Obtaining ATO and cATO in the U.S. Federal Government: Software Security Best Practices & Lessons Learned

Obtaining an Authority to Operate (ATO) or a Continuous ATO (cATO) in the U.S. federal space requires a mature, agile, and security-first development approach, grounded in DevSecOps best practices.

This expert panel explored the state of secure software development maturity in the federal government, key barriers to adoption, and the innovative strategies helping agencies accelerate compliance and mission impact.

What Is the Current Maturity of Secure Software Development in the U.S. Federal Government?

Secure software development maturity is accelerating across the DoD and federal agencies, driven by DevSecOps adoption and mission-aligned software strategies.

Key Trends Driving Maturity:

  • Adoption of DevSecOps across Air Force software factories such as Kessel Run and Platform One

  • Increased emphasis on shifting security left through test-driven development and automation

  • Integration of infrastructure as code (IaC) and configuration as code (CaC)

  • Growing acceptance of open-source and commercial software solutions

  • Strategic recognition by senior leaders that software underpins mission agility

What Are the Biggest Barriers to ATO, cATO, and DevSecOps Adoption?

Resistance to change, skill gaps, organizational silos, and inadequate tooling slow DevSecOps implementation and ATO acceleration.

Common Challenges:

  • Lack of design thinking and enforceability in system architecture

  • Organizational resistance due to legacy workflows and waterfall methods

  • Insufficient security and DevOps cross-training

  • Immature DevOps pipelines or fragmented toolchains

  • Need for champions to drive cultural and process transformation

What Innovations and Best Practices Enable Faster ATO and Better Software Security?

Cross-functional collaboration, design-centric development, automated tooling, and reusable components are key to innovation.

Best Practices Shared:

  • Use of penetration testing and red teaming in cATO validation

  • Tools like VivSoft’s enBuild for simplified deployment

  • Reusability of microservices to avoid redundant development

  • Strong integration between SD Elements and tools like Jira for traceable compliance

  • Cross-training between Dev, Sec, and Ops roles to build empathy and efficiency

Table: Key Innovations vs. Traditional Practices

Practice Area        | Traditional Approach          | Modern DevSecOps Approach
---------------------+-------------------------------+------------------------------------
Compliance Tracking  | Excel/manual SSP              | Automated via SD Elements and Jira
Deployment           | Manual, waterfall release     | CI/CD with GitOps
Testing              | One-time security testing     | Continuous testing and red teaming
Authorization        | Static ATO every 6-12 months  | Continuous ATO (cATO)
Team Collaboration   | Siloed roles                  | Cross-functional, integrated teams

How Can Agencies Scale Secure Software Development?

Scaling secure software requires smart tooling, automation, data-driven processes, and continuous authorization pipelines.

Recommendations:

  • Invest in developer-friendly tools like Snyk for SAST and SCA

  • Automate artifact generation and pipeline integration

  • Embrace GitOps for consistent, repeatable deployments

  • Use continuous ATO to reduce cost, time, and risk variability

  • Leverage reciprocity and shared compliance stacks across agencies
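The "automate artifact generation and pipeline integration" recommendation is the one that most often stalls in practice: scanner output is produced on every build, but nothing turns it into evidence an assessor can verify. The following is an added example, not code from the panel, from Security Compass, or from any scanner vendor. It assumes the SAST or SCA tool can export SARIF 2.1.0 (a common, vendor-neutral format); the embedded scan is a constructed sample, and the policy thresholds and field names of the evidence record are illustrative. The gate counts findings per severity level, decides pass/fail against the policy, and emits a record that binds the scan output (by SHA-256), the commit it covers, the policy applied and the decision, so the artifact can be regenerated and re-checked rather than copied into a spreadsheet.

```python
"""Pipeline gate that turns SAST/SCA scanner output into an ATO evidence artifact.

Added example, not code from the panel or from Security Compass / SD Elements.
Assumes the scanner can emit SARIF 2.1.0; the input below is a constructed
sample and the policy thresholds are illustrative.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample scan: one error-level and one warning-level finding.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "version": "1.0"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
}

# Illustrative gate policy: block on any error-level finding, tolerate a few warnings.
DEFAULT_POLICY = {"error": 0, "warning": 5}


def summarize_findings(sarif):
    """Count SARIF results per level and flatten them for the evidence record."""
    counts = Counter()
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default level is "warning"
            counts[level] += 1
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId"),
                "level": level,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return dict(counts), findings


def evaluate_gate(sarif, policy=DEFAULT_POLICY):
    """Return (passed, violations): levels whose count exceeds the policy limit."""
    counts, _ = summarize_findings(sarif)
    violations = {lvl: counts.get(lvl, 0) for lvl, limit in policy.items()
                  if counts.get(lvl, 0) > limit}
    return not violations, violations


def build_evidence_record(sarif, commit_sha, policy=DEFAULT_POLICY, now=None):
    """Produce a self-describing evidence artifact for the authorization package.

    The SHA-256 is taken over a canonical (sorted, compact) serialization of the
    scan so an assessor can recompute it from the archived scanner output.
    """
    raw = json.dumps(sarif, sort_keys=True, separators=(",", ":")).encode()
    counts, findings = summarize_findings(sarif)
    passed, violations = evaluate_gate(sarif, policy)
    return {
        "artifact_type": "sast-scan-evidence",
        "commit": commit_sha,
        "generated_at": (now or datetime.now(timezone.utc)).isoformat(),
        "scan_sha256": hashlib.sha256(raw).hexdigest(),
        "tool": sarif["runs"][0]["tool"]["driver"],
        "policy": policy,
        "counts": counts,
        "gate_passed": passed,
        "violations": violations,
        "findings": findings,
    }


if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_SARIF, "deadbeef")
    print(json.dumps(record, indent=2))
    # Non-zero exit fails the pipeline stage; the record is still written as evidence.
    raise SystemExit(0 if record["gate_passed"] else 1)
```

In a real pipeline the record would be written alongside the raw SARIF file and the commit SHA would come from the CI environment; storing both lets the continuous-authorization review verify that the counts and decision match the archived scan instead of trusting the summary.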

What Challenges Are on the Horizon for Traditional ATO Models?

Edge deployments, hybrid environments, and increasing geopolitical threats demand adaptive and scalable secure development strategies.

Emerging Challenges:

  • Extending DevSecOps practices to embedded systems and edge computing

  • Establishing reciprocity and audit trails for cross-environment assurance

  • Anticipating shifts in cyber policy due to global threat events

  • Integrating Zero Trust principles into DevSecOps workflows

Final Thoughts

To meet tomorrow’s software demands, federal agencies must continuously evolve their DevSecOps capabilities, reduce ATO friction, and scale compliance through automation, design rigor, and collaboration.

Security Compass, through SD Elements and active partnerships with industry and federal leaders, plays a pivotal role in this transformation.