
Achieving Continuous Authority to Operate (ATO)

November 2020 Podcast
Hasan Yasar, Shane Ficorilli

Shane Ficorilli and Hasan Yasar sit down with Suzanne Miller to discuss Continuous ATO, including challenges, the role of DevSecOps, and cultural issues that organizations must address.

“One of the biggest factors that really allow for continuous ATO to take place is the creation of all of your environments through infrastructure as code. That really helps both people on the operation side, the security side, and developers to get an environment in a scripted way that can be approved as code.”

Publisher: Software Engineering Institute


Abstract

Authority to Operate (ATO) is a process that certifies a system to operate for a certain period of time by evaluating the risk of the system’s security controls. ATO is based on the National Institute of Standards and Technology’s Risk Management Framework (NIST 800-37). In this podcast, Shane Ficorilli and Hasan Yasar sit down with Suzanne Miller to discuss Continuous ATO, including challenges, the role of DevSecOps, and cultural issues that organizations must address.

About the Speaker

Hasan Yasar

Hasan Yasar is the Technical Director of the Continuous Deployment of Capability group in the SSD Division of the Software Engineering Institute, CMU. Hasan leads an engineering group to enable, accelerate, and assure transformation at the speed of relevance by leveraging DevSecOps, Agile, Lean AI/ML, and other emerging technologies to create a Smart Software Platform/Pipeline. Hasan has more than 25 years’ experience as a senior security engineer, software engineer, software architect, and manager in all phases of secure software development and information modeling processes. He specializes in secure software solutions design and development in the cybersecurity domain, including data-driven investigation and collaborative incident management; network security assessment; automated, large-scale malware triage/analysis; medical records management; accounting; simulation systems; and document management. He is also an adjunct faculty member in CMU Heinz College and the Institute of Software Research, where he currently teaches “Software and Security” and “DevOps: Engineering for Deployment and Operations.”

His current professional interests focus on

  • secure software development, including threat modeling, risk management framework, and software assurance models
  • secure DevOps processes, methodologies, and implementation
  • software development methodologies (Agile, SAFe, DevOps)
  • cloud-based application development, AI system development, deployment, and operations
  • software architecture, design, development, and management of large-scale enterprise systems