What Is an Example of Authority To Operate?

Explore a real-world ATO example, understand its importance, and learn about continuous authority to operate.

An Authority to Operate (ATO) authorizes the deployment of a software solution that meets both specific operational needs and prescribed cybersecurity requirements. However, a traditional ATO is slow to obtain, and because it rests on a point-in-time assessment it cannot keep pace with technology changes and emerging threats. The waiting period for an ATO and its associated assessments hampers the swift deployment of critical software capabilities. A popular alternative is to move to an ongoing authorization tailored for continuous delivery, commonly called continuous Authority to Operate (cATO).

Rise8 is at the forefront of implementing cATO, leveraging the principles of the Risk Management Framework, Agile, and DevOps to streamline the authorization process, making it faster and more efficient while maintaining rigorous security standards. To ensure your organization can achieve continuous compliance and operational excellence, Rise8 is dedicated to providing resources like an Authorization to Operate checklist or our cATO playbook—to help you continuously deliver high-quality software with reduced risk. In this article, we'll explore a real-world example of an ATO to illustrate the comprehensive process and explore cATO. 

What Is Authority To Operate?

An Authorization to Operate (ATO) is a formal decision by a senior official that a specific information system, and the software it runs, presents an acceptable level of risk and may be placed into operation on a network. Obtaining an ATO requires an extensive and rigorous evaluation to identify and mitigate potential vulnerabilities that could compromise the system or the broader network. An ATO is a risk-acceptance decision, not a guarantee that the system is free of vulnerabilities.

Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.

Who Needs an ATO?

ATOs are required for federal government information systems, whether they are managed by government agencies, contractors, or third-party service providers. The ATO validates that these systems are resilient against cyber threats and protects national security interests by ensuring that critical information remains secure and available. An ATO indicates that a system has passed a comprehensive security assessment and meets the required security standards to function within a specific operational environment.

Who Provides the Authorization To Operate?

The responsibility for granting an ATO falls to an Authorizing Official (AO), a senior leader accountable for the system’s security and compliance posture. The AO’s decision is based on a detailed risk assessment, security testing, and documentation that demonstrates compliance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). The AO has the critical decision-making role of determining whether a system is fit for operational use on the agency’s network. By granting an ATO, the AO formally accepts the residual risk of operating the system, signifying that it is secure enough and capable of protecting sensitive data. The AO can also deny the authorization or grant it with conditions, such as a deadline for remediating specific findings.

What Is an Example of Authority To Operate?

Consider the RMF process for a U.S. Army Authority to Operate. Any system slated for use on the Army network must hold an ATO. Here’s how the Army’s ATO journey typically unfolds, following the seven RMF steps:

  1. Prepare: Scope the system, identify key stakeholders and risks, and establish the framework for managing them, ensuring all documentation and resources are in order.
  2. Categorize: Categorize the system by the impact (low, moderate, or high) that a loss of confidentiality, integrity, or availability would have on Army operations. This step aligns the level of security with the risk posed to the Army’s mission.
  3. Select: Tailor the security control baseline per NIST SP 800-53, keeping the controls relevant to the system’s impact level and specific risk profile and documenting them in the System Security Plan (SSP).
  4. Implement: Deploy the selected controls, configuring the hardware, software, and procedures that will protect against identified threats, and record how each control is implemented.
  5. Assess: Have an independent assessor test the controls, including vulnerability scans and penetration tests, to validate their effectiveness; the findings are captured in a Security Assessment Report (SAR).
  6. Authorize: The AO reviews the authorization package (SSP, SAR, and the Plan of Action and Milestones for open findings) and determines whether the remaining risk is acceptable for operation within the Army’s network.
  7. Monitor: Post-authorization, the system is continually monitored to detect and respond to new threats, and controls are reassessed whenever significant changes are made to the system.

Note: This list is a high-level overview of the seven-step RMF process; each step contains multiple tasks to complete. More information is available from NIST (SP 800-37) or by working with an experienced partner like Rise8.

cATO—Moving Beyond Traditional ATO

The DoD Authority to Operate example above demonstrates the basic RMF process to obtain an ATO, but the traditional approach has limitations:

  • Time-Intensive: Awaiting a traditional ATO can delay deployment of mission-critical systems or major updates by months to more than two years.
  • Resource-Heavy: Achieving ATO demands substantial personnel and documentation resources, creating hurdles for smaller projects.
  • Static in Nature: Traditional ATO relies on point-in-time assessments, so the authorization reflects the system as it was on assessment day while the deployed system and the threat landscape keep changing.
  • Operational Delays: Any significant change or update can trigger reassessment, delaying redeployment and impacting mission readiness.

With these challenges in mind, many agencies are shifting to Continuous Authority to Operate (cATO). Under cATO, the evidence an AO needs is generated continuously rather than at a single point in time: controls are monitored and reassessed as the system changes, and security testing is built into the delivery pipeline so each release carries its own evidence. The AO still makes, and remains accountable for, the risk-acceptance decision; what changes is that the system can be updated without waiting for a full reauthorization each time. This helps ensure systems remain secure and compliant without the bottlenecks of traditional ATO.

To learn more about cATO, download the Rise8 cATO playbook

Ready to continuously deliver valuable software your users will love? Partner with Rise8 

With cATO, organizations can achieve continuous compliance and operational excellence, ensuring that their systems are always secure, up-to-date, and ready to move at the speed their users demand. Visit our About page to learn more about Rise8 or schedule a call to see how we can work together to ensure a future where fewer bad things happen because of bad software.