Understanding the Values of the cATO Manifesto

The Power of 8

By Rise8


Whether you work in development, testing, or operations, it’s imperative to stay current with the latest trends, tools, and techniques. The cATO Manifesto proposes eight values to help agencies improve the quality, security, and performance of their products. 

While there is merit to the terms on the right side of each of the following values, the cATO Manifesto emphasizes the terms on the left.

1. Proactive Prevention Over Reactive Remediation

The first value of the cATO Manifesto is proactive prevention over reactive remediation, focusing on preventing problems, i.e. vulnerabilities and breaches, rather than fixing them after they occur. To achieve this, engineers must build systems that identify these issues before production deployment and adopt a proactive approach to testing, monitoring, and maintenance.  This saves time and resources and improves the overall quality of their products.

2. Automated Assurance Over Manual Checks

The second value proposes harnessing the power of automation over manual checks to ensure consistent, efficient adherence to NIST Risk Management Framework (RMF) standards. This approach saves time and effort, reduces human errors, and provides more accurate and reliable results. Automated testing and monitoring can also detect issues that are harder to identify through manual inspection, such as memory leaks, concurrency problems, and security vulnerabilities.

3. Continuous Collaboration Over Siloed Departments

Continuous collaboration, versus siloed departments that may have differing incentives, encourages synergy across development, operations, and risk management teams and can foster creativity, diversity, and innovation while enabling engineers to share knowledge, skills, and best practices. Moreover, collaboration can help break down the barriers between departments to create a culture of cross-functional responsibility.

4. Adaptive Frameworks Over Rigid Rulesets

The fourth value of the cATO Manifesto is adaptive frameworks over rigid rulesets. Flexible and adaptive frameworks, like the NIST RMF itself, can provide a structure and a guideline to adapt to new challenges, technologies, and learnings without compromising security or privacy.  By adopting adaptive frameworks there is more opportunity for innovation. 

5. Real-time Feedback Over Periodic Audits

The fifth value of the cATO Manifesto prioritizes instant feedback on security and privacy risks over periodic audits. Periodic reviews are still necessary, but they do not enable immediate actions and adjustments. Real-time feedback facilitates a sense of ownership and accountability and encourages improved performance and quality. 

6. Team Education Over Enforcement Only

Educating teams on the importance of the NIST RMF and fostering a culture of shared responsibility and awareness over imposing rules, is central to the sixth value of the cATO Manifesto. This prioritizes education and training to improve engineers' knowledge, skills, and competencies over simply requiring them to follow rules and procedures. Education empowers ownership, supports informed decisions, and drives innovation. Education and training also keep the latest trends, tools, and techniques at the forefront so engineers can continue to adapt to changing requirements and challenges.

7. Transparency in Processes Over Obscurity

Transparency in processes over obscurity requires clear visibility of all NIST RMF processes, technologies, and their outputs, ensuring all stakeholders understand, trust, and can validate the approach. Transparency promotes trust, accountability, and collaboration, and enables stakeholders to understand and assess the quality, security, and performance of the products. 

8. Tailored Implementation Over One-Size-Fits-All

The final value of the cATO Manifesto is tailored implementation over one-size-fits-all. While generic solutions may provide a foundation, engineers should adopt customized and tailored solutions that meet the unique mission objectives of each organization, accounting for specific requirements, constraints, and risks. By tailoring the solutions to the project, as recommended in the NIST RMF, engineers can achieve better outcomes, optimize their resources, and improve their performance.


The cATO Manifesto proposes eight values that can help software delivery teams improve the quality, security, RMF adherence, and performance of their products. Proactive Prevention, Automated Assurance, Continuous Collaboration, Adaptive Frameworks, Real-time Feedback, Team Education, Transparency, and Tailored Implementations are central to better ways of managing security and privacy risks. By adopting these values, delivery teams can provide products with higher quality with reduced risk.

This artifact draws heavily from the Manifesto for Agile Software Development, which can be found at: https://agilemanifesto.org/