What is Continuous Authority to Operate (cATO)?

A complete overview of cATO

By Rise8


In today’s digital landscape, safeguarding sensitive data and securing information systems are among organizations’ top priorities. In light of emerging threats and reliance on technology for daily operations, from simple to complex, security is increasingly important. As a result, the federal government established laws (such as the Federal Information Security Modernization Act), policies, regulations, and standards to ensure departments, agencies, and organizations implement appropriate measures to safeguard systems and data. 

One such guideline is the NIST Risk Management Framework (RMF), which outlines a structured, but flexible process for managing risks and ensuring the security of information systems. Under this framework, an organization must receive an Authority to Operate (ATO) from the Authorizing Official (AO) before system implementation and use.  However, given the ever-evolving nature of cyber threats and the rapid changes in technology, a traditional ATO provides neither adequate speed nor security. Critical missions and the users who support them require Continuous Delivery as a result of a continuous Authority to Operate (cATO). 

What is cATO?

Continuous Authority to Operate (cATO) is a branded term that was used by the USAF Kessel Run program to describe a specific implementation of an ongoing authorization, as defined within the RMF, that they pioneered to enable Continuous Delivery. It requires rapid and higher frequency application of the RMF to continuously monitor risks as well as the controls in place, and ensure compliance with standards to manage security and privacy risks on a near real-time basis. 

This approach allows for flexibility and responsiveness to emerging threats and alleviates the time and resource-intensive requirement for a full ATO process following a change in technology, requirement, or system.

Why is cATO necessary?

DevOps Research and Assessment (DORA), a program that seeks to understand software delivery and operations performance, has nearly a decade of research indicating a positive correlation between speed, stability, and security in high-performing software organizations. 

Today, however, there are tangible concerns about the traditional application of the NIST RMF and potential delays in the process of obtaining an Authorization to Operate (ATO). Subsequent delays and disruption in government processes could have significant consequences on the battlefield, in medical operations, and across the distribution of government benefits.

Achieving cATO: Key Criteria

The Department of Defense (DoD) has outlined three critical criteria for achieving Continuous Authority to Operate (cATO):

1. Continuous Monitoring: Consistently assessing security controls to ensure they work as intended and effectively mitigate cyber threats. This ongoing monitoring is crucial for an accurate understanding of an organization's security status.

2. Active Cyber Defense: Employing advanced tools and techniques to detect and respond to security incidents and proactively defend against potential cyber threats.

3. Adopting DevSecOps: Integrating security into every stage of the software development lifecycle, promoting early identification and resolution of security vulnerabilities.

These criteria form the foundation for attaining and maintaining cATO, ensuring that security is not a one-time activity, but instead, an ongoing process organizations integrate into daily operations.

Benefits of cATO

Continuous Delivery as a result of cATO offers several advantages to organizations, including:

- Enhanced Security: cATO demands continuous monitoring and protection of sensitive information, reducing the risk of data breaches and cyber-attacks.

- Cost Savings: Automating monitoring processes saves time and resources organizations would otherwise spend on periodic ATO assessments.

- Flexibility: Allowing system changes without repeating the entire ATO process enhances agility and adaptability.

- Compliance: Continuous monitoring and reporting help organizations efficiently meet compliance requirements.

- Improved Software: Eliminating delays in software updates results in the end user receiving better software, faster. 


In our digital age, the Continuous Delivery of mission-critical software as a result of cATO is imperative. cATO ensures the safety of information and enables the swift and secure delivery of essential software. Securing our systems is paramount for national security and maintaining public trust. The underlying urgency is to preserve the stability and integrity of our way of life. 

Want more information on how to achieve cATO? Check out our cATO Playbook.

Photo description: Capt. Zachary Hoffman, officer in charge of Test and Training Support with the Space and Missile Systems Center's Space Superiority, takes notes as Senior Airman Bailey Bourque from the 18th Space Control Squadron, consults with Brian Jennings, current Design Practice Lead at Rise8, and Victor Woo from SMC's Section 31 team on a software prototype at Vendenberg Air Force Base, Calif. The Section 31 team is part of the Kobayashi Maru program at Los Angeles Air Force Base in El Segundo, Calif., and is focused on Airmen building products for Airmen while utilizing industry agile software development practices.

Photo credit: U.S. Air Force photo by Maj. Matt Holland