TL;DR: How Long the ATO Process Takes
Under NIST’s Risk Management Framework (RMF), the Authorization to Operate (ATO) process typically takes 6 months to over 2 years. Delays stem from system complexity, documentation demands, slow stakeholder response, and limited assessor or AO capacity.
Traditional ATO is a point-in-time decision that may require reassessment or reauthorization for major updates or upon expiration. This guide breaks down the 7 RMF steps and what affects each step's timeline, then introduces DoD's continuous ATO (cATO), an RMF-based model that combines continuous monitoring with DevSecOps to support near real-time authorization decisions after the initial ATO, reducing risk and speeding delivery.
What is an ATO from the DOD?
An ATO is a formal declaration that a system meets the government security and privacy standards required for deployment under the Federal Information Security Modernization Act (FISMA). The Department of Defense (DOD), like other federal agencies, requires an ATO to ensure a system can protect sensitive information and perform its intended functions without exposing the network to an unacceptable level of risk.
Do all federal systems require an ATO?
Most federal information systems that store, process, or transmit government data must receive an ATO or equivalent authorization before operation on a government network. An ATO confirms the system has completed the NIST RMF security assessment, meets the required controls, and presents an acceptable level of risk for its intended operational environment. Agencies use the RMF’s seven steps to evaluate and authorize (or deny) system operation.
What is the ATO process?
The NIST RMF outlines a structured but adaptable seven-step process for managing the risks associated with information systems. Organizations may apply the steps in a non-sequential order that fits their software development lifecycle:
Note: This checklist is a high-level overview of the seven-step RMF process; each step comprises multiple tasks that must be completed. More information is available from NIST or from an experienced partner like Rise8.
- Prepare:
  - Identify key risk management roles within your organization.
  - Establish a risk management strategy and determine risk tolerance.
  - Develop an organization-wide risk assessment and establish tailored control baselines.
- Categorize:
  - Determine the impact level of the system based on confidentiality, integrity, and availability.
  - Use NIST's FIPS 199 to help categorize the information and systems.
- Select Security Controls:
  - Choose a baseline set of security controls from NIST SP 800-53B based on the system's categorization.
  - Supplement these controls with additional ones if necessary to address specific risks.
- Implement Security Controls:
  - Apply the selected security controls to the system.
  - Document how these controls are deployed and integrated into the system.
- Assess Security Controls:
  - Conduct a thorough evaluation of the implemented controls to ensure they are functioning correctly and effectively mitigating risks.
  - This assessment typically involves penetration testing and vulnerability scanning.
- Authorize the System:
  - Compile an Authorization Package.
  - Present this package to the Authorizing Official (AO) for review.
  - The AO will evaluate the risk and decide whether to grant the ATO based on the assessment results and the system's overall security posture.
- Monitor Security Controls:
  - Once the ATO is granted, continuously monitor the system to ensure ongoing security.
  - Perform regular assessments, updates, and reporting to maintain compliance and address any emerging threats.
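The Categorize and Select steps above hinge on a rule the checklist does not spell out: FIPS 199 categorizes a system by the "high water mark" of its information types per security objective, and that overall category picks the SP 800-53B baseline. The following is an added example (not from this article or from Rise8) that applies that rule to constructed sample information types; the type names and impact levels are invented for illustration.

```python
# Added example (not from the article): FIPS 199 "high water mark" categorization (RMF
# Categorize) feeding SP 800-53B baseline selection (RMF Select). Constructed sample data.
from dataclasses import dataclass

# FIPS 199 impact values, ascending. "n/a" is permitted only for the
# confidentiality of public information, and only at the information-type level.
LEVELS = ("n/a", "low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    def impact(self, objective):
        level = getattr(self, objective)
        if level not in LEVELS:
            raise ValueError(f"{self.name}: invalid impact level {level!r}")
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{self.name}: 'n/a' is only valid for confidentiality")
        return level

def categorize_system(info_types):
    """Return (per-objective high water mark, overall system category). FIPS 199
    floors each system-level objective at 'low', even if every type is 'n/a'."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    sc = {}
    for obj in OBJECTIVES:
        hwm = max((t.impact(obj) for t in types), key=LEVELS.index)
        sc[obj] = max(hwm, "low", key=LEVELS.index)
    return sc, max(sc.values(), key=LEVELS.index)

def select_baseline(overall):
    """SP 800-53B control baseline that matches the FIPS 199 system category."""
    if overall not in LEVELS[1:]:
        raise ValueError(f"no SP 800-53B baseline for category {overall!r}")
    return f"SP 800-53B {overall.capitalize()} baseline"

# Constructed sample: three information types hosted on one system.
SAMPLE = [
    InfoType("public web content", "n/a", "moderate", "low"),
    InfoType("personnel records", "moderate", "moderate", "low"),
    InfoType("mission tasking data", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    sc, overall = categorize_system(SAMPLE)
    print(sc, overall)  # one HIGH integrity type drives the whole system to HIGH
    print(select_baseline(overall))
```

Note that a single information type with a high integrity impact pulls the entire system, and therefore its control baseline, to High; splitting such data onto its own system boundary is a common way to keep the rest of a system at Moderate.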
How long does it take to get an ATO?
Several factors determine how long the process takes: system complexity, the thoroughness of preparation and documentation, the responsiveness of all stakeholders, and the availability of technically skilled assessors and competent system development teams.
Factors Influencing ATO Duration
Here’s a general outline of what to expect in each step of the RMF:
- Prepare: Set up key roles, create a risk management plan, assess risks, identify common controls, and develop a monitoring strategy. Depending on your readiness, this can take weeks to months.
- Categorize: Link the system’s security activities to your organization’s mission. Identify information types, set impact levels, and assign a security category. This helps align security with business priorities.
- Control Selection: Choose baseline security controls based on risk. Add any needed supplemental or compensating controls. With clear guidelines, this step can take just a few weeks.
- Implement Security Controls: Apply the chosen controls, configure security measures, and document everything. This can take months, depending on system complexity.
- Assess Security Controls: Test the controls with penetration testing and vulnerability scans. The assessment could take anywhere from a few weeks to months, depending on the findings.
- Authorize System: Put together the Authorization Package (System Security Plan, Security Assessment Report, etc.) and submit it to the Authorizing Official. This process can take weeks, depending on the AO’s review and any risks that need addressing.
- Monitor and Maintain Compliance: After the ATO is granted, this step ensures your system stays secure. It involves continuous updates, monitoring, and reassessments over time.
Is there an alternative to the ATO process?
There is no alternative to the Risk Management Framework itself, but the RMF is flexible and encourages organizations to implement it according to their needs and abilities. So yes, there are alternatives to the traditional approach to ATO. A popular one is moving to an ongoing authorization tailored for continuous delivery, often referred to as continuous Authority to Operate (cATO). Unlike a traditional ATO, which is a one-time, time-bound approval, cATO is a dynamic, ongoing authorization process within the RMF designed to speed up software development and delivery without sacrificing security. It is better suited to mission-critical environments that require rapid, frequent software updates while maintaining a high level of security. cATO integrates Agile and DevOps practices with the existing RMF, shifting the emphasis from point-in-time assessment to continuous assessment and improvement.
The benefits of cATO are:
- Real-Time Risk Management: cATO requires continuous monitoring, enabling real-time detection and mitigation of vulnerabilities.
- Agile and Efficient Deployment: Embracing cATO allows organizations to deploy software updates and new systems faster without waiting for lengthy approvals, helping them stay responsive to changing requirements and emerging threats.
- Enhanced Flexibility and Responsiveness: cATO allows frequent updates and modifications, keeping systems secure and functional over time. This continuous process aligns with modern DevOps, promoting a culture of ongoing improvement and adaptation.
Achieve Continuous Authorization: Make Ship Happen
When done correctly, cATO authorizes the system itself; the inputs that produce secure, authorized outputs in a trustworthy and transparent environment, however, are the right people, policies and processes, and technologies. Rise8 firmly believes that local context is an important factor when designing and implementing cATO: you cannot succeed if you don't know where you're starting from. Rise8 pairs one-to-one with your team to bring the benefits of ongoing authorization to the continuous delivery of valuable software your users will love. Pair with Rise8 for:
- Speed and Efficiency: Significantly reduce the time required to achieve authorization compared to traditional ATO processes.
- Enhanced Security: Continuous monitoring and real-time risk management improve overall security posture.
- Adaptability: Agile methodologies enable quick adaptation to new threats and changing requirements.
Learn more about Rise8 or schedule a call today to make ship happen!