As taxpayers are aware, the public sector isn’t known as a bastion of efficiency. Security approvals for new software are no exception. While security is essential for military operations, security approvals for software duplicate existing work. For example, after years of a company working to gain approval to sell software to the Navy, that company must again undergo an arduous process of approval to sell the same software to the Army. Costs go up, and software can quickly become obsolete.
To streamline this process, lawmakers should implement reciprocity agreements for these critical security approvals to reduce bureaucracy, save taxpayers money, and keep software state of the art while improving government efficiency.
To incorporate a new piece of software, a military agency must first acquire an Authority to Operate (ATO) for the software to demonstrate it is secure. While a vital aspect of military cybersecurity, the system repeats the same work each time software is considered for use.
The Federal Risk and Authorization Management Program (FedRAMP) sets the standards for military cloud computing software. Estimates on the cost vary, but the budget for a FedRAMP Authority to Operate can range from $250,000 to $3 million. These bills are ultimately passed on to taxpayers. The time needed to assess an ATO also varies by agency. It can take three to nine months at some agencies, whereas at the Department of Defense, it can take as long as three years.
Each of these costs delays new technologies and can disincentivize competition. Barriers to entry create a lock-in effect for older technologies by limiting how new technologies can replace them. They also tend to disadvantage smaller competitors that cannot bear the increased costs and time. Using older software too long could potentially increase cybersecurity vulnerabilities by preventing the adoption of innovative technologies, while costing taxpayer dollars.
Given these problems, it is promising that one bill making its way through Congress would address them. One provision in a bill that has passed the House of Representatives requires military departments reviewing cloud-based software for an ATO to defer to decisions made by prior departments, assuming the software will be used similarly.
Justin Leventhal is a senior policy analyst for the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.