cATO Playbook
6. Mythbusting
See here.