In a software-defined world—where everything from cars, to aircraft radars, to weapons systems runs on software—speed is everything. When software development lags, there are consequences.
When new technology is introduced to the military and government environment, it must survive a series of tests and checks before it gains the necessary “Authority to Operate” (ATO). Each time major elements are updated, the ATO must be renewed, adding time and expense to the software delivery process. It’s not hard to understand why; when a recent update from the cybersecurity firm CrowdStrike went awry, faulty code crashed computers worldwide.
“Traditionally, any change in a line of code into production in the Air Force is a six-month minimum to get through the process—usually closer to 18,” Kroger said.
Those delays can cost lives. In one instance Kroger experienced while still serving as an Active duty intelligence officer, fixes were in place for a known software flaw—but the bad code remained in action due to the clunky, legacy updating process.
The incident changed Kroger’s career path and led him to be among the co-founders of the Air Force’s Kessel Run, DOD’s first software factory. There, he helped pioneer a process to develop a continuous ATO or ongoing authorization for continuous delivery after achieving initial ATO. Kroger dubbed this “cATO” and the new process ensured that through continuous compliance, software updates could push from development to production in days or even hours, rather than waiting weeks, months, and years.
The legacy process “is causing risk,” Kroger said. A continuous ATO is all about “decreasing risk—and making the mission more effective.”
A cATO replaces conventional point-in-time security and stability reviews with continuous risk assessment and monitoring, building automated tests into the development process. Properly implemented, it lets apps respond rapidly to mission needs with no risk to security or reliability.
How do you obtain a cATO?
A Defense Department methodology for cATOs is already defined. It requires an assessment plan, processes to support ongoing assessments, and continuous risk monitoring.
Yet Kroger said organizational and cultural design also need to be part of the story. To iterate software in quick one-week sprints, developers and users need to work closely together, and the developer should fully integrate the Risk Management Framework, a National Institute of Standards and Technology (NIST) standard, into development and test procedures.
Short sprints reduce the number and complexity of changes in each iterative version of the software, enabling faster turnaround.
“As you incentivize smaller changes, then people start releasing much more quickly,” Kroger said. To support that, developers should forge cross-functional DevOps teams, combining security, compliance, and the testers themselves. “At Kessel Run,” Kroger said, “we actually had the test squadrons embed their testers into our software development teams.”
These structural changes create a “virtuous cycle, whereby when you need software updates — like let’s say you discover a security vulnerability — I can get a fix out in minutes,” he said. “That fundamentally changes your paradigm.”
What makes cATO challenging?
Automated test is a major time saver. In traditional waterfall development, “most of the work we have the test squadrons doing [is] catching software regressions—things that machines should and could be doing,” Kroger said. Automation can incorporate Risk Management Framework requirements into the test and integration process, enabling test squadrons to “work on the harder problems.”
Developers and program managers like the approach—once they get used to it. But until they have firsthand experience with it, they can be leery.
“People learn through doing,” Kroger explained. “The best culture transformation happens through doing.”
Program Managers and Executive Officers need not wring their hands trying to figure it all out, he advised. At Rise8, the approach is to build confidence slowly and intentionally.
“Let’s pick an application on a production environment, and let’s go through the process together,” Kroger said. “We’ll give you access to our work backlogs, our code repositories, the scanning tool sets that we’re using, the pipelines. We’ll even let you control the rule sets. We’re going to give you more access than you’ve ever had before.”
With hands-on experience, he said, DOD development, security, integration, and compliance teams will discover the power in a continuous Authority to Operate and how it answers urgent warfighter needs.
“The process works if you’re very disciplined about it,” Kroger said. “You do it in a way that is concurrent with your software development lifecycle.”