Automated ATOs and cybersecurity
In the remote work environment spawned by the COVID-19 pandemic, more flexible, quicker methods of getting systems the authority to securely operate are more critical than ever, said a top IT advisor at the Department of Health and Human Services.
“Machine learning is critical in terms of fighting fire with fire. We can’t fight AI [artificial intelligence] or machine learning with spreadsheets or Word documents. You’re going to lose that battle” with hackers, said Oki Mek, senior advisor to the agency’s CIO and its ReImagine project.
HHS is one of the agencies at the center of the federal government’s response to the COVID pandemic. The agency is “getting hit hard” by hackers attempting to penetrate its networks, said Mek. Additionally, hackers and bad actors are leveraging AI to see how network users are interacting with infrastructure and systems, he said.
Mek made his remarks at an Oct. 14 webinar sponsored by the Institute of Critical Infrastructure Technology.
One area where AI and machine learning technology can provide a targeted lift for federal IT systems is speeding up the processes to obtain mandatory Authority To Operate certifications, said Mek.
The COVID pandemic, with its expanded IT threat vector with remote workforces, has only highlighted the need to speed up ATO processes, according to Mek.
Automated ATOs, leveraging machine learning and AI, said Mek, can shorten review of hundreds of security controls on a system and provide an assessment in hours or days, rather than months.
Automated ATOs, he said, could follow the same model as popular commercial machine learning and AI-based tax filing software. That software draws on the previous year’s data.
For an automated ATO process, the software can ask basic questions, such as ‘are you building a new system, moving to the cloud, or making changes to the system?’ After a series of such questions, Mek said, that common information can automatically fill in parts of the ATO system security plan.
IT systems operators could also develop a machine learning “confidence score” for cybersecurity.
“When you assess a system for an ATO, there are about 500 – 600 security controls. You could run machine learning against each requirement,” he said. A system owner would use machine learning to compare requirements and policies against the agency’s implementation statement to produce a confidence score. If the score is below 50 percent, then the owner should try again, he said.
An auditor’s ATO assessment process, which can take up to two months, could be shortened to a week or two depending on the score, according to Mek. The automation would also allow the ATO process to become mostly continuous, providing more timely cybersecurity, he said.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.