Abstract
ATO as Code: Enabling Cybersecurity Modernization Through Risk Management Framework Compliance Automation
Developed by the Cybersecurity Community of Interest
Date Published: March 26, 2024
This ATO-as-Code report issues a call to action for a unified approach to modernizing the Authorization to Operate (ATO) process, i.e. the implementation of the Risk Management Framework (RMF). The report articulates the significance of intelligent automation in improving the efficiency and effectiveness of compliance efforts, thereby strengthening cybersecurity risk management. It underscores the necessity of standardized data exchange and advocates the adoption of the Open Security Controls Assessment Language (OSCAL), an open framework for automating control assessments.
To that end, the report introduces the Compliance Automation Process Maturity Model (CA PMM), a five-tier framework that organizations can use to adopt and scale OSCAL. The report concludes with strategic recommendations for key entities, including Congress, the Cybersecurity and Infrastructure Security Agency (CISA), the General Services Administration (GSA), the National Institute of Standards and Technology (NIST), and other Federal agencies. This work holds significant implications for both cybersecurity practitioners and policymakers, providing a roadmap for modernizing and automating compliance processes.