What Is Continuous Authorization?

When resources are limited and critical missions or services that affect lives are on the line, time is of the essence. Unfortunately, efforts to build security into software development often cost valuable time. For some, making changes quickly means compromising security.

With continuous Authority to Operate (cATO), there no longer has to be a tradeoff between speed and security or stability. In this article, we explore some of the advantages of cATO.

What Does Authorization To Operate Mean?

Authorization to Operate (ATO) refers to the formal declaration that a system meets the necessary government security and privacy standards for deployment, as the Federal Information Security Modernization Act (FISMA) requires. For software across the federal government, including the DOD, an Authority to Operate involves an evaluation of the system’s security controls, risk management strategies, and overall security posture to ensure it can effectively protect sensitive data and maintain operational integrity without compromising the system or broader network.

While obtaining an ATO helps ensure the security and compliance of information systems, the traditional approach is lengthy and complex, involving extensive documentation, rigorous assessments, and multiple layers of review, often resulting in substantial delays to system deployment.

There’s a better way. Adopting a continuous Authorization to Operate (cATO), rooted in the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), allows your team to adapt to changing needs or emerging threats rather than waiting to overhaul an entire system. Instead of slogging for months or years to improve your operations, you can have an impact in hours or days.

Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.

What Is Continuous Authorization?

Continuous authorization, or continuous Authority to Operate, is an ongoing authorization process for continuous delivery that follows initial authorization and moves beyond the point-in-time nature of traditional ATOs. Rather than a time-bound, single point-in-time assessment, cATO represents a more dynamic and continuous approach to identifying, mitigating, and managing risk over time. “Continuous authorization to operate” is an uncodified term describing a specific subset of ongoing authorization tailored for continuous software delivery. Rise8 is spearheading initiatives to accomplish “early and continuous delivery of valuable software,” 25x faster than traditional methods.

What Is the Difference between ATO and continuous ATO?

An ATO is typically issued for a fixed period, often three years, after which the system must undergo a full reauthorization process to renew the ATO. This process is often resource-intensive and disruptive, requiring a snapshot-in-time evaluation of the system’s security posture. A cATO, however, is a more dynamic and ongoing approach. Rather than a periodic reevaluation at a set interval, cATO requires consistent and ongoing authorizations to ensure compliance with security standards. Continuous monitoring tools and practices help identify and mitigate risks as they arise, providing a more flexible and responsive approach to system security. Ongoing authorization requires continuous monitoring, implementation or remediation, and assessment to keep pace with the low lead times of continuous delivery found in high-performing DevOps organizations. The benefits of achieving cATO include improved security posture and reduced risk, increased transparency and trust, and reduced costs with increased delivery of value.

What Is an Ongoing Authorization Example?

Ongoing authorization allows organizations to update software in near real-time, as changing technology or emerging threats require. As a continuous ATO example built on National Institute of Standards and Technology (NIST) guidance, consider developing a new system to monitor air quality across the country. Using the flexible NIST Risk Management Framework (RMF), the organization can obtain an initial ATO and then move to an ongoing authorization for continuous delivery. Preparation to develop the new system would include identifying key roles, establishing a risk management strategy, categorizing the system, selecting and implementing appropriate security controls with emphasis on automation and real-time assessment, and documenting all of this in a System Security Plan (SSP). Instead of a one-time static assessment, the system has real-time monitoring tools for continuous evaluation to detect and address vulnerabilities as they emerge. This requires regular testing and updates to security controls. With continuous monitoring, the Authorizing Official (AO) can grant ongoing authorization if the system meets security standards, without waiting for a periodic review cycle.

How Do You Implement Continuous ATO? With Rise8!

Rise8 capabilities, executed by small, empowered balanced teams, continuously deliver technology-neutral, valuable software users love with mission impacts that transform culture. Our digital solutions include:

  • Cloud Infrastructure & Platform Engineering
  • Applications & Data
  • Cybersecurity & Compliance
  • Product & Execution
  • Research & Design
  • Strategy & Operating Model

Ready to rise? Contact us to learn how.
