Continuous Authority To Operate

Picture this: federal agencies releasing software and updates with the speed and efficiency of a tech startup, yet with the rigorous security standards their critical missions demand.

This isn’t a pipe dream—through the continuous delivery model, you can enable faster deployment without compromising security. Here at Rise8, we’re dedicated to this revolution. By emphasizing continuous compliance, we aim to shift the paradigm to continuous delivery with real-time risk management.

Our goal is to demonstrate how applying Agile methodologies to the rigorous demands of RMF can achieve continuous delivery and operational excellence with systems that are not only compliant but also robust and secure. Let's dive into the origin of continuous Authority to Operate (cATO) and how it can redefine success in government software development and beyond.

What Is ATO in Cyber Security? What Are the Advantages and Disadvantages?

To put it simply, ATO is like a permission slip—it gives you authorization to deploy a software solution that both solves a specific problem and meets the cybersecurity requirements for a particular agency like the United States Air Force or United States Department of Veterans Affairs.

Theoretically, the advantages of obtaining an ATO are clear: high quality software with reduced risk.

While these advantages can be true, the disadvantages may outweigh the presumptive benefits. Unfortunately, the authorization process is inadequate with regard to speed and security and our citizens and Warfighters pay the price for these delays. Unlike the commercial sector, lives are often the measure for the cost of delay in government—the software we develop solves real problems on the battlefield, the operating table, in the distribution of government benefits to heroes in desperate need, and across other critical missions. When these projects require years for authorization to start development, the delay from repeatedly seeking an ATO can, and does, literally kill people.

‍

‍

How Can I Obtain an ATO Using the RMF?

ATO is a product of the Risk Management Framework (RMF), a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage and mitigate risks to their information systems. Federal government agencies are the primary users of RMF, although private sector organizations seeking a structured approach to security risk management may use it as well.

RMF lays out seven main steps: prepare, categorize, select, implement, assess, authorize, and monitor. The ATO RMF process could look like this:

1. Prepare: Begin with essential risk management activities:

• Identify key risk management roles
• Establish your organizational risk management strategy and determine the risk tolerance
• Create an organization-wide risk assessment
• Establish tailored control baselines and make them availableIdentify common controls

2. Develop and implement your organization-wide strategy for continuous monitoring Categorize System: Determine the impact if your system was jeopardized—is the risk to the agency low, moderate, or high regarding confidentiality, integrity, and availability of systems or processed information? NIST’s FIPS 199 publication is an RMF tool that can help with this assessment.
3. Select Security Controls: Choose a baseline set of controls from NIST SP 800-53B to protect your system based on risk assessments. Then, add supplemental and compensating controls if necessary from NIST SP 800-53.
4. Implement Security Controls: Apply the selected controls to your system, making sure to properly document how the controls are deployed.
5. Assess Security Controls: Test and evaluate the effectiveness of the controls, making sure they are functioning properly and providing the expected level of security. Penetration testing is an essential part of this assessment.
6. Authorize System: Finally, the AO will review the security risks and effectiveness of the implemented controls. Based on this review, they will decide whether the risks are acceptable and whether or not to grant the ATO.
7. Monitor Security Controls: After receiving authorization, you must perform ongoing monitoring with regular assessments to ensure the system stays secure over time.
   

What Is Continuous Monitoring in RMF?

RMF continuous monitoring involves real-time detecting, reporting, and responding to changes that may affect your system’s security posture. Continuous monitoring can involve activities like:

• Configuration management and control to keep track of all hardware and software configurations, ensuring changes occur in a controlled manner in order to prevent unauthorized modifications that could impact security.
• Security impact analysis to understand how modifications, like software updates or hardware upgrades, affect the system’s overall security.
• Assessment of security controls with regular scans and audits to detect vulnerabilities and deviations from security policies.

With steps like continuous monitoring built into the seven-step process, the RMF demonstrates how security is a dynamic and essential practice that requires integration through each system’s lifecycle to safeguard against ever-evolving threats.

‍

‍

What Is an Example of Authority To Operate?

Imagine a team of software developers tasked with creating a new satellite tracking system for the U.S. Space Force. This system, one that is crucial for national security, requires comprehensive testing for security weaknesses before launching.

After all, the risks of hacking the satellite tracking system could have potentially severe consequences:

• Hackers accessing sensitive information including the operational details of satellites, their trajectories, and other classified data that could compromise national security.
• Bad actors could potentially gain a way to commandeer the satellites themselves, allowing them to alter orbits, deactivate critical functions, or repurpose them for malicious intent.
• Foreign agents could alter the data, misleading operators about satellite positions, potentially causing physical or strategic losses due to incorrect decisions.

With such high stakes, creating a secure system is vital. Armed with an Authority to Operate checklist, the team begins the process to obtain authorization and begin work. The authorization process took just over a year, during which the needs of the U.S. Space Force shifted. Once the team receives their ATO, it must make major changes to controls implementation, thus requiring the need to update and resubmit the System Security Plan (SSP) to meet the new requirements from the Space Force. Unfortunately, this means starting the entire ATO process again. After another year and a half, they finally get a new ATO and begin again. After working on the software project for three years, their ATO expired, and they had to seek reauthorization of their system.

By the time the software was finally complete, nearly six years had passed. While the team was able to deliver a functional satellite tracking system, they weren’t satisfied with the results. If they had a faster process for receiving authorization, they could have tweaked the software as they developed and delivered a truly modern system that met the changing needs of the Space Force.

This narrative shows what authority to operate means in a practical scenario: while it’s obviously important to ensure a vital system is secure and ready to support military operations, the tedious logistics of securing an ATO can cause major bottlenecks and prevent teams from delivering the best possible product at the speed users demand.

Fortunately, there’s a better way: enter Continuous Authority to Operate.

‍

‍

What Is Continuous Authority To Operate?

Continuous Authority to Operate (cATO) is a dynamic, ongoing approval process within RMF designed to expedite software development and delivery without sacrificing security. The concept of cATO emerged in April of 2018, when Lauren Knausenberger, the Air Force Director of Cyberspace Innovation, authorized its use in a memorandum titled “Implementation of Ongoing Authorization for Agile Software Development.” This initiative, spearheaded by Bryon Kroger as a co-founder of Kessel Run, marked a significant shift in how authorizing officials granted operational approvals—aligning RMF with Agile and DevOps methodologies.

Bryon Kroger coined the term “cATO” to describe this innovative approach to ongoing authorization for continuous software delivery. Initially, Kessel Run’s efforts drew from earlier fast-tracked authorization processes like 18F’s accelerated ATOs and NGA’S “ATO-in-a-day.” However, over time, new cATO implementations diverged from the original, RMF-based implementation towards a model that favored certain technologies and political interests, straying from the RMF’s technology-neutral stance. Essentially, cATO shifted to “certify the people and the process” rather than focusing on authorizing the systems themselves the RMF requires.

Today, Bryon Kroger leads Rise8 as Founder and CEO, spearheading the effort to return to an RMF-aligned continuous authorization process.

What Is the cATO Process in Cyber Security?

It’s important to remember one key point: the cATO process, when done correctly, is about authorizing the system itself. However, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, policies/processes, and technologies. We firmly believe that local context is an important factor when designing and implementing cATO—you cannot succeed if you don’t know where you’re starting from. Let’s take a look at each of these inputs in closer detail.

1. People: Effectively implementing cATO begins with identifying a passionate change leader with deep understanding of current software delivery and the business impacts of these projects. This leader should guide a carefully selected team, ensuring a well-rounded approach to risk management. The leader should also empower the Dream Team to own their decisions and the outcomes, fostering accountability for the ongoing success of the cATO process. Your leader should understand that while having a great team is important, ultimately what we actually authorize are systems, not the people creating them.
2. Policy: A baseline understanding of NIST SP 800-37, Revision 2, “Risk Management Framework for Information Systems and Organizations” is necessary for your cATO process to succeed. NIST SP 800-37 outlines the processes and policies for system authorization within an organization, distinguishing between initial authorization, ongoing authorization, and reauthorization. It advocates for a shift from static, point-in-time authorization to a dynamic, near real-time ongoing authorization process facilitated by robust continuous monitoring. This ongoing authorization depends on regular risk assessments and acceptance decisions, supported by automation and continuous monitoring to maintain an up-to-date security and privacy posture, ensuring that the system operation remains within acceptable risk levels. Understanding NIST policies are crucial for organizations aiming to align their security practices with modern, agile operational needs and the continuous delivery of services.
3. Integrated Process & Technology: Now it’s time for the actual cATO process, incorporating the seven steps of the RMF:
   • Prepare (for a zero-based review): Start by aligning all stakeholders, creating a comprehensive Communication Strategy and Plan, and gathering and distributing resources (this video, RMF Introductory Course, NIST SP 800-37, Revision 2 and the NIST RMF Website are excellent examples of cATO/RMF resources to share). During your preparation, remember to leverage common controls inheritance as a part of your plan—the more controls your applications can inherit, the lower the burden on each application team and assessors who only have to assess inherited controls once. Be sure to draw your authorization boundaries thoughtfully, and share the tools and automations you will be using with your team.
   • Categorize: As you categorize your system in accordance with the RMF, this is an opportunity for your Dream Team to accomplish tasks quickly. Security categorization is one of the most important steps in RMF as it directly ties your system’s security to the agency’s priorities
     
     Categorize Resources:‍
     1. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, defines requirements for categorizing information and information systems.‍
     2. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, specifies a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.‍
     3. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, is a four-step process for categorizing the information and information system level of risk.‍
     4. NIST SP 800-53, Revision 5, Recommended Security Controls for Federal Information Systems, is essentially an encyclopedia for security controls.‍
     5. NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, assists with SSPP/SSP development.
   • Control Selection: During the Select step, be deliberate about tailoring controls. Teams often overlook this opportunity that can be critical to the efficacy and efficiency of your continuous RMF. Consider compensating controls as applicable for the use of SaaS awaiting FedRAMP and/or DISA SRG IL P-ATO.
   • Implement & Assess: During this step, your integrated people, process, and technology should produce an authorization package that, per RMF, includes:
     1. Executive summary
     2. System security plan (SSP)
     3. Privacy plan
     4. Security control assessment
     5. Privacy control assessment, and,
     6. Any relevant plans of action and milestones (POAM).
   • Remember: RMF and cATO implementations are meant to be technology agnostic—rather than focusing on specific tools, find the right solutions for your project.
   • Initial Authorization: It’s finally time! Submit your authorization package and meet with the Authorizing Official. Since you’ve involved assessors through the entire system life cycle, and already gone through the remediation process, your initial authorization should be extremely smooth.
   • Monitor: We recommend an initial observation period of 6-12 months with your AO. During this time, meet regularly with assessors and your AO to demonstrate the results of your greatly improved implementation, assessment, and continuous monitoring processes. Be diligent about remediating issues and meeting the conditions for ongoing authorization per your Authorizing Official.
   • Ongoing Authorization: As the project continues, you will continue to submit authorization packages and meet with your Authorizing Official whenever you need to make small changes.
   • Measure Outcomes: Be sure to select outcome metrics for the people, process, and technologies involved in order to prove the success of your project. You can use metrics like Time to Value, employee survey results, Deployment Frequency, Mean Time to Restore (MTTR) after an incident, outage or service degradation – regardless of the metrics you select, be sure you are measuring your outcomes.

Bonus Resource: For agencies like Veterans Affairs, Space Force, or the Air Force, the Continuous ATO playbook from Rise8 contains additional information about implementing cATO properly.

‍

‍

What Is the Difference Between ATO and cATO?

Essentially, a traditional ATO provides a time-bound authorization after a point-in-time assessment, while a cATO is an uncodified term used to describe a specific subset of ongoing authorization tailored for continuous software delivery. An ATO is typically issued for a fixed period, often three years, after which the system must undergo a full reauthorization process to renew the ATO. This process is often resource-intensive and disruptive, requiring a snapshot in time evaluation of the system’s security posture. A cATO, however, is a more dynamic and ongoing approach. Rather than a periodic reevaluation at a set interval, cATO requires consistent and ongoing authorizations to ensure compliance with security standards. Continuous monitoring tools and practices help identify and mitigate risks as they arise, providing a more flexible and responsive approach to system security.

Let’s use a simple analogy to understand this better. Imagine you are building a house and are following the ATO process. You will have four months to finish this project. You consult with your client, draw up detailed blueprints, and make a comprehensive list of the materials, labor, and tools you’ll need to complete the structure. Your client reviews the blueprints and lists carefully with the help of a structural engineer, which takes a week due to the length and depth of the plans, and finally grants approval for construction to begin. As you get into the project, things are going well! The foundation is poured, framing goes up, and everything is flowing smoothly until you hit a snag: the drywall you ordered is now unavailable and you need to order from a different supplier. So, you have to halt your entire team, including the people working on the landscaping outside, update your list of materials, and send the blueprints, materials list, labor quote, and tools list to your client and the structural engineer for the entire project to be reapproved. This delays the project by a week, but they finally approve it and work begins again until another snag pops up: the selected doorknobs are only available in brass, not silver. So back to the drawing board and another week’s delay. Before you know it, your four months have passed and you have to resubmit your blueprints and lists yet again in order to get another four months to finish this project.

Now, let’s talk about what it could look like as a cATO process. Your journey begins with consulting the client, drawing up your blueprints, and making your lists. However, you’ve involved the structural engineer right from the start. Because she’s already familiar with your plans, the approval process only takes a few days. As the project progresses, you hit the drywall snag—you quickly draft an email to the client and the structural engineer letting them know the exact details of the problem and your proposed solution: swapping suppliers. You let them know that no other details of the project have changed. Rather than having to look at the entire packet of blueprints and lists, they simply approve the one change, and the project continues. As each minor problem arises, you’re able to address each issue individually and receive permission for these small changes without causing major delays to the timeline. With this expedited approval process, the house is built in five months.

This is a very simple NIST continuous ATO example, but it demonstrates how following a cATO process can help projects move quickly and efficiently.

‍

‍

What Are the Benefits of cATO?

Continuous authority to operate agile framework has three main benefits:

1. Improve your security posture and lower risk by reducing the number of security defects through threat analysis and secure coding practices. With the Secure Release Pipeline, you can continuously detect and remediate application vulnerabilities as well as provide cybersecurity and vulnerability education to application development teams.
2. Increase transparency and trust with default access to all body of evidence artifacts—like source code, documents, and diagrams—throughout the software development life cycle. This allows security control assessors and cybersecurity personnel an easier way to support continuous monitoring. Additionally, you can incrementally automate risk assessment via secure release pipelines.
3. Reduce costs & increase delivery of value to organizations and end-users through leveraging a cloud environment and reducing the number of security defects and risks. The end result? Shipping software in hours or days, instead of weeks, months or even years.

‍

‍

How Do You Implement Continuous ATO?

Implementing cATO involves implementing RMF in a way that is fully aligned with Agile and DevOps software development life cycles without compromising compliance or sacrificing speed. This task is easier said than done, but at Rise8, we’ve put together a comprehensive cATO playbook with 23 plays to help you implement cATO successfully.

Our plays include:

• Organizing teams and platforms for success
• Hire independent technical assessors
• Develop a communications strategy & plan
• Employ user centered design on all the users… especially neglected assessors and authorizers
• Start an education and training campaign during the prepare step
• Mythbusting
• Converge RMF with your SDLC
• Maximize common control inheritance
• Enable modularity of common control inheritance through automation
• Implement the “GRC as code” agreement
• Incorporate OSCAL as you automate
• Build controls into a secure release pipeline
• Automate control implementation workflows
• Embed technical assessors into the SDLC at a reasonable ratio
• Actually document things (no, for real)
• Assess in real time and impose assessor SLAs
• Scan on every commit
• Scan applications at runtime
• Enforce best technical practices (DORA)
• Periodic spot checks and pen tests
• Advanced: Automated checks and pen tests
• Zero-based review to Ongoing Authorization
• Quarterly renewal frequency, immediate notification

We began with the history of cATO, a process that would not have been possible without collaboration and a deep commitment to continuous improvement. At Rise8, we’re dedicated to moving forward—and we ask for your help! As a final step in your cATO process, consider sharing your new implementations, plays, automations, and lessons learned. We will be creating a formal open source community around RMF for continuous delivery, and will provide ways for you to contribute as we advance the cause, together. Together, we rise!

You can read more about these plays in our continuous authority to operate playbook.

Note: Due to the lack of consensus on what a cATO is and the ambiguity around how to implement the RMF to achieve one, we propose that the term “cATO” no longer be used. Even if everyone agreed on a standard practice for cATO, the name itself cannot be found as an authorization type/decision within NIST 800-37. As we work to clear up how to achieve “early and continuous delivery of valuable software” for the federal government, we hope to codify this process under a new authorization type/decision.

Embracing cATO isn’t about merely ticking compliance boxes—it’s about revolutionizing the speed and safety with which you can deliver software. At Rise8, we’re not just participating in this revolution, we’re leading it. Our mission is clear: we deliver software that doesn’t just function—it transforms. We create environments where changes are implemented swiftly and securely, proving that with the right team and the right mindset, continuous delivery can reshape the future. This is software delivery reimagined, where every deployment is a step towards a world where fewer bad things happen due to bad software.