Sep 09 2022

Understanding the Transition from Authorization to Operate to Continuous ATO

The Defense Department and other agencies are moving toward a cATO model to better implement continuous monitoring of risk for new IT systems.

Federal agencies have long followed the National Institute of Standards and Technology’s Risk Management Framework for Information Systems and Organizations to help agencies select the appropriate safeguards related to cybersecurity, privacy and supply chain risk management.

A key component of how agency IT officials assess risk and deploy new information systems is an authorization to operate, or ATO. Essentially, ATOs have served as signoffs given to IT systems, whereby officials deem the level of inherent risk in deploying them acceptable enough for them to be used.

Recently, however, the Defense Department and other agencies have indicated that it is time to move to a nimbler and more flexible framework known as continuous authorization to operate, or cATO.

The thinking is that, by the time an ATO is issued, it might already be out of date. Traditional ATOs also do not provide for continuous monitoring of risk the way cATOs are designed to do.

Additionally, cATOs are seen as providing more up-to-date assessments of how cybersecurity functions in real-world conditions, since they are based on current known vulnerabilities rather than what was known at the time an assessment was made months or years ago.


What Is an ATO for Federal Agencies?

The National Institute of Standards and Technology (NIST) defines an ATO, or an Authority to Operate, as the official management decision given by a senior federal official or officials to “authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations,” and the country, based on the deployment “of an agreed-upon set of security and privacy controls.” ATOs also apply to common controls inherited by agency information systems.

ATOs are “informed by a security authorization package including at a minimum a system security plan, security assessment report, and plan of action and milestones that detail risks relating to implementation of required controls for an information system given its FIPS 199 Security Impact level and any additional controls that are tailored in to address specific agency and/or system specific security considerations,” says General Services Administration CISO Bo Berlas.


“ATOs are traditionally issued for a three-year period and renewed every three years based on an updated security authorization package, including a new security assessment report and updated system security plan and plan of action and milestones,” Berlas adds.

Officials establish an authorization termination date as a condition of the authorization, and the date can be adjusted at any time by the authorizing official to “reflect an increased level of concern regarding the security and privacy posture of the system,” NIST states. 

“For example, the authorizing official may choose to authorize the system to operate only for a short period of time if it is necessary to test a system in the operational environment before all controls are fully in place, (i.e., the authorization to operate is limited to the time needed to complete the testing objectives),” according to NIST.

What Is the Difference Between an ATO and a Continuous ATO?

In February, the Pentagon issued a memo that described the benefits of using cATOs, which the memo notes represent “a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.”

To achieve a cATO, authorizing officials “must be able to demonstrate three main competencies: On-going visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls; the ability to conduct active cyber defense in order to respond to cyber threats in real time; and the adoption and use of an approved DevSecOps reference design,” the memo states.

The goal of a cATO is to “formalize and monitor the connections” across the multiple interconnected systems that make up larger IT systems “to deliver cyber resilient capabilities to warfighters at the speed of relevance,” according to the memo.


A key benefit of a cATO is continuous monitoring of security system controls within IT systems. To achieve a cATO, officials will need to show that they have real-time or near-real-time cybersecurity countermeasures they can deploy, as well as a secure software supply chain. 

“Within the Army, continuous monitoring using a cATO helps us make sure the right defensive overwatch posture is in place for systems operating on the network, ensuring the network remains secure while providing the appropriate user experience,” says Army CIO Raj Iyer. “The process ensures that information systems are operating within established security standards as the Army transitions to a zero-trust architecture.”


Continuous ATOs are sometimes referred to as ongoing authorizations, Berlas says, and “are based on a full security authorization package and the results of defined continuous monitoring activities that can be used to determine changes in risk and risk acceptance determinations made by authorizing officials.”

Other agencies are moving to a cATO approach. “GSA is actively moving systems from traditional three-year authorizations to ongoing authorizations as a fundamental pivot away from traditional compliance to more outcome-oriented models focusing on operational security and automation,” Berlas says.  

GSA sees cATOs as “necessary and fundamental to balancing compliance workloads and with requirements to provide operational resiliency,” he adds.  

The agency has a formalized ongoing authorization program for federal information systems that is informed by GSA’s Continuous Monitoring Program and a set of defined prerequisites that are required to be in place before a system can transition from a traditional ATO to a cATO. The process and requirements are defined in GSA’s IT Security Procedural Guide: Information Security Continuous Monitoring Strategy & Ongoing Authorization Program CIO-IT Security-12-66.

ATOs vs. cATOs: Pros and Cons

ATOs provide agencies with a full, three-year or event-driven independent assessment of cybersecurity risk.

However, there are cons to a traditional ATO, including that the assessment is for a point in time and not ongoing, Berlas says.

They are also time-intensive and expensive, not conducive to modern DevSecOps practices, and promote a more compliance-driven approach as well as a culture focused on maintaining paper, according to Berlas.  


Meanwhile, cATOs are operationally focused, promoting more near-real-time visibility and response, Berlas says. They also promote transitioning away from assessments every three years to ones conducted more frequently, as well as from manual assessments to automated assessments.

Further, cATOs leverage common controls, which leads to cost savings and improved efficiency, Berlas notes. Also, cATOs offer a stronger security posture with less time needed to identify and resolve security risks, and they promote DevSecOps and newer teaming models.

How Can Agencies Implement the cATO Process?

If agencies want to adopt cATOs, they need to use a “robust and formalized continuous monitoring program, which requires the ability to maintain ongoing situational awareness and ready response in the event of security events,” Berlas says. 

“At GSA, that means systems in OA are limited at this time to federal information systems that are fully integrated into the agencies’ IT and IT security ecosystems, including implementation of requisite tooling; have full and clean security authorization packages; and are free of fundamental security gaps,” according to Berlas.  


“Agencies can begin their cATO journey by defining their continuous monitoring program and their prerequisites, as GSA has,” he adds.

In the DOD realm, the Army has established a program called Sentinel to baseline the configuration of IT systems and networks to make it easier to conduct continuous monitoring, according to an Army official. The Army also has established an accredited DevSecOps platform called CReATE in the commercial cloud to allow application developers to build cybersecurity early into the software development process, which is a key enabler to achieving a cATO.
