OFFICE OF THE SECRETARY OF DEFENSE
1000 DEFENSE PENTAGON
WASHINGTON, DC 20301-1000
MEMORANDUM FOR PENTAGON LEADERSHIP, DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS
SUBJECT: Continuous Authorization To Operate (cATO)
The Risk Management Framework (RMF) establishes the continuous management of system cybersecurity risk. Current RMF implementation focuses on obtaining system authorizations (ATOs) but falls short in implementing continuous monitoring of risk once authorization has been reached. Efforts in the Department are attempting to emphasize the continuous monitoring step of RMF to allow for continuous authorization (cATO). Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces. The purpose of this memo is to provide specific guidance on the necessary steps to allow systems to operate under a cATO state.
cATO represents a challenging but necessary enhancement of our cyber risk approach to accelerate innovation while outpacing expanding cybersecurity threats. In order to achieve cATO, the Authorizing Official (AO) must be able to demonstrate three main competencies: ongoing visibility of key cybersecurity activities inside of the system boundary with robust continuous monitoring of RMF controls; the ability to conduct active cyber defense in order to respond to cyber threats in real-time; and the adoption and use of an approved DevSecOps reference design.
Continuous Monitoring (CONMON)
RMF requires a CONMON strategy for each system. This strategy describes how the System Owner, in coordination with Service Providers, will continuously monitor and assess all security controls within the information system’s security baseline, including common controls. The specific plan will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. Automated monitoring should be as near real-time as feasible. Manual controls will have different timelines associated with them and must be included in the overall monitoring strategy. It is critical that System Owners, in coordination with Service Providers, demonstrate the ability to effectively integrate the automation and monitoring of all security controls prior to entering into a Continuous Authorization To Operate status.
Systems are rarely produced or deployed as a singular system; they operate as a system of systems. The goal of a cATO is to formalize and monitor the connections across these systems of systems to deliver cyber resilient capabilities to warfighters at the speed of relevance. CONMON requires the AO to have the ability to monitor the cumulative set of security controls that span the AO's area of responsibility (AOR) to make real-time risk decisions. The AO must approve, manage, and then support an organization’s CONMON plan for all applications.
For cATO, all security controls will need to be fed into a system-level dashboard view, providing a real-time and robust mechanism for AOs to view the environment. Using this information, the AO will be better positioned to make real-time and informed risk decisions as to the threat level posed to the system. This view will also enable defensive cyber operations elements to conduct response actions based on current system posture.
Active Cyber Defense
Active cyber defense is the ability to respond to cyber threats in real or near real-time. As the Department adopts a data-centric model, so too must our cyber defenses. The focus should be on using threat-driven dashboards and metrics to establish patterns and discern threats before they are able to wreak havoc on DoD domains.
Simply conducting scans and patching does not meet the threshold for active cyber defense. Systems must be able to show a real or near real-time ability to deploy appropriate countermeasures to thwart cyber adversaries. AOs/AODRs must be in constant communication with the various cyber operational components, including Cybersecurity Service Providers (CSSP), component cyber operations forces, JFHQ-DoDIN, and United States Cyber Command. These communication channels are essential to ensuring that operations within each system boundary rapidly ingest cyber threat intelligence and take appropriate actions. These communications will also serve to share indicators that may prevent intrusions in other DoD environments.
Secure Software Supply Chain
The number of components required to build, deploy, operate, and secure modern systems continues to expand rapidly, and underlying software architectures and deployment topologies have moved well beyond a single binary installed from physical media. These advancements are too often invisible to the end-user: modern software applications are backed by an array of additional network services that include remote configuration updates, advanced data analytics, artificial intelligence (AI)-powered rulesets that update cyber defense systems automatically, etc. As the Department’s operations become increasingly dependent on software, we must ensure that this software is created in a secure, protected, and controlled environment that instills confidence in the user base that it will perform as designed. To guard against any combination of human error, supply chain interdiction, and unintended code, and to support the creation of a software bill of materials (SBOM), the adoption of an approved software platform and development pipeline(s) is critical.
To achieve a cATO, a system must embrace the DoD Enterprise DevSecOps Strategy, aligning to an approved DevSecOps Reference Design. This strategy creates a cultural change that implements the full and open agile collaboration of what have traditionally been separate disciplines. Incorporating development, security, and operations together closes gaps with baked-in safeguards and monitoring functions that span the entire software supply chain. The DevSecOps Strategy supports a "Pathway to a Reference Design" whereby new architectures can be submitted for evaluation.
If an AO determines its system provides the required real-time risk posture to achieve a cATO, the AO will notify the component CISO of the intention to move that system to a cATO status. Together the AO and component CISO will present this request and the supporting body of evidence to the DoD CISO for consideration. Systems desiring to move from a traditional ATO model to a cATO model must demonstrate:
- A complete understanding of activities inside of their AO boundary with robust continuous monitoring of RMF controls;
- The ability to conduct active cyber defense in order to respond to cyber threats in real-time;
- The adoption and use of a specific DoD Enterprise DevSecOps Reference Design.
DoD CISO-approved cATOs do not have an expiration date and will remain in effect for as long as the required real-time risk posture is maintained. The cATO determination does not affect the underlying system ATO. Rather, it modifies the requirements for re-authorizing that system’s ATO. cATOs are a privilege and represent the gold standard for cybersecurity risk management for systems. They represent a raise-the-bar effort for system risk monitoring and management.
Shortly following this memo, DoD CIO-CS will coordinate and publish guidance on the implementation and evaluation of reaching a cATO state. Published cATO guidance is intended to be agile as threats mature, so cATO evaluation criteria will also be updated to outpace the threats we face. DoD CIO will iterate with the community to ensure that guidance is up to date and commensurate with cybersecurity best practices.
The approval of a cATO does not guarantee a system will stay in that state; systems that have been granted permission to operate under a cATO may have this revoked for several reasons. These may include, but are not limited to:
- poor cybersecurity posture as identified through continuous monitoring or external assessments;
- changes in risk tolerance;
- or a cybersecurity incident resulting from poor adherence to cybersecurity practices.
A system can temporarily lose its cATO privilege without any loss of existing ATO.
Pentagon: Begins Continuous Vetting of All Troops for Insider Threats, Extremism; Social Media May Come Next
All Defense Department personnel are now subject to “continuous vetting” designed to spot extremists and other insider threats, with surveillance of their public social media postings, per Pentagon officials.
The new system will raise flags when new information arrives, such as when a DoD employee is arrested. It arrives as the department grapples with extremism among uniformed and civilian personnel. Screening troops’ and DoD employees’ social media posts for extremist views or behavior will become part of the vetting, led by the Defense Counterintelligence and Security Agency (DCSA), which stated that several pilot programs are intended to help determine how useful it might be to track social media activity in various ways.
Whether it's an event-driven look at social media, a regular continuous look at some social media, or a one-time look at social media (when individuals are investigated), there are different ways the social media search capabilities that are out there could be used. DCSA is currently analyzing how much value it thinks there is.
The department has been working to implement continuous vetting for years, as mandated almost a decade ago by executive order, following shootings at Fort Hood and Army Pfc. Bradley (now Chelsea) Manning’s 2010 arrest for passing top-secret files to Wikileaks.
The department still faces big questions about what data is useful for what outcome. Some records, such as an arrest report or an internal report from a separate security agency, lend themselves to swift action. In January, the agency received an alert that a particular person was under investigation for ties to a terrorist group. DCSA highlighted the alert as an example of what continuous vetting would allow the Department to do, and when asked, the individual was not flagged as part of the investigation.
But social media postings, even those that hint at violence or anti-government action, are much more difficult to analyze, since any threat is much more likely to be hyperbolic than literal. DCSA stated that this is part of the reason why the Defense Department wants to bring in more data and continue to fill out the picture before taking additional action.
DCSA is using contractors as a part of various pilot projects to help determine how to incorporate more information into that evaluation process. But DOD officials will retain the ultimate decision of what to do when specific cases or items of concern pop up.
The Defense Counterintelligence and Security Agency (DCSA) has selected to advance its digital transformation.
DCSA is responsible for background investigations, continuous vetting, and clearance adjudications across the federal and contractor workforce. DCSA conducts background investigations for 95 percent of the federal government, including 105 departments and agencies, and handles 70 percent of the federal government’s adjudicative determinations. It clears 12,500 industry facilities and conducts two million background investigations each year.
When consolidating its legacy Department of Defense IT systems, DCSA saw significant opportunities to accelerate its digital transformation efforts, beginning with transforming its data archives into a tightly governed AI-ready database. This proved challenging, given some of this data existed in analog and non-machine-readable formats dating back decades.
DCSA will enable implementation of an AI-powered clearance adjudication application that can integrate information from clearance applications and other data sources, including non-machine-readable formats. The AI Application Platform will also enable use of AI and machine learning (ML) pipelines to support analyst workflows, expediting the adjudication of clearances. DCSA plans to leverage these capabilities to support its continuous evaluation of clearances.
Improve Security Posture with Continuous Diagnostic and Mitigation (CDM) Adoption
Federal agencies spend significant resources collecting data to satisfy the CDM Security Capability. CDM mandates that agencies continually monitor hardware and software assets, as well as manage configuration settings and vulnerabilities. By connecting to your existing security and IT tools, CDM tools discover managed and unmanaged assets, enabling federal security teams to validate security controls, find vulnerabilities and misconfigurations, and automatically enforce policies.
Trends in Asset Visibility
Seventy-four percent of DoD IT and security leaders say they have a gap between what they can easily see about their end-user devices and what they would like to see. Organizations with better asset visibility, meanwhile, experience up to 50% fewer incidents.
Comprehensive asset visibility supports Zero Trust efforts, makes incident response easier, and reduces manual work on your security team. While policies, standards, and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build from those documents:
- Risk management
- Vulnerability management
- Incident response & crisis management
- Supply chain risk/vendors/third-party management
- Privacy & secure engineering
Agencies are rolling out aspects of the Continuous Diagnostics and Mitigation (CDM) Program with varying degrees of speed and success, but the inherent benefits of the program are not being questioned.
Tuesday’s Congressional hearing on CDM provided a glimpse of both sides of the spectrum: agencies that are already reaping cybersecurity gains, and those that have encountered logistical challenges in their rollouts. Regardless of where agencies sit in enacting CDM’s phases, there seems to be agreement that the tools are aiding agency security prerogatives.
CDM aims to make network visibility and control a standard for all agencies; too many agency IT leaders do not have a good picture of what’s on their network. The CDM program manager at the Department of Homeland Security pointed out a noteworthy statistic: findings indicate a 75 percent increase in the total number of assets agencies have on their networks once automated tools were put into the environment.
With greater knowledge of what’s connected, the National Protection and Programs Directorate (NPPD) at DHS has more confidence in managing threats, compared to the previous system of agency self-reporting.
CDM is changing this model, enabling NPPD to immediately view the prevalence of a given software product or vulnerability across the federal government; the real key is to move from a reactive stance to a proactive stance.
In addition to giving DHS the monitoring tools to serve as an effective agency watchdog, Continuous Diagnostics and Mitigation is also inspiring confidence in the top dogs at the agencies themselves. The CIO at the Office of Personnel Management (OPM) is very confident the agency knows who and what is on its networks; while one can never get to 100 percent, the CIO is as confident as can be in the defenses that have been put in place, a large portion of which has been hand-in-glove with the CDM program.
The massive OPM breach in 2015 that compromised millions of Federal worker records put the impetus on the agency to make radical changes to its network permissions, architecture, and defense platform. That crisis really did initiate a bit of a culture change. OPM now has 100% PIV authentication for network access and micro-segmentation in place; nobody gets onto OPM’s networks unless the agency knows they are on.
OPM was lauded for the quick turnaround, and its Continuous Diagnostics and Mitigation rollout of network sensors and agency dashboards has provided myriad benefits. OPM can now see across the spectrum which items require patches, which operating systems are at end-of-life, and the progress made with its patch updates.
The hearing also gave notice that the adoption of CDM might be more complicated for some agencies. The CIO at the Department of Energy (DoE) was candid in acknowledging his agency’s shortfalls. He indicated they are behind because they have focused on a very small part of the department, so the footprint where they have CDM installed is limited at this point.
Expecting the same progress on CDM from all agencies might be a tough ask for an agency like DoE, with its industrial control systems and complex networks. But the hearing called attention to the vital national security interest of securing the power grid run by those systems. Thankfully, there are avenues to make a change. The DoE CIO stated he is empowered to make the investments necessary to actualize CDM goals. He reports directly to the secretary and deputy secretary, in keeping with FITARA efforts to promote CIO empowerment. DoE has made cybersecurity a priority not only for its internal networks but also in its role as a sector-specific agency to the energy sector.
DHS is clearly aware that implementations vary and needs can change quickly. Agencies can execute different tasks in parallel, for example, working on phase three or four, while at the same time adding a tool or process into phase one or two.
DHS meets evolving procurement needs with long-term task orders of five to six years. An integrator can meet DHS requests for different types of technologies more quickly than if a new contract had to be re-competed each time.
The recognition that getting agencies’ network protection through all four phases of CDM will require guidance and oversight is shared by appropriators, it seems, because DHS is footing the bill.
DHS will fund the foundational year of the licensing plus the first maintenance year, and will then transition the maintenance of those tools over to the agencies, acknowledging the guiding hand of DHS in early CDM adoption. In those first two years, DHS will also provide integration support to help with the deployment of those CDM tools. So while the task may be taller for some agencies, the tools and support are in place to tackle the wide range of their needs.