Compliance as Code and Improving the ATO Process

Authors: Mary Lazzeri, Dayton Williams, Greg Elin, and Fen Labalme


A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.

The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.

In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.

Download PDF

About the Authors

Mary Lazzeri is the Federal Strategy Director at CivicActions. She served as a technology advisor for the Office of Management and Budget and the United States Digital Service under the Obama Administration. She has led digital transformation initiatives across the Federal Government and has co-authored federal security, privacy and cloud policies.

Dayton Williams is an Associate Developer and Policy Lead at GovReady PBC. Mr. Williams has supported GovReady PBC’s compliance initiatives in various federal agencies and specializes in RMF compliance automation.

Greg Elin is the Founder and CEO of GovReady PBC, a company focused on shifting cybersecurity and compliance left in the System Development Life Cycle. Mr. Elin was previously the Chief Data Officer for the Federal Communications Commission where he established trends for open data, APIs and the role of CDOs in federal agencies. He is currently working with DHS, CMS, USDA, and others on compliance automation.

Fen Labalme is the Chief Information Security Officer at CivicActions. His current mission is to empower better government by delivering free and open source software (FOSS) security and compliance solutions that improve upon previous proprietary systems. He’s also working on automating the ATO process, making it easier for agencies to do business securely. Fen is a long-time advocate of handling information wisely. His Computer Science and Electrical Engineering thesis at MIT presaged the privacy concerns facing today’s Internet and social media platforms.