Policy recommendations for improving the ATO process through Compliance as Code

How federal agencies can remove barriers to better, faster security

Fen Labalme


It’s no secret that federal technology security processes need to be modernized and automated in order to protect the sensitive data that government agencies use to serve the American people. There’s an urgent need to fix the bureaucratic and paper-based regulatory processes that are currently used to “ensure the safety” of new IT systems — while actually increasing risk by allowing old technologies to keep running while they wait for permission to upgrade.

There’s an urgent need to fix the bureaucratic and paper-based regulatory processes that make ATO compliance a burden.

We’ve been working alongside federal agencies for several years to develop a modern and agile approach to security compliance. And lately, more conversations are picking up around this topic, which is good news for agencies and vendors who hate the cumbersome and under-performing ATO process — as well as anyone who is rightly concerned about the security of government data and systems.

We recently partnered with the Day One Project to lay out some actionable steps that can be taken in 2021 to improve IT security compliance on a national scale through initiatives by the Office of Management and Budget (OMB), Office of Federal CIO (OFCIO), General Services Administration (GSA), Technology Transformation Service (TTS), and other agencies.

From the report:

“In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The next administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code” or “ongoing authorization”) and position agencies to modernize technology risk management as a whole.”

Our proposed plan calls for cross-agency collaboration and localized innovations that can be tested and perfected before scaling government-wide.

Recommendations include:

  • Instruct Cabinet-level agencies to draft exploratory implementation plans for how they might adopt compliance as code to increase security efficiency, through approaches like DevSecOps and automated System Security Plans (SSPs).
  • Create a Cybersecurity Compliance Center of Excellence to analyze current compliance processes and facilitate cross-agency knowledge sharing of best practices and improvements.
  • Draft new IT system acquisition rules that require software and hardware vendors to provide ATO-relevant, machine-readable compliance information to customer agencies — saving time and taxpayer dollars spent in the duplicative creation and maintenance of control implementation guidance for common inventory assets.
  • Appoint a task force charged with improving the utility and reciprocity of System Security Plans (SSPs) — the documentation that proves an IT system is compliant — so that federal agencies can collectively reduce their time-to-ATO.
  • Stand up a Federal Compliance Component Library with vetted pre-sets, templates, and baselines for various IT systems to accelerate the cross-agency sharing of compliance documentation and provide trusted storage for compliance components.
  • Explore the value of mandating the conversion of SSPs to machine-readable code such as the Open Security Controls Assessment Language (OSCAL) currently being developed by the National Institute of Standards and Technology (NIST), which facilitates automated compliance monitoring and verification.

Like all other aspects of modernizing government services, bringing IT security compliance into the 21st century is absolutely possible if the federal government will set the standard and empower agencies to take deliberate steps towards better and smarter ways of working, sharing their knowledge and assets along the way to reduce overall cost and burden for everyone.

Read the full policy paper here — and let’s make 2021 the year we learned to love the ATO process by making it work the way it should.



Fen Labalme

CISO @civicactions developing FISMA compliance automation. OpenPrivacy.