Government operations require tight security protocols. While these protocols protect agencies from malicious attacks and poorly performing products, they also delay new software systems from reaching the production environment. This can lead to employee frustration, wasted investments in software that never gets approved, and more.
Traditional ATO Processes (and Their Pitfalls)
ATO (Authority to Operate) is an essential part of the Risk Management Framework used by the government and the private sector. Under the Federal Information Security Management Act (FISMA), a software system must receive an ATO before it is approved for agency use. This authorization certifies that the system’s hardware, software and connections are well established, that it has a clear purpose or use for the organization, and that the benefits of adopting the system outweigh the risks.
Obtaining an ATO is a multi-step process. As part of the Risk Management Framework, the general steps for achieving an ATO are:
- assessing the potential adverse risks to the organization, e.g., the consequences of a data leak
- selecting relevant security controls to monitor for known vulnerabilities
- implementing the selected security controls and assessing their effectiveness
- granting the ATO and continuing to monitor the system afterward
The ATO process assesses the type of data the software handles and the risk that this data could be compromised. From there, security controls are tested and implemented to safeguard the software system for employee use.
Extensive labor goes into a manual ATO. Each step requires multiple senior individuals, such as the authorizing official, tech leads, and information systems security officers, to routinely meet, discuss, and evaluate that step of the ATO. When agencies are short-staffed, this creates yet another obstacle to achieving an ATO. The entire authorization process has an average turnaround time of several months, but it can take years to complete. Only at the end of this cycle can the software product be approved for use. In the meantime, software that has already been bought and paid for may sit unused for months or years, and at the end of the ATO process it may still be deemed unsuitable for use. The process is never truly complete: changes to the system can trigger a new ATO process all over again.
The consequences range from a stalled production environment to licenses that go unused. A lengthy ATO consumes a huge amount of time that could be put toward innovation, because it redirects bright minds to a meeting room rather than the production floor. The frustration of a manual ATO also fuels shadow IT, where employees turn to unapproved IT systems, services and applications without the explicit knowledge of their IT department, introducing major security risks.
What’s Next?
Investing in a continuous ATO can curtail many of the negative side effects of a manual ATO process. This approach, first implemented by the Air Force, is a promising opportunity for other government agencies aiming to innovate and improve their processes. To learn more about this innovation in risk management, read our upcoming blog post “How Achieving Continuous ATO Can Elevate the Production Environment”.
ITC is well positioned to evaluate existing ATO and risk-management processes. Our staff includes many experienced project managers and consultants who can evaluate an agency’s current ATO process and improve on it.