Air Force pushes fast-tracked ATOs

shutterstock ID: 377287183 By Rei and Motion Studio 

The Air Force plans to migrate 100 applications to the cloud this year with the hope that most of them will use a new streamlined process to obtain authorization to operate certification.

Getting an ATO can take around six to 18 months, Air Force Deputy CIO Bill Marion said May 7 during a keynote speech at an BMC Federal Exchange event. The goal is to get as many cloud-bound applications using the Fast-Track ATO pilot, which Marion announced via memo in March.

"Imagine if you will an Air Force software ecosystem where these major factories are baking in security -- the things that we’ve talked about for a decade -- truly baking in security and remediation and pen testing [and sensors] into the process,” he told FCW following the event.

Kessel Run, the Air Force’s popular software factory, has undergone penetration testing to see if rapid ATOs can be secure. And they have, Marion said.

"It basically validated the processes that we were performing were the right oversight process when developing code and looking at code," he said of the testing. "We've had to continue to refine and improve, but that's any software pipeline."

Marion said the vulnerabilities that were found were more or less expected and related to maturity rather than any "big smoking hole in our process."

Fast-Track ATO approvals involve a cybersecurity baseline, penetration testing and a plan for continuous monitoring. The Air Force is using Fast-Track alongside two existing pathways to approval -- the old Risk Management Framework and a phased framework called Operational Risk Tolerance Baseline. The USAF memo specifies that systems that "aren't prepared to endure as strong penetration test" are not good candidates for Fast-Track.

"What we’re doing is baking the right types of security into the process," Marion said.

The testing will continue, and Marion said he expects to have more data later this year.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.