
By Jamel Sparkes, Senior Director, Maximus

This article originally appeared in G2xchange Health.

In today’s rapidly evolving technology landscape, federal agencies face multiple challenges. They must stay current with the latest digital innovations, keep pace with regulations, respond to demand for improved services, accommodate ever-changing citizen needs, and support an increasingly virtual workforce. These challenges require agencies to foster a culture of successful and sustained change rooted in a foundation of robust cybersecurity practices. This is especially important for federal health agencies, where data availability affects the timeliness of health services and care. However, traditional Authorization to Operate (ATO) approaches, in which the federal government approves an IT system for a set period based on a one-time security evaluation, can leave agencies vulnerable to threats between reassessments, which typically occur only every three years – an especially long time in today's threat environment.

With continuous Authorization to Operate (cATO), federal agencies establish a software factory that encompasses all necessary tools and processes to develop applications securely. Once an application is deployed, it undergoes continuous monitoring and testing to detect and address any new security threats. Through this continuous approach, vulnerabilities are mitigated, and critical operations remain uninterrupted. By subjecting the software factory to regular assessment, validation, and monitoring, federal technology leaders know that all systems are secure and can automatically receive an ATO.

The cATO process offers another benefit: it is a catalyst for overall cultural change, particularly for federal health agencies, given the volume of data they process. cATO accelerates the shift to applying agile principles and DevSecOps practices as a foundation for development. The speed, scale, and security of this nimbler approach improve data protection and usability, which helps drive successful change initiatives at federal health agencies like the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention, and the Veterans Administration.

Empowering Federal Health Agencies for Secure Digital Transformation

As cATO introduces security innovation and expedites change across the enterprise, agencies find other benefits that impact their mission. For health agencies in particular, the benefits of cATO may contribute to better health outcomes and equity by providing:

  • Timely availability of health data and insights
  • Reduced vulnerabilities of interconnected medical devices
  • Uninterrupted access to data, systems, and applications
  • Enhanced efficiencies and better customer experiences

This proactive approach positions agencies for innovation and continual protection against the mounting security threats of our modern world. It also ensures consistent use of cybersecurity best practices with automated validation and monitoring of the organization’s security posture. With this foundation, agencies establish a model for efficiency with:

  • Rapid rollout of new applications, software, systems, and technology capabilities
  • Improved speed of service and delivery
  • Workforce empowerment to address cybersecurity at all levels
  • Consistent application of cybersecurity best practices
  • Automated validation and monitoring of the security posture
  • Real-time incident identification and tracking
  • Dynamic, automated testing for new attack vectors
  • Streamlined compliance
  • Potential to lower long-term cybersecurity and maintenance costs

It should be noted that, while the up-front costs of cATO can be high, a robust and thoughtfully executed cATO approach pays dividends in the long run. This is because cATO allows federal agencies to adapt and evolve their security practices throughout the application and software development lifecycles. They keep pace with an ever-changing threat landscape and can avoid larger security threats and emerging cyber attacks.

Shifting Mindset for Cybersecurity Culture Change

A challenge for many federal health agencies is shifting their mindset to embrace ongoing change as an enabler for delivering better outcomes while still ensuring security. cATO addresses this by bringing security to the forefront in the application and software development life cycle (SDLC). Rather than being a hindrance to progress, cATO instills a culture of speed and agility to deliver enhanced services to citizens.

Adopting a cATO framework requires a shift to an agile methodology that prioritizes security at each stage of development. cATO takes the acceleration of the SDLC to another level, ensuring that cybersecurity keeps up with development. Cybersecurity becomes the responsibility of all, not just some. Each team member receives training, creating tight-knit collaboration between engineering, operations, and security teams.

Implementing a Successful cATO Process

cATO blends advanced technologies, robust security processes, and a culture of security to improve the end-to-end protection of applications and environments.

Leverage a Secure Software Factory and Automated Security Validations

With cATO, agencies can leverage a software factory that blends risk management and agile development practices. DevSecOps tools create an automated pipeline to discover vulnerabilities before application deployment, enabling rapid resolution without compromising systems or data. In addition, a secure application development approach based on a Scaled Agile Framework (SAFe) with an enhanced focus on cybersecurity guards the software supply chain against attacks and vulnerabilities. This approach removes exposure to single points of failure by overlapping each individual security control.

Assess, Validate, and Monitor for Continuous Improvement

Assessment, validation, and monitoring of the software factory give federal IT leaders assurance that, as a result of the cATO approach, all products and systems coming out of it are secure. An open monitoring and reporting dashboard is a key component of any cATO process, providing a real-time, granular view of application security for rapid issue identification and remediation tracking. Once deployed, applications are continuously monitored and tested against new security threats, and vulnerabilities are mitigated so that mission operations remain uninterrupted.

Embrace a Modern Approach to Application Development

With a modular application development process, agencies can build control inheritance, continuous security checks, and Zero Trust security protocols into every stage of application and system design. Authorizing officials can approve sections of an application so that the whole application becomes accredited, allowing individual sections to be updated as necessary without invalidating the accreditation of the entire system.

Ensure Validated, Secure Processes

While managing security controls using agile processes is vital at every phase of the SDLC, it is also important to validate the development processes themselves. Development processes can be validated against established cybersecurity frameworks, including the Open Web Application Security Project’s Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM) from Synopsys.

cATO is critical to improved cybersecurity and a catalyst for change in development, processes, and resourcing. With touch points and stakeholders across agencies, cATO generates momentum toward greater agility and responsiveness while driving much needed secure transformation. Agencies can expect this combination of benefits to provide a positive cultural change that meets expectations for government efficiency.