As cybersecurity threats evolve rapidly and timelines to address them shrink, the Department of Defense (DoD) is prioritizing Risk Management Framework (RMF) modernization to clear the roadblocks to rapid acquisition of commercial solutions while improving the efficiency of RMF compliance. As we discussed in part one of our series on security compliance, advanced AI, automation, and robust security governance are crucial components of RMF modernization.
Success with these efforts will also depend on ensuring that defense programs can attract and successfully work with non-traditional vendors—opening the door to emerging technologies deployed at the speed of mission relevance. In practice, this is a significant hurdle because many (if not most) non-traditional tech vendors are unfamiliar with DoD security and compliance requirements—and the processes required to achieve them can be lengthy, costly, and overwhelming.
In part two of our series, we discuss some of the biggest security and compliance challenges that tech companies new to the federal market face, and how defense programs can help them overcome these barriers, getting cutting-edge technologies and capabilities to the field faster.
Supporting Non-Traditional Vendors Through ATO Hurdles
The Authority to Operate (ATO) process typically takes 10-18 months, but experts estimate that 80% of delays are simply time spent in queue—not technical issues. Requiring ATOs upfront can be an unintended barrier for non-traditional vendors, often forcing them to create separate “government versions” of their software. This can lead to antiquated technology that is compliant but not necessarily more secure. Instead, defense acquisition teams can help new vendors overcome ATO barriers by:
- Requiring ATOs for entry only when necessary for urgent needs and establishing rapid ATO pathways as part of the acquisition strategy
- Investing in dedicated technical assessors for the Authorizing Official, potentially reducing ATO timelines from 18 to six months by eliminating queue delays
- Planning the “path to production” early by understanding deployment requirements, classification levels, and infrastructure dependencies before writing solicitations
- Using alternative contracting mechanisms that allow prototyping while ATO processes run in parallel
Modernizing RMF Processes to Reduce Barriers for New Vendors
The RMF approach itself can support rather than hinder non-traditional vendors in delivering defense innovation through two key strategies:
Maximize Common Control Inheritance
By leveraging cloud environments where applications inherit security controls from underlying infrastructure, defense programs can significantly reduce the security burden on new technology suppliers. Not only will new vendors essentially inherit a baseline of robust security controls from the cloud service provider (CSP), but defense programs will increase the return on these major cloud investments. This approach can effectively reduce individual application burdens for vendors from upwards of 1,300 security controls to approximately 100-200.
Embrace DevOps Practices and Automation
Proper RMF implementation supports DevOps practices—enabling organizations to achieve full compliance while maintaining weekly deployment cycles. This improves new vendors’ ability to achieve high levels of security without sacrificing speed. Organizations should:
- Follow RMF documentation thoroughly, relying on the clear guidance provided by NIST SP 800-37
- Establish thoroughness in execution of security controls to build trust and reduce delays
- Invest in automation tools to help accelerate RMF compliance and security checks
Helping Non-Traditional Vendors Understand FedRAMP: When and How to Invest
With authorization costs sometimes reaching $1M or more, the Federal Risk and Authorization Management Program (FedRAMP) unfortunately can create prohibitive barriers for non-traditional vendors, especially small businesses. When these vendors bear this high cost, they often are forced to build in risk padding that government agencies ultimately pay for. Others will simply not pursue the federal market. Instead, defense acquisition teams can support non-traditional vendors in this costly process by:
- Helping vendors understand which FedRAMP pathway is most appropriate to their contract situation (agency or Joint Authorization Board (JAB) authorization)
- Avoiding FedRAMP Marketplace presence as a contract bidding requirement, since few non-traditional vendors will meet this benchmark at the outset
- Considering sponsoring vendor authorization after vendors have achieved agency-level ATOs, to help offset costs and improve the value proposition for new vendors with high-impact technologies
Planning Ahead and Remembering the Human Cost
Too often, security requirements are applied uniformly to all situations when actual mission needs require a more nuanced strategy. Defense acquisition teams that take the time to understand requirements thoroughly and plan upfront will have a greater likelihood of helping non-traditional vendors avoid unintended barriers, many of which can be navigated with proper acquisition and contracting strategies. Ultimately, improving security compliance shouldn’t be about bureaucracy, but about getting better capabilities to warfighters faster while maintaining security. The bottom line is the lives on the line: the soldiers and civilians put at risk when compliance barriers stall defense capabilities before they can get to the field. Acquisition teams can work with non-traditional vendors to ensure security compliance is less a barrier and more an enabler of innovation, ensuring the best technology reaches those who need it most.
Learn More
For a deeper dive on this topic, check out Dcode CEO Meagan Metzger and Rise8 CEO Bryon Kroger in conversation in a continuing education session with Defense Acquisition University.