Achieving cATO based on the NIST RMF framework empowers organizations to deliver mission-critical software and updates quickly and securely.
Despite the modern tools that have made software development a much simpler prospect than it was even a few years ago, it’s still a process fraught with delays and security vulnerabilities. In government and military applications, there is an imperative to not only develop effective, secure software, but also deploy it at the speed users demand.
In this context, achieving authorization to operate (ATO)—a formal declaration that authorizes the deployment of a specific system on a network—is vital. Unfortunately, the traditional ATO is a point-in-time security controls check, required for initial deployment, major updates, and when the authorization expires. Software development across the federal government requires a more rapid, dynamic, and robust approach—continuous authority to operate (cATO). Done correctly, cATO leverages an ongoing authorization tailored for the swift and continuous delivery of higher-quality, secure software. The Risk Management Framework (RMF) not only allows for this, but encourages it.
This article highlights the fundamentals of cATO, including how organizations can leverage the National Institute of Standards and Technology (NIST) RMF and the recommended contents of an effective and versatile cATO playbook.
What Does ATO Stand for (in Technology)?
Within a government technology context, ATO stands for authorization to operate; it’s best thought of as a formal declaration that a system meets the government security and privacy standards that the Federal Information Security Modernization Act (FISMA) requires for deployment. It represents a formal commitment to managing security and privacy risks for federal government software, including that of the Department of Defense (DOD).
Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.
What Is Continuous Authorization to Operate (cATO)?
Continuous authorization to operate (also called continuous authority to operate, or cATO) is an ongoing-authorization process for continuous delivery that begins after a system achieves its initial authorization and moves beyond the point-in-time nature of a traditional ATO. This methodology suits mission-critical environments that require frequent and rapid deployment of software updates while maintaining high security.
What Is a Continuous ATO (cATO) Based On?
Initially, cATO was part of an initiative to streamline and expedite software approval processes, blending Agile and DevOps methodologies with the existing RMF. This innovative approach revolutionized traditional practices by emphasizing continuous assessment and improvement.
Today, the Department of Defense (DOD) describes cATO as a continuous risk determination and authorization by continuously assessing, monitoring, and managing risk. cATO allows organizations to build and release new system capabilities if they can continuously monitor them against the approved security controls. Organizations must meet three criteria to achieve cATO: continuous monitoring of security controls; active cyber defense measures; and the adoption of DevSecOps practices.
At times, this framework has devolved into an exercise of “authorizing the people and the process” rather than authorizing the information system, as the RMF requires. It’s important to remember that cATO authorizes the system itself; the right people, policies/processes, and technologies are the inputs that produce secure, authorized outputs in a trustworthy and transparent environment.
What Is the Difference between ATO and cATO?
The best way to differentiate between a traditional Authorization to Operate (ATO) and continuous Authorization to Operate (cATO) is that an ATO is a time-bound authorization granted after a point-in-time assessment. cATO is an uncodified term describing a specific subset of ongoing authorization tailored for continuous software delivery.
- ATO traditionally provides authorization for a set period—often three years—after which the organization’s system must undergo a full reauthorization process. This process is resource-intensive and disruptive, its snapshot-in-time evaluation of the system’s security posture provides neither speed nor adequate security, and it cannot keep up with changes in technology and emerging threats.
- By contrast, an ongoing authorization tailored for continuous delivery (cATO) represents a more dynamic and continuous approach to identifying, mitigating, and managing risk over time. Instead of periodic reevaluation or renewal at set intervals, compliance under an ongoing authorization requires truly continuous monitoring, implementation or remediation, and assessment to keep pace with the short lead times of continuous delivery found in high-performing DevOps organizations.
A 2022 DOD memorandum described current ATO processes as imperfect and insufficient in meeting modern challenges. Specifically, the current implementation “focuses on obtaining system authorizations (ATOs) but falls short in implementing continuous monitoring of risk once authorization has been reached.” Additionally, “real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces,” bolstering the requirement for a transition from ATO to cATO “to accelerate innovation while outpacing expanding security threats.” Because operations typically occur across a system of systems, the goal is to formalize and monitor system connections and enhance overall cybersecurity.
What Are the Benefits of Continuous ATO (cATO)?
When organizations achieve continuous Authorization to Operate, they benefit in three distinct ways:
Improved Security Posture, Lower Risk
Some of the most effective ways for organizations to improve their security posture and lower their risk exposure include:
- Rapidly assessing and reducing the number of security vulnerabilities or defects through effective threat analysis and best practices for secure coding.
- Continuously working to detect—and then remediate—application vulnerabilities effectively and quickly.
- Making up-to-date, reputable cybersecurity and vulnerability education available to development teams and other stakeholders.
Increased Transparency, Trust
When properly developed and implemented, cATO also increases transparency and trust within the organization, by:
- Making all body-of-evidence artifacts (e.g., source code, documents, or diagrams) from throughout the software development life cycle accessible to security control assessors and other cybersecurity personnel, so they can support assessment and evaluation through continuous monitoring.
- Establishing and utilizing secure release pipelines to facilitate incremental automation of key risk assessment functions and practices.
Reduced Costs, Increased Delivery of Value
Organizations can reduce their costs and increase the delivery of value for their own and their end users’ needs by:
- Leveraging a secure cloud environment for software design, development, and delivery.
- Reducing the overall number of security defects and risks, including taking a proactive cybersecurity posture to quickly detect and mitigate new vulnerabilities as they emerge.
- Decreasing the time it takes to fully develop and deliver software solutions—from weeks, months, or even years to hours or days.
- Providing a level of adaptability and agility that enables developers to make more efficient system changes and updates.
- Ensuring compliance within complex regulatory environments.
What Is the RMF Continuous Monitoring Strategy?
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) continuous monitoring strategy provides essential tasks in the ATO process to maintain ongoing situational awareness in support of risk management decisions regarding the security and privacy posture of information systems.
As laid out in the framework’s flexible and adaptable guidelines, the RMF process consists of seven essential steps that organizations may apply in a nonsequential order:
Note: This checklist is a high-level overview of the seven-step RMF process; each step comprises multiple tasks that must be completed. More information is available on NIST's website or when working with an experienced partner like Rise8.
- Prepare: Identify key risk management roles, develop a risk management strategy, conduct risk assessments, identify organizationally tailored and common controls, and establish a monitoring strategy.
- Categorize: Analyze the impact of loss to categorize systems and the information they process, store, and transmit.
- Select: Choose an initial set of controls and tailor them following the complete risk assessments.
- Implement: Employ controls and describe how they apply within the system and its operating environment.
- Assess: Determine whether the organization has effectively implemented controls and whether they produce the intended results regarding security and privacy requirements.
- Authorize: Provide organizational accountability with a leadership determination on whether the system or controls have an acceptable level of risk to operate.
- Monitor: Monitor the system and implement controls over time to mitigate risk and keep systems and information secure; document changes, conduct risk assessments and impact analyses, and report the security and privacy posture of the system.
What Is NIST 800-53 Continuous Monitoring, and What Are the Benefits?
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides a structured approach to risk management, and continuous monitoring is one of its essential steps. NIST 800-137 defines information security continuous monitoring as an organization’s “ongoing awareness of their information security posture, vulnerabilities, and threats,” and addresses the assessment and analysis of security control effectiveness. Accordingly, the RMF provides guidance for maintaining ongoing situational awareness of the security and privacy posture of the information system in support of risk management decisions.
How Do You Implement Continuous ATO?
The DOD outlines three distinct criteria for successfully achieving cATO: continuous monitoring, active cyber defense, and adoption/implementation of DevSecOps.
- Continuous monitoring requires a consistent approach to assessing security controls, including verification that in-place controls are working properly without introducing new vulnerabilities.
- Employing an active cyber defense involves the adoption and implementation of advanced tools and techniques for proactive threat detection and risk mitigation.
- Finally, adopting DevSecOps empowers organizations to integrate security into each stage of software development, deployment, and ongoing authorization.
So, how do organizations achieve these three objectives without compromising security or speed? Success starts with an established and proven continuous ATO playbook or template. This approach provides a checklist of essential continuous ATO process steps that simplifies maintaining ongoing security without slowing down the ability to deploy updates and deliver new features.
What Is Included in a Continuous ATO Playbook?
A basic continuous Authorization to Operate (cATO) playbook addresses three main components of continuous ATO management—people, policies, and integrated processes/technologies—and specific, technical “plays” for cATO implementation. Let’s review each of the three major components of the cATO playbook before evaluating the types of specific “plays” your playbook should include.
- People: Despite the proliferation of AI throughout countless industries, an effective cATO playbook doesn’t just design plays or “run” itself. Instead, it requires passionate leadership and a dedicated team ready to take a proactive, comprehensive approach to the design, development, and deployment of projects.
- Policies: Effectively achieving—and maintaining—cATO requires a lot of quick, yet informed, decision-making, often within a high-pressure context. Leveraging a well-designed cATO playbook is one of the best ways to make competent decisions quickly. Organizations may leverage an existing cATO playbook or opt for an ATO or continuous ATO playbook template they can customize to their applications.
- Integrated Processes and Technologies: In practice, this means applying the seven steps of the RMF: prepare, categorize, select, implement, assess, authorize, and monitor. As an organization becomes more experienced and proficient with the principles of cATO, it streamlines the process of developing and deploying higher-quality software with reduced risk.
Where Can I View an Example Playbook for cATO?
View Rise8’s cATO playbook online on our website, or visit this page to download a copy.
Ready to Make Ship Happen? We’re Here to Answer the Call
Visit our About page to learn more about Rise8 or schedule a call to see how we can work together to ensure a future where fewer bad things happen because of bad software.