Recently, both Pentagon CIO John Sherman and the House Armed Services Committee (HASC) have advocated for new policies to expedite the Department of Defense’s (DoD) adoption of commercial software.

While these efforts are commendable, DoD and industry officials emphasized at a recent conference that cutting red tape alone is insufficient.

Officials responsible for certifying commercial software as cybersecure and safe for government networks also need advanced technical tools and computing environments to properly test the software. The critical bottleneck in this process is known as Authorization To Operate (ATO).

When the Pentagon wants to use commercial software, a government Authorizing Official (AO) must formally approve it as secure enough to be used on government networks. This process is often hindered by bureaucratic challenges.

Sherman’s new policy and HASC’s draft legislation aim to reduce these hurdles by requiring authorizing officials across different DoD networks to accept each other’s ATOs—a principle called “reciprocity.”

This would eliminate redundant checks on the same software, although exceptions exist for software moving from unclassified to classified networks.

However, ATO is not just a bureaucratic task but a highly technical one that requires verifying the software’s functionality and security.

Experts suggest stress-testing software in realistic, isolated computing environments—“sandboxes”—that mimic actual DoD networks but aren’t connected to sensitive data.

These environments allow developers to experiment with new code, get user feedback, and refine the software quickly.

Setting up such infrastructure requires time, money, and expertise, creating another potential bottleneck.

At the Offset Symposium, Donald “Chee” Gansberger from AFWERX highlighted the progress in software modernization but noted that the ATO process remains challenging.

He mentioned recent policy changes aimed at improving this, including more agile software development methodologies and advanced testing systems like Second Front’s Game Warden.

Steve Escaravage of Booz Allen Hamilton concurred, noting that access to accredited testing environments, data, and operational feedback has historically impeded the adoption of emerging technology. He expressed optimism about recent advancements but acknowledged ongoing hurdles.

Despite these improvements, not all AOs have access to high-tech tools, according to Derek Strausbaugh from Microsoft.

He criticized the reliance on outdated methods like Excel spreadsheets and Word documents for system authorization, emphasizing the need for better infrastructure and support.

Relevant articles:
– Pentagon should streamline software adoption with more testing enclaves, experts urge, Breaking Defense
– Pentagon announces new reciprocity guidance to streamline software adaptation, Breaking Defense
– Proposed legislation would push Pentagon to streamline ATO process for cloud-based capabilities, DefenseScoop
– Atlantic Council Commission on Defense Innovation Adoption: Final report, Atlantic Council