Consider a narrative security approach

The Federal government could adopt a narrative approach to security that is more accessible and understandable than the traditional ATO process. Such an approach would encourage mission owners, developers, and security professionals to discuss system security together and to agree on reasonable steps to take before, during, and after a security incident. Good examples include the United Kingdom’s basic risk assessment and management method and its lightweight approach to cloud security. Both reduce the complexity of security assessments while encouraging a dialogue that leads teams to default to modern security practices.

This type of approach builds on the intent of agency and FedRAMP “lightweight” processes: teams attest to routine security processes and concentrate rigorous review on key areas. Simplification and plain language would improve communication and bring more stakeholders into security discussions.

Narrative ATOs can be used alongside the control list in SP 800-53 or as a proxy for it. For less technical practitioners, a narrative helps teams focus on the areas of concern, at which point security professionals can map those concerns to existing controls. Ideally, however, this approach would replace large sections of the framework’s control library and simplify ATOs to the point that they could be completed, read, and understood by both seasoned security professionals and non-technical project managers. A lighter-weight security process would also be significantly faster, helping the government keep pace with technological innovation.

This site was last updated on 9 OCT 2023.