The Framework does not align with how technical vendors work

Although the government has adopted many agile development best practices, commercial products submitted for ATO approval cannot be updated easily. When a new feature becomes commercially available, government customers receive it only after it has been reviewed. In some cases, there is additional delay while code is transitioned into government-specific infrastructure and that infrastructure is submitted for review by an Authorizing Official.

“Right now I hear that it’s six months before you can get an audience with the Program Management Office.”

As a result, the government sometimes does not immediately benefit from security updates to this software. Furthermore, some features will likely never be made available to the government because of the burden of security compliance.

This is a problem for both the government and the vendor. The government is not able to take advantage of the latest security features and the vendor is not able to provide them. This is a lose-lose situation.

“I totally empathize with the agencies, like they’re just trying to meet their requirements and make sure that they’re shored up… our customer wants to know if they can check the box and say they meet a specific control with our software and I’m like, ‘Okay. Well, it’s not a quick ask.’”



This site was last updated on 9 OCT 2023.