What Does ATO Stand for in RMF?

An authority to operate (ATO) is a formal declaration that confirms software is secure enough to deploy on a network. Obtaining an ATO is a requirement for all government systems and is essential for maintaining operational security and protecting sensitive data. The process requires an extensive and rigorous evaluation to identify and mitigate potential vulnerabilities that could compromise the system or the broader network. ATO is like a permission slip—it authorizes the deployment of a software solution that solves a specific problem and meets the cybersecurity requirements for a particular agency. Unfortunately, a traditional ATO is often inadequate with regard to speed and security, and our Warfighters and citizens pay the price of delays.

Continuous Authority to Operate (cATO) describes an innovative approach to ongoing authorization for delivering higher-quality software with reduced risk after obtaining an initial ATO. This article will provide a high-level overview of what some refer to as “NIST continuous ATO” and what Rise8 refers to as a Continuous Delivery-Risk Management Framework (CD-RMF).

What Is an ATO in RMF?

Authorization to Operate (ATO) is a product of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) so they are often referenced together.

The RMF outlines a structured, but adaptable process with seven steps for managing risks associated with information systems: prepare, categorize, select, implement, assess, authorize, and monitor. Organizations may apply these steps in non-sequential order, as applicable to their software development lifecycles. ATOs are always for government information systems, but the meaning in a business context is no different.

What Is an ATO Used For?

By providing a structured and thorough approach, an ATO ensures an information system meets specific security standards with an acceptable level of risk to operate on a network. The process of obtaining an ATO identifies and mitigates vulnerabilities that may compromise the system or the data it handles.  The functions of an ATO include, but are not limited to:

• Risk Management: The process to obtain an ATO evaluates and mitigates security risks to ensure the system operates safely.
• Compliance: An ATO confirms that the system meets all federal security standards and regulations.
• Deployment Authorization: The ATO grants permission for the system to deploy on government networks.
• Incident Response: The ATO establishes protocols for managing and mitigating security incidents.
• Operational Integrity: The ATO verifies the system can operate securely and effectively.

Unfortunately, the traditional ATO approach is lengthy and complex, requiring extensive documentation, rigorous assessments, and multiple layers of review which often delays software delivery months or even years for the most critical missions. In addition,

ATOs are valid for a fixed period, typically three years, requiring periodic reauthorization at the end of the period or when a system requires major updates. Cyclical re-evaluation lacks the speed and security necessary to tackle changes in technology or cyber threats.

What Are the Seven Steps of the RMF Process?

The RMF ATO process consists of seven essential steps that organizations may apply in nonsequential order:

1. Prepare: Identify key risk management roles, establish the organizational risk management strategy, and conduct risk assessments.
2. Categorize: Categorize systems and the information they process based on the potential impact of a security breach.
3. Select: Choose appropriate security controls from NIST SP 800-53 based on the categorization and risk assessments.
4. Implement: Implement the selected security controls and properly document them.
5. Assess: Assess the effectiveness of the implemented controls to ensure they function as intended and manage the risk effectively.‍
6. Authorize: A senior official reviews the security risks and decides whether the system or controls have an acceptable level of risk to operate resulting in an ATO.‍
7. Monitor: Conduct continuous controls monitoring to ensure they remain effective and the system stays secure over time.

These ATO process steps are essential to maintain ongoing situational awareness for risk management decisions on information systems’ security and privacy posture.

Note: This list is a high-level overview of the RMF process—multiple steps in each section must be completed. More information is available on NIST's website or when working with an experienced partner like Rise8.

How Long Does the ATO Process Take?

While the time required to obtain an ATO varies from six months to two years, many identify working through the assessments as the longest step in developing and deploying software. An ATO granted during the seven-step RMF process requires a point-in-time check of security controls that can take months; the exercise repeats for major updates. Several factors contribute to process timeliness, including system complexity, the thoroughness of the preparation and documentation, the responsiveness of all stakeholders, and the availability of technically skilled assessors and highly competent system development teams.

Notably, an ATO is issued for a limited period, typically three years, and requires reauthorization once it expires. This periodic reassessment can be resource-intensive and disruptive, leading to delays and potential security gaps. The Department of Defense (DOD) ATO process highlights these challenges, emphasizing the need for a more dynamic and continuous approach to maintain security and operational efficiency.

cATO is an ongoing authorization for continuous delivery after achieving the initial authorization. It allows an organization to build and release new system capabilities if it can continuously monitor them against the approved security controls. To achieve cATO, DoD identifies three criteria organizations must meet:

• Continuous monitoring of security controls.
• Active cyber defense measures.
• The adoption of DevSecOps practices.

Shifting from periodic reviews to constant monitoring avoids drifting out of compliance and creates a more robust cybersecurity posture. cATO is not a waiver or a shortcut to compliance with the RMF. Instead, the method tackles requirements at every step of the software development lifecycle to reduce risk.

Ship Software. Save Lives.

Rise8 is at the forefront of continuous Authorization to Operate, pioneering its application in federal settings. By employing strategies for continuous delivery, Rise8 helps organizations deploy secure, compliant, and timely software. Our approach to continuous authorization reduces the need for repeated, time-consuming reauthorizations under the traditional ATO framework. This allows for more agile and responsive operations, better aligned with the fast-paced demands of modern cybersecurity.

The Rise8 cATO playbook, can help you start making impactful changes today. Together, we can ship game-changing software so that fewer bad things happen because of bad software.