The last 18 months have been among the most challenging times to develop and deploy software for federal, state and local government agencies. Before COVID-19, consumers increasingly expected the same seamless service from government agencies that they received from the private sector. However, with the outbreak of COVID-19, online government services went from being a “nice-to-have” to an “absolute requirement.”
Software developers serving federal, state, and local government agencies are among the many unsung heroes of the pandemic. They've worked furiously in the background to enable government agencies to shift services from in-person to online in a matter of weeks – not months or years. But, despite the accelerated shift to online government services over the last 18 months, many challenges to deploying secure software remain.
In the summer of 2021, Security Compass commissioned an in-depth, primary research survey targeted at U.S. federal, state, and local government agencies responsible for following government secure coding standards and regulations. This study was designed to examine the state of secure software development and Authority to Operate (ATO) in U.S. government agencies. It provides a comprehensive overview of the current state of secure software development within federal, state, and local agencies, as well as the challenges they face in scaling secure software development.
The study also allows readers to compare their agency’s practices with their peers in federal, state and local government agencies.
It wasn’t too long ago that developing software, especially in the federal government, meant writing code using the old-fashioned “waterfall” model that has ruled for decades. This approach is slow, risk-averse, inflexible, and a hindrance for organizations needing to move quickly. Over time, agencies have worked to adopt agile, with some federal agencies moving toward DevOps around 2017 to truly work toward delivering software faster.
Much progress has been made over the last five years to speed software delivery, largely as a result of DevOps adoption. However, as the study found, much work remains. Reducing software time to market continues to be a high priority, with 54% of respondents indicating that improving software time to market is either a top priority or one of the top three priorities of their team.
In addition, while increasing the speed of software releases is a high priority, a quarter of respondents in the study – 24% – indicate that they do not track the speed with which their teams produce software. Another 7% are unsure if or how it is done – a troublesome finding.
Time Required to Attain ATO
Every federal information system must go through NIST's Risk Management Framework (RMF) before it can be used to process federal information. A growing number of state and local governments are using the same requirements to evaluate the security posture of software designed for their agencies prior to deployment.
The complex, multi-step ATO process culminates in the issuance of a signed ATO, which is a formal statement of acceptance of a system’s security risk. However, while ATO is a mandatory part of NIST RMF, 23% of respondents indicated that they are only partially satisfied or dissatisfied with their ATO process.
Another challenge for government agencies is the time to achieve ATO. Despite pressure on government agencies to deliver software faster, over a quarter of respondents (28%) indicated that it continues to take them four months or more to attain ATO. This figure was highest within federal agencies (38%).
Manual Approaches to Software Security
Software provided by U.S. federal, state, and local governments must be secure. The onus rests on each agency to ensure software delivered to constituents employs secure coding best practices to protect data and minimize risk. Keeping critical data secure – including the personal data of the constituents each agency serves – is a major priority.
However, as the research study found, ensuring secure coding best practices are implemented is still a very manual process.
Requirements delivery. Delivering secure coding requirements to developers remains a very manual process. Forty-seven percent of survey respondents still use spreadsheets to deliver requirements. Forty-six percent still use email. This is a surprising finding, as automated delivery of secure code requirements is one of the best ways to speed up release cycles and reduce the time required for assessment and attainment of ATO.
Security control tracking. Tracking security compliance is also a major factor when government agencies release software, and survey results reflect this. Twenty-four percent of federal respondents report they spend 14 or more days per year staying on top of compliance requirements. However, despite this initial investment, once controls have been implemented a high percentage of respondents (30%) indicated that they don't know how the implementation of these controls is tracked – a very worrying statistic.
U.S. federal, state, and local government agencies and contractors with applications that process or store federal data must meet secure software development requirements while also delivering software faster than ever before.
To learn more about the current state of secure development and ATO and compare yourself to your peers:
- Download the full report here.
- Register for our October 26th webinar, 2021 State of Secure Development & ATO in U.S. Government Agencies: Key Findings & Recommendations here.