Automated ATOs and cybersecurity

Software to automate the system authorization process at agencies could work along the same lines as tax filing tools, according to one senior IT advisor at HHS.


In the remote work environment spawned by the COVID-19 pandemic, more flexible, quicker methods of getting systems the authority to securely operate are more critical than ever, said a top IT advisor at the Department of Health and Human Services.

"Machine learning is critical in terms of fighting fire with fire. We can't fight AI [artificial intelligence] or machine learning with spreadsheets or Word documents. You're going to lose that battle" with hackers, said Oki Mek, senior advisor to the agency's CIO and its ReImagine project.

HHS is one of the agencies at the center of the federal government's response to the COVID pandemic. The agency is "getting hit hard" by hackers attempting to penetrate its networks, said Mek. Additionally, hackers and bad actors are leveraging AI to see how network users are interacting with infrastructure and systems, he said.

Mek made his remarks at an Oct. 14 webinar sponsored by the Institute of Critical Infrastructure Technology.

One area where AI and machine learning technology can provide a targeted lift for federal IT systems is speeding up the processes to obtain mandatory Authority To Operate certifications, said Mek.

The COVID pandemic, with its expanded IT threat vector with remote workforces, has only highlighted the need to speed up ATO processes, according to Mek.

Automated ATOs, leveraging machine learning and AI, said Mek, can shorten review of hundreds of security controls on a system and provide an assessment in hours or days, rather than months.

Automated ATOs, he said, could follow the same model as popular commercial machine learning and AI-based tax filing software. That software draws on the previous year's data.

For an automated ATO process, the software can ask basic questions, such as 'are you building a new system, moving to the cloud, or making changes to the system?' By asking a series of questions, said Mek, that common information can automatically fill in parts of the ATO system security plan.

IT systems operators could also develop a machine learning "confidence score" for cybersecurity.

"When you assess a system for an ATO, there are about 500 – 600 security controls. You could run machine learning against each requirement," he said. A system owner would use machine learning to compare requirements and policies against the agency's implementation statement to produce a confidence score. If the score is below 50 percent, then the owner should try again, he said.

An auditor's ATO assessment process, which can take up to two months, could be shortened to a week or two depending on the score, according to Mek. The automation would also allow the ATO process to become mostly continuous, providing more timely cybersecurity, he said.