
Compliance as Code and Improving the ATO Process
Summary
A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.
The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.
In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.