What Is a Continuous ATO?

The traditional processes to obtain and maintain Authorization to Operate (ATO) often fall short in today’s rapidly changing threat landscape. They are slow and, resource-intensive, leaving new threats to outpace new or upgraded systems. Unlike the traditional ATO, continuous Authority to Operate (cATO) offers a dynamic, real-time approach to system authorization. Leveraging the principles of what some refer to as  “NIST continuous ATO,” cATO requires continuous monitoring and rapid response to evolving risks, ensuring that systems remain secure and compliant without the lengthy delays typical of conventional authorization. This article explores the concept of cATO, its benefits, and how it enables continuous software delivery for federal agencies.

What Does ATO Stand for in RMF?

Because an ATO is an output of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), they are often referenced together. The RMF process includes seven steps organizations may apply in non-sequential order, according to software development lifecycles, to manage and mitigate risks in government information systems.

What Is a Conditional ATO?

An ATO indicates a system has passed a thorough evaluation and is authorized to operate within specified conditions for a specified period, typically three years. During this time, there is a requirement for ongoing monitoring to maintain system compliance. At the end of the period, the organization’s system must undergo a full reauthorization process. If the RMF process reveals unmitigated vulnerabilities, the AO may grant an ATO with conditions or “conditional ATO,” outlining the risks an organization must address within a given timeframe.

What Is a Continuous ATO?

A popular alternative to the traditional ATO involves moving to an ongoing authorization tailored for continuous delivery or continuous Authority to Operate (cATO). Unlike the one-time, time-bound approval of ATO, cATO is a dynamic, ongoing authorization process within RMF designed to expedite software development and delivery without sacrificing security. This approach is better suited for mission-critical environments that require rapid, frequent software updates while maintaining high security. More than 80% of the time it takes to get a traditional ATO is spent waiting in a queue where capacity and skills deficits cause delays. Waiting leads to obsolescence.

The concept of cATO emerged as a response to these limitations and a demand for a process to make changes in near-real time. As co-founder of the U.S. Air Force’s Kessel Run, the DOD’s first software factory, Rise8 Founder and CEO Bryon Kroger spearheaded the initiative to apply DevOps principles to meet NIST RMF requirements. In 2018, DOD officials approved cATO for Kessel Run’s systems; ongoing authorization granted authorization at the time of release and removed it as a bottleneck for lead time and deployment frequency so that software deployments could occur in hours, not months or years.

What Is the cATO Process Like With Rise8?

When done correctly, cATO is about authorizing the system. However, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, policies/processes, and technologies. Rise8 firmly believes that local context is an important factor when designing and implementing cATO—you cannot succeed if you don’t know where you’re starting from. Rise8 pairs one-to-one with your team to bring the benefits of ongoing authorization to the continuous delivery of valuable software your users will love.

Pair with Rise8 for:

• Speed and Efficiency: Significantly reduce the time required to achieve authorization compared to traditional ATO processes.‍
• Enhanced Security: Continuous monitoring and real-time risk management improve overall security posture.‍
• Adaptability: Agile methodologies enable quick adaptation to new threats and changing requirements.

Are you ready to rise? Explore our free continuous ATO playbook or contact us today to learn more about how Rise8 is working to create a future where fewer bad things happen because of bad software.