The 2023 State of Secure Development & ATO in U.S. Government Agencies


Introduction

In 2023, the state of cybersecurity within US federal agencies continues to face significant challenges as advanced cyber threats evolve and become more sophisticated. The adoption of new technologies, such as artificial intelligence, machine learning, and 5G, has increased the attack surface for threat actors to exploit, as has the increased reliance on remote work and online services. Federal agencies have been working diligently to improve their cybersecurity posture by implementing new standards and practices, but the growing complexity and scale of cyber threats demand constant adaptation and innovation.

The Authority to Operate (ATO) process within US federal agencies is a critical aspect of ensuring adequate cybersecurity measures are in place. ATO serves as a formal, documented approval from a senior agency official that authorizes an information system to operate within a specific security environment. This approval is granted based on a comprehensive risk assessment that includes testing and evaluation of the system’s security controls, as well as continuous monitoring to ensure ongoing compliance. In recent years, the ATO process has been streamlined and modernized to better adapt to the rapidly changing cybersecurity landscape, but challenges remain.

This report provides an overview of key findings from a comprehensive study of the topic commissioned by Security Compass. It is a follow-up to a study conducted in 2021. The report quantifies the challenges and opportunities being confronted by US government agencies at the federal, state and local levels. Software development methods, security expertise, developer controls and mitigations, communication approaches, and current approaches to ATO-compliant software development are explored.

Compliance and Shifting Security Left

A bar graph showing the agreement level with keeping up with compliance standards and the priority of “Shifting Security Left” across overall, federal, state, and local agencies for the years 2023 and 2021.

In the last two years there has been a significant rise in "shifting security left" as a top priority for government agencies. Over 90% of federal agencies now have it as one of their top priorities, up from 55% in 2021. Indeed, virtually all currently agree that their agencies are keeping up with compliance standards.

Improving Software Time to Market

Improving software time to market as a priority has almost doubled over the past two years among US government agencies.

A bar graph comparing the priority of speeding up time to market across federal, state, and local agencies for the years 2023 and 2021. The graph shows varying levels of priority, with a significant portion marked as top priority for federal agencies in 2023.

A growing proportion of all Agencies measure speed to market directly, with the remainder mostly doing so indirectly.

A bar graph displaying how speed to market is measured, with categories including focused metrics or tools, indirectly, and no measurement, comparing overall data with the specific context of agencies developing custom software and the speed priority for the years 2023 and 2021.

Ensuring Secure Coding Best Practices

A bar chart showing secure coding best practices across federal, state, and local agencies, including internal training, automated security testing, and secure code review.


A donut chart showing methods of delivering secure coding requirements: spreadsheets (38%), productivity tools/issue trackers (37%), email (18%), and other methods (3%).

Secure Code Reviews are now the most prevalent best practice, followed closely by Automated Security Testing and regular internal training. Along with these practices, productivity tools are now tied with spreadsheets for delivering requirements.

Time Requirements to Meet Security Standards

The length of time to define security requirements for projects has coalesced around the 1 to 13 day mark. Fewer are able to do it in less than a day, undoubtedly because of growing requirements, and, by the same token, far fewer are taking 14 days or more. As regulations have grown, so too has the time spent researching and maintaining an understanding of requirements. Deployment times align closely with times to define requirements.

A bar chart comparing the time spent annually researching standards and regulatory knowledge in 2023 and 2021 for Federal, State, and Local agencies. It shows time spent in less than 1 day, 1 to 6 days, 7 to 13 days, and 14 days or more.


A bar chart comparing the length of time to define security for projects between new and existing projects. It shows time spent in less than 1 day, 1 to 6 days, 7 to 13 days, and 14 days or more.


Implemented Controls

While an increasing number of Agencies are using toolsets, the majority still track implemented controls manually using spreadsheets. For tracking inherited security from supporting systems/infrastructure, a third use GRC tools.


A bar chart comparing tracking implemented controls between 2023 and 2021 for Federal, State, and Local agencies. It shows the use of spreadsheets, toolsets, and uncertainty.


Authority to Operate (ATO)

Overall, four out of ten Agencies are using a Standard Continuous Authority to Operate (ATO) process. There has been improvement in the past two years in the time to achieve ATO and, along with that, in satisfaction with the ability to do so.


A chart showing the current approach to achieving Authority to Operate (ATO) in 2023. It includes Standard ATO process (60%), Continuous ATO (33%), and others (7%). The chart also shows satisfaction with time to achieve ATO across various agencies.

Challenges and Developments

Budget constraints are the most frequently cited impediment that Agencies at all levels of government face in implementing DevSecOps. Advancements in artificial intelligence are having a major impact on DevSecOps, although at the Federal level, Secure Software Supply Chain is a close second.

Side-by-side bar charts comparing challenges in implementing DevSecOps for 2023 and 2021, with categories such as budget constraints, managing legal/regulatory compliance, inadequate skill sets, challenges with ATO process/speed, lack of organizational agility, and securing DevSecOps infrastructure. It also ranks the top developments impacting DevSecOps, such as artificial intelligence, secure software supply chain and SBOM, containerization advancements, ATO reciprocity, and zero trust, with percentages for Federal, State, and Local agencies.

Conclusion

US government Agencies continue to modernize their approach to cybersecurity, "shifting left" in their approaches and working diligently toward new regulatory compliance standards. Along with adopting a maturing security posture, the majority are now undertaking formal measurement of their speed in development and deployment of new software. Secure code review and automated security testing are now prevalent, although ironically, spreadsheets remain a common method for delivering secure code requirements. Also, the majority still track implemented controls manually using spreadsheets; however, an increasing number of Agencies are using toolsets.

With threats running unabated, and new compliance standards increasing, the time spent researching and maintaining the knowledge to stay current has increased. Nonetheless, the length of time to define security requirements for projects has improved as has the time to deploy new software. The time to achieve ATO and satisfaction with the ability to do so have improved in the past two years.

Budget constraints are the most frequently cited impediment Agencies face in implementing DevSecOps. Recent advancements in artificial intelligence are also having a major impact, although Secure Software Supply Chain is a close second.

US Agencies have made significant strides in the past two years, yet the challenges in meeting modern cybersecurity needs remain daunting. Automation remains key to delivering secure software.