The Risk Management Framework (RMF) is one of the primary ways in which new technology risks are adequately articulated and understood. The process has historically involved hundreds of security controls and has required nine months or longer before achieving an Authority to Operate (ATO).

Arlo partnered with USAF to develop the Fast Track ATO process, which streamlines the previously cumbersome approval process. Focusing on risk as opposed to compliance, Fast Track ATO isn’t necessarily new, but it’s a new way to look at an old problem: managing risk.

According to the Secretary of the US Air Force (USAF), Fast Track ATO should be authorized for some key reasons, including:

“The Fast Track process gives Authorizing Officials the discretion to make an authorization decision based on review of the combination of a cybersecurity baseline, an assessment (e.g. Penetration Test), and an Information Systems Continuous Monitoring

“Authorizing Officials are expected to make operationally informed risk decisions to work closely with information systems owners and warfighters to find the appropriate balance between rapid deployment and appropriate level of risk assessment.”

Fast Track ATO reflects the National Defense Strategy’s focus on remaining relevant and innovative:

“Deliver performance at the speed of relevance. Current processes are not responsive to need; the Department is over-optimized for exceptional performance at the expense of providing timely decisions, policies, and capabilities to the warfighter. Our response will be to prioritize speed of delivery, continuous adaptation, and frequent modular upgrades. We must not accept cumbersome approval chains, wasteful applications of resources in uncompetitive space, or overly risk-averse thinking that impedes change. Delivering performance means we will shed outdated management practices and structures while integrating insights from business innovation.” – National Defense Strategy [1], page 10.

Arlo’s Fast Track ATO approach streamlined the process for USAF

DevSecOps

DevSecOps describes the culture and practices that enable organizations to bridge the gap between their developers, security teams, and operations teams. Through effective DevSecOps, you can improve processes through collaborative and agile workflows, drive faster and more secure software delivery via technology, and achieve consistent governance and control.

There is no uniform DevSecOps practice. Each organization needs to tailor its culture and its DevSecOps practices to its own unique processes, products, security requirements, and operational procedures.

Just as there is no uniform DevSecOps practice, there is no uniform method for the Assessment & Authorization of this practice. Arlo can assist your organization in obtaining continuous Authorization to Operate (cATO) by providing the resources and guides to assess and document the key components of achieving cATO:

  • Teams that create, build, test, secure and operate the software product using the authorized platform and DevSecOps process
  • Process for producing, testing, securing and operating the software product
  • Platform being used to build, test, secure, and operate the software product, including various platform layers

Advantage of DevSecOps

“The competitor that can realize software-defined military capability the fastest is at an advantage in future conflicts. We must shorten our development cycles from years to months so that we can react and respond within the observe–orient–decide–act (OODA) loop of the threats we face. Agile methodologies such as DevSecOps enable this rapid cycle approach.” – DIB SWAP, [2], page 5.

Arlo and our trusted partner(s) will assess the DevSecOps culture of your organization, develop an authorization way ahead, including DevSecOps-specific Body of Evidence templates and guidance, and act as a liaison between the authorizing official and the program office.
