Security Compass Releases Research Report: The State of Secure Development & ATO in U.S. Government Agencies in 2021

Comprehensive study finds that U.S. Government Agencies face numerous challenges balancing software time to market with enhanced security

TORONTO–(BUSINESS WIRE)–Security Compass, developer of the industry’s first Balanced Development Automation (BDA) platform, today published the results of a new report, “The State of Secure Development & ATO in U.S. Government Agencies in 2021”. The comprehensive study provides an overview of the current state of secure software development within U.S. government agencies and the challenges they face in scaling secure development. Survey results are based on responses from cybersecurity professionals at federal, state, and local government agencies with expertise in current secure coding standards and regulations.

According to the report, “shifting left” and improving software time to market are top priorities for government agencies at all levels. However, budget constraints were cited as the biggest roadblock to meeting these goals, with over half (57%) of respondents noting that monetary issues inhibited their DevSecOps initiatives. Additionally, while many agencies feel their teams manage to meet evolving compliance regulations (87%), the tasks needed to do so require time that could be more valuable if used elsewhere. The report also highlights that the need for automated solutions that enable secure software development is becoming increasingly prevalent across federal, state, and local government agencies.

Key findings of the report include:

  • Increased software time to market is a priority
    • Over half of respondents (55%) indicate that “shifting left” is either a top priority or one of the top three priorities in the software development process within their organization.
    • Over a third (34%) of respondents in federal agencies indicate that improving software time to market is the top priority for their team this year.
    • A quarter of respondents (24%) indicate that they do not track the speed with which their teams produce software, and another 7% are unsure if or how it is done.
    • Of respondents that track the speed with which their teams produce software, 72% indicated that increasing the speed at which their team onboards or develops and deploys applications in their organization is the top priority.
  • Ensuring secure coding best practices is still a manual process
    • 42% of all respondents said that their teams still use manual security testing; this figure was even higher (52%) in federal government agencies.
    • Federal agencies were the highest users of automated security processes compared to state and local agencies, with 72% indicating that this was used on at least some of their applications.
    • Delivering secure coding requirements to developers is a very manual process; 47% use spreadsheets, to do so and 46% use email.
    • 24% of federal respondents spend 14 or more days per year staying on top of compliance requirements.
    • Worryingly, once controls have been implemented, a high percentage of respondents (30%) indicated that they don’t know how implementation of these controls are tracked.
  • There are benefits to tracking security controls and using Continuous Authority to Operate (ATO)
    • 59% of respondents indicate that the ability to track inherited security controls (for example, from third party software providers) would help improve software time to market.
    • Only one third (33%) of federal agencies use Continuous ATO.
    • Another challenge for government agencies is the time to achieve ATO, with over a quarter of respondents (28%) indicating that it takes them four months or more to do this. This figure was highest within federal agencies (38%).
    • 23% of respondents indicated that they are only partially satisfied or dissatisfied with their ATO process.

“This primary research report highlights the challenges and opportunities U.S. federal, state and local agencies face in adopting proactive cybersecurity software development processes; what we call “shifting left”, or integrating security early on in the software development process,” said Jay Ryan, Program Manager, U.S. Federal Government, Security Compass. “Our hope is that the results of this study will provide helpful insights U.S. government agencies can use to better understand security gaps in their current software development lifecycle process, as well as how to address these gaps. Through the report, agencies should be able to see where their organization sits in relation to their peers.”

For more information, and to view the full State of Secure Development & ATO in U.S. Government Agencies report, click here. To learn more about how Security Compass accelerates ATO processes and streamlines DevSecOps adoption, click here or register for the upcoming webinar 2021 State of Secure Development & ATO in U.S. Government Agencies: Key Findings & Recommendations taking place on Tuesday, October 26 at 2:00pm EST.

About the Survey

Security Compass commissioned Golfdale Consulting to conduct this survey research project. The survey was conducted online from August 9, 2021, through August 24, 2021, with 122 respondents from various levels of government (43% federal, 33% state and 24% local). Those surveyed were from relevant key functional areas with self-reported expertise in current secure coding standards and regulations. Fieldwork was conducted via two online survey panels by Maru and Dynata. Two field houses were utilized due to the challenges of obtaining responses from US government employees.

Read more…