“It looks like you’re trying to get an ATO. Would you like help with that?”
A team of innovation specialists at the Census Bureau is working to speed up the process for getting security authorizations—known as an authority to operate, or ATO—for new systems and applications. Among their potential solutions: Developing an artificial intelligence bot that offers wisdom from successful ATOs, akin to Microsoft’s much-maligned Clippy office assistant.
Security officials focused on the ATO process have long urged agencies to reuse authorizations for like-for-like systems. While leaders have said that is happening more often, program managers are often reticent to reuse an authorization that might not track exactly to the app they are standing up.
But for a given security control, there is language and considerations for how the documentation is put together that can easily be borrowed from one authorization to the next, according to the Census FISMAtic project team.
“The goal is to take all the ATOs the Census Bureau has done … and write some natural language processing tools that look through those looking for commonalities in the way responses are written,” explained Alex Cohen, program manager for Census’ Center for Applied Technology.
For example, the tool may check the response to an access control on the status of role-based authentication. If the tool finds something along the lines of, ‘Yes, this is enabled,’ which aligns with other responses that have been approved, the documentation for that control is probably sound. However, if the response is something like, ‘I don’t know what this means,’ or, as Cohen suggested, some kind of nonsense like, ‘System supports access control on a Wednesday,’ then the automated system will flag that response as unlikely to pass.
“There’s more nuance you can get into, too,” said Aidan Feldman, a Census IT specialist working on the FISMAtic project. “Even if you say, ‘OK, I’m using Amazon Web Services to do X,’ that could have been described a number of ways in past security plans. You could say, ‘Hey, it looks like you’re describing this particular product that was also described in these sorts of ways, so you might consider phrasing it like this,’” and offer examples of past responses that have been approved.
Finding usable examples to work off of can be especially difficult when it comes to ATOs, as those documents are often considered sensitive and are not easily shared, Feldman pointed out.
“The main pain point that came up was around having access to examples,” he said. “Filling out this documentation can be really challenging if you don’t have experience in it.”
If you do get access to a document that can be used as a template, they are often in PDF form and rarely machine-readable, Feldman added.
“If we can get enough data, we can create [a tool that says], ‘Hey, looks like you’re responding to [a specific security control], would you like to …’ and here are your choices. What really started this idea was Clippy for ATOs,” Cohen said, referencing an often ridiculed automated assistant included with Microsoft Office products from 1997 to 2007.
“As much as Clippy gets some real heat, it did back-format documents and provided some real help if you didn’t know what you were doing,” Cohen said. “The problem with Clippy is it annoyed people who did know what they were doing. But if you’d never done an ATO before, Clippy would be really helpful.”
Exactly what that tool will look like—and whether machine learning and artificial intelligence technologies are advanced enough to accomplish the goal—is still up in the air, according to Cohen.
“This is very preliminary stuff. But the most important finding is we need to take a look at the data,” Cohen said, which means collecting lots of sample ATOs from across Census that can be used to train a machine learning app.
“We think we’re in a good spot to solve” the problem of long lead times on ATOs, he said, “But we’re just getting started.”
And Clippy for ATOs is one of a number of potential solutions that came about as part of a user/market research exercise by the FISMAtic team that solicited feedback from public and private sector stakeholders. The team posted a summary of the responses to GitHub, though they stressed that this was not a scientific survey or an official Census document, but merely the team’s notes on preliminary research.
"Security assessments are very important but can be long and complex, resulting in frustration on both sides,” Feldman said, referencing the divide that often occurs between development and security teams. “If this project works well, this is going to really make things better for everyone.”
The FISMAtic project was born out of the Innovation and Operational Efficiency, or IOE, program, which annually polls Census employees on areas they would like to see improved, according to Program Manager Carlos LaCosta. After two weeks of submissions, the ideas are taken to internal subject matter experts, who then present the issues to an executive committee of senior leadership.
That committee picks a number of ideas to move forward—the 2019 cohort includes six projects. From there, a project team is put together and given one year to investigate the issue. If it’s something worthy of further exploration, the project can be extended for an additional two years while Census experts work on improving that pain point.
The ATO process was chosen as a 2019 project in April.
“It’s really an employee-driven innovation program here at Census,” LaCosta said.
Editor's Note: This story has been updated to correct the spelling of LaCosta's name.