Yet, as the world of data becomes increasingly interconnected and bad actors become increasingly skilled at launching attacks, cyber threats loom large¹. The Department of Defense (DoD) and its stakeholders face a persistent challenge: how can they ensure unwavering trust in the information that guides their actions, guaranteeing that technology systems do not leave them susceptible to cyber threats?
This is the necessary context behind the shift from Authority to Operate (ATO) to Continuous Authority to Operate (cATO)²: helping DoD stakeholders trust the information they must use when it comes time to verify that technology systems are capable of safeguarding military operations in an ever-changing digital landscape — or, at the very least, not introducing unacceptable levels of risk.
Independent verification is critically necessary. But the process we take now is critically flawed. According to our proprietary data, it takes 12-18 months and costs over $2 million for the average software product to achieve ATO on a government network. Because of this lengthy process and its associated cost, software system deployment is often delayed while awaiting approval. Since many of these pending deployments are software systems desperately needed by warfighters, this has a significant impact on national security.
Of course, that’s just one example of how delays put our national security at risk every day. Because of this high barrier to deployment, organizations choose to avoid pursuing government authorization, ultimately reducing competitiveness, limiting choice, and increasing government costs even further.
Today’s technology can offer government agencies a web-based, digital compliance platform that supports the entire RMF and manages all of the data contained inside it. These platforms can act as a single source of truth, supporting everything from system categorization and control all the way through implementation, assessment, and monitoring with report generation.
With compliance data at its center, the platform eliminates the manual work associated with transferring data across steps and systems. This creates a common reference for all relevant user groups, enabling continuous updates and assessments of security controls. Ultimately, these features organize and streamline the ATO process, empowering government entities to approach it with a higher level of confidence, accuracy, and security.
Ironically, some of the largest threats to national security today are the delays caused by the traditional approach to securing ATO for software in the Department of Defense. The current culture, process, and technology in place are simply broken, preventing government departments from efficiently meeting the standards and guidelines of NIST’s RMF.
cATO is not necessarily revolutionary. But with support from an advanced platform that puts unified compliance data at its core, the process itself becomes revolutionary. Government stakeholders have what they need to better manage documentation and enable transparency and real-time information sharing, ultimately making it possible to show continuous adherence to RMF — which is what mattered all along.