"This Is Fine" with Hunter Strategy

ATOs Suck

Today’s episode takes you on a (somewhat procedural) ride through the world of government security authorizations. Matt Triner and Chris Sowards, a GRC (Governance, Risk, and Compliance) expert at Hunter Strategy, break down the Authority to Operate (ATO) process using a relatable analogy: buying a car. Just like how buying a car is a decision that involves cost, efficiency and risk, the government needs to use a multitude of factors to review the security risks before allowing a system to operate. 

We'll explore the differences in ATO processes between agencies, how each agency handles risk tolerance, and the challenges companies face, like dealing with non-applicable controls and navigating compliance culture. Matt and Chris talk through a range of topics, offering advice for new companies and discussing the struggles of FedRAMP accreditation. They even touch on the specific challenges software vendors face in obtaining ATOs. 

Don't miss this episode if you're interested in government risk and compliance, selling software to the government, or wondering why it takes so long for the government to get new systems online! 

Chapters: 

00:00 Introduction to ATO Process 

01:29 ATO Process Analogy: Buying a Car 

03:02 Different ATO Processes for Different Agencies 

04:55 Different Risk Tolerance for Different Agencies 

06:10 Challenges in the ATO Process 

08:02 Dealing with Non-Applicable Controls 

09:30 Navigating ATO Process for New Companies 

11:09 Bizarre Situations in ATO Remediation 

12:31 Navigating Compliance and Mitigating Controls 

13:23 Teaching Assessors about System Security 

14:45 Advice for Companies Selling to the Government 

17:23 ATO for On-Prem Software in the Cloud 

19:19 Challenges with Cloud-Based Systems 

21:33 Struggles with FedRAMP Accreditation 

25:02 ATO for Software Providers 

27:09 ATO Challenges for Atlassian Suite 

28:58 Using AWS Infrastructure for On-Premise Jira 

29:57 Challenges in Assessing SaaS Applications 

30:36 The Role of Third-Party Assessors 

31:24 Conclusion and Future Topics 


By Hunter Strategy