A new study reveals the challenges and progress of secure software development and ATO practices across federal, state, and local U.S. government agencies.
What Was the Goal of This Study?
The research aimed to benchmark secure development and ATO maturity across different levels of U.S. government.
Over 120 respondents from federal, state, and local agencies participated. The study targeted professionals actively involved in software development, cybersecurity, and compliance. It assessed adoption of DevSecOps, challenges in achieving ATO, and the role of tools and automation in secure development.
Key Challenges in Government Software Development
Budget constraints remain the top obstacle, affecting security, tooling, and compliance initiatives.
| Challenge | Commonality Across Agencies |
|---|---|
| Budget constraints | Most frequently cited issue |
| Tool fatigue and integration issues | Widespread |
| Legal and regulatory compliance | Ongoing complexity |
| Securing DevSecOps pipelines | Increasingly critical |
Most agencies use 5–9 tools in their development workflows. Yet many still track requirements manually via spreadsheets and email, making traceability and consistency difficult.
DevSecOps Adoption and Shifting Security Left
Over half of agencies now prioritize shifting security left and increasing delivery speed.
| Initiative | Percentage Prioritizing |
|---|---|
| Shifting security left | 55% |
| Accelerating app deployment | 52% |
| Measuring development speed | ~40% actually do it |
While DevSecOps adoption is rising, many organizations lag in tracking speed metrics or defining security requirements efficiently, often taking more than a week for each.
The State of ATO: Fast Track, Continuous, or Stalled?
ATO remains a major bottleneck, with most agencies requiring over 3 months to achieve it.
| ATO Model Used | Most Used By |
|---|---|
| Continuous ATO | 33% of federal agencies |
| Fast Track ATO | Gaining adoption |
| Traditional (Waterfall) ATO | Still used by many |
| Time to Achieve ATO | Percentage of Agencies |
|---|---|
| Under 1 month | 18% |
| 2–3 months | 31% |
| 4+ months | 28% |
Despite progress, a majority of respondents remain dissatisfied with how long it takes to reach ATO, pointing to a clear need for better automation and process improvements.
Compliance: Time-Consuming and Manual
Tracking and proving compliance is still mostly manual, error-prone, and labor-intensive.
| Activity | Time Investment (Annually) |
|---|---|
| Staying current on standards | 7–14+ days for most |
| Defining security requirements (new software) | Often > 7 days |
| Providing controls for each release | 3–4 days or more |
Nearly half of agencies still use spreadsheets or emails to deliver secure coding requirements, posing challenges in traceability and audit-readiness.
How SD Elements Streamlines Secure Development and ATO
SD Elements automates control generation, integrates with dev toolchains, and provides auditable compliance evidence.
Key capabilities demonstrated:
-
Risk-based survey: Automates control generation based on project and compliance context
-
Developer guidance: Step-by-step solutions, code samples, and just-in-time training
-
Tool integration: Pushes requirements into Jira and other platforms
-
ATO enablement: Provides traceability, scanner integration, and compliance reporting
| Feature | Benefit |
|---|---|
| Just-in-time training | Increases developer effectiveness |
| Control traceability | Enhances auditability and ATO readiness |
| Real-time compliance reports | Reduces manual effort, accelerates approvals |
Future Outlook: Cloud, Automation, and Continuous ATO
Cloud innovation and ATO modernization will define the next evolution in government DevSecOps.
Top-impact trends identified by respondents:
-
Cloud advancements
-
DevSecOps acceleration
-
Continuous ATO enablement
-
SBOM (Software Bill of Materials) standardization
With continuous ATO gaining traction, more agencies are recognizing the value of secure-by-design platforms that support speed, scalability, and compliance from day one.