
Case Study: Fast Track ATO for USAF

Reducing Timeline for Authorization While Strengthening Cybersecurity

 

Background

 

Like other government agencies, the US Air Force (USAF) assesses the risks of all Information Technology (IT) before it is granted an Authority to Operate (ATO) on the network. The Risk Management Framework (RMF) is one of the primary ways in which the risks of new technologies are adequately articulated and understood. The process has historically involved hundreds of security controls and has required nine months or longer before achieving an ATO. USAF leaders envisioned a new approach that could significantly reduce the timeline and get crucial capabilities to the warfighter faster. Arlo Solutions brought that vision to life by leading the development of the details, processes and guides that would make up the Fast Track ATO process. More than one year later, the Fast Track ATO process is the primary risk management mechanism for IT and cybersecurity acquisitions for the USAF.

 

Challenges

 

Shifting a Cultural Mindset

In the past, IT systems were developed by contractors in a lengthy process based on statutory guidance and policy. After focusing heavily on compliance and ensuring that these security controls were assessed and met, the technology would be deployed in the environment. However, the process was becoming antiquated because it was not aligned with the more contemporary, agile approach that most government acquisitions have adopted. While USAF personnel and partners acknowledged the need for improved and expedited acquisition of technology, some felt comfortable with the legacy process and its seemingly thorough safeguards and oversight steps. Arlo learned that to get the new process off the ground, it would need to change perceptions and mindsets.

 

Building Buy-in and Resources

USAF operations and cybersecurity teams had been operating in silos for many years. This created a disconnect in the perception of what a thorough and effective ATO process entailed. Arlo actively listened to the concerns of both teams and developed strategies to build consensus. Arlo collaborated with USAF senior leaders to lead and track use cases demonstrating Fast Track ATO’s ability to provide an alternate path to authorization, one that allowed for agility in the process and focused on assessing security in an operational environment rather than on compliance checks. Arlo attended open forums with thousands of USAF members to explain the solution and field questions. Arlo worked extensively with USAF leadership to understand and document their guardrails and thresholds related to making risk-based decisions. They then translated this information into repeatable and scalable processes and procedures that the cybersecurity workforce could act upon. Arlo also embarked on an extensive outreach campaign and worked in close collaboration with industry partners and leaders to develop resources and further strengthen trusted relationships.

 

Solution

 

In concert with USAF leadership, Arlo developed a swift, agile and innovative solution that delivered an ATO in approximately six weeks. It was beneficial for a variety of reasons, including that it:

  1. Downsized exhaustive and often unnecessary documentation of security controls
  2. Shifted the focus to demonstrable cybersecurity in an operationally relevant environment via the use of assessment methods such as penetration testing
  3. Relied on a customized, tailored list of security controls reflecting applicable vulnerabilities
  4. Delivered capabilities to agencies faster, empowering personnel to safeguard data with the latest and most secure technology
  5. Enabled the government to quickly identify and purchase technology made in US-friendly countries

 

Approach

 

Arlo leveraged the insights of its experts, including Lonye Ford, Arlo CEO, who is a USAF veteran with an extensive cybersecurity background. Through collaboration and strategic communication, the Arlo team deliberately addressed concerns received from across the agency and ensured feedback was considered and integrated throughout the process.

The Fast Track ATO process allows cybersecurity leaders the discretion to make an authorization decision based on review of a combination of a Cybersecurity Baseline, an Operational Assessment (e.g. Penetration Testing) and an Information Systems Continuous Monitoring Strategy. The goal of the Fast Track ATO process is to facilitate operationally informed risk decisions versus decisions based only on compliance checks. Authorizing Officials are expected to work closely with Information System Owners and Warfighters to strike an appropriate balance between rapid deployment and an appropriate level of risk assessment.

 

Results

 

The success of the Fast Track ATO process is transforming the USAF’s risk management process by fostering risk-based decision making based on operationally relevant assessments. Obtaining new technology no longer requires seemingly endless paperwork and up to a year of time.

Fast Track ATO allows USAF to purchase mission-related items more easily and get them into the hands of the warfighter sooner. For example, USAF used the Fast Track process on three off-the-shelf Unmanned Aircraft Systems. Now, there are five fully credited drones on the GSA schedule. Any agency can purchase them with the knowledge that they have been security tested and vetted through the Fast Track ATO process. This was an entry point into safer off-the-shelf purchasing for USAF.

The Fast Track ATO process can be applied to many other agencies for a wide variety of capability acquisitions. Arlo is engaged to lead this process with USDA and is building its portfolio of other government clients and partners in the defense and intelligence arena and beyond.