In today’s rapidly evolving battlefields, the Department of Defense (DoD) faces a paradox: It is awash with advanced technologies, yet warfighters often wait months, even years, for approval to use the software they desperately need. Why? The bottleneck often lies in a well-intentioned but outdated process: the Risk Management Framework (RMF) and the painful path to achieving an Authority to Operate (ATO).
The ATO process, designed to safeguard national security systems, is rooted in sound principles. But in practice, it has become a procedural obstacle course—one that sidelines innovative software with lengthy, bureaucratic delays. Having gone through my fair share of ATOs across the Air Force, Army, and Marine Corps, I can attest that this process needs serious reforms. From mission planning tools to logistics dashboards, critical capabilities are too often stuck in limbo because of inconsistent, manual, and subjective risk determinations. For instance, this process has stalled the use of critical identity and access management software such as Okta. This software enables zero trust enforcement, rapid user authentication, and centralized access control across multi-domain, cloud, and on-premise environments, without introducing significant delays or bandwidth constraints into key warfighting systems.
To ensure US warfighters receive the tools they need in a timely fashion, the DoD should invest in updated technical training for cybersecurity professionals and implement automated, continuous security checks on software. But for these reforms to succeed, the DoD will need to institute a broader cultural shift among the cybersecurity and acquisitions workforces toward recognizing compliance as the crucial aspect of US national security policy that it is.
A subjective standard of risk
RMF is the US government’s structured approach to ensuring information systems are secure and resilient before they are allowed to operate within government networks. It was designed to replace checklist-style compliance with a risk-based decision-making process. Under RMF, systems go through several stages—categorization, control selection, implementation, assessment, authorization, and continuous monitoring. At the heart of the process is the ATO—a formal decision by an authorizing official that a system’s security posture is acceptable for use. To reach this decision, program teams must document security controls, undergo assessments by independent cybersecurity experts, and respond to findings. The intent is to ensure systems are secure before they are fielded—but in practice, the process often results in extended delays, overly cautious reviews, and inconsistent standards across organizations.
One of the most challenging aspects of the ATO process is the subjectivity of risk determination. What is deemed an acceptable risk by one authorizing official may be an unacceptable liability to another. With no shared standard of risk tolerance, system owners must often start from scratch depending on who sits in the approval seat. This variability leads to costly rework, long delays, and disillusioned program teams. Worse, it creates a culture where innovation is stifled not by bad technology, but by indecision and fear.
This is not just a bureaucratic issue; it’s a mission-impact issue. Delays of twelve to eighteen months for an ATO mean that a new targeting application, mission planning software, or AI-enabled intelligence tool never reaches the unit that needs it. When marines or soldiers are using outdated or spreadsheet-based tools while Silicon Valley technologies sit behind compliance gates, something is broken. Compliance activities do have their place. They provide a framework and a set of standards that system owners should utilize. But compliance activities make up only one facet of a resilient security posture.
When it comes to the documentation for this process, the only thing consistent about it is its inconsistency. Each security control assessor, information systems security manager, and authorizing official has their own preferences for how security controls and security requirements guides should be documented. Even when software-as-a-service systems have received accreditation in one military service, the ATO often does not carry over to other services, requiring the process to start over again at each service.
Across most systems in the DoD, ATOs are manual one-time reviews that only look at a snapshot in time rather than monitoring software continuously. What’s more, this inadequate review takes a significant amount of time, labor, and resources. It requires a team of cybersecurity professionals to manually review and analyze all ATO documentation to meet compliance thresholds. Because there are few security assessor teams across the DoD, there is often a delay in getting the third-party assessor on schedule to conduct the manual review.
These one-time ATO reviews, which often approve software for one to three years, are not useful for tracking a system’s long-term security posture. In fact, leaving a system approved for this long without further review increases its security risk. Continuous monitoring is a key step in the RMF, but it is often haphazardly implemented, with security scans sometimes occurring only monthly or even quarterly. Moreover, authorizing officials ultimately accept the risk of critical or high vulnerabilities to keep systems available for users. Instead, ATO and security posture should be continually assessed against an agreed-upon standard of security guardrails and thresholds. This continual assessment should in no way be manual. Rather, it should be baked into the day-to-day software development lifecycle through automated regression, quality, and security testing with each delivery of code.
The talent gap in modern cybersecurity
Compounding the problems with the ATO process is a talent management challenge. Many cybersecurity professionals tasked with evaluating and authorizing systems are not trained in modern software development or cloud-native architectures. Developments such as the shifts to hybrid cloud, containerized applications, and infrastructure as code have dramatically outpaced cybersecurity workforce training.
Security professionals steeped in legacy systems may treat every cloud deployment as a threat, rather than an opportunity for enhanced resilience, scalability, and automation. As a result, the process designed to manage risk often ends up misunderstanding it—focusing on outdated indicators instead of real attack vectors. In one of the ATO renewals I supported, our cybersecurity assessor subject matter experts didn’t know about cloud-hosted Kubernetes technologies, which are widely implemented across DoD software organizations. They also did not understand how to implement the Kubernetes security technical implementation guide, even though they were supposed to be assessing our security compliance. As a result, the first few days of the assessment were spent teaching assessors about containers, Kubernetes, microservices, and ephemeral IP ranges before the ATO process could move forward.
The DoD can’t automate trust, but it can automate verification. And that’s where the changes to the process must begin.
Recommendations for reform
To speed up the delivery of secure software, the DoD must rethink how it defines and manages risk. The following actions would make the ATO process more efficient, ensuring that warfighters can use the software they need to meet mission success.
- Invest in talent management and training. The DoD must invest in a new cadre of cyber professionals who understand development, security, and operations (DevSecOps), continuous integration/continuous deployment pipelines, and cloud-native patterns. This starts with developing targeted training, incentives for continuous learning, and career pathways that reward technical skills over legacy tenure. It also requires an incentive structure that holds authorizing officials accountable for delayed ATO timelines, especially for software-as-a-service products that have already received ATOs in other organizations.
- Automate guardrails and thresholds. To embrace a continuous ATO framework, programs should implement automated security checks that enforce zero trust principles, identity policies, and vulnerability scanning. They should also require logging standards directly in the pipeline. Building software with these guardrails from the start reduces the need for manual reviews and bolsters confidence in the system. That way, when code is pushed and meets the predefined security guardrails, it can go straight into production environments.
- Reduce redundant documentation. Much of the RMF burden is paperwork for paperwork’s sake. By adopting living documentation generated from automated pipelines—like real-time architecture diagrams, test coverage, and security telemetry—the Pentagon can save thousands of hours that are currently being wasted on static Word documents no one ever reads.
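As an added illustration of the automated guardrails recommended above (this is not code from the article, the DoD, or SWFT), the following Python pipeline gate applies agreed thresholds for critical and high findings, a logging standard, and an identity policy to a constructed scan report; the report fields, metadata keys, and threshold values are assumptions.

```python
"""Policy-as-code gate for a delivery pipeline (added illustration). Findings above
the agreed thresholds or missing identity/logging controls block promotion."""
from dataclasses import dataclass

# Constructed sample scanner output and pipeline metadata; field names are assumptions.
SAMPLE_SCAN = {
    "artifact": "example/mission-planner:1.4.2",  # placeholder artifact name
    "vulnerabilities": [
        {"id": "FINDING-0001", "severity": "CRITICAL", "fixed_version": "2.3.1"},
        {"id": "FINDING-0002", "severity": "HIGH", "fixed_version": None},
        {"id": "FINDING-0003", "severity": "MEDIUM", "fixed_version": "1.0.9"},
    ],
}
SAMPLE_METADATA = {
    "audit_logging": {"enabled": True, "forward_to_siem": True},
    "mfa_required": False,
}

@dataclass
class Guardrails:  # the agreed-upon thresholds, set once by the authorizing organization
    max_critical: int = 0
    max_high: int = 0
    allow_unfixed_high: bool = False  # a HIGH with no available fix may be deferred
    require_siem_logging: bool = True
    require_mfa: bool = True

def evaluate(scan, metadata, rails):
    """Return (allowed, reasons); an empty reasons list means the build may promote."""
    reasons = []
    counts = {"CRITICAL": 0, "HIGH": 0}
    for v in scan["vulnerabilities"]:
        sev = v["severity"]
        if sev == "HIGH" and rails.allow_unfixed_high and v["fixed_version"] is None:
            continue  # deferred by policy, but still visible in the scan report
        if sev in counts:
            counts[sev] += 1
    if counts["CRITICAL"] > rails.max_critical:
        reasons.append(f"{counts['CRITICAL']} critical finding(s), threshold {rails.max_critical}")
    if counts["HIGH"] > rails.max_high:
        reasons.append(f"{counts['HIGH']} high finding(s), threshold {rails.max_high}")
    log = metadata.get("audit_logging", {})
    if rails.require_siem_logging and not (log.get("enabled") and log.get("forward_to_siem")):
        reasons.append("audit logging is disabled or not forwarded to the SIEM")
    if rails.require_mfa and not metadata.get("mfa_required"):
        reasons.append("identity policy does not require MFA")
    return (not reasons, reasons)
```

The reasons list is what the pipeline should surface to developers and record as living evidence for the authorizing official, so that a blocked build explains itself without a manual review.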
The SWFT strategy: A moment for culture change
The DoD’s new Software Fast Track (SWFT) methodology, announced on May 5, offers a hopeful roadmap. SWFT aims to make software development more agile by implementing regular software releases, modern and modular architectures, and outcomes-based measures that meet warfighter needs. But to be truly transformative, it must be paired with a culture shift across the acquisition and cybersecurity communities.
Acquisition and cybersecurity personnel must move away from compliance as a box-checking exercise and toward compliance as a byproduct of good engineering. The future lies in continuous ATOs, risk quantification tools, and AI-assisted cybersecurity—if the Pentagon is willing to invest in people and process changes.
If the DoD wants to outpace its adversaries and empower its warfighters with the tools they need, it must treat secure software delivery as a warfighting imperative—not a compliance chore. The ATO process, as it stands today, is a bottleneck the United States can no longer afford.
The call to action is clear: upgrade the workforce, automate security, and embrace a cultural change toward cybersecurity compliance. SWFT provides an opportunity—now it’s time to put it into practice.
Hannah Hunt is a nonresident senior fellow with the Atlantic Council’s Forward Defense program within the Scowcroft Center for Strategy and Security and a distinguished technical fellow at MetroStar Systems. She was previously the chief of product at the Army Software Factory under Army Futures Command and chief of staff at the US Air Force’s Kessel Run.