USDA, Energy Taking a Page Out of DoD’s IT, Cyber Playbooks
The Agriculture Department is creating a software factory where security is built in on the front end.
The Energy Department is testing out a rapid authority to operate, or ATO, process to focus on risk management.
Both of these efforts are based on the successes of the Defense Department.
Venice Goodwine, the chief information security officer for the Agriculture Department, said the software factory uses the DevSecOps process and provides a platform that already meets the agency’s security rigor. She said USDA’s software factory is similar to what the Air Force is doing with Platform One.
“What we’re doing is we have 29 different agencies and they all have developers. So of course, they’re developing in their own way. So imagine that as a CISO having to issue an authority to operate for all of those applications. It is more prudent and easier if I could just certify the process, meaning that if I certify the end-to-end process, what comes out of the process then becomes certified, so I don’t have to do every application, I just do the process. And so and that’s what we’re doing at USDA is creating the software factories,” Goodwine said at a recent AFCEA Bethesda panel on security, an excerpt of which played on Ask the CIO. “It starts with having one certified platform to develop on and it’s on a FedRAMP certified cloud. So we’ve created an environment for development within our platform-as-a-service environment. So that’s already certified. That was the first step.”
The second step, she said, was creating the technology stack to incorporate the planning, development and deployment phases for new software capabilities.
This continuous integration, continuous delivery (CICD) pipeline includes orchestration and automation to simplify the process.
“When you have a software factory, there are thresholds set to help you identify that something has gone wrong and that product that comes out on the end may be a defect. But the automation to that is the key, and having one certified platform to develop, having the automation to ensure that you remove some of the manual processes in development, and so on, lets my agencies develop and deliver services that is fast and at the speed of need,” Goodwine said. “That is what the software factory is going to give them. It’s going to allow the developers to be able to provide those products quickly in those instances.”
Fast-track ATO pilot
The Energy Department is trying to solve a similar challenge of accelerating applications and capabilities to the mission areas without losing any security rigor.
Emory Csulak, the principal deputy CIO at the Energy Department, said the agency started piloting a new rapid ATO process, based on some of the work they saw at the Navy.
“We had three kind of goals that we wanted to take a look at. We wanted to rethink compliance. One of the things I’ve seen every time I’ve gone into a new federal organization is a compliance program that is based on decades of audit reports and decades of compliance managers, thinking that this is the best way to eliminate this risk. And it’s not really managing the risk, it was often the process of eliminating all opportunities for making a failure. So you’ll see people saying, ‘Well in order to create a plan of action and milestone, you have to formalize it, you have to have it reviewed, you have to have it closed out.’ And these processes, over the last 20 years have just grown so burdensome, that an ATO by itself and the paperwork on that has become enormous,” he said. “Something I’ve told people in previous positions, there has not been a time in the entire universe that leadership has ever asked me how I’m doing on my low-risk systems. So why are we tracking them to this level of detail, and so forth? So I think the first part is just stepping back and saying, ‘how many of these decisions that we made 20 years ago or 10 years ago, are still relevant?’”
Csulak said the goal of these pilots is to help authorizing officials make better risk-based decisions through new approaches.
“We deployed an enterprise contract for crowdsource penetration testing last year. We’ve incorporated that and made it available to anybody at any time that they want to deploy it. They can use that for better informing their operational risk, rather than their paperwork risk,” he said. “It’s also about bringing in new investments, new technologies, literally doing 100% review of our investments. Are we making the best investments that we can? And then incorporating this third part into our deployment that we did last year, which is deploying our big data platform, making sure that the latest tools and technologies are feeding our big data platform with cyber sensor data across the organization, both at the perimeter and internally, so that we can do more advanced work.”
This advanced work includes applying artificial intelligence and predictive analytics to help authorizing officials think differently and more holistically about risk and not just about audits, plans of action and milestones.
“We published a new risk assessment methodology for cybersecurity last year. So we are making sure that when you talk about these things, that we’re making decisions in an educated, informed way,” Csulak said. “We want to make sure people are empowered to make decisions where it affects their mission.”
Application modernization underway
USDA’s Goodwine echoed Csulak’s view that the focus shouldn’t be on security, but reducing the friction on the mission areas.
The software factory currently is helping the Forest Service and the Rural Development agency with projects.
Goodwine said the pilots will help show how the software factory can decrease the time to deliver security capabilities.
“With our Forest Service pilot, we’re starting with a product that we already had and are modernizing it. We have an application that’s designed to order all the resources we need for firefighting. It’s about how do I make sure that we could add features and functions that the end user community is asking of us and deploy it in a short amount of time? It’s not just about security, it’s all about the speed of need as well,” she said. “Rural Development has a portfolio the size of the fourth largest bank, so imagine the customers that they have. How do you create applications to compete with typical banks? I mean, think about your own bank, how many new features and functions do you see on your mobile app or on the desktop app? So we’re trying to really compete with the services that our customers in that community would receive from a typical bank, as well as we partner with banks as well.”