Original broadcast 8/19/25
Presented by Carahsoft
The latest episode of Innovation in Government from the ATO and Cloud Security Summit explores how government and industry leaders are working together to advance cybersecurity, accelerate Authority to Operate (ATO) processes, and enable secure innovation. The program covers modernization efforts in cloud security, the use of artificial intelligence to streamline business systems, strategies for managing multiple security frameworks, the shift to continuous visibility and automation, procurement and supply chain security improvements, embedding security into state and local contracting, strengthening data governance, applying flexible risk management processes to emerging technologies, and adaptive compliance approaches for evolving federal requirements. Together, these conversations provide a comprehensive view of how collaboration, policy evolution, and technology adoption are shaping the future of secure government operations.
Accelerating Modernization Through ATO Innovation
Alex Whitworth, Director of Sales at Carahsoft, highlights the momentum in federal modernization as agencies work to reduce bureaucracy, accelerate technology adoption, and improve security through automation. Initiatives like FedRAMP 20x and the Department of Defense’s Software Fast Track are reshaping how quickly new solutions can be brought into government environments. Whitworth notes that these efforts not only speed the Authority to Operate process but also create opportunities for companies that provide ATO accelerators and automation tools. While navigating multiple frameworks can be complex, he emphasizes the growing availability of knowledgeable advisors and a more common-sense approach to processes. Looking ahead, Whitworth sees increased use of commercial capabilities to automate continuous monitoring, allowing agencies to maintain compliance and security without redoing extensive documentation.
Key Takeaways:
- FedRAMP 20x and DoD Software Fast Track aim to speed secure technology adoption.
- Advisors and consultants can help companies navigate complex accreditation processes.
- Automation of continuous monitoring will be central to future compliance strategies.
Driving Efficiency in Defense Business Systems with AI
Katie Arrington, Performing the Duties of the Chief Information Officer (PTDO CIO) at the Department of Defense, explains how AI is being applied to streamline more than 1,800 disparate business systems across the department. As chair of the Defense Business Council, Arrington's goal is to collapse redundant systems, improve interoperability, and achieve audit readiness by 2027. AI tools analyze business processes, align rules, and help identify where systems duplicate one another. Special operations and other unique missions may require exceptions, but overall, the effort seeks to free resources for warfighter needs. Collaboration between the CIO's office, the comptroller, and other leaders ensures that changes meet legal requirements and operational demands. Arrington's vision includes reducing systems to a manageable number per service and making financial and operational data instantly accessible for decision-making.
Key Takeaways:
- AI is critical for identifying and reducing redundant business systems.
- Cross-department collaboration ensures interoperability and compliance.
- The ultimate goal is efficiency and redirecting savings to warfighter priorities.
Navigating Cloud Security Frameworks Through Industry Partnership
Penny Klein, CISO at SAP NS2, discusses the evolving landscape of cloud security frameworks, from FedRAMP and the Risk Management Framework to endpoint security and insider threat protections. She warns of the risk posed by too many frameworks, which can divert focus from actual security to compliance paperwork. Klein calls for stronger industry participation in shaping policies, emphasizing that technology providers must be at the table to influence frameworks positively. She also urges government to share upcoming policy directions and concerns, enabling industry to proactively address risks. By building trust and focusing on the intent behind security controls, both sides can enhance security while adapting to the realities of cloud-native environments.
Key Takeaways:
- Multiple overlapping frameworks can create compliance burdens without improving security.
- Industry input is essential to ensure frameworks are practical and effective.
- Government transparency about future policies helps industry prepare and innovate.
Moving to Continuous Cloud Security Visibility
Josh Krueger, CISO at Project Hosts, outlines the shift from point-in-time security assessments to continuous visibility and risk posture management in the cloud. Agencies increasingly want real-time alerts about vulnerabilities or configuration changes rather than relying solely on monthly reports. This transition aligns with initiatives like FedRAMP 20x and DoD’s Software Fast Track. Krueger stresses the importance of industry and agencies participating in working groups and giving feedback early, before guidance is finalized. He also highlights the role of automation in reducing exploitable vulnerabilities and ensuring that security is proactive, not reactive.
Key Takeaways:
- Agencies are moving from point-in-time assessments and monthly reports to continuous monitoring.
- Early participation in working groups helps shape effective security programs.
- Automation is essential for real-time risk mitigation and compliance.
Streamlining Acquisition and Supply Chain Security
Theresa Kinney, Senior Deputy Program Director for NASA SEWP, explains how her team helps agencies streamline procurement while addressing cybersecurity and supply chain risks. Through the creation of customizable “storefronts,” agencies can predefine products and ensure compliance with standards like CMMC, FedRAMP, and ISO 20243. This reduces repetitive checks and speeds delivery. Kinney emphasizes fostering collaboration between government and industry to resolve contractual and compliance challenges, particularly in software procurement. She also notes the importance of onboarding new industry players efficiently, as it can take years to fully understand federal processes. Ongoing quarterly meetings with partner agencies support information sharing and continuous improvement.
Key Takeaways:
- Customizable storefronts simplify compliance and speed acquisition.
- Open government-industry dialogue resolves procurement challenges.
- Education and onboarding are key for new vendors entering the federal market.
Embedding Security in State and Local Procurement
Leah McGrath, Executive Director of GovRAMP, details progress in integrating third-party security validation into state and local procurement contracts. Working with organizations like NASPO and the Center for Digital Government, GovRAMP has developed a best practices toolkit to guide agencies in embedding security requirements into contract terms and conditions, so that security measures are enforceable and actionable. McGrath highlights innovative steps like the Snapshot and Core Status programs, which provide early transparency into a provider's security posture before full authorization. Continuous monitoring portals and escalation policies keep agencies informed of changes without requiring daily oversight. These efforts foster collaboration, enable secure innovation, and accelerate procurement timelines.
Key Takeaways:
- Security requirements must be embedded in contracts to be effective.
- Early-stage validation programs help agencies assess providers before full authorization.
- Continuous monitoring tools improve transparency and responsiveness.
Continuous Monitoring and Data Governance in Government IT
Melissa Carson, VP & GM at Iron Mountain, discusses how continuous Authority to Operate (cATO) concepts can strengthen security by replacing annual audits with ongoing, automated monitoring. She emphasizes that cyber threats evolve daily, making real-time oversight essential. Carson also underscores the need for robust data governance, noting that without it, cloud migrations risk replicating old silos in new environments. Building strong industry-government partnerships from the earliest stages of development ensures that security requirements are met and that mission-critical technology can be deployed quickly. Success is measured by the ability to deliver secure solutions with both speed and fiscal responsibility.
Key Takeaways:
- Continuous monitoring improves security compared to annual audits.
- Strong data governance prevents recreating silos in cloud environments.
- Early partnership ensures security and speed in technology deployment.
Applying the NIST Risk Management Framework to Emerging Technologies
Victoria Yan Pillitteri, Manager of the Security Engineering and Risk Management Group at NIST, explains how the NIST Risk Management Framework (RMF) provides a technology-agnostic process for managing cybersecurity risks across both government and private sector organizations. She stresses that RMF is not a checklist but a flexible methodology tailored to each organization’s needs. Public feedback plays a key role in refining security and privacy controls, with NIST accepting comments year-round. Looking ahead, Pillitteri outlines plans to develop security control overlays for different AI use cases—predictive, generative, and agentic—leveraging existing standards and building a community of interest to address unique AI risks.
Key Takeaways:
- NIST's RMF is a flexible, technology-agnostic process for risk management.
- Public feedback is essential to improving security and privacy controls.
- Upcoming AI-specific overlays will address diverse AI system security needs.
Clarifying Shared Responsibility and Strengthening Cyber Resilience
Dale Hoak, CISO at RegScale, emphasizes the importance of clear government requirements in enabling industry to deliver secure, innovative solutions quickly. He notes that when agencies clearly define goals, budgets, and expectations, industry can more effectively build to those needs and remove barriers to innovation. Initiatives like FedRAMP 20x and zero trust principles are making requirements clearer and helping smaller providers enter the market. Hoak encourages vendors to publish software bills of materials, avoid cutting corners, and make it easy for government to approve secure products. He also stresses shifting from point-in-time compliance checks to real-time cyber defense, with the goal of achieving resilience rather than just regulatory alignment.
Key Takeaways:
- Clear requirements empower industry to deliver secure, innovative solutions.
- FedRAMP 20x and zero trust principles help clarify expectations and speed adoption.
- Real-time security and resilience should be prioritized over point-in-time compliance.