To keep up with the commercial marketplace, where software, system, and app development evolves at a dizzying pace, Federal agencies are embracing a shift to Agile development methodologies. Faster time to market, lower development and operational costs, greater efficiencies and collaboration – the benefits are clear. But security compliance is often a neglected and far less Agile process, one that can delay or stall deployment. If you’re looking to launch software or technology in support of the Federal government, it’s time to rethink the Waterfall and embrace Agile methods to secure an ATO.
A Word on ATO
Each system developed to store, move, or process Federal information is required to complete the Risk Management Framework created by the National Institute of Standards and Technology. This rigorous vetting standardizes the base-level security infrastructure and due-diligence expected of the final product and developing team, thereby limiting any associated risk to the Federal government and its operations. Successful projects are granted a formal, signed declaration – an Authority to Operate (ATO) – for the approved system. This process, however, is notoriously slow and requires significant investment in manpower, documentation, and assessment to validate and continually monitor the security of the system.
Given the need for new cloud infrastructure and IT systems to alleviate the public’s growing demand for government services, the ability to overcome slow ATO requests becomes increasingly critical. Early and continuous delivery of new software and technology solutions is the industry’s best answer to the government’s problems, but how can security keep pace?
Our 15 Principles and Best Practices to Make Agile ATO the New Standard
Agile can work for government. Iterative and incremental development creates a culture of persistent and fluid technological advancements, but this only works for Federal services if security infrastructure advances at the same speed. Here are our top 15 proven principles for certifying the security of new IT systems – and making Agile ATO part of your organization’s modus operandi.
- Shift your focus from “doing Agile” to “being Agile,” so that best practices are deliberately adopted and implemented at all levels.
- Document organization-wide security standards and ensure teams remain committed to adherence throughout the development lifecycle.
- Shorten the learning curve for assessors by using consistent tooling and processes for all systems, making it easier to evaluate ongoing compliance requirements.
- Prevent lost efficiency by focusing an individual’s efforts on specific, defined deliverables. Limit the need to multitask.
- Emphasize simplicity from the very beginning. The larger and more complex the final product, the more burdensome the ATO documentation will be.
- Reuse a proven FedRAMP-approved technology stack when possible, primed for Agile and DevOps, to shorten assessment and authorization timelines.
- Determine metrics for success and establish a baseline at the beginning of the project. Review progress against these benchmarks regularly.
- Consider security early in the requirements gathering phase, rather than at the end of a project.
- Secure an ATO at the first opportunity, or at minimum product viability, and then increment that ATO as new components are developed.
- Schedule more frequent sprint reviews.
- Identify and resolve issues quickly by integrating the security team across multiple sprints. Assign security engineers to scrum team rosters for constant scrutiny and buy-in.
- Prioritize information sharing by opening access to the latest content to all team silos.
- Break large content into component sections for iterative development, further enabling compartmentalization and easy reference.
- Streamline the tracking and subsequent review of changes with baked-in version control and alerts.
- Document and validate vulnerabilities thoroughly, and then prioritize these based on risk. Address all incidents before building additional complexity.
It’s been said that security isn’t a sprint, it’s a marathon – a marathon that doesn’t end. New applications and systems must evolve to adapt to new challenges, emerging threats, and shifting user needs. While security has always been a key component of system considerations for the Federal government, the rapid development of new technologies is making security a much more crucial component (one that can make or break a successful ATO). That’s why Agile methodologies are the new standard for information assurance and system security. At GovDataHosting, we embrace this real-time development and feedback loop, and are proud to support our customers with comprehensive cloud security assessment, authorization, and monitoring services. If you have questions, we have answers. Speak with a cloud solution engineer from GovDataHosting to accelerate your shift to Agile ATO.