
Federal cybersecurity leaders said on Thursday that the authority to operate (ATO) process – often blamed for slowing technology adoption – can move faster if agencies shift their approach to risk management, culture, and decision-making.
Speaking at the Bethesda AFCEA Energy, Infrastructure and Environment Summit, officials from the National Institute of Standards and Technology (NIST), Office of Management and Budget (OMB), and the Department of Agriculture (USDA) pointed to cultural and procedural barriers as the primary cause of delays.
The push signals a broader federal effort to accelerate technology adoption by rethinking how agencies assess and authorize risk.
At OMB, officials are focusing on improving decision-making speed within the ATO process. Nick Polk, director of cybersecurity at OMB, said that Federal CIO Greg Barbaccia has been working to improve the ATO process by engaging with agencies.
“One thing I personally heard a lot … when we’re doing ATO, you don’t hear ‘no,’ a lot. Nobody ever says no, but nobody ever says ‘yes,’” Polk said.
“So, a lot of what we’re looking at is making sure those decisions are made distinctly early, and that we can really get the folks that are working on that process to a final decision quicker, so that they can either get that system up and running or reassess and find what went wrong and start … again,” Polk continued.
While Polk did not provide a firm timeline for ATO modernization efforts, he said agencies should expect progress in the coming months as OMB evaluates policy changes and technical solutions.
Polk added that he and Barbaccia are working on different possible policy vehicles and technological solutions to “facilitate some of the policy, the people, and the processes that need to change to really get at the problem.”
Victoria Yan Pillitteri, cybersecurity lead at NIST, said agencies frequently misinterpret ATO requirements by treating them as rigid compliance checklists rather than risk-based frameworks.
“I would dare say that if you think ATO is a bottleneck, that means it’s a cultural problem,” Pillitteri said. “You are not implementing good risk management. You have become a compliance shop where you’re trying to do every single thing on the list, and that’s not managing risk.”
Pillitteri explained that security controls are intended to be tailored to mission needs, not applied universally. Agencies that align ATO decisions with risk tolerance and mission priorities can move significantly faster, she said.
“If there are mission drivers … you could do an ATO very quickly,” she said.
The federal average ATO timeline stands at 210 days, according to Tony Brannum, associate chief information officer (CIO) at USDA. However, Brannum said USDA has reduced approval times to as little as two months in some cases.
He said that ability has come from recent policy changes, including streamlined FedRAMP authorizations, which are easing a long-standing bottleneck by fast-tracking approvals despite ongoing vendor reluctance to navigate the process.
Brannum said federal cybersecurity leaders have been looking to improve ATOs by sharing reusable ATO packages across agencies and automating labor-intensive processes. That could cut months of manual documentation and enable real-time control validation during system builds, he explained.