Air Force looks to speed up ATOs for SaaS business applications
The Air Force is exploring ways it can more rapidly accredit Software-as-a-Service (SaaS) applications to handle its unclassified and non-national-security information, a senior cybersecurity official said Thursday.
Lauren Knausenberger, Air Force’s director of cyberspace innovation, detailed a new pilot she is developing with CISO Wanda Jones-Heath that is focused on the “rapid assessment of SaaS offerings,” particularly those that deal with business processes and information at the Department of Defense’s cloud security Impact Level 4 or lower. It could cut the authorization process for those systems down from more than a year to less than a month, she said.
IL4, defined in the Department of Defense Cloud Computing Security Requirements Guide, covers cloud services approved to handle controlled unclassified information such as personally identifiable information (PII), health data, export-controlled information and other sensitive collections, but not national security information.
The effort, Knausenberger told FedScoop, is based on the belief that “we should be adopting SaaS as broadly as we can within our business systems and using it to make a lot of the processes we do daily much easier.”
“If we’re talking PII, it’s the same thing banks and medical providers have to deal with,” she said at the Security Through Innovation Summit, presented by McAfee and produced by FedScoop. “So why can’t we just adopt whatever business system anyone else has adopted and the processes that go with it? But we’ve had trouble with that, especially in the DOD, because of the level of control” the department requires.
The Air Force believes it can shorten the time to authorization for a SaaS offering by streamlining a few processes on the front end, much as it did for its own internal systems with its new Fast Track ATO.
“Part of it is looking at where did the company come from and ownership,” Knausenberger said. “Part of it is doing an actual test of the software — if they have an ongoing bug bounty program, that might meet that requirement. And also talking about how they continuously update their software from a security perspective. But this is something where we could do a little bit of testing, a little bit of documentation and an authorizing official could say we’re going to go forward with this.”
It probably won’t work for every company, especially new startups that are more worried about building a product than securing it, she said. “There will always be some level of question of the pedigree of the company. If it’s a household name that’s serving half the Fortune 500, there’s a little bit less inherent risk there. If it’s a brand new company that just came out of nowhere, a lot of startups aren’t quite there yet on the security front, they had to focus on getting a product out the door first. Some of those folks won’t be ready for us, but some of them will.”
Not only can it save those companies a lot of money — “some companies spend millions of dollars to be able to certify their whole stack,” Knausenberger said — but it could save them a lot of time, too.
“Vendors tell me that it’s a year or more” to accreditation for IL4 SaaS applications, she said. “I expect that we will be able to accredit some SaaS offerings in a month or less. It could be faster if they had everything ready to go and we had a team ready to go test anything that was needed to be tested.”
The best examples of the systems the Air Force is looking to pilot this new process with are those that handle military medical data or Social Security numbers of DOD members, Knausenberger said. “We’re starting small and then we’ll learn from that process and hopefully we can look at something where there is a little bit more of a fast track to getting these offerings approved.”
And while the Air Force has been gaining momentum in speeding up the authorization of its own systems, this effort is different because the service must make a quick decision on the risk of trusting a commercial cloud provider with its data.
“With SaaS, we have lost control,” Knausenberger said. “It’s on someone else’s infrastructure, and we’re entirely trusting that vendor and their reputation and the ability of their cybersecurity team to do all of the things that we normally do. So it’s a different risk assessment, and that’s why it does require a little bit more of a partnership with the company, a little bit more of, ‘Ok, do we trust you? Do we trust the competency of your security team? Do we trust your tech stack to automatically catch a lot of the things that we’re looking at?’”