Federal cybersecurity has reached a breaking point.
Agencies are responsible for defending some of the most sensitive systems in the world, yet the processes we rely on to secure them are stuck in the 1990s. We continue to rely on manual checklists, spreadsheets, complex audit documentation, and Authority to Operate (ATO) packages that take months or years to complete.
The result is a compliance paralysis that is not only outdated, but actively putting our national security at risk. We are trying to counter modern, adaptive threats using a playbook designed for a slower, more predictable client-server world that no longer exists.
The problem is not that we lack standards or frameworks; it’s the fragmentation of them. Agencies today navigate CISA advisories, NIST frameworks, NERC CIP, FISMA, FedRAMP, and dozens of other standards. Most of them cover the same core security principles, yet each introduces its own documentation, validation, and assessment cycles.
The result is a system where overlap can reach 80 to 90 percent, but the workload compounds rather than consolidates.
Allocating Time and People
This dynamic drains the very resources needed to improve security. Teams spend more time generating evidence than strengthening controls. Compliance sprawl means the government spends as much time describing its security as it does operationalizing it where it has real impact.
The proliferation of parallel frameworks spreads already limited cybersecurity talent across duplicated efforts, while adversaries move faster than the paperwork can be completed. The intent is stronger security, but the outcome is operational drag at the exact moment agencies need real-time agility.
At the same time, the technology environment we are trying to secure looks nothing like the one these frameworks were originally built to govern. Most of the federal compliance standards we rely on today were designed between the late 1990s and mid-2000s, in an era defined by on-prem servers, static networks, and predictable system boundaries.
The federal enterprise is now cloud native, distributed, automated, mobile, containerized, and increasingly ephemeral. Infrastructure is created and destroyed in seconds. Applications are updated continuously. Identity and data move across boundaries that were once fixed. And now AI-driven infrastructure, autonomous code generation, and rapidly scaling non-human identities are reshaping environments even faster than the cloud once did.
The pace and nature of change have outgrown the ability of regulators to keep their control frameworks current.
Trying to capture the security state of such an environment using a thousand-page compliance document is like trying to photograph a hummingbird with a pinhole camera. By the time you finish the documentation, the environment has changed, the threats have evolved, and the evidence is outdated.
In this threat landscape, paperwork does not equal protection. We need a model that continuously and automatically verifies control effectiveness: not once a year, or only when an audit deadline approaches, but in near real time and with little or no human intervention.
However, any shift away from traditional compliance models must be done carefully. It cannot simply reduce security requirements or weaken governance in the name of speed. Security outcomes must improve, not degrade.
We should support this shift, but it must be an intentional and coordinated change driven by agency leadership, policymakers, and the organizations responsible for setting federal standards. That is why I always return to a simple triad that should guide every modernization decision: any new approach to managing compliance must be faster, cheaper, and produce better security outcomes while reducing overall risk.
If a solution does not achieve all three, then it is not a win. Faster alone creates fragility. Cheaper alone shifts the burden without improving defense. Better security without efficiency guarantees it will not scale. What we ultimately need is a cultural shift in how compliance is managed — moving away from a paperwork-first mindset toward a real-time, engineering-driven approach where controls are continuously validated through automation and evidence.
The result is a system that is both stronger and more sustainable: a compliance ecosystem that adapts as quickly as the threats do, and one that frees teams to focus on mitigating risk rather than documenting it. The model only works if all conditions are met.
The Right Model
So how do we achieve that?
The first step is rationalization. We need to harmonize overlapping frameworks and reduce redundant evidence requirements. If 85 percent of controls are the same across FedRAMP, CMMC, and NIST, then agencies should be able to inherit or map those controls once and apply them across multiple mandates. This is already happening in pockets, but it needs to become the norm rather than the exception.
The second step is automation. Instead of requiring teams to manually document environments, configure security settings, or collect screenshots and spreadsheets to demonstrate compliance, systems should be designed to automatically verify their own state.
When controls are integrated directly into the CI/CD pipeline through compliance-as-code, infrastructure provisioning, and runtime operations, we create a living system of compliance. Evidence is produced as a natural byproduct of how technology is deployed and maintained, not through after-the-fact paperwork.
The third step is continuous monitoring. Annual or triennial assessments are not sufficient for ephemeral systems. Security assurance must be ongoing. Real-time control validation gives both auditors and operators confidence that protections are active, effective, and consistent. It also aligns security operations with the pace of technology rather than forcing technology to slow down to match legacy oversight models.
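As an added illustration of the three steps above (not code from the original piece): each internal control is checked once against the system's actual state, the result is inherited by every mandate that maps to it, and the record the check produces is the evidence. The framework control identifiers and the sample state are constructed placeholders, and a pipeline stage is assumed to block a deploy whenever gaps_by_framework returns anything.

```python
from datetime import datetime, timezone
# Constructed mapping: each internal control is verified once and the result is
# inherited by every mandate it maps to. Framework control IDs are placeholders.
CONTROL_MAP = {
    "mfa-required": {"FedRAMP": "FR-IA-01", "CMMC": "CM-IA-02", "NIST": "NI-IA-03"},
    "no-public-buckets": {"FedRAMP": "FR-AC-07", "NIST": "NI-AC-04"},
}

def check_mfa(state):
    """Every account must have MFA enabled; report any that do not."""
    missing = [a["user"] for a in state["accounts"] if not a["mfa"]]
    return not missing, {"accounts_without_mfa": missing}

def check_buckets(state):
    """No storage bucket may be publicly readable."""
    public = [b["name"] for b in state["buckets"] if b["public"]]
    return not public, {"public_buckets": public}

CHECKS = {"mfa-required": check_mfa, "no-public-buckets": check_buckets}

def collect_evidence(state):
    """Run each check once against live state; the record is the evidence."""
    now = datetime.now(timezone.utc).isoformat()
    records = []
    for control, check in CHECKS.items():
        ok, observed = check(state)
        records.append({
            "control": control,
            "satisfied": ok,
            "frameworks": CONTROL_MAP[control],  # mandates this result satisfies
            "observed": observed,                # what the check actually saw
            "collected_at": now,                 # point in time; re-run continuously
        })
    return records

def gaps_by_framework(records):
    """Fan each failing control out to every mandate that inherits it."""
    gaps = {}
    for rec in records:
        if not rec["satisfied"]:
            for framework in rec["frameworks"]:
                gaps.setdefault(framework, []).append(rec["control"])
    return gaps

# Constructed sample of the state a pipeline stage would query from the platform.
SAMPLE_STATE = {
    "accounts": [{"user": "alice", "mfa": True}, {"user": "bob", "mfa": False}],
    "buckets": [{"name": "logs", "public": False}],
}
```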
This is not just a technical shift. It is a culture shift. It requires policymakers, auditors, CISOs, and mission owners to agree that the goal is not compliance for compliance’s sake, but dynamic, resilient security. It requires us to value measurable outcomes over the volume of documentation.
The federal government has some of the most talented cybersecurity professionals in the world. What they need now are processes that unlock their ability to defend, rather than bury it under administrative overhead. Modern threats are fast, coordinated, and constantly evolving. Our cybersecurity governance must be the same.
We do not need less rigor. We need real-time compliance automation. And we need it urgently.