
What is a continuous ATO?

TL;DR: What a Continuous ATO (cATO) Is

A Continuous Authority to Operate (cATO) is an RMF-aligned, ongoing authorization model that enables federal teams to deliver secure, compliant software rapidly. Unlike traditional ATOs—which are static, time-bound approvals—cATO uses continuous monitoring and real-time risk decisions to authorize system changes as they happen.

In a continuous AO model, the Authorizing Official provides ongoing risk oversight and acceptance, using live monitoring evidence to approve system changes and releases in near real time. First implemented at Air Force Kessel Run in 2018, cATO allows software to ship in hours or days, strengthening security posture and accelerating mission outcomes.

What Does ATO Stand for in RMF?

Because an ATO is an output of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), the two are often referenced together. The RMF process includes seven steps that organizations may apply in non-sequential order, according to their software development lifecycles, to manage and mitigate risks in government information systems.

What Is a Conditional ATO?

An ATO indicates a system has passed a thorough evaluation and is authorized to operate within specified conditions for a specified period, typically three years. During this time, there is a requirement for ongoing monitoring to maintain system compliance. At the end of the period, the organization’s system must undergo a full reauthorization process. If the RMF process reveals unmitigated vulnerabilities, the AO may grant an ATO with conditions or “conditional ATO,” outlining the risks an organization must address within a given timeframe.

What Is a Continuous ATO?

A popular alternative to the traditional ATO is an ongoing authorization tailored for continuous delivery, known as a continuous Authority to Operate (cATO). Unlike the one-time, time-bound approval of an ATO, cATO is a dynamic, ongoing authorization process within RMF designed to expedite software development and delivery without sacrificing security. This approach is better suited for mission-critical environments that require rapid, frequent software updates while maintaining high security. More than 80% of the time it takes to get a traditional ATO is spent waiting in a queue where capacity and skills deficits cause delays. Waiting leads to obsolescence.

The concept of cATO emerged as a response to these limitations and a demand for a process to make changes in near real time. As co-founder of the U.S. Air Force’s Kessel Run, the DOD’s first software factory, Rise8 Founder and CEO Bryon Kroger spearheaded the initiative to apply DevOps principles to meet NIST RMF requirements. In 2018, DOD officials approved cATO for Kessel Run’s systems. Ongoing authorization meant that authorization was granted at the time of release, which removed it as a bottleneck for lead time and deployment frequency so that software deployments could occur in hours, not months or years.

What Is the cATO Process Like With Rise8?

When done correctly, cATO is about authorizing the system. However, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, policies/processes, and technologies. Rise8 firmly believes that local context is an important factor when designing and implementing cATO—you cannot succeed if you don’t know where you’re starting from. Rise8 pairs one-to-one with your team to bring the benefits of ongoing authorization to the continuous delivery of valuable software your users will love.

Pair with Rise8 for:

  • Speed and Efficiency: Significantly reduce the time required to achieve authorization compared to traditional ATO processes.
  • Enhanced Security: Continuous monitoring and real-time risk management improve overall security posture.
  • Adaptability: Agile methodologies enable quick adaptation to new threats and changing requirements.

Are you ready to rise? Explore our free continuous ATO playbook or contact us today to learn more about how Rise8 is working to create a future where fewer bad things happen because of bad software.
