Evaluating cybersecurity risk

2019 Government Innovation Awards

NGA speeds ATOs for low-risk systems

Anyone who has done business with the federal government knows how laborious it is to receive an authority to operate. That process can be even more cumbersome for contracts and projects in the intelligence community.

Risk Management Program

National Geospatial-Intelligence Agency

Government Innovation Awards icon

Click here for all the 2019 Public Sector Innovation winners

That reality spurred the Risk Management Division of the National Geospatial-Intelligence Agency to look for ways to streamline the assessment and authorization of their information systems. In 2018, the agency implemented a new policy that incorporates both waterfall and agile software development while automating parts of the ATO process and calculating risk scores that were tailored to evaluate readiness.

The division also reworked the National Institute of Standards and Technology’s Risk Management Framework to better group security and risk activities by areas of responsibility between the division and system operators.

Telos helped the agency automate parts of its ATO process, and Justin Ford, the company’s technical director for enterprise solutions, said the federal government has historically looked at governance versus compliance objectives as red tape. But “NGA looked at it a little bit differently, and rather than trying to make the RMF process simpler, they went even further and basically said: How can we make the RMF process support the mission…so you can get there not only faster but stronger and better?” Ford said.

NGA’s approach has received accolades from industry, dramatically shortened authorization for low-risk information systems and freed personnel to focus more on higher-risk systems. Under the new process, three out of every four projects have received an ATO within five weeks.

About the Author

Connect with the GCN staff on Twitter @GCNtech.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.