What Is an ATO from the DOD?

Federal agencies need authorization to operate when making changes to software systems. See what’s required and how the system can be improved.

The DOD's approach to ATOs is essential to safeguard national security information and ensure defense systems are resilient against evolving threats. The traditional ATO, however, rests on a point-in-time assessment of security controls that is repeated only for major updates or when the authorization expires. It does not support near real-time changes to keep pace with new technology or emerging threats.

A popular alternative to the traditional ATO is an ongoing authorization tailored for continuous delivery, referred to as continuous Authorization to Operate (cATO). Unlike the traditional ATO, which is a time-bound approval of a fixed system state, cATO is an ongoing authorization within the NIST Risk Management Framework (RMF) designed to expedite software development and delivery without sacrificing security. It is better suited to mission-critical environments that require rapid, frequent software updates while maintaining a high level of assurance.

Note: ATOs are often colloquially referred to as an "Authority to Operate." The technical term is "Authorization to Operate." This guide occasionally uses the colloquial term in addition to the technical phrase.

What Is an ATO for Software?

An ATO is a formal declaration by a senior agency official that a system meets the government security and privacy requirements needed for operation, and that the residual risk is acceptable, as the Federal Information Security Modernization Act (FISMA) requires.

Federal government agencies are the primary users of the RMF, although private sector organizations seeking a structured approach to security risk management may also adopt it. The Authorizing Official (AO), a senior official responsible for evaluating and formally accepting the security risks associated with an information system, grants the ATO. The AO holds the critical decision-making role of determining whether a system is fit for operational use on an agency's network.

What Is an ATO in the DOD?

The Department of Defense (DOD), like other federal agencies, requires an Authorization to Operate (ATO) to ensure a system can protect sensitive information and perform its intended functions without exposing the network to unacceptable levels of risk. Obtaining a DOD ATO means applying the National Institute of Standards and Technology's seven-step Risk Management Framework (NIST SP 800-37, Rev. 2), which the DOD implements through DoD Instruction 8510.01. The DOD ATO requirements and process steps therefore follow the RMF steps:

  • Prepare: Identify key risk management roles, define an organizational risk strategy with tolerance levels, and establish a risk assessment approach with tailored control baselines.
  • Categorize: Determine the system's impact level (low, moderate, or high) based on the potential impact to confidentiality, integrity, and availability using NIST FIPS 199 guidelines (DOD national security systems categorize under CNSSI 1253).
  • Select Security Controls: Based on the system categorization, select a baseline of NIST SP 800-53 controls from NIST SP 800-53B, tailoring and supplementing as needed to address system-specific risks.
  • Implement Security Controls: Implement the selected controls and document how each is deployed and integrated within the system, typically in the System Security Plan (SSP).
  • Assess Security Controls: Verify that the controls are implemented correctly and operating as intended through an independent assessment, which may include vulnerability scanning and penetration testing; the results are recorded in a Security Assessment Report (SAR).
  • Authorize the System: Compile the authorization package (SSP, SAR, and Plan of Action and Milestones) for the Authorizing Official, who weighs the residual risk and decides whether to grant the ATO.
  • Monitor Security Controls: After authorization, continuously monitor the system with ongoing assessments, updates, and reporting to maintain the security posture and respond to emerging threats.

Note: This list is a high-level overview of the RMF process; each step comprises multiple tasks that must be completed. More information is available on NIST's website or when working with an experienced partner like Rise8.

What Is the Purpose of ATO for the DOD?

As with all federal agencies, the primary purpose of an Authorization to Operate for the DOD is to ensure an information system meets specific security standards and carries an acceptable level of risk before it operates on a network. The risk management process behind the ATO emerged from federal efforts to safeguard government information systems and critical infrastructure. Working through it helps identify and mitigate vulnerabilities that could compromise the system or the data it handles.

Do All Federal Systems Require an ATO?

Yes. Every federal information system, whether new or significantly modified, must be authorized before it operates, and the authorization must be kept current. To mitigate security risk and meet FISMA compliance requirements, agencies must:

  • Perform System Risk Categorization
  • Meet Baseline Security Controls
  • Document Controls in the System Security Plan
  • Perform Risk Management
  • Conduct Annual Security Reviews
  • Implement Continuous Monitoring

Continuous Authorization To Operate: A Way Forward for the DOD

The traditional ATO process, while thorough, is not optimized for today's fast-paced software development cycles. cATO is a more dynamic and ongoing approach. Rather than reauthorizing the system only for major updates or at a set interval, cATO keeps the authorization current by continuously monitoring the controls and the delivery pipeline, so that each change is released under standing authorization. The DOD CIO's 2022 cATO memorandum conditions this on ongoing visibility into the system's security controls through continuous monitoring, the ability to conduct active cyber defense, and use of an approved DevSecOps reference design. Continuous monitoring tools and practices identify and mitigate risks as they arise, providing a more flexible and responsive approach to system security.

Pairing cATO with an agile delivery pipeline offers three main benefits:

  1. Enhanced Security: Reduce security defects and risks through threat analysis and secure coding. The Secure Release Pipeline enables continuous vulnerability detection and remediation and builds cybersecurity knowledge within development teams.
  2. Increased Transparency: Provide default access to evidence artifacts (source code, documents, and diagrams) throughout the software lifecycle, making it easier for security assessors to support continuous monitoring and to automate risk assessments incrementally.
  3. Cost Savings and Value Delivery: Leverage cloud environments to cut costs and deliver value faster. The result is software that ships in hours or days rather than weeks or months.

Rise8: Continuous Improvement, Simplified

Ready to elevate your software development approach? Partner with Rise8 to streamline continuous delivery and tackle the complexities with a team as dedicated to your mission as you are. It’s time to make ship happen. Get started today, and let’s drive meaningful change together.