What Is ATO, and how does it compare with cATO? Learn how the cATO framework can enable secure, on-time delivery of mission-critical projects.
Software development has become more efficient with modern tools, yet it remains plagued by delays and security risks. For government and military applications, the challenge is clear: create secure, effective software and deploy it at the speed users need.
Authorization to Operate (ATO) plays a critical role, serving as the formal approval to deploy a system on a network. Traditional ATO, however, is a one-time security check, repeated for major updates or when authorization expires. To keep pace with new technology and emerging threats, federal agencies need a faster, more adaptive approach: continuous Authority to Operate (cATO). Properly implemented, cATO provides ongoing authorization, enabling secure and rapid software delivery after initial ATO. Not only does the Risk Management Framework (RMF) support this, it actively encourages it.
Keep reading for an overview of ATO and cATO and a better understanding of how cATO’s dynamic and ongoing approach to system authorization is better suited for today’s fast-paced and continuously evolving cybersecurity landscape.
What Does ATO Stand For?
ATO stands for authorization to operate; it’s best thought of as a formal declaration that a system meets the necessary government security and privacy standards for deployment as the Federal Information Security Modernization Act (FISMA) requires. It represents a formal commitment to managing security and privacy risks for federal government software. An ATO is an output of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). It’s based on the .
The NIST ATO process provides seven essential steps organizations may apply in non-sequential order to maintain ongoing situational awareness and support risk management decisions regarding information systems’ security and privacy postures.
Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.
What Is ATO Certification?
Certification and accreditation (C&A) was part of the DoD Information Assurance Certification and Accreditation (DIACAP) program the NIST RMF replaced in 2015, and is no longer used. You should be using the RMF today.
What Is the ATO Process?
An Authority to Operate checklist includes seven essential RMF ATO process steps.
- Prepare: Identify key risk management roles, develop a risk management strategy, conduct risk assessments, identify organizationally tailored and common controls, and establish a monitoring strategy.
- Categorize: Analyze the impact of loss to categorize systems and the information they process, store, and transmit.
- Select: Choose an initial set of controls and tailor them following the complete risk assessments.
- Implement: Employ controls and describe how they apply within the system and its operating environment.
- Assess: Determine whether the organization has effectively implemented controls and whether they produce the intended results regarding security and privacy requirements.
- Authorize: Provide organizational accountability with a leadership determination on whether the system or controls have an acceptable level of risk to operate.
- Monitor: Monitor the system and implement controls over time to mitigate risk and keep systems and information secure; document changes, conduct risk assessments and impact analyses, and report the system’s security and privacy posture.
Note: This list is a high-level overview of the seven-step RMF process—multiple tasks in each step must be completed. More information is available on the NIST website or by working with an experienced partner like Rise8.
An ATO is a time-bound authorization—often three years—after which the organization’s system must undergo a full reauthorization process. This process is resource-intensive and disruptive, and its snapshot-in-time evaluation of the system’s security posture provides neither the speed nor the adequate security needed to address changing technology and emerging threats.
How Long Does the ATO Process Take?
The entire process from preparation to obtaining the ATO can range from six months to two years, with one year being a common duration. Many in government identify waiting for an ATO and working through assessments as the longest step in developing and deploying software. Several factors contribute to process timeliness, including the system complexity, the thoroughness of the preparation and documentation, the responsiveness of all stakeholders, and the availability of technically skilled assessors and highly competent system development teams.
Organizations may reduce the amount of time between the design and deployment of crucial software projects in one of two ways:
- Use an ATO checklist or checklist template, as described above; or
- After achieving the initial ATO, leverage ongoing authorization tailored for continuous delivery or continuous Authority to Operate (cATO).
To improve risk management of information systems, DoD officials recently released the DevSecOps Continuous Authorization Implementation Guide, which maps out the principles of the continuous Authority to Operate, or cATO, model. After a system achieves its initial authorization, properly implementing cATO through ongoing authorization is a fundamental step in the department’s vision to build a faster, more secure development environment and achieve software supremacy.
ATO vs cATO: Why the Difference Matters
cATO is the uncodified term used to describe a specific subset of ongoing authorization tailored for continuous software delivery. cATO is designed to integrate continuous monitoring and agile methodologies, ensuring that security and compliance are maintained in real time as systems and software are developed and updated.
The advantages of ongoing authorization include:
- Improved security posture and reduced risk by minimizing defects through threat analysis and secure coding practices. Secure Release Pipelines enable continuous vulnerability detection, remediation, and developer education.
- Increased transparency and trust with default access to body-of-evidence artifacts, like source code and diagrams, supporting continuous monitoring and automated risk assessments.
- Reduced costs while increasing value delivery to organizations and end-users by leveraging cloud environments and reducing security risks, enabling software deployment in hours or days instead of weeks or months.
Unleash Innovation with Rise8
By embracing the ongoing authorization process, federal agencies can overcome bureaucratic delays, better manage emerging threats, and accelerate digital transformation. Rise8 is at the forefront of cATO, spearheading initiatives to deliver software solutions 25x faster than traditional methods. Are you ready to revolutionize the speed and safety with which you can deliver software? To learn more, check out our cATO playbook or contact us today.