Original broadcast 8/19/25
Presented by Iron Mountain & Carahsoft
Government agencies have long relied on annual security audits and periodic compliance reviews to verify that systems are safe. But with cyber threats evolving daily, that approach is no longer enough. Melissa Carson, Vice President and General Manager at Iron Mountain, says the future lies in continuous monitoring — and pairing it with strong data governance to ensure agencies truly understand and control their information.
Carson points to the Department of Defense’s push toward a continuous Authority to Operate (cATO) model as a prime example of this shift. Under traditional processes, even after earning an ATO, systems must go through the same laborious review each year. cATO replaces that cycle with ongoing, automated checks on a subset of security controls, allowing agencies to detect and respond to threats in real time.
Iron Mountain has been discussing this approach with both defense and civilian agencies, including the Department of Veterans Affairs. Carson says the key is not just automation, but partnership. Industry needs to bring forward insights from its work with commercial clients, emerging technologies, and its own internal security operations — and be transparent about risks from the very beginning of a project.
That transparency includes understanding an agency’s security requirements before new cloud applications or systems are even developed. This early alignment prevents costly and time-consuming rework when a system reaches the ATO stage. “In the past, we were operating in two different silos,” Carson says. “You’d get to the ATO, and suddenly it’s not compliant.”
Another challenge Carson sees is that, in moving to the cloud, many agencies have simply recreated their old data silos in a new environment. Without proper data governance — policies, ownership structures, and controls over how information is stored, accessed, and shared — these migrations can replicate the same problems that existed in legacy systems.
Iron Mountain’s approach starts with laying that governance foundation first. Once data is properly managed, it becomes much easier to secure, to monitor, and to use effectively. This also supports agility — giving agencies the ability to adopt new technologies faster without sacrificing security.
For Carson, success is measured not only in compliance, but in operational outcomes: how quickly agencies can deliver secure, mission-critical services to citizens, and how well they can balance speed with fiscal responsibility. “You can’t govern or secure what you cannot see,” she says. “The more visibility you have, the stronger your security posture will be.”
Key Takeaways:
- Continuous monitoring replaces annual audits with real-time security oversight.
- Strong data governance is essential to avoid recreating silos in cloud environments.
- Early alignment between industry and agencies ensures security and compliance from the start.
Watch the full episode at InnovationInGov.com