the Potomac Officers Club’s 5th Annual CIO Summit on April 17 and learn more about the latest modernization strategies and how industry can help meet the priorities of federal CIOs.
