Obtaining an Authority to Operate (ATO) or a Continuous ATO (cATO) in the U.S. federal space requires a mature, agile, and security-first development approach, grounded in DevSecOps best practices.
This expert panel explored the state of secure software development maturity in the federal government, key barriers to adoption, and the innovative strategies helping agencies accelerate compliance and mission impact.
What Is the Current Maturity of Secure Software Development in the U.S. Federal Government?
Secure software development maturity is accelerating across the DoD and federal agencies, driven by DevSecOps adoption and mission-aligned software strategies.
Key Trends Driving Maturity:
- Adoption of DevSecOps across DoD software factories such as the Air Force's Kessel Run and Platform One
- Increased emphasis on shifting security left through test-driven development and automation
- Integration of infrastructure as code (IaC) and configuration as code (CaC)
- Growing acceptance of open-source and commercial software solutions
- Strategic recognition by senior leaders that software underpins mission agility
What Are the Biggest Barriers to ATO, cATO, and DevSecOps Adoption?
Resistance to change, skill gaps, organizational silos, and inadequate tooling slow DevSecOps implementation and ATO acceleration.
Common Challenges:
- Lack of design rigor and enforceable security requirements in system architecture
- Organizational resistance rooted in legacy workflows and waterfall methods
- Insufficient cross-training between security and DevOps staff
- Immature DevOps pipelines or fragmented toolchains
- Need for champions to drive cultural and process transformation
What Innovations and Best Practices Enable Faster ATO and Better Software Security?
Cross-functional collaboration, design-centric development, automated tooling, and reusable components are key to innovation.
Best Practices Shared:
- Use of penetration testing and red teaming to validate controls under cATO
- Tools like VivSoft's enBuild for simplified deployment
- Reuse of microservices to avoid redundant development
- Tight integration between SD Elements and tools like Jira so that compliance requirements are traceable to work items
- Cross-training between Dev, Sec, and Ops roles to build empathy and efficiency
Table: Key Innovations vs. Traditional Practices

| Practice Area | Traditional Approach | Modern DevSecOps Approach |
|---|---|---|
| Compliance Tracking | Spreadsheets and a manually maintained System Security Plan (SSP) | Automated via SD Elements and Jira |
| Deployment | Manual, waterfall releases | CI/CD with GitOps |
| Testing | One-time security testing | Continuous testing and red teaming |
| Authorization | Point-in-time ATO, reauthorized on a fixed calendar cycle | Continuous ATO (cATO) |
| Team Collaboration | Siloed roles | Cross-functional, integrated teams |
How Can Agencies Scale Secure Software Development?
Scaling secure software requires smart tooling, automation, data-driven processes, and continuous authorization pipelines.
Recommendations:
- Invest in developer-friendly tools like Snyk for static application security testing (SAST) and software composition analysis (SCA)
- Automate generation of compliance artifacts and integrate the scanners into the pipeline
- Embrace GitOps for consistent, repeatable deployments
- Use continuous ATO to reduce cost, time, and risk variability
- Leverage reciprocity and shared compliance stacks across agencies
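The recommendations above describe a pipeline stage that a continuous ATO depends on: scanner results are evaluated against a policy on every change, documented exceptions are honored only while they are current, and an evidence artifact is produced automatically rather than assembled by hand. The following is an added example of such a gate, not code from the panel, Security Compass, or any scanner vendor. It consumes SARIF, the OASIS interchange format that many SAST and SCA tools can emit; the scanner name, rule identifiers, file paths, and the exception register are constructed for illustration.

```python
"""Continuous-ATO style pipeline gate over SARIF scanner output (added example).

Policy: findings at a blocking severity fail the stage unless a documented,
unexpired exception exists for the rule. The gate also emits an evidence
record that binds the verdict to the exact scan output via a SHA-256 digest.
"""
import hashlib
import json
from datetime import date

# SARIF result levels that block promotion. Scanners generally map their
# high/critical findings to "error"; "warning" and "note" are recorded only.
BLOCKING_LEVELS = {"error"}

# Hypothetical exception register: rule id -> (justification, expiry ISO date).
# In practice this would be a reviewed file in the repository, not a literal.
EXCEPTIONS = {
    "hardcoded-credential": (
        "POA&M-0042: fixture key used only by unit tests, rotation scheduled",
        "2025-06-30",
    ),
}

# Constructed SARIF 2.1.0 document standing in for real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "version": "1.0.0"}},
        "results": [
            {"ruleId": "hardcoded-credential", "level": "error",
             "message": {"text": "Hard-coded API key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from a request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/search.py"},
                 "region": {"startLine": 44}}}]},
            {"ruleId": "debug-logging", "level": "warning",
             "message": {"text": "Debug logging enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def _as_date(value):
    """Accept a date, an ISO date string, or None (meaning today)."""
    if value is None:
        return date.today()
    return value if isinstance(value, date) else date.fromisoformat(value)


def iter_findings(sarif):
    """Flatten SARIF runs/results into (rule_id, level, file, line) tuples."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (
                result.get("ruleId", "unknown"),
                result.get("level", "warning"),  # SARIF default when absent
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
            )


def evaluate(sarif, exceptions=EXCEPTIONS, today=None):
    """Apply the policy. An exception only counts while it is unexpired;
    an expired one is surfaced on the finding so it is re-reviewed."""
    today = _as_date(today)
    verdict = {"blocking": [], "excepted": [], "informational": []}
    for rule, level, path, line in iter_findings(sarif):
        entry = {"rule": rule, "level": level, "file": path, "line": line}
        if level not in BLOCKING_LEVELS:
            verdict["informational"].append(entry)
            continue
        exc = exceptions.get(rule)
        if exc is not None and date.fromisoformat(exc[1]) >= today:
            entry["exception"] = exc[0]
            verdict["excepted"].append(entry)
        else:
            if exc is not None:
                entry["expired_exception"] = exc[0]
            verdict["blocking"].append(entry)
    verdict["passed"] = not verdict["blocking"]
    return verdict


def evidence_record(sarif, exceptions=EXCEPTIONS, today=None):
    """Build the artifact the authorization pipeline archives: scanner identity,
    a digest of the exact scan output, and the verdict with counts."""
    today = _as_date(today)
    canonical = json.dumps(sarif, sort_keys=True, separators=(",", ":")).encode()
    driver = sarif["runs"][0]["tool"]["driver"]
    verdict = evaluate(sarif, exceptions, today)
    return {
        "scanner": f"{driver.get('name')} {driver.get('version')}",
        "scan_sha256": hashlib.sha256(canonical).hexdigest(),
        "evaluated_on": today.isoformat(),
        "passed": verdict["passed"],
        "counts": {k: len(verdict[k]) for k in ("blocking", "excepted", "informational")},
        "findings": verdict,
    }


if __name__ == "__main__":
    record = evidence_record(SAMPLE_SARIF, today="2025-03-01")
    print(json.dumps(record, indent=2))
    raise SystemExit(0 if record["passed"] else 1)  # non-zero fails the CI stage
```

Run as a CI step, the non-zero exit blocks the merge or deployment while the printed record is archived as the control evidence for that commit. The digest matters for reciprocity: a second agency can verify that the archived verdict corresponds to the scan output it was given, and expired exceptions fail closed so a POA&M cannot silently outlive its review date.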
What Challenges Are on the Horizon for Traditional ATO Models?
Edge deployments, hybrid environments, and increasing geopolitical threats demand adaptive and scalable secure development strategies.
Emerging Challenges:
- Extending DevSecOps practices to embedded systems and edge computing
- Establishing reciprocity and audit trails for cross-environment assurance
- Anticipating shifts in cyber policy due to global threat events
- Integrating Zero Trust principles into DevSecOps workflows
Final Thoughts
To meet tomorrow’s software demands, federal agencies must continuously evolve their DevSecOps capabilities, reduce ATO friction, and scale compliance through automation, design rigor, and collaboration.
Security Compass, through SD Elements and active partnerships with industry and federal leaders, plays a pivotal role in this transformation.