Pentagon Responds to Industry Concerns, Overhauls ATO Process

CyberPro Magazine


Addressing Industry Grievances

Responding to widespread industry complaints that the slowness of the authority to operate (ATO) process hinders technological innovation, the Department of Defense (DoD) has issued new guidance. An ATO is the formal decision, made under the Risk Management Framework (RMF), that a system has met the required cybersecurity controls and that its residual risk is accepted before it is allowed to operate on government networks. The process has faced long-standing criticism for its bureaucratic hurdles.

John Sherman, the Chief Information Officer (CIO) of the Pentagon, acknowledged the need for a balance between cybersecurity and expediency. He emphasized the desire to streamline processes without compromising security protocols. Industry stakeholders have long lamented the repetitive nature of assessments, leading to delays and increased costs.

In conversations with DefenseScoop, Sherman highlighted the challenges faced by both industry and government in navigating the ATO process. “We’re trying to strike a balance in maintaining our [risk management framework-driven] cybersecurity, but to make sure that we are able to move more quickly and not have to basically check everyone’s homework,” he explained, underscoring the need for reform.

New Directives to Streamline Processes

To address these concerns, Deputy Defense Secretary Kathleen Hicks issued a one-page memorandum on May 2. The memorandum, which Sherman presented at the annual GEOINT Symposium, emphasizes reciprocity in assessments: federal entities reuse security assessments already conducted by another organization rather than repeating the evaluation themselves.

Under the new guidance, reuse of test results and reciprocity are the default, with exceptions only where the cybersecurity risk is judged too significant. The aim is to accelerate approvals without lowering the standard each system must meet. Sherman illustrated the point with a hypothetical scenario showing why components need to trust one another's assessments rather than re-run them.

Notably, Hicks’ memorandum also mandates improved communication and issue resolution mechanisms within the DoD. Components are directed to escalate policy and implementation issues to Sherman’s team promptly. This directive underscores the commitment to addressing industry grievances and fostering a more responsive environment.

Streamlining Communication and Future Steps

Sherman emphasized the importance of concrete examples to guide further improvements. While the initial focus is on the DoD, similar recommendations are in the works for the intelligence community. Acknowledging the software community's frustrations, Sherman stressed the need for a concerted effort to streamline processes across classification levels.

The changes mark a meaningful step toward aligning the ATO process with how industry delivers software. By making reuse and coordination the default, the DoD aims to foster a more responsive ecosystem while keeping the underlying cybersecurity requirements intact.

Looking ahead, Sherman made clear that further changes depend on specifics from industry rather than general complaints. “We’ve heard enough anecdotes. We need actual examples of where this is gumming up the process,” he said, highlighting the importance of feedback from industry stakeholders.

As technology continues to change, Sherman's team has committed to preserving room for innovation while upholding cybersecurity standards, with industry feedback as the input that drives further reform.