A Quick Guide to cATO: From Static Compliance to Real-Time Security

Ask a team that has deployed software in the U.S. government about their experience, and they’ll probably all tell you the same thing: ATO is a pain in the neck.

ATO, short for Authorization to Operate, is the formal decision by an agency's Authorizing Official that an IT system meets the agency's cybersecurity requirements and that its residual risk is acceptable for government use. It is required for software and infrastructure operating in federal environments and is typically granted for up to three years, but that doesn't mean it's easy to obtain.

Traditionally, achieving an ATO has required familiarity with dozens of cybersecurity standards and systems, hundreds of pages of documentation, months of time, and, in some cases, millions of dollars. And even when it’s all complete, this only represents a snapshot of a point in time. So once the certification is up, teams have to go back and account for the updates and cybersecurity standards that emerged in the interim.

It's a process with many inefficiencies, and for years there have been calls for improvement from government agencies and from the private companies that do business with them. Today, those voices are being heard. There is a new groundswell to adopt continuous Authorization to Operate (cATO), which shifts the ATO process from a lengthy, manual review of every system to real-time risk management that integrates security at every step.

With cATO, systems are not only deployed faster to serve the mission sooner, they are also more secure. Let’s explore how this paradigm shift is reshaping the federal government landscape.

The Traditional, Static ATO

While there are plenty of gripes about the traditional ATO process, most government-focused technologists understand its intent. The government has a need to protect highly-sensitive data from nation-state adversaries, and any piece of software or infrastructure that is deployed on its network could present an avenue to a breach. When the stakes are this high, shipping secure systems and doing things the right way are important.

But many lament the traditional ATO process because it is long, arduous, and filled with pitfalls. To obtain authorization, systems must follow the seven-step Risk Management Framework (RMF). To satisfy it, teams have to produce a System Security Plan (SSP). These can run upwards of 400 pages and must include diagrams of every network the system is deployed to, an inventory of every piece of software in the stack, physical security plans for the facilities where it is housed, and more.

Testing the systems is another matter. Security teams send the results of a scan to engineering teams, but these two teams have different conventions and different vernacular, and there are pages of information to review. Engineers who could be building new systems to solve problems end up spending weeks on bureaucratic problems just to get their tools accredited.

That process is hard enough, and it typically takes 12-18 months and costs $1 million, on average, but it’s just for a single system. Operating a government agency requires hundreds of systems, all of which need their own ATO. As the paperwork piles up, backlogs overwhelm the ability to deploy software that’s needed to serve the mission.

When a system does receive an ATO, that authorization is good for up to three years. That gives some longevity, but there are downsides. The ATO reflects a point in time and the security benchmarks prescribed at that moment. In technology, three years is a long time. Systems are updated, new technology is developed, new threats arise, and new standards emerge to protect against them. With all of this activity, systems drift from the baseline established in the original ATO, and they keep drifting with every change. The static process provides no mechanism to ensure that needed updates are identified and completed. This isn't just about compliance; standards and regulations change because the threat landscape changes and industries evolve. In the end, keeping systems current strengthens security. Attackers aren't waiting for an ATO process to kick off.

Continuous ATO, Real-Time Security

As we’ve reviewed so far, the traditional ATO process is time-intensive, labor-intensive, and too easily falls out of date.

There is a growing recognition of the need to reform this process, and Continuous ATO is the result.

With Continuous ATO (cATO), teams can move from a point-in-time certification to a model of constant hardening that aligns with the latest widely-accepted standards and tailors them to the particular needs of an organization. But it’s not just about simplifying the existing ATO process. cATO introduces automation tools that identify and remediate issues without the need for human intervention, so engineering and security teams can spend more time solving real problems and less time solving bureaucratic ones.

The key to cATO is a shift from certifying a single system to accrediting the process that can build many systems. This process not only ensures security is continuously enforced over time, but also scales with a system as it grows and evolves.

There are three core elements of cATO:

- Continuous Monitoring and Enforcement: Provides visibility into the entire system in order to detect drift from the Risk Management Framework control baseline, whether from a security or a compliance perspective, and to remediate unauthorized changes.

- Active Cyber Defense: Enables a proactive response to threats.

- Secure Software Supply Chain: Ensures all components from open source and other third-party providers are secure and integrated with DevSecOps workflows.

These building blocks ensure a strong baseline and alignment with security best practices if implemented correctly. Still, there are challenges along the way. Even basic configuration standards can be a challenge to implement and maintain.
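As a concrete illustration of the "continuous monitoring and enforcement" element, here is a small baseline drift check and remediation routine for an sshd_config-style file. This is an added example written for this article, not Sicura's code or any part of its platform. The baseline, the mapping of settings to NIST SP 800-53 control IDs, and the sample configuration are all constructed for the example; a real baseline would map each setting to the controls documented in the system's SSP.

```python
"""Baseline drift detection and remediation for an sshd_config-style file.

Added illustration, not Sicura's code. The baseline, the control mapping and
the sample configuration below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: keyword -> (required value, control it supports).
# Control IDs are NIST SP 800-53 identifiers chosen for illustration only.
BASELINE = {
    "PermitRootLogin": ("no", "AC-6"),
    "PasswordAuthentication": ("no", "IA-5"),
    "MaxAuthTries": ("4", "AC-7"),
    "X11Forwarding": ("no", "CM-7"),
}

# Matches "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9]*)\s*=?\s*(?P<value>\S+)")

# Constructed sample config showing three kinds of drift: a wrong value, a
# duplicate keyword (sshd honours only the first), and a missing keyword.
SAMPLE_CONFIG = """\
# Constructed sample sshd_config with drift from the baseline
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""


@dataclass(frozen=True)
class Finding:
    keyword: str
    expected: str
    actual: Optional[str]  # None: keyword absent, so sshd's compiled-in default applies
    control: str


def parse_config(text):
    """Effective global value per keyword (lower-cased keyword -> value).

    sshd applies the first occurrence of a keyword and treats everything after
    the first Match line as conditional, so duplicates and Match sections are
    deliberately ignored here."""
    effective = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break
        effective.setdefault(key, m.group("value"))
    return effective


def check_drift(text, baseline=BASELINE):
    """One Finding per drifted or missing keyword; an empty list means compliant."""
    effective = parse_config(text)
    findings = []
    for keyword, (expected, control) in baseline.items():
        actual = effective.get(keyword.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(keyword, expected, actual, control))
    return findings


def remediate(text, baseline=BASELINE):
    """Return a corrected config as text.

    Drifted global lines are rewritten, duplicate global occurrences are
    commented out, and missing keywords are inserted before any Match section
    so they stay global. Comments and unrelated settings are left untouched so
    the resulting diff is small enough for a human to review."""
    canonical = {k.lower(): k for k in baseline}
    seen = set()
    out = []
    in_match = False

    def missing_lines():
        return [f"{k} {baseline[k][0]}" for k in baseline if k.lower() not in seen]

    for line in text.splitlines():
        m = _LINE.match(line)
        key = m.group("key").lower() if m else None
        if key == "match" and not in_match:
            in_match = True
            out.extend(missing_lines())
            seen.update(canonical)
        if in_match or key not in canonical:
            out.append(line)
        elif key in seen:
            out.append(f"# duplicate removed by baseline enforcement: {line.strip()}")
        else:
            seen.add(key)
            out.append(f"{canonical[key]} {baseline[canonical[key]][0]}")
    if not in_match:
        out.extend(missing_lines())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in check_drift(SAMPLE_CONFIG):
        print(f"DRIFT {f.control}: {f.keyword} expected {f.expected!r}, found {f.actual!r}")
    print(remediate(SAMPLE_CONFIG))
```

The point of the example is the evidence trail, not the sshd settings themselves: each finding carries the control it supports, so a run of `check_drift` on every host is the artifact an assessor can inspect, and `remediate` followed by a second `check_drift` demonstrates that the self-healing loop closes. In production the same shape applies to any configuration surface (kernel parameters, cloud account settings, container runtime policy), and remediation would be gated on a change record rather than applied silently.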

To receive and implement cATO, you not only have to be doing those things, you also have to show that you are doing them. Here are three key questions to answer along the way:

- Have we verified that software and IT systems are Secure by Design?
Secure by Design is a set of principles laid out by the Cybersecurity and Infrastructure Security Agency (CISA) for integrating security throughout the software development lifecycle, and aligning with them is a solid starting point for any system.

- Can we validate that continuous monitoring and remediation actually work?
Not every component or individual fix has to be accounted for, but it is necessary to demonstrate that the mechanism providing visibility and self-healing works, for example by showing that an introduced deviation from the baseline is detected and corrected.

- Is it Zero Trust by default?
Zero Trust marks a shift from a model in which users and devices inside the network perimeter are trusted implicitly to one in which no user, device, or connection is trusted by default: every request is authenticated and authorized, regardless of where it originates.

Meet these, and you’re well on your way to obtaining cATO.

Implement cATO with Security Control Management

At Sicura, our team experienced the challenges with the traditional, static ATO process firsthand. This led us to develop a platform that embeds security into the foundation of IT infrastructure, and enables organizations to align with Secure by Design.

Sicura’s products enable security teams to:

- Efficiently assess security controls

- Quickly remediate changes to security parameters related to myriad factors including user actions and software updates

- Enforce customizable baseline security parameters set to minimize organizational information security risks

- Minimize threats from malicious actors

Our Security Control Management platform enables IT teams to obtain Authorization to Operate (ATO) faster, allowing for rapid fielding of mission-critical capabilities.

Trusted by Federal IT teams like Army DEVCOM C5ISR and Department of State–Consular Affairs to secure infrastructure, Sicura SCM protects critical assets while supporting continuous ATO (cATO) initiatives.

Ready to Shift from Static to Continuous Security?

Get in touch to see how Sicura can accelerate your path to cATO.