The Article I chose to discuss this week is what can be considered a huge leap forward in cutting through bureaucratic red tape that surrounds any new procedural practice, technology adoption or upgrades.
For Summary purposes the article begins with identifying that the US Air Force, and what I assume is also going to be the US Space Force, recognizes that the practice of implementing new updates and changes to cybersecurity are ineffective. Whenever an update or change is ready to be introduced into a government system it has to go through the proverbial ringer of inspections, tests, audits, etc. The Approval of these acts is known as an “Authority to Operate” ATO. Essentially making sure that the introduction of the change or update won’t have negative effects on the system. Common sense from the Birds Eye view; however, the issues arises when you realize that the time required to do all that thus makes the change or update either outdated or ineffective. As the articles author, Byron Kroger, notes “cyber adversaries continue to unveil novel threats”. Much like the concept that when the latest I-Phone or Android hits the market, it’s already outdated technology.
The change to policy being introduced is that the US Air Force is working towards implementing a continuous Authority to Operate (cATO). This would mean that the fuse from inception to introduction would be greatly shortened with a few requirements:
- “Continuous Monitoring of security controls
- Active Cyber Defense Measures
- The Adoption of DevSecOps practices.”
In my unbiased opinion I think this is one of the most important things the DOD could do, if it wants to remain vigilant in safe guarding its information and systems. It might seem like a small change, and it is, but like any government entity sometimes bureaucratic practices get the better of a situation.
Respectfully
Eric A.