A dev’s guide to navigating ATO
A long and winding road to Authorization to Operate (ATO) made easy
What’s inside:
“A long and winding road to ATO made easy”
Resources: Iron Bank (secure container image repository) documentation, National Vulnerability Database (NVD)
Take note: Governance, risk, and compliance (GRC) engineering explained, Cybersecurity Risk Management Construct to replace Risk Management Framework, and don’t miss an interview with Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS) and pioneer of DevSecOps platform Operation Stormbreaker
A long and winding road to ATO made easy
You’ve built a prototype. It’s brilliant. It could transform national security missions.
But there’s one roadblock standing in the way. Three big letters: ATO.
As Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS), explains: ATO, Authorization to Operate, means “getting a system authorized to run in production in the government.”
It is designed to manage risk and enforce strict security standards, and it ultimately requires a designated authorizing officer (AO) to sign off before anything goes live.
Dave Raley, pioneer of Operation Stormbreaker, shares how the DevSecOps platform accelerates missions and gets software to market faster in “A Tale of Two ATOs” on the VIA Knowledge Hub podcast.
The ATO process can seem like a black hole. It can drain years and millions, with processes buried in paperwork, static snapshots, and frustration.
Use a DevSecOps platform that already has an ATO
We caught up with two seasoned VIAneers, Ashley DaSilva, Vice President, Applications, and Jesus Cardenes, Senior Vice President, Product Architecture, who offered the ultimate pro-tip:
Use a DevSecOps platform built for ATO.
The platform already has its own ATO, which covers many of the infrastructure security requirements your application would otherwise have to address itself.
Your applications inherit the platform’s approval when they run on it.
Security reviews happen through the platform.
The platform acts as a liaison between your team and the AO.
While you still need to continuously address application security, your application can run on the DevSecOps platform indefinitely.
The result: faster approvals, less frustration, and more time to focus on building your products.
Make the most of the DevSecOps platform
Here are Ashley and Jesus’s tips for managing stakeholder expectations and making the most of your experience with the DevSecOps platforms you use:
Manage release timeline expectations. The ATO process stretches timelines for big releases (architecture changes, new external data connections, etc.). Instead of two- or three-week sprints like in commercial software, expect closer to ten weeks before deployment.
Shift left. Think security-first, from the first step to the last. Establish a process to continuously scan for and address common vulnerabilities and exposures (CVEs) as part of every sprint so changes don’t introduce nasty surprises. “We can plan for CVEs as a part of every sprint,” says Ashley, “and determine if making a change introduces something unexpected.” Added bonus: this prep can turbocharge the ATO process.
Stay agile with intentional architecture design. Major architecture changes take longer to clear the ATO process. Build a solid foundation upfront, so smaller features and security pushes can glide through the process much faster. With continuous scanning already in place, you’ll speed up the ATO process dramatically.
Stay lean. Containerize your solution and build on top of secure and lean base images. Start by using hardened base images with minimal vulnerabilities. Choose third-party software carefully, as you inherit their vulnerabilities. Check out “A dev’s guide to hacking DoD compliance” for five more helpful tips.
Where possible, design stateless software. Not storing any prior interaction data, or “state,” between requests makes software scalable, resilient, and more secure.
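To make the “shift left” and “stay lean” tips concrete, here is an added example (not VIA’s, Iron Bank’s, or any scanner’s own code) of a per-sprint CVE gate: it diffs the last approved image’s scan findings against the candidate build’s, so the team sees only what the change introduced. The scanner report format and the CVE ids are constructed placeholders.

```python
# Added example (not VIA's or Iron Bank's code): a sprint CVE gate that compares
# the last approved image scan with the candidate build and fails only on
# findings the change introduced. Report format is a constructed simplification.
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    severity: str

def parse_report(report):
    """Turn a scanner's JSON-like list of dicts into Findings (constructed format)."""
    return [Finding(r["id"], r["package"], r["severity"].lower()) for r in report]

def new_findings(baseline, candidate, min_severity="high"):
    """Findings in the candidate but absent from the baseline, at or above
    min_severity. Already-tracked CVEs are not re-flagged, so the gate only
    answers 'did this change introduce something unexpected?'."""
    threshold = SEVERITY_RANK[min_severity]
    # One CVE can hit several packages in an image, so track (cve, package) pairs.
    known = {(f.cve_id, f.package) for f in baseline}
    return sorted(
        (f for f in candidate
         if (f.cve_id, f.package) not in known
         and SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: (-SEVERITY_RANK[f.severity], f.cve_id),
    )

def gate(baseline, candidate, min_severity="high"):
    """Return (passed, blocking_findings) for the sprint's candidate image."""
    blocking = new_findings(baseline, candidate, min_severity)
    return (not blocking, blocking)

# Constructed sample reports; the CVE ids are placeholders, not real entries.
BASELINE = parse_report([
    {"id": "CVE-0000-0001", "package": "libexample", "severity": "High"},
    {"id": "CVE-0000-0002", "package": "zlib-demo", "severity": "Medium"},
])
CANDIDATE = parse_report([
    {"id": "CVE-0000-0001", "package": "libexample", "severity": "High"},   # carried over
    {"id": "CVE-0000-0003", "package": "newdep", "severity": "Critical"},   # introduced
    {"id": "CVE-0000-0004", "package": "newdep", "severity": "Low"},        # below threshold
])

if __name__ == "__main__":
    passed, blocking = gate(BASELINE, CANDIDATE)
    print("PASS" if passed else "FAIL", [f.cve_id for f in blocking])
```

Run it in the pipeline with the previous sprint’s approved scan as the baseline; a non-empty blocking list is the “nasty surprise” the tip warns about, while carried-over findings stay on the existing remediation track.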
With security built in from the start, lean practices, and DevSecOps platforms tailored for ATO, teams can move from paperwork purgatory to rapid, secure deployment.
Need to know
You have pressing compliance questions; we have answers, so you can build faster and get back to shipping. Check out the resources below.
Iron Bank documentation
Even if you don’t use Iron Bank (the secure container image repository within the U.S. Air Force’s Platform One DevSecOps ecosystem), its documentation is still worth exploring. It’s a great window into how defense and other high-assurance environments think about container hardening and supply chain security. Start with the FAQ to get the big picture, then dive into “Getting Started.”
National Vulnerability Database (NVD)
Most vulnerability scanners point you here for the details, and for good reason. Maintained by the National Institute of Standards and Technology (NIST), the NVD is the go-to hub for tracking and understanding known CVEs. Keep it bookmarked; you’ll visit it more than you think.
Take note
With all the information swirling around, it’s hard to know where to focus. Don’t worry, we’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.
Worth your time
Watch this short video to see why GRC engineering is definitely not just about paperwork. Instead, governance, risk, and compliance engineering ensures a system’s security is continuously monitored, measured, and improved.
This just happened
Cybersecurity Risk Management Construct
The Department of War announced that the new Cybersecurity Risk Management Construct (CSRMC) will replace the Risk Management Framework (RMF). The CSRMC emphasizes continuous monitoring rather than point-in-time snapshots, and it champions DevSecOps with automation baked in. CSRMC runs across five phases: Design, Build, Test, Onboard, and Operations.
Don’t miss this
What if it took just fifteen minutes to get your system an ATO to run in production in the government? For Dave Raley, that’s not just a dream. He’s making it a reality.
In our latest podcast episode, Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS), reveals how Operation Stormbreaker is transforming the government’s ATO process.