The American Council for Technology-Industry Advisory Council is calling for the adoption of Open Security Controls Assessment Language, or OSCAL, an open standard framework for automating the authority to operate risk assessment processes for software systems, Federal News Network reported Monday.
ATO-as-Code Maturity Model
In a white paper, ACT-IAC presented a five-level operational maturity model designed to help organizations adopt and scale OSCAL and implement ATO-as-code. The paper noted that the model requires market advancement of security tools and capabilities.
Dan Jacobs, the cloud portfolio manager at the Office of Personnel Management and member of the ACT-IAC Cybersecurity Community of Interest ATO-as-code project team, said the model informs organizations of the step-by-step actions needed to achieve a fully automated ATO risk management process.
Organizations committed to adopting OSCAL must integrate the automated process into their acquisition cycle in a way that ensures vendors support the new method, which should involve an OSCAL-ready governance, risk and compliance tool, Jacobs added.
OPM’s ATO-as-Code Adoption
OPM has begun implementing the ATO-as-code strategy. According to the cloud portfolio manager, the open standard will enable the agency to assure its federal government customers that the data collected from logging, continuous integration and continuous delivery pipelines, cloud-based application programming interfaces and other tools is handled securely.
ATO-as-code will also support OPM’s development of an integrated risk management and enterprise risk management function. “We recognize we cannot do that using manual means,” Jacobs explained. “It must be automated and that automation is not going to happen through proprietary systems because our customers are the entire federal government and any proprietary solution simply is not going to work.”