Military cybersecurity certification (ATO) takes 12-18 months — by the time software is approved, it is already obsolete

A defense contractor builds a new logistics tracking application. Before it can run on a military network, it needs an Authority to Operate (ATO) under the Risk Management Framework (RMF, NIST SP 800-37). The ATO process requires documenting 300-800 security controls, running vulnerability scans, penetration testing, writing a System Security Plan (100+ pages), and review by an Authorizing Official. This takes 12-18 months. The application was built on React 17 and Node 16. By the time the ATO is granted, React 19 and Node 22 are current. The approved versions have known CVEs. The application is 'certified secure' but actually less secure than the current versions it is not allowed to use. Updating to the new versions requires a new ATO.

So what? The military's software security process guarantees that every system is running outdated, vulnerable software. The 12-18 month certification cycle was designed for hardware systems that change every 5-10 years. Modern software releases weekly. The ATO process cannot keep up. The result: military networks run Windows Server 2012, Java 8, and Internet Explorer 11 because those are the 'approved' versions. Each unpatched system is a known vulnerability that adversaries can exploit using publicly available CVEs.

Why does this persist? The ATO process is mandated by federal law (FISMA) and DoD policy (DoDI 8510.01). Changing it requires Congressional action or a DoD policy revision, both of which take years. The process was designed when software was delivered on CD-ROMs, not deployed continuously. DevSecOps and Continuous ATO (cATO) programs exist but cover less than 5% of DoD systems. The other 95% are stuck in the 18-month cycle.

Evidence

DoD CIO: the average ATO takes 12-18 months and costs $500K-2M. DISA STIG compliance requires checking 300-800 controls per system. The DoD DevSecOps reference design was published in 2021, but cATO adoption is <5% of systems (GAO report). FISMA mandates RMF compliance for all federal systems. Known-vulnerability exploitation is the #1 initial access vector for nation-state attacks, per NSA advisory.
