
What Is an Example of Authority To Operate?

TL;DR: Authority to Operate (ATO) Examples

An Authority to Operate (ATO) authorizes the deployment of a software solution that meets both specific operational needs and prescribed cybersecurity requirements. However, traditional ATOs lack speed and adequate security to address technology changes and emerging threats. The waiting period for an ATO and associated assessments hamper the swift deployment of critical software capabilities. A popular alternative involves moving to an ongoing authorization tailored for continuous delivery, commonly called continuous Authority to Operate (cATO).

Rise8 is at the forefront of implementing cATO, leveraging the principles of the Risk Management Framework, Agile, and DevOps to streamline the authorization process, making it faster and more efficient while maintaining rigorous security standards. To ensure your organization can achieve continuous compliance and operational excellence, Rise8 is dedicated to providing resources, such as an Authorization to Operate checklist or our cATO playbook, to help you continuously deliver high-quality software with reduced risk. In this article, we'll walk through a real-world example of an ATO to illustrate the comprehensive process, and then look at cATO.

What Is an Example of Authority To Operate?

A practical ATO example is a U.S. Army system that must complete the NIST Risk Management Framework (RMF) and receive risk acceptance from an Authorizing Official (AO) before it can operate on the Army network.

The Problem With Traditional ATO

The DoD ATO example illustrates the basic RMF process, but the traditional approach can take several months to over a year in practice and may delay the deployment of critical systems.

Here are common drawbacks agencies face with the traditional ATO model:

  • Time-Intensive: Traditional ATOs can delay mission‑critical deployments or major updates by months or longer.
  • Resource-Heavy: The process requires substantial personnel and documentation, creating barriers for smaller projects.
  • Static in Nature: ATOs are based on point‑in‑time assessments, which can’t keep up with fast‑evolving threats without strong continuous monitoring.
  • Operational Delays: Significant changes or updates may require reassessment or reauthorization, slowing responsiveness and readiness.

What is Continuous Authority to Operate (cATO)?

With these challenges in mind, DoD programs are shifting to Continuous Authority to Operate (cATO).

Continuous ATO (cATO) is an RMF‑based, ongoing authorization model for continuous delivery after an initial ATO. Instead of waiting for periodic reauthorization, cATO uses continuous monitoring and near real‑time risk decisions to keep systems secure and compliant as they evolve—unless risk thresholds are exceeded and the cATO is revoked.

Ready to continuously deliver valuable software your users will love? Partner with Rise8 

With cATO, organizations can achieve continuous compliance and operational excellence, ensuring that their systems are always secure, up-to-date, and ready to move at the speed their users demand. Visit our About page to learn more about Rise8 or schedule a call to see how we can work together to ensure a future where fewer bad things happen because of bad software.
