Accelerating technical training, equipping and empowering Airmen for the battlespace is a strategic goal for the Air Force. Commands, Wings, and Users want to leverage training applications coupled with mixed reality devices because doing so saves training time, makes training more accessible, and saves costs. However, training applications and devices are delayed for operational use by the need to navigate the inscrutable Authorization to Operate (ATO) process.
The DoD adopted the Risk Management Framework (RMF) to empower services to assess, manage, and validate cybersecurity risks. The RMF process is directed to be used for DoD Assessment and Authorization (A&A) processes. However, these processes are exhaustive and resource-intensive, require a sophisticated skillset, and are often not considered until the application is ready to deploy, significantly delaying timely delivery of today’s technology to the warfighter. In fact, RMF implementation can take a year or longer for an application to get an ATO. This creates significant problems with industry costs and effective risk management.
The military member responsible for performing the A&A activities must accomplish the mysterious ATO process without the training and experience needed to achieve success while tackling the many misconceptions, fallacies, and esoteric rules.
DoD must shift from a cybersecurity “snapshot in time” and paper drill compliance culture to a culture where automation is tightly coupled with real-time continuous risk monitoring.
Thought leaders have expressed ways in which to combat the A&A challenges. An analysis of these processes is necessary to identify the best approaches to enable agile authorization.
Innovative solutions that enable real-time risk management must reduce lead time for compliance by assessing applications with an agile DevSecOps approach and marginalize the labor and financial costs of obtaining an ATO.
Keywords
AUGMENTED AND VIRTUAL REALITY (AR/VR), CYBER, MIXED REALITY, READINESS, RISK ASSESSMENT, SECURITY, SIMULATORS, TECHNOLOGY
Additional Keywords
Assessment and Authorization, Risk Management Framework, Real-time Risk Management, DevSecOps