Policy says move faster. So why are ATO timelines still stalling mission software?

Modern defense missions run on software. From weapons systems to logistics platforms to command and control, operational advantage is increasingly defined by the code systems run and the data they consume. As Secretary of War Pete Hegseth emphasized in a 2025 memorandum, “software is at the core of every weapon and supporting system we field to remain the strongest, most lethal fighting force in the world.”

That reality has elevated software delivery to a strategic priority. In the Department of War’s 2026 AI strategy, leadership explicitly called for “rapid ATO (Authorization to Operate) reciprocity,” signaling that the ability to quickly approve and reuse security authorizations is now considered mission-critical.

And yet, despite clear policy direction, the DOW continues to struggle to deliver software at speed.

At the center of that challenge is reciprocity.

In theory, reciprocity allows one organization to reuse another’s ATO, eliminating redundant security reviews and accelerating deployment. In practice, that promise remains largely unrealized.

Matt Conner, chief information security officer for Second Front Systems has seen this challenge first-hand. He spent more than 20 years in the DOW and intelligence community, including serving as CISO and Authorizing Official at the National Geospatial-Intelligence Agency and later as the Intelligence Community’s CISO under Avril Haines.

“There is a disconnect between what people expect about shortening these timelines and reciprocity and what’s actually happening,” said Conner.

In fact, Second Front commissioned GovExec Intelligence to conduct a blind survey of 200 DOW decision makers who are actively involved in the ATO process, which revealed 97% of respondents say increased use of reciprocity would improve ATO approval time. However, 44% think of presumptive reciprocity as largely “aspirational” and 9% think it’s impossible.

That disconnect persists even as policy has grown more explicit. The DOW has published guidance, including a reciprocity playbook, and Congress has reinforced the mandate through the National Defense Authorization Act, which enshrines presumptive reciprocity.

The authorization bottleneck we can’t afford

The GovExec Intelligence report revealed that traditional ATO timelines still range from 12 to 18 months or longer. Notably, none of the surveyed federal IT decision-makers reported authorization timelines under six months — even among organizations that say they are using reciprocity.

That’s a warning sign.

Every month spent reauthorizing systems that have already been vetted elsewhere delays fielding. It slows joint operations, fragments data environments and limits the Department’s ability to respond to rapidly evolving threats.

As Hegseth has noted, when the Department continues to apply hardware-era processes to modern software, “the warfighter pays the price.”

When it works, reciprocity enables software authorized in one environment to be rapidly deployed across the Army, Navy, Air Force, Marine Corps, Space Force and defense agencies — supporting interoperability and shared situational awareness. When it fails, each organization acts as an island, forcing teams to start from scratch.

Many decisions rely on personal relationships and ad hoc validation rather than standardized, repeatable workflows. And fragmented authorization environments across cloud, on-premises and SaaS systems make reuse even more difficult. In many cases, “reciprocity” still involves re-running large portions of the Risk Management Framework process, undermining its intended value.

“If we didn’t do it, I don’t trust it,” Conner said, describing a common mindset across agencies.

Modernizing reciprocity for the speed of mission

Overcoming these challenges requires more than policy mandates. It requires a shift in how the Department approaches risk, trust and speed.

“Successful reciprocity begins with leadership prerogative and commander’s intent to say ‘I want to go faster. I want to be more efficient. I want to reuse as a default, not as a fallback,’” Conner explained. 

It also requires modernization.

“Reciprocity at the speed of relevance is automated,” he said. “It’s machines talking to machines… analyzing telemetry and actual indicators of security posture and presenting a provisional risk recommendation to a decision maker. It’s not sending spreadsheets and PDFs in email.” 

Second Front is working to help drive that shift across the DOW. Through research, collaboration with policymakers and direct engagement with authorizing officials and program teams, the company is working to close the gap between reciprocity policy and operational reality. Plus, through their Game Warden platform, they are automating the security, compliance and deployment workflows that enable reciprocity in practice — helping software move across authorized environments without restarting the approval process from scratch.

For Conner, the goal is to equip warfighters with better visibility, automated tooling and standardized processes that allow them to make informed risk decisions faster. The broader mission is to help reduce deployment timelines from years to weeks so critical software can reach operators at the speed modern missions demand.

Because ultimately, the stakes are clear.

In an era of accelerating technological change and intensifying global competition, speed is a strategic advantage. Getting the best technology into the hands of warfighters faster, more securely and at scale depends on rethinking how software is authorized and deployed.

Reciprocity is a critical part of that transformation.

See how Second Front Systems is helping deploy and field capability to our warfighters.