Automating the ATO

When Greg Elin worked at the Federal Communications Commission as chief data officer, he was frustrated by how long it took to get applications and services approved for agency use.  In 2014 he left his job and founded GovReady, a public benefit corporation that offers an open-source toolkit to help automate the security compliance process.

GovReady found the biggest problems came from the “sheer amount of documentation” that agencies must provide in their system security plans to get an authority to operate. After a series of experiments to determine how agencies created their SSPs, GovReady worked with developers to create component-centric guidance and build apps that map system components to compliance controls and include compliance documentation. When users select apps to build their systems from the GovReady-Q Compliance Server, their SSP automatically populates.

“We came up with different explanations of what it is like to go through the ATO and developed diagrams and representations of the process,” Elin told GCN. “We shared those with various parties and looked for levels of agreement and set up the maps in comparison with the [Risk Management Framework] to determine the biggest problems.”

The company’s early work was supported by a $1.1 million grant from the Department of Homeland Security’s Science and Technology Directorate in March 2016.

“When it comes to the certification and accreditation, we want to look into how technology can be preconfigured or preloaded with requirements that are necessary,” Vincent Sritapan, program manager for S&T’s Cyber Security Division, told GCN.  “We want to be able to automate and streamline the ATO process so every three years the process can be reduced.”

GovReady recently completed a proof of concept with the DHS Office of the CTO that showed how scanning and automatically updating SSPs could be conducted as part of a continuous integration pipeline.

S&T plans to award another contract to GovReady to integrate its platform into existing agency systems and accelerate the ATO process for other government agencies.

“For me, the ATO process is the primary constraint of modernizing, delivering services and incorporating innovation into government,” Elin said. “If we are able to accelerate the ATO process, then we could accelerate modernization and the rightsizing of the federal government.”

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.
