The U.S. Air Force recognized that its implementation of the Authorization to Operate (ATO) approval process had become very resource-intensive, adhering to an antiquated checklist/compliance-based behavior compared with outcomes not keeping pace with the latest cyber threats that affected its weapon systems. While the ATO process is an important contributor to the critical tasks of implementing cybersecurity and managing cyber risk, delays in fielding new systems bring their own risks by extending the use of legacy (often less secure) capabilities. This represented a gap in the ability for the Air Force to move toward more agile, operationally focused, risk-based outcomes. The development of the Air Force Fast-Track process addresses this identified gap.
The Fast-Track process gives authorizing officials (AOs) the discretion to make decisions based on foundational systems-engineering-based evidentiary data and analysis. With an independent review of the combination of a cybersecurity baseline, a risk assessment, and a continuous monitoring strategy, AOs are given the ability to make operationally informed risk decisions. Working closely with the acquisition community, the information system owners and warfighters Fast-Track applications seek to find an appropriate balance between rapid deployment and an appropriate level of risk identification and management. The foundations of this Fast-Track philosophy is to understand the systems: how they work; how they operate; the data that is imported, generated, and exported; and where the systems present cyber risks in order to better inform AF decision makers on usage risks.
After more than two years of pathfinder implementation on over 80 weapon systems, including command and control, aircraft, radar, DevSecOps applications, experiments and exercises, and cloud infrastructure and applications, documenting the increased mission assurance to missions and reduction in time and resources, the AF Under Secretary directed Fast-Track ATO as the primary process for the Department of the Air Force to assess risk for new IT, new platform systems, and for renewing ATOs on October 19, 2020.
The pathfinders demonstrated the cyber risk management process can be more effectively and efficiently executed based on solid, foundational systems engineering and treating cyber risks equally with other program risks. The spirit of the Fast-Track ATO process calls for integrating the acquisition, test, and operations communities toward a single objective of assessing and determining the risk of use of systems and missions to (1) better inform mission owners, and to (2) demonstrate that the Air Force can document improvement over time in making our systems more secure today than yesterday.
The Fast-Track ATO process is designed to be a living process, compared to compliance to another set of static, specific steps. AOs are given the ability to best implement the spirt of the Fast-Track ATO process to effectively implement aspects of the Risk Management Framework, focus on operationally informed risk identification, and ensure clinical risk assessments for AF systems and missions.
This story appears in the December 2020 issue of Getting It Right, Collaborating for Mission Success.