Resilient Cyber - Episode 8 - Ray Letteer, DSc

Authorization to Operate (ATO) Process


Overview

In this episode of the Resilient Cyber Podcast, hosts Chris Hughes and Dr. Nikki Robinson talk with Dr. Ray Letteer, a cybersecurity expert with over three decades of experience, including time in the military, work with the NSA, and leadership of cybersecurity initiatives for the Marine Corps. The discussion covers the evolution of cybersecurity practices within the Department of Defense (DoD), the challenges of implementing the Risk Management Framework (RMF), and the future of cybersecurity in the context of DevSecOps and continuous authorization.

Dr. Letteer shares his extensive knowledge of how the DoD's IT security certification processes developed, the importance of integrating cybersecurity early in the development process, and the need for a balanced approach to risk management. The episode also touches on the cultural and operational challenges of shifting security left in the development lifecycle and the necessity of adapting to an ever-evolving cyber threat landscape.

Highlights

  • Background and Experience: Dr. Ray Letteer's journey in cybersecurity began over 30 years ago, with roles ranging from intel analyst at the NSA to leading cybersecurity initiatives for the Marine Corps. His breadth of experience gives him a unique perspective on how cybersecurity practices have evolved.

  • Risk Management Framework (RMF) Challenges: Dr. Letteer discusses the challenges and misconceptions surrounding the RMF process, emphasizing that it is not just a compliance check but a crucial part of ensuring mission readiness and security.

  • DevSecOps and Continuous Authorization: The conversation covers the DoD's push toward DevSecOps, highlighting the importance of shifting security left in the development process and the concept of continuous authorization, which aims to streamline the authorization process while maintaining robust protection.

  • Cultural and Operational Challenges: Dr. Letteer addresses the cultural and operational hurdles in implementing new security practices, particularly the difficulty of balancing cost, schedule, and performance against security requirements.

  • Importance of Inherited Security Controls: The episode also covers the critical role of inherited security controls in expediting the authorization process, especially in cloud environments.

  • Academic Perspective: Dr. Letteer and Dr. Robinson discuss the value of academic research in cybersecurity, particularly how it can help identify and solve complex problems in the field. They emphasize the importance of combining practical experience with academic rigor to improve cybersecurity practices.