Pentagon issues new guidance to address industry gripes about ATO process

KISSIMMEE, Fla. — In direct response to recent complaints from industry officials about how the authority to operate (ATO) process is hindering rapid technology and software innovation, Department of Defense leadership issued new guidance aimed at resolving risk management and cybersecurity reciprocity challenges.

Reciprocity essentially enables federal entities to reuse another internal or external organization’s assessments to share information — and ultimately reduce associated costs in time and investments that accompany approving IT systems to operate on the information networks.

During his keynote at the annual GEOINT Symposium on Wednesday, Pentagon Chief Information Officer John Sherman unveiled a new one-page memorandum signed by Deputy Defense Secretary Kathleen Hicks on May 2 that directs “testing re-use and reciprocity to be implemented [by DOD authorizing officials] except when the cybersecurity risk is too great.”

“This is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again. We’re trying to strike a balance in maintaining our [risk management framework-driven] cybersecurity, but to make sure that we are able to move more quickly and not have to basically check everyone’s homework,” Sherman told DefenseScoop in an interview after his keynote.

He provided a hypothetical scenario to help paint a picture of the key issues his team is trying to address and the type of acceleration they’re seeking to facilitate.

“If you have a company who’s already got a product that’s gone, say, through the Department of Air Force and got on an ATO there, then let’s say the Navy wanted to use it. By default, they should be willing to take the body of evidence of the authorizing official from the Air Force unless they look at it and there is a tangible, substantive reason why they don’t believe the ATO was done well enough — and then we have a bigger issue that we need to jump into. These Air Force and Navy examples are just hypothetical, but that’s what it does,” Sherman explained.

“If you have your company, you shouldn’t have to go through each different hoop and hurdle here. It should be more universally accepted,” he added.

Notably, Hicks’ memo also mandates that Pentagon components elevate any associated policy and implementation issues straight to Sherman and his team.

“DOD Components can request DOD CIO assistance in resolving reciprocity and other RMF policy, guidance, and technical issues by contacting the RMF Technical Advisory Group secretariat, within DOD CIO, at osd.pentagon.dod-cio.mbx.rmf-tag-secretariat@mail.mil,” Hicks wrote in the guidance.

During his keynote, Sherman spotlighted that elevation.

“I saw on LinkedIn, as recently as this morning, some folks talking about this. And I want to let you all know: We’ve heard you loud and clear on this within the DOD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” he told the audience.

During the interview with DefenseScoop, he wouldn’t disclose exactly which industry representatives he was pointing to in that call-out.

“We’ve heard enough anecdotes. We need actual examples of where this is gumming up the process, because ATOs — which are necessary, you don’t want to not do these — but they have gotten a bad name as an innovation- or speed-stifler. So we’re going to take a little more direct involvement in this from the DOD CIO office,” Sherman said.

While this initial guidance is for the Pentagon, the CIO’s team is also going to generate and release similar recommendations for the intelligence community.

“That’s kind of our next hill to climb later, because of different classifications and where those bodies of evidence are kept on secret or top secret, versus unclassified databases and so on,” Sherman told DefenseScoop.

Acknowledging that “the software community is a very passionate community — and the ATO process, frankly, has been cumbersome,” the Pentagon’s top IT official confirmed that he opted to bring this up to Hicks for support.

“I’ll be very honest. We often, as a principal staff assistant, kind of pick where we need the big bosses to sign off. And we did believe on this one, yes, a CIO can do this, but [we should] have the deputy secretary send a very clear signal that this isn’t just CIO stuff. This is a department priority,” Sherman said.