Achieving an ATO is a Team Sport
Going through an accreditation and achieving an ATO is a team process and team goal. It takes a team of people all doing their part of the process to get the final product and achieve the required end results.
At Soteria Software, we enable organizations to use their team efficiently with proper collaboration and automation, getting past individuals doing their specific piece manually without knowing what comes before, what comes after, what happens at the end, or anything in between.
Run your accreditation as a team game. Here is how.
Understanding the Desired End Result
Do you like herding cats!?!? Feeling your blood pressure go up when going through ATOs and accreditations? Or you just like to micromanage and want to be the superman/wonder woman all to yourself when going after an ATO? If so, stop here and good luck!
If you are like most folks, however, you want to do the right job the best way you can. And you want to not just do it, you want to do proper cyber hygiene and proper cyber security.
If so, invest in yourself for 5 minutes and keep reading on.
We see too many people (individuals) when going through accreditations just doing their manual job / task (scan, patch, track POAM, generate compliance) and then sending on the result. There is no knowledge of the before, after, end result, or what it even took to get there.
Getting the job done is important. Making sure you understand all the inputs, outputs, and the goal in mind is equally important, because that is what makes the process and its impact understood.
So here are some main steps we use at Soteria Software that we coach organizations on using with their team / organization across all accreditations. And how you can adjust your ATO and accreditation process toward a more team-focused collaboration. I will use our OpenRMF Professional solution to showcase ideas.
However you do this, automate and give your people the time, solutions, and information to be successful! And discard the normal “herding cats and burning people out” playbook.
People Need to Know Their Position and Role
Make sure each “player” knows the “playbook”, their part in it, and the play you are running to get the job done. And make sure they know what the end result is. Sports metaphors seem to work well, so we are “running” with that (see what I did there??).
We are not saying you need every single person to know every single nuance of RMF / FedRAMP / CMMC / etc. They do need to know their inputs, outputs, job and role, communication paths, and what their work is impacting at a larger level.
If we are patching and scanning, we need to know that the devices are more secure. And that our POAM of open items is shrinking. And our risk is lower based on a better security posture.
And we need to automate scanning and ingest as much as possible.
If we are tracking compliance on devices, processes, and procedures, we need to know how they work. What they map to (the high-level families of controls). Why they fall under those families. And how they, again, lower risk across our network, boundary, and systems. Not just “We need an access control policy!”. Explain why, how, where it fits, and how it helps achieve the end goal.
Using our OpenRMF Professional solution as an example, all team members have their roles and permissions, their features and functions they perform, and they see all the plays combine in front of them.
It is like watching a US football or soccer (int’l football!) game on the screen. Each player, doing their part, for the end result. And knowing how to work as a team to get to that result. And adjust as you play the game.
Have a Captain, Leads, and Role Players
Whether you are a smaller, mid-sized, or enterprise-level organization, you need to have the right players and roles defined. You need the captain (PM or ISSO). You need your leads for technical work, compliance, and plan of action and milestones (POAM) tracking and usage. And you need the role players to help get the data into the automated pipeline so things get moving.
Again showing automation with OpenRMF Professional, you and your team ingest scan data and watch the automation kick in. How many open patch vulnerabilities do we have? How many compliance vulnerabilities? What does our POAM look like?
What is our burndown on vulnerabilities? What items are scheduled to complete? Where are we on total compliance?
All of that can be automated with a solution like OpenRMF Professional. So you get the information immediately! Then you and your team act on it quickly.
Communicate, Collaborate, Coach
Communication from all levels in all directions is key to success. That means having a way to share the data, see it from different angles, and see its relationships easily.
Automatic collaboration and communication are missing from a lot of teams going through the accreditation process. That is one thing Dave Gould and I noticed over the last 20+ years being on different teams going through accreditation.
So we designed OpenRMF Professional from the ground up to solve this.
All data is ingested and automatically used where it needs to be used. History is tracked, showing the current state as well as how we got here. And you can run reports, update dashboards, and make sure the whole team can collaborate easily no matter where they are.
Define the Plays and Execute Them
When you have all the information in one spot, linked, displayed, and set up for the whole team, now you can “see the field”.
And then you can call the right play.
What items are critical and have to be done now? What items have high risk? What other items are mitigated down to lower risk but still need to be worked? What is scheduled to be completed?
How are we tracking on compliance? Which devices or areas are causing us the most heartache, and where can we get the best “bang for the buck”, so to speak?
All that is easy to accomplish when you can see the field and all the players, positions, information, and issues.
Learn What Works and Does Not
With the history, data, notifications, journal, dashboards, and reports, now you can see where you were. Where you are. What is working. And what is not working.
Based on this automated instant data, you can “right the ship” so to speak. Adjust people and plays. Then call the next play.
And wash, rinse, repeat as you move toward accreditation. While finding time for proper cyber hygiene and cyber security as well.
What’s Next
Want to learn more? Check out our demo site.
Get a live interactive demo with our technical team.
Or download and evaluate for yourself with our software, documentation, and online video training site.
See for yourself how we can help your team automate cyber compliance!