How Continuous Authorization to Operate (cATO) Increases Proactive Threat Mitigation Maturity for Federal Systems

Published On: July 5th, 20223 min read

As government agencies and Department of Defense (DoD) systems obtain Authorization to Operate (ATOs) for their systems, agencies require system reaccreditation every three years. While the process varies somewhat depending on the type of system and the agency requiring recertification, one thing is true — the process is labor-intensive and largely manual.

On the plus side, at least from a workload perspective, the ATO re-certification was infrequent. Unfortunately, as modernization has continued apace and cybersecurity threats have increased, gaps between reassessment have created problems operationally while the threat surface for both agencies and contractors has increased. Interconnected systems create lateral threat vectors, putting Federal and DoD systems at risk.

New call-to-action

By leveraging current technology and automation, however, a more modern approach has been introduced. The Continuous Authorization to Operate (cATO) shifts the system to real-time monitoring and increases proactive threat mitigation maturity for federal systems.

ATO & Its Challenges

ATO is a process of certification for IT systems that provides permissions for the use of those systems within an organization. Accreditation includes developing and auditing the appropriate security controls that illustrate adherence to the NIST Risk Management Framework (RMF) and indicates that the organization receiving the certification understands and accepts any residual risks.

The challenges with the ATO for federal systems, however, are numerous. Among the issues is the fact that control development, management, and validation are highly manual processes. Additionally, ATO re-certification currently happens every three years — a lifetime when it comes to IT systems and cyber threats.

Additionally, because all of the artifacts and controls for an organization’s re-certification are validated at the same time, the undertaking becomes a fire drill of sorts. For some, once the controls and systems are in place, the ATO is safely shelved until it is time for re-certification. Then, it can be an all-hands-on-deck process to complete the validation in time for re-application.

Advantages of cATO

Instead of a periodic validation of an organization’s ATO, the cATO is a continuous process that moves organizations toward monitoring security controls on a scheduled basis based on the categorization of the system.

A cATO leverages technologies like AI and machine learning when possible, and automates those tasks that do not require direct human expertise or intervention. This offers both time savings and minimizes resource requirements. 

At the same time, it moves toward the constant and consistent cybersecurity protection offered by real-time monitoring. Validation of security controls, data, and updated artifacts can be added to a system of record for continuous agency review, eliminating the fire drill created with the 3-year ATO re-certification efforts.

An Agile Approach to cATO

The idea of adding modern technologies and automation to the ATO process may seem like a distant dream. Frequently, there are too few resources qualified for controls and cybersecurity tasks for the amount of work that needs to be done. Adding in projects, even those that would alleviate some of the manual processes involved in critical tasks such as ATO certification, appear unrealistic.

However, DMI takes an agile approach to cATO updates, building on what the customer already has in place and compartmentalizing updates to make them manageable. DMI tackles cATO updates by:

  • Adding new systems to existing ones instead of replacing when possible
  • Inheriting existing controls when applicable
  • Making use of existing documentation and editing to reflect new information
  • Providing a schedule to re-assess security controls based on the CIA of the system
  • Offering proof of compliance for controls with continuous monitoring with CND tools like IDS/IPS, DLP, and the like as well as external testing

This agile and incremental approach makes the shift to cATO more realistic and obtainable, and in the end, leaves the customer in a state of readiness and compliance.

Questions? DMI would love to hear from you, and discuss a potential approach to cATO process adoption. Contact DMI today to get started with a conversation on how your organization can streamline the move to cATO.

New call-to-action