Summary

A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.

The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.

In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.