Air Force pushes fast-tracked ATOs


The Air Force plans to migrate 100 applications to the cloud this year, with the hope that most of them will use a new streamlined process to obtain authorization to operate (ATO) certification.

Getting an ATO can take around six to 18 months, Air Force Deputy CIO Bill Marion said May 7 during a keynote speech at a BMC Federal Exchange event. The goal is to get as many cloud-bound applications as possible using the Fast-Track ATO pilot, which Marion announced via memo in March.

"Imagine if you will an Air Force software ecosystem where these major factories are baking in security -- the things that we’ve talked about for a decade -- truly baking in security and remediation and pen testing [and sensors] into the process," he told FCW following the event.

Kessel Run, the Air Force’s popular software factory, has undergone penetration testing to see if rapid ATOs can be secure. And they have, Marion said.

"It basically validated the processes that we were performing were the right oversight process when developing code and looking at code," he said of the testing. "We've had to continue to refine and improve, but that's any software pipeline."

Marion said the vulnerabilities that were found were more or less expected and related to maturity rather than any "big smoking hole in our process."

Fast-Track ATO approvals involve a cybersecurity baseline, penetration testing and a plan for continuous monitoring. The Air Force is using Fast-Track alongside two existing pathways to approval -- the old Risk Management Framework and a phased framework called Operational Risk Tolerance Baseline. The USAF memo specifies that systems that "aren't prepared to endure a strong penetration test" are not good candidates for Fast-Track.

"What we’re doing is baking the right types of security into the process," Marion said.

The testing will continue, and Marion said he expects to have more data later this year.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. Follow her on Twitter @lalaurenista.
