What Is the Difference between ATO and Continuous ATO?

According to Forbes, cybersecurity attacks increased by 72% between 2021 and 2023. In the business world, these attacks cause significant financial losses that average $4.45 million. For government, this can result in disruption on the battlefield or in the delivery of critical services.

To ensure a system can protect sensitive information and perform its intended functions without exposing the network to an unacceptable level of risk, government information systems require an Authorization to Operate (ATO). Unfortunately, Traditional ATOs can be time-consuming and often lead to delays in deploying critical systems due to their static, point-in-time assessments. Our Warfighters and citizens pay the price for these delays.

Software development across the federal government requires a more rapid, dynamic, and robust approach— continuous Authority to Operate (cATO). Done correctly, cATO leverages an ongoing authorization tailored for the swift and continuous delivery of higher-quality, secure software.

Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.

What Does ATO Stand For?

ATO stands for Authorization to Operate; it’s a formal declaration that a system meets the necessary government security and privacy standards for deployment as the Federal Information Security Modernization Act (FISMA) requires. It represents a formal commitment to managing security and privacy risks for federal government, including the Department of Defense (DOD) ATO process to implement changes in mission-critical information systems. Unfortunately, the traditional ATO does not support real-time modifications to address changes to technology or emerging threats.

What Is a continuous ATO?

Continuous Authority to Operate (cATO) is the uncodified term used to describe a specific subset of ongoing authorization tailored for continuous software delivery. cATO is designed to integrate continuous monitoring and Agile methodologies, maintaining security and compliance in real time as systems and software are developed and updated. cATO emphasizes continuous assessment and improvement to identify, mitigate, and manage risk over time.

What is continuous monitoring according to NIST? The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) includes continuous monitoring as an essential step to risk management. NIST 800-137 defines information security continuous monitoring as an organization’s “ongoing awareness of their information security posture, vulnerabilities, and threats,” and addresses the assessment and analysis of security control effectiveness.

While there are no official guidelines set by NIST for continuous ATO, DOD outlines three distinct criteria for successfully achieving cATO: continuous monitoring, active cyber defense, and adoption/implementation of DevSecOps.

What Is the Difference between ATO and continuous ATO?

The best way to differentiate between a traditional Authorization to Operate (ATO) and continuous Authorization to Operate (cATO) is that ATO is a time-bound authorization after a point-in-time assessment. cATO is an uncodified term describing a specific subset of ongoing authorization tailored for continuous software delivery.

• ATO traditionally provides authorization for a set period—often three years—after which the organization’s system must undergo a full reauthorization process. This process is resource-intensive, disruptive with the snapshot-in-time evaluation of the system’s security posture, and provides neither speed nor adequate security to address changes in technology and emerging threats.

By contrast, an ongoing authorization tailored for continuous delivery (cATO) represents a more dynamic and continuous approach to identifying, mitigating, and managing risk over time. Instead of requiring periodic reevaluation or renewal at set intervals, an ongoing authorization requires continuous monitoring, implementation or remediation, and assessment to keep pace with the low lead times of continuous delivery found in high-performing DevOps organizations.

What Is a continuous ATO Example?

Ongoing authorization allows organizations to update software in near real-time, as changing technology or emerging threats require.

For example, the Department of Defense may need to rework itstheir fuel management system for a specific location. This system could track fuel supply chains and demands while having functionality to initiate fuel orders and scheduling.

This example includes multiple moving parts: tracking, analysis, and ordering. Under a traditional ATO, major updates would require the static, point-in-time assessment to restart. With cATO, the shift from periodic reauthorization to ongoing assessment and authorization provides a flexible framework for frequent updates and modifications while ensuring systems remain secure and functional over time. cATO benefits include an improved security posture with lower risk; increased transparency and trust; and reduced cost with increased delivery of value to the user.

Tackle Software Delivery Challenges with Rise8

We create environments where changes are implemented swiftly and securely, proving that with the right team and mindset, continuous delivery can reshape the future—one where fewer bad things happen because of bad software.

Embracing cATO isn’t about checking boxes; it’s about revolutionizing the speed and safety with which you can deliver software. If you’re ready to transform the way your organization approaches software development, contact us to learn more about how we enable large enterprises to continuously deliver valuable software that users love.