ATO to cATO

What's Changing for Government Agencies?

A report by Rise8 featuring Daniel Holtzman, Authorizing Official (AO), DoD Chief Digital & Artificial Intelligence Office (CDAO), Office of the Secretary of Defense

Clouds

Precision and trust are paramount in government agencies, and the effectiveness of national security depends on an organization's ability to trust the information it's using

Yet, as the world of data becomes increasingly interconnected and bad actors become increasingly skilled at launching attacks, cyber threats loom large1. The Department of Defense (DoD) and its stakeholders face a persistent challenge: how can they ensure unwavering trust in the information that guides their actions, guaranteeing that technology systems do not leave them susceptible to cyber threats?

This is the necessary context behind the shift from Authority to Operate (ATO) to Continuous Authority to Operate (cATO)2: helping DoD stakeholders trust the information they must use when it comes time to verify that technology systems are capable of safeguarding military operations in an ever-changing digital landscape — or, at the very least, not introducing unacceptable levels of risk.

Continuous authorizations are harder because you have to have an ecosystem and a support structure that allows you to see in real-time, understand the system, and get insight into changes — and that ecosystem doesn’t exist inside the DoD.
- DanIEL Holtzman, Authorizing Official (AO), DOD Chief Digital & Artificial Intelligence Office (CDAO), Office of the Secretary of Defense

Time, Cost, Effort of Manual Documentation Limits Government Agencies

Independent verification is critically necessary. But the process we take now is critically flawed. According to our proprietary data, it takes 12-18 months and costs over $2 million dollars for the average software product to achieve ATO on a government network. Due to this lengthy process and associated cost, software system deployment is often delayed awaiting approval. Since many of these pending deployments are software systems desperately needed by warfighters, this has a significant impact on national security.

Of course, that’s just one example of how delays put our national security at risk every day. Because of this high barrier to deployment, organizations choose to avoid pursuing government authorization, ultimately reducing competitiveness, limiting choice, and increasing government costs even further.

The traditional approach to cATO is...

Not designed for software delivery

Current process was designed for delivery of monoliths not software, it runs mostly on Microsoft office tools, and it requires the repeated documentation of shared services like platforms and infrastructure.

Time-consuming and expensive

The average ATO takes 18 months to complete and costs over $2 million, and the result is documentation of a snapshot in time that must be updated again.

Incentivized to bury risk and vulnerabilities

The current ATO process incentivizes burying risks and vulnerabilities. It is easier to ignore or create a plan of action and milestones (POAM) forever than it is to push through a fix and have to go through the change process again.

cATO Isn’t New, But It Does Require a New Approach

Today, our systems and data are changing so quickly that we need new ways of verifying the presence or absence of risk with more accuracy and greater speed. If we don’t find a way to do this, we will lose confidence in the data, or make more errors.

In practical terms, the shift from ATO to cATO does not represent a significant change taking place. Being able to demonstrate adherence to the RMF is what has mattered all along— it’s just now possible to do so with more rigor and speed because we have access to the advanced tools and improved processes required to facilitate it.

A web-based, digital compliance platform supports the entire RMF and manages all of the data contained therein. A tool like this makes it easy to achieve cATO because it eliminates the three primary issues with the current ATO process referenced above. With these barriers removed, new capabilities can be delivered earlier and continuously to joint and coalition warfighters, with higher quality and reduced risk.

New technology can address the limitations of the ATO process…

Not designed for software delivery
Time-consuming and expensive
Incentivized to bury risk and vulnerabilities
The whole point of introducing the concept of continuous Authority to Operate is to get away from the habit of only checking access at the three year mark

There’s no mechanism that’s actually making sure you’re improving over those three years and being continuously assessed, and yet you bet attackers are increasing the cadence of developing their exploitations of networks. ATO is mostly focused on documentation of security findings or an organization’s plan to approach security.

ATO makes sure that the systems that we are deploying are secure and organizations implementing control or security are fulfilling their obligations.- JEREMY ARZUAGA SOFTWARE SECURITY ENGINEERRISE8

Here’s a look at the significant ways advanced new technology helps DoD stakeholders approach cATO with confidence:

Today, our systems and data are changing so quickly that we need new ways of verifying the presence or absence of risk with more accuracy and greater speed. If we don’t find a way to do this, we will lose confidence in the data, or make more errors.

In practical terms, the shift from ATO to cATO does not represent a significant change taking place. Being able to demonstrate adherence to the RMF is what has mattered all along— it’s just now possible to do so with more rigor and speed because we have access to the advanced tools and improved processes required to facilitate it.

A web-based, digital compliance platform supports the entire RMF and manages all of the data contained therein. A tool like this makes it easy to achieve cATO because it eliminates the three primary issues with the current ATO process referenced above. With these barriers removed, new capabilities can be delivered earlier and continuously to joint and coalition warfighters, with higher quality and reduced risk.

New technology can address the limitations of the ATO process…

Web-based compliance platform

A web-based, digital compliance platform supports the entire RMF and manages all of the data contained therein. The platform can support everything from system categorization and control all the way through implementation, assessment, and monitoring with report generation.

With compliance data at the center, such a platform eliminates manual work associated with transferring data across steps and systems. This creates a common reference for all relevant user groups, enabling continuous updates and assessments of security controls.

Decouples the organizational, physical, and digital elements of a system

Decoupling the organizational, physical, and digital elements of a system focuses assessment effort solely on delivering new changes.

When establishing a system, security controls can be labeled as either organization, infrastructure, platform, or application controls. By labeling controls in this way, this new platform overcomes a major organizational stumbling block by clearly defining where controls need to be implemented versus where they do not. Once a system is established, additional system components, along with any identified and inherited security controls, can be created in a matter of minutes instead of months.

Aggregates displays and manages key security and compliance data

Provides a central platform where all relevant security and compliance information can be managed and displayed, creating a singular point of reference for systems and services and pulling in and displaying vulnerability and compliance scan results.

Integrates with industry leading tools

The flexibility of the current implementation of the RMF allows for new ways of demonstrating compliance. The old way involved too many manual steps taken in too many different tools (most of which, like Microsoft Word and Excel, weren’t designed for this purpose), leading to fragmentation, friction, duplication of work, and near-zero transparency. More than half of the time and cost associated with achieving an ATO is a direct result of highly manual security control selection, implementation, and documentation processes.

A digital and web-based platform supports continuous testing as part of applications’ Continuous Integration / Continuous Delivery (CI/CD) pipelines. With this support, every time a change is made to an application’s codebase, the platform will measure and display the compliance statuses for each control and component.

Real-time and continuous change monitoring using AI

Modern software development practices rely heavily on shared services such as cloud environments, container orchestration services, and identity management services. Although various v development organizations may be using the exact same service(s), they are documented and assessed repeatedly as part of each individual ATO package.

Within advanced new tools, shared services can actually be shared across multiple systems. Once a component is established and assessed, that component can then be imported into any other systems established within the platform. This system of shared components and security controls serves as the foundation for a compliance and software delivery ecosystem.

We require authorization because we want to make sure we can trust the data and trust the system and trust the information. The RMF was simply meant to be a repeatable, flexible way to ensure that with results that are comparable across government agencies. The move to cATO is more about updating the culture and mindset around compliance as a continuous activity and not a box you can check.
- DANIEL HOLTZMAN

Advanced Features Unlock cATO for Government Agencies

Today’s technology can offer government agencies a web-based, digital compliance platform that supports the entire RMF and manages all of the data contained inside it. These platforms can act as a single source of truth, supporting everything from system categorization and control all the way through implementation, assessment, and monitoring with report generation.

With compliance data at the center of the platform, it eliminates manual work associated with transferring data across steps and systems. This creates a common reference for all relevant user groups, enabling continuous updates and assessments of security controls. Ultimately, these features organize and streamline the ATO process, empowering government entities to approach it with a higher level of confidence, accuracy, and security.

Simplifies the process by removing steps and complexity

No more throwing documentation over the fence or burying it in opaque Word documents or Excel spreadsheets. You are creating a central source of truth for all your security and compliance data.

Supports the entirety of software development lifecycle

Systems and individual components can be easily managed from inception to sunset. Initial assessments flow seamlessly into continuous monitoring, and documentation is managed automatically.

Unites users and stakeholders under a common process

Developers, assessors, system managers and authorizing officials are all viewing the same information. When information is introduced, it is immediately reflected across the application and is viewable by all users.

Incentivizes annual security and continuous improvement

In aggregate, these changes incentivize actual security and continual improvement rather than just running through the process.

We’ve had all the tools we needed to do cATO from the beginning, but it was expensive and timeconsuming and not very efficient. Today, when it’s more important than ever to comply with policy and align with the RMF framework, we finally have the technology to document and trace these activities with technology that is truly continuous.
- BRYON KROGER FOUNDER & CEORISE8

Authority to Operate — Efficiently

Ironically, some of the largest threats to national security today are the delays caused by the traditional approach to securing ATO for software in the Department of Defense. The current culture, process, and technology in place is simply broken, preventing government departments from efficiently meeting the standards and guidelines of NIST’s RMF.

cATO is not necessarily revolutionary. But with support from an advanced platform that puts unified compliance data at its core, the process itself becomes revolutionary. Government stakeholders have what they need to better manage documentation and enable transparency and real-time information sharing, ultimately making it possible to show continuous adherence to RMF — which is what mattered all along.

1 DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

https://www.gao.gov/products/gao-23-105084

2 Memorandum for Senior Pentagon Leadership Defense Agency and DoD Field Activity Directors

https://media.defense.gov/2022/Feb/03/2002932852/-1/-1/0/CONTINUOUS-AUTHORIZATION-TO-OPERATE.PDF

Stay updated on your compliance system by accessing real-time data at the individual scan and control level, ensuring you know exactly what is required and when it's required.

Discover Tracer