What does the continuous Authorization to Operate (cATO) concept have to do with a classic fable?
“The Tortoise and the Hare” presents a false dichotomy—especially for organizations that have to defend themselves against increasingly swift and sophisticated adversaries. They have to find a way to combine the resilience and deliberate nature of the tortoise with the speed and nimbleness of the hare. Organizations looking to do business with the DOD also have to contend with another obstacle: bureaucracy.
That’s where cATO comes in. The goal is to enable organizations to demonstrate their commitment to security (like the tortoise) while moving quickly enough to keep pace with attackers (like the hare) – without facing a lengthy approval process anytime a system has a material change. But before we talk about the benefits of cATO, we need to explore some of the drawbacks associated with the status quo.
Adversaries are fast; traditional ATOs are not
It doesn’t take attackers long to exploit publicly disclosed vulnerabilities. Mandiant analyzed 246 vulnerabilities disclosed in 2021 and 2022 and “found that exploitation was most likely to occur within the first month following the initial patch.” But that doesn’t mean organizations that make it through this initial period unscathed can continue to use vulnerable software without worry—the firm also said “there were still six n-days exploited over a year after their patch, including some that were not exploited until almost two years later.” Crossing your fingers and hoping threat actors move on to exploiting some other security flaw isn’t a viable defense.
The most common advice is to deploy patches as quickly as possible. The U.S. Cybersecurity and Infrastructure Security Agency even requires agencies within the federal civilian executive branch to patch software in the Known Exploited Vulnerabilities (KEV) catalog within one to three weeks. Yet the current Authorization to Operate (ATO) paradigm is largely compliance focused and doesn’t lend itself well to swiftly deploying new software when vulnerabilities are discovered in existing solutions.
ATOs are somewhat similar to vehicle inspections: they happen at regular intervals, and they’re effective at checking against specific benchmarks, but they can’t guarantee future performance. Sometimes a vehicle passes inspection right before a recall is issued because of a potentially fatal malfunction; sometimes a given piece of software receives its ATO right before a critical vulnerability is discovered and exploited by attackers. Such is the risk of point-in-time testing.
Unlike vehicle inspections, however, ATOs have the additional drawback of taking longer than anyone would like. The 18F digital services agency within the General Services Administration celebrated in 2018 when it brought its ATO process down from six months to 30 days. Other efforts to expedite the ATO process followed, with the Air Force introducing Fast Track ATO in 2019 and the Pentagon introducing new guidance that facilitates information sharing between agencies seeking ATOs for the same software in May, but the process still isn’t particularly fast.
Those initiatives merely accelerate a flawed point-in-time approach that doesn’t reflect the current state of cybersecurity. That’s where cATO comes in.
cATO: Modern authorization for modern defense
The DOD said in February 2022 that cATO “represents a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.” It expanded on its hopes for this paradigm with the publication of the cATO Evaluation Criteria in May, saying: “To maintain a competitive advantage, the [DOD] must develop and deploy software with increasing speed and agility, while improving security. Additionally, [DOD] must respond quickly to rapidly changing threats through the continuous integration and delivery of capabilities, cybersecurity, resiliency, and survivability.”
Among other things, the cATO Evaluation Criteria require organizations to regularly conduct security assessments. That includes penetration testing and attack surface reviews as well as static, dynamic and interactive application security testing. (For more on the differences between those approaches, check out our article, “DAST versus SAST? Glad You Asked about Application Security.”) That way organizations stand a better chance of identifying and remediating vulnerabilities in authorized software before their adversaries do.
This requirement doesn’t by itself address the limitations of point-in-time testing, but organizations can use a Penetration Testing as a Service (PTaaS) provider like Synack to meet cATO’s security assessment requirements while having their systems, networks and applications continuously tested by a community of expert security researchers. This approach goes beyond compliance and uplevels current thinking on Continuous Monitoring (CONMON) directives. Meeting the cATO requirements is only the first step towards delivering more resilient systems—the journey continues for program and system owners willing to regularly reassess the security of their internal and external attack surface.
Secure and swift, not “or”
Organizations shouldn’t have to choose between vetting the custom built and commercial technologies they’d like to adopt and moving quickly enough to address security problems in their existing tech stacks. cATO is the DOD’s way of allowing them to do both. Why be the tortoise or the hare when the best traits of both can be combined?