Discover what Authority to Operate (ATO) means for systems and how continuous ATO models are the right way to ensure ongoing security and compliance
Navigating federal security and compliance requirements for information systems can be slow-moving and daunting. Read on to learn how applying Agile methodologies to the rigorous and adaptable National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) can help you achieve continuous delivery and operational excellence with compliant, robust, and secure systems.
What Is an Authority To Operate?
An Authorization to Operate (ATO) is a formal declaration that an information system meets the necessary government security and privacy standards for deployment as the Federal Information Security Modernization Act (FISMA) requires. It represents a formal commitment to managing security and privacy risks for federal government software.
Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.
What Is Authority To Operate for Systems?
Are you wondering “What is Authorization to Operate NIST?” or “What is Authority to Operate for Systems?” It’s all the same. ATO is a product of the NIST RMF, so they are often referenced together. The RMF outlines a structured but adaptable process with seven steps for managing risks associated with information systems. Obtaining an ATO involves an evaluation of the system’s security controls, risk management strategies, and overall security posture to ensure it can effectively protect sensitive data and maintain operational integrity without compromising the system or the broader network. It’s important to remember that ATOs are granted during the seven-step RMF process.
What Is Required for an ATO?
Traditionally, an ATO, granted during the seven-step RMF, requires a point-in-time check of security controls that can take months; the exercise repeats for major updates or when the authorization expires. Several factors contribute to how long the process takes, including the system’s complexity, the thoroughness of the preparation and documentation, the responsiveness of all stakeholders, and the availability of technically skilled assessors and highly competent system development teams. Here’s a general outline of what to expect in each step of the RMF:
- Prepare: Define roles, set a risk management strategy, and prioritize security and privacy risks for systems and the organization.
- Categorize: Analyze the impact of potential losses on the system and its information.
- Select: Choose and customize security controls based on the system’s risk level.
- Implement: Apply and document the selected controls within the system’s environment.
- Assess: Independently verify the controls’ functionality and effectiveness.
- Authorize: The Authorizing Official reviews all assessments and documentation to decide if the system’s risk is acceptable.
- Continuous Monitoring: Continuously assess, update, and monitor to maintain compliance and address new threats.
Note: This list is a high-level overview of the RMF process—multiple steps in each section must be completed. More information is available by visiting NIST or when working with an experienced partner like Rise8.
What Is the Difference Between ATO and cATO?
The RMF is flexible and encourages implementing the framework according to your needs and abilities. While there is no alternative to the RMF, a popular approach involves moving to an ongoing authorization tailored for continuous delivery, often referred to as continuous Authority to Operate (cATO). Traditional ATOs can be time-consuming and often lead to delays in deploying critical systems due to their static, point-in-time assessments. In contrast, cATO offers a more dynamic and ongoing approach to system authorization suited for today’s fast-paced and continuously evolving cybersecurity landscape.
cATO is the uncodified term used to describe a specific subset of ongoing authorization tailored for continuous software delivery. cATO is designed to integrate continuous monitoring and agile methodologies, ensuring real-time security and compliance as systems and software are developed and updated. This approach aligns with the RMF but shifts the focus from periodic reauthorization to ongoing assessment and authorization.
Benefits of Ongoing Authorization:
- Real-Time Risk Management: Continuous monitoring enables immediate detection and mitigation of vulnerabilities, maintaining higher security and compliance while reducing risks from emerging threats.
- Agile Deployment: cATO supports faster software updates and system rollouts, eliminating delays from lengthy reauthorization, and allowing organizations to adapt swiftly to new demands.
- Enhanced Flexibility: Frequent updates and modifications ensure systems stay secure and functional, aligning with DevOps practices to foster continuous improvement and adaptability.
Practical Example
A Department of Defense (DOD) Authority to Operate example highlights the practical application of these concepts. The Authorizing Official (AO) in a DOD organization may grant an ATO for a mission-critical system as an output of the seven-step NIST RMF process, but a traditional ATO provides a time-bound authorization after a point-in-time assessment. The traditional ATO lacks the speed and security an organization requires to address technology changes and emerging threats. In contrast, a DOD Authority to Operate with cATO takes a more dynamic and ongoing approach. Rather than a periodic reevaluation at a set interval, cATO requires consistent and ongoing authorizations to ensure compliance with security standards. Continuous monitoring tools and practices help identify and mitigate risks as they arise, providing a more flexible and responsive approach to system security.
What Is the cATO Process Like Today?
continuous Authority to Operate (cATO), when done correctly, is about authorizing the system itself. However, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, policies/processes, and technologies. We firmly believe that local context is an important factor when designing and implementing cATO—you cannot succeed if you don’t know where you’re starting from:
- People: Implementing cATO starts with a strong, knowledgeable change leader who understands software delivery and its business impacts. This leader guides a skilled, empowered team while ensuring accountability for cATO success. Ultimately, systems—not people—are authorized, underscoring the need for system-specific focus.
- Policy: Familiarity with NIST SP 800-37, Revision 2 is essential. This framework transitions from static authorizations to dynamic, real-time processes supported by automation and continuous monitoring. Regular risk assessments ensure security and compliance align with agile, modern operations.
- Integrated Process & Technology: cATO integrates the seven steps of the RMF, blending streamlined workflows with technology for efficient execution.
How Do You Implement cATO?
Implementing cATO means implementing the RMF in a way that is fully aligned with Agile and DevOps software development life cycles without compromising compliance or sacrificing speed. This is easier said than done, but at Rise8, we’ve put together a comprehensive cATO playbook with 23 plays to help you implement cATO successfully. Our plays include:
- Organize teams and platforms for success
- Hire independent technical assessors
- Develop a communications strategy & plan
- Employ user-centered design on all the users… especially neglected assessors and authorizers
- Start an education and training campaign during the prepare step
- Mythbusting
- Converge RMF with your SDLC
- Maximize common control inheritance
- Enable modularity of common control inheritance through automation
- Implement the “GRC as code” agreement
- Incorporate OSCAL as you automate
- Build controls into a secure release pipeline
- Automate control implementation workflows
- Embed technical assessors into the SDLC at a reasonable ratio
- Actually document things (no, for real)
- Assess in real time and impose assessor SLAs
- Scan on every commit
- Scan applications at runtime
- Enforce best technical practices (DORA)
- Periodic spot checks and pen tests
- Advanced: Automated checks and pen tests
- Zero-based review to Ongoing Authorization
- Quarterly renewal frequency, immediate notification
Next Steps
If you’re ready to transform the way your organization approaches software development, consider partnering with Rise8. We’ll help you navigate the complexities of continuous delivery with a team as committed as you are. Reach out to us today to start the conversation. Together, we rise.