The Department of Defense (DoD) is giving defense agencies fresh direction on achieving continuous authorization for DevSecOps platforms.
The DoD Chief Information Officer (CIO) on April 11 released the DevSecOps Continuous Authorization Implementation Guide which seeks to guide defense agencies to achieve continuous authorization (cATO) to operate DevSecOps platforms and other applications produced by a software factory as part of efforts to counter cyber threats.
For defense agencies to deliver new features rapidly, they need an authorization process that keeps pace with continuous change for a developing capability — a cATO. Many defense agencies have identified obtaining a “authorization to operate” as the longest step in developing and deploying software.
“An organization with a cATO is allowed to continuously assess and deploy subsystems that meet the risk tolerances for use within a system authorization boundary,” the document reads.
A cATO assessment ensures a “software factory includes a holistic set of information to enable continuous risk analysis against agreed-to risk tolerances, feedback from cyber operations on unexpected changes in incident analysis, security configurations and other factors and continuous security posture and risk reporting,” the guidance states.
To achieve cATO, authorizing officials must demonstrate three competencies: continuous monitoring of risk management framework controls, active cyber defense, and use of an approved DevSecOps reference design for a software factory with a secure software supply chain.
Additionally, systems seeking a cATO must have already achieved authorization and have entered the Risk Management Framework monitor stage.
In addition, the cATO memo calls out the need for a Secure Software Supply Chain (SSSC) “to prevent any combination of human errors, supply chain interdictions, unintended code, and support the creation of a software bill of materials (SBOM), the adoption of an approved software platform and development pipeline(s) are critical,” the document reads.
