18F Thinks Security Authorizations Should Be Agile Too


The government’s digital consultants are working with agencies to develop an iterative process for certifying the security of new IT systems.

It’s said business eats cybersecurity for breakfast. But when it comes to agile development, security is integral to the process, and that means security has to be agile, as well.

Federal agencies have been embracing a shift to agile development methodologies—releasing projects in stages to get user feedback and rectify bugs early in the process and continuing to iterate and improve over time. But security is often a far less agile process, particularly when it comes to getting an authority to operate, or ATO—an arduous process that can stall deployment of even small-scale systems.

The developers at 18F—an internal digital advisory group based out of the General Services Administration—are taking this challenge head-on, developing an agile ATO process for agencies that puts the security work up front, rather than at the tail end of a project.

“Something that has been very, very difficult for us is to work with the security teams at agencies to work in an iterative way,” said Michael Torres, director of product at 18F. “What we’re used to seeing is the ATO—authority to operate—not being granted until the very end of the project. What we try to do is at the very beginning of the project, the first few weeks, we get an ATO. And then every piece after that, we increment that ATO so it covers more and more of the system.”

That initial ATO can be a small mountain to climb—it includes the initial product plus the underlying infrastructure and third-party support systems—but still much easier to summit than the full process. This is especially true if the security team is not included in the conversation until the very end.

“It’s been a huge cultural shift for a lot of the security offices at agencies but it is possible,” Torres told Nextgov after speaking at the Forrester CXDC event on May 31. “I think that there’s a tendency because security has always been left to the end and because security people have been burned so many times, I think they, rightly so, are pretty shell-shocked when dealing with a new technology. So, they want to cover all of their bases initially so that they don’t have to worry about it.”

As with the rest of the development process, 18F is trying to change that mentality.

“What we’re advocating is to help them and help the program team just focus on this small piece that we’re releasing so that we can make sure that that’s secure and also put in processes and maybe some infrastructure to make sure the next time we release there’s a process for an iterative ATO that doesn’t take as much time and is not as daunting,” Torres said.

The ATO process is notoriously slow, as it requires reams of documentation and an authorized third-party assessment organization, or 3PAO, to validate the security posture of a system. The Federal Risk and Authorization Management Program, or FedRAMP—the program that oversees the process, grants provisional ATOs for cloud services and validates agency-issued ATOs—has been working to streamline the process, which can take many months and millions of dollars.

“As soon as you have an MVP, or minimum viable product, that has some real value for users that you want to test, that’s when you should get your ATO,” Torres said.

Product development cannot truly be agile without that security component, he said, as developers aren’t able to get the product into the hands of real users until a security layer is in place. Without that real-world feedback, developers can’t truly apply the user-centered design tactics that make the agile process so valuable.

“You can be agile all the way up to beta” without including security, he said. “And then when you’re finally releasing at beta, you’ve basically done a waterfall release because you haven’t shown it to users until the very end and you haven’t actually been using production data.”

“The ATO process can work in a variety of ways, and can effectively be implemented in an agile manner during the development of a system,” FedRAMP Director Matt Goodrich told Nextgov. However, that approach is only viable during the development of a new system. The agile process doesn’t apply as well when getting an ATO for an existing system or one undergoing upgrades.

“Since many systems were built prior to beginning any ATO work, an iterative approach may be more challenging because the system is already functional and sometimes requires retrofitting the system to meet new security requirements,” Goodrich said. “While an iterative approach to existing systems can be effective, it is often not as easy or straightforward as implementing the ATO process during the development phase of a system.”

But for new systems, 18F’s approach is a good one, he said, adding that FedRAMP’s Joint Authorization Board, or JAB, is using agile methods for its review process.

“As FedRAMP continues to evolve and improve the ATO process, we will continue to identify new ways to implement agile methodologies,” Goodrich said.

“This is where we’re going,” Torres said. “We have not had a lot of opportunity to do this because we’ve just started talking about this. But this is where we’re hoping things move.”

Torres said the 18F team initially developed this agile ATO process while working on one agency’s project and is currently trying it again with a second.

“We’re very optimistic that this is a great way to ensure that agile can work in government,” he said.
