We talked with Second Front System’s VP of Sales, TJ Rowe about all things Authority to Operate (ATO), and got incredibly valuable information on the topic. Find TJ’s answers to our questions below:
TJ Overview:
I’m the vice President of sales at Second Front, so I lead both our public sector and commercial go-to-market teams.
I’m a recovering army infantry officer, myself. I have not crossed the milestone yet on, on doing this longer than the Army, so congrats on that. But at Second Front, we went after the technical and security side of “How do we accelerate The transition of commercial software to government networks.” It’s one thing to solve for the contracting piece, which is a huge pain point in a very difficult market to navigate, which is where you guys (Long Capture) fit in. We help by accelerating that actual piece of technology to get onto the government network for their end customer.
1. What is ATO and why should companies care about it?
ATO is one of several accreditations for the Department of Defense. ATO is an Authority to Operate, which is an authorization from a government official that is allowing a commercial piece of software or a government piece of software to run on a network and host data at that classification level.
There’s a couple other varieties of accreditation. So, there’s an interim authority to test, which is an IATT, usually given to a piece of software. Kind of first deployment onto a network and a 6 to 12 month timeline of testing before they get a full authority to operate. There’s also an Authority to Connect an ATC, which is generally a little bit more involved with hardware that’s connected to software systems.
But why care if you’re a software company engaging with the Department of Defense?
Ultimately to transact and deliver your software, in most cases to a certain classification level, a certain network, you’ll need to achieve an authority to operate in some fashion, uh, in order to deliver to your end customer.
2. When does a company need ATO?
I hate to give the consulting answer here… but it really does depend.
I think engaging with the Department of Defense comes down to three things.
1. The first piece is YOUR CUSTOMER.
So is my customer, the army, the Air Force, and where does my customer expect my software to eventually live? Is it an unclassified use case? Is it a secret use case? Does it have a different classification level?
2. The second piece is YOUR TECHNOLOGY.
So have I been building my software secure from day one? And am I ready for that deployment to that, to that network? Is my architecture compatible? Am I using services that are not available on those networks?
3. The third piece is YOUR INFRASTRUCTURE.
Are you building in a way that you are hooked into a certain cloud service provider and you’re really dependent on their native services, or are you able to deploy in a cloud fashion for your government customer? So the three kind of factors there will determine exactly when you need an ATO or when you need to start bringing in a little bit of thought around your architecture and your services.
Am I ready to deploy this to the network the second that my customer says, “I need you up and running”?
3. How early in the “go-to-market strategy” should companies be evaluating and making this decision?
I think it, it comes down to their go-to market ultimately, and at the end of the day, how quickly do they wanna move from that “SBIR Phase I – Phase II contract land” to full production contracts, whether they’re going for a Phase III or a STRATFI or TACFI, or they’re going for production OT’s elsewhere, or even far-based contracts across the department.
To go after those contracts, in most cases, you need an ATO.
You know, an inside joke for sales people at at these software conferences is – an ATO is your “license to sell” at that level.
So, I think the most common path we see is folks win a SBIR Phase I, or they win a SBIR Phase II, and they say, “Hey, I’ve got a 12 month timeline here on my milestone delivery. By the end of that, I wanna have my ATO.” And I think that’s the most common path.
But if you have the resources, and you have the time to invest earlier, and you know who your ideal customer persona is in the DoD, and you know that you can go get that ATO and give your salespeople a license, then go for it.
It really comes down to that go-to-market strategy.
An ATO at the end of the day, like many things, whether it’s human capital or otherwise, is an investment for a certain market that you’re going after. So if you treat it as an ROIC analysis and you know it’s gonna cost this this many dollars and this much time to get my ATO, what is my return on invested capital in one year, two years, three years? And does that time horizon align with the investment?
And then I think you have a good decision.
4. What are some of the different ways companies can approach the contracting barriers and funding barriers of ATO?
We’ve seen a healthy mix, I think of all of the above at this point, where folks are willing to make the investment out of pocket and they realize that they will recoup that investment through just direct sales and contracts in the future.
We’ve also seen folks include a Game Warden license for accreditation and hosting as part of their SBIR Phase II proposal.
Then we’ve also seen folks just list a license for accreditation and hosting as, as an ODC on their contract. And that’s why we prefer to do business B2B so that we can give that commercial software vendor optionality around how do we outlay this cost versus, you know, incoming revenue from our government customers.
5. What are some of the common challenges you’ve seen selling software to the Department of Defense?
A lot of challenges.
There’s quite a bit to unpack, at least from my own experience.
I think I’ve seen two, two major challenges with trying to sell software as a service to the government:
One is: the contracting of FAR-based contracts.
Really, unless you’re going through an OT or an IDIQ, it’s really hard to transact software as a service.
In particular, if your business is a consumption model. So, the government is just not very good at buying cloud services yet. They’re good at buying now cloud infrastructure, but the services that run there, they’re not. They’re not great at transacting yet.
Then the second is: it’s changing the model of how they procure software.
So, We see this vernacular all the time in The DoD. They’ll still refer to a SaaS (a software service application) as commercial off-the-shelf software. Yeah. Quite literally. Not on a shelf.
However, it is cloud-hosted and will be delivered as such, and you’re just hitting an endpoint to use the piece of software. You’re not buying it off the shelf and installing it, locally on your desktop like you did in the past. So, there’s a little bit of an education piece.
And then there’s just navigating the contracting challenges with transacting software as a service.
6. How should companies look at revenue when making the jump from commercial?
There’s certainly nuances and considerations, especially if their goal is to go after this market, but also raise, raise private capital, whether that’s venture capital or otherwise.
The color of money really matters.
The reason that venture capitalists invest in software companies is for great margins and scalability. Build once, sell many, you are getting annual recurring revenue.
That color of money is the gold standard in venture capital and, and you know, private software companies.
So it’s pretty hard to go win a government contract and have that look like an RR.
So that’s the biggest consideration that I’ve seen, that as you’re going after some of these FAR-based contracts or firm fixed price, if you’re selling a consumption based piece of software that’s gonna bring the revenue recognition that you’re looking for, to then show investors that, “Hey, we have a scalable product in this market.”
You can couple that though, with the ability to go into the Department of Defense and capture SBIR, Phase II’s, CRAs, R&D, a lot of great prototyping, research and development, and non-dilutive capital. But you cannot confuse that for revenue because if you confuse that for revenue and then turn back to investors, you’re gonna have a challenging conversation to navigate.
So I think it’s just having a really clear idea of exactly what revenue you need for an investment perspective, and then how to go capture that with your technology.
__
To find a video of this whole chat, as well as more information on TJ and Second Front Systems be sure to visit: https://longcapture.com/old-fashioned-chat-ato-second-front-systems/
