18F slices ATO times from 6 months to 30 days
Finding more efficiency in the process the federal government uses to authorize a software solution has been a conundrum for both public and private sector officials. But an 18F team thinks it has finally cracked it.
In a July blog post, an official from the General Services Administration’s innovation arm explains how his sprint team has been able to reduce the time it takes to process an authority to operate (ATO) from more than six months down to 30 days with a series of collaborative strategies.
“ATOs across government have traditionally taken 6-18 months, with a lot of slow back-and-forth between system owners and the assessors,” said 18F developer Aidan Feldman in the blog post. “The ATO Sprinting Team brought the assessors and the project teams ‘into a [virtual] room’ for focused sprints to get through one ATO at a time, with near-full-time focus.”
The ATO process has been seen as a persistent hurdle for both cloud adoption and IT modernization because it is the authorization gate every new system or service must pass before an agency can put it into production, and therefore the process vendors have to navigate to offer new services to the federal government.
The Federal Risk and Authorization Management Program (FedRAMP), the office within GSA that oversees security authorizations for cloud services used across the federal government, has crafted a tailored set of processes (FedRAMP Tailored) to trim both the timelines and the industry costs of obtaining an authorization, which have been estimated to average four to six months and cost between $300,000 and $700,000.
While significantly faster, the FedRAMP Tailored processes were still projected to take four to eight weeks to complete.
18F was tasked with finding a way to streamline the ATO process last year as part of its Project Boise.
The innovation office's plan relies on both reducing complexity and promoting collaboration: it formed an ATO sprinting team composed of a developer from GSA's Technology Transformation Service (TTS), security officials and an ATO specialist who assists the project team through the process.
By homing in on the authorization requirements of small software systems rather than large, complex packages, cutting the lag that comes from multitasking across multiple projects, and using standard security practices, 18F was able to make the ATO compliance process much more efficient.
“Almost all of the systems run on top of cloud.gov, a Platform-as-a-Service with a FedRAMP authorization, which handles a lot of the compliance at the platform level,” Feldman said. “For the parts that are the responsibility of the customer system, we worked with GSA Security to develop a System Security Plan (SSP) template for systems running on cloud.gov, which cut out the security controls handled by the platform.”
The sprinting team also had its ATO assessors and security team work in concert to reduce the fits and starts of the authorization, while leveraging standard TTS technology stacks so that the components of a system, and the controls they inherit, were already familiar to the assessors.