18F slices ATO times to from 6 months to 30 days

Finding more efficiency in the ATO process has been a conundrum for public and private sectors, but an 18F team thinks they may have finally cracked it.
(Ted Eytan / Flickr)

Finding more efficiency in the process the federal government uses to authorize a software solution has been a conundrum for both public and private sector officials. But an 18F team thinks it has finally cracked it.

In a July blog post, an official from the General Services Administration’s innovation arm explains how his sprint team has been able to reduce the time it takes to process an authority to operate (ATO) from more than six months down to 30 days with a series of collaborative strategies.

“ATOs across government have traditionally taken 6-18 months, with a lot of slow back-and-forth between system owners and the assessors,” said 18F developer Aidan Feldman in the blog post. “The ATO Sprinting Team brought the assessors and the project teams ‘into a [virtual] room’ for focused sprints to get through one ATO at a time, with near-full-time focus.”

The ATO process has been seen as a persistent hurdle for both cloud adoption and IT modernization because it is the regulatory framework that vendors have to navigate to offer new services to the federal government.


The Federal Risk and Authorization Management Program (FedRAMP), the office within GSA that oversees ATOs for cloud adoption across the federal government, has crafted a tailored set of processes to trim both timelines and industry costs for obtaining ATOs, which have been estimated to average as long as four-to-six months and cost between $300,000 and $700,000.

While significantly faster, the FedRAMP Tailored processes were still projected to take four to eight weeks to complete.

18F was tasked with finding a way to streamline the ATO process last year as part of its Project Boise.

The innovation office’s plan relies on both reducing complexity and promoting collaboration by forming an ATO sprinting team composed of a developer from GSA’s Technology Transformation Service, security officials and an ATO specialist to assist.

By honing in on the authorization requirements of small software systems as opposed to large, complex packages, reducing the lag time of multitasking between multiple projects and using standard security practices, 18F was able to make the ATO compliance process much more efficient.


“Almost all of the systems run on top of, a Platform-as-a-Service with a FedRAMP authorization, which handles a lot of the compliance at the platform level,” Feldman said. “For the parts that are the responsibility of the customer system, we worked with GSA Security to develop a System Security Plan (SSP) template for systems running on, which cut out the security controls handled by the platform.”

The sprinting team also had its ATO assessors and security team work in concert to reduce the fits-and-starts of the authorization, while also leveraging TTS technology stacks to standardize some of the solutions used in a system.

Carten Cordell

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.

Latest Podcasts