PLATFORM
SOLUTIONS
FEATURES
COMPANY
RESOURCES
EVENTS
CONTACTLOGIN
BY SOLUTION
Software accreditationCloud compliance & securityDevSecOps Platformmanaged application hosting
BY CLOUD PROVIDER
AWS Gov CloudGoogle Cloud Platform
EVENTS
OFFSET SYMPOSIUMEVENTS
CompanY
About uscareersPartnersnewsroom
Resources
BlogPodcastsCase StudiesVideowebinarsGlossaryNewsletter
PLATFORM
SOLUTIONS
FEATURES
COMPANY
RESOURCES
EVENTS
LOGIN
TALK TO TEAM
 
MAIN MENU
TALK TO TEAM

What is a Continuous Authority to Operate?

Chris Bryant
August 1, 2022

An Authority to Operate (ATO) is a government seal of approval for an IT solution to operate on government networks. It signifies that software is functional and secure. Most ATOs are static because the results of security and risk assessments only capture a snapshot of an information system’s security posture. As changes are made to the system, a new assessment must be accomplished to update the static security information. This process takes time, often resulting in slow releases of new features and capabilities. A continuous ATO (cATO) is a type of ATO that can be achieved to avoid this problem. 

How does a cATO Work?

A cATO can be achieved when a system can demonstrate three key competencies: continuous monitoring, real time cyber defense, and the adoption and use of an approved DevSecOps reference design.

  • Continuous monitoring entails maintaining on-going visibility of a system’s cybersecurity posture. The controls in place to perform this monitoring and reporting must be common across the system.
  • Real time cyber defense involves the ability of the system to respond to active threats and cyber attacks. Countermeasures must be effective in thwarting attacks. Data of these attacks should be recorded and reported to official United States cybersecurity entities such as the United States Cyber Command, and JFHQ-DoDIN.
  • An approved DevSecOps reference design is a certified set of processes, tools, platforms, and infrastructures used in combination to develop software. DevSecOps platforms can use inherited security models. An inherited security model means that software built in accordance with pre-determined security protocols and policies and run within the security guard rails of an accredited system, can inherit an ATO.
The cATO model above shows how shifting security and compliance to the left of the development process can improve the efficiency of the ATO process. 

Benefits of a cATO

The benefits of a cATO relate to savings in time, cost, and required expertise for software providers:

  • Software releases can be approved and released in hours versus months, complementing continuous integration and continuous delivery (CI/CD) pipelines. 
  • Software providers can avoid spending excess money on in-house security and government compliance experts.
  • There is no need for software providers to develop their own private production environments.
  • The cATO method cuts out the need for an itemized assessment of all of the thousands of security controls for every software release.
  • Dynamic Application Security Testing (DAST) and other runtime scanning tools can be leveraged to test application security in production environments.  

The benefits of a cATO are felt by all sides of the capability exchange. Authorizing officials, software providers, mission owners, and end users can all enjoy automated security assurance, greater access to secure virtual capabilities, and software that can adapt to meet changing conditions.

cATO Summarized 

This ATO pathway offers great benefits in cost and time savings. It lends itself to more efficient security assessments and reviews by solving the problem of “snapshot” security perspectives that are only useful until the next software changes are committed. cATOs can streamline security implementation, assessment, review, and certification for those providing software capabilities to the government.

Software Accreditation
DevSecOps
Success Robot illustration
SUCCESS!
DOWNLOAD NOW
Oops! Something went wrong while submitting the form.
Recommended Articles
Defense Software

Understanding DoD Cloud Computing Impact Levels

Understanding DoD Cloud Computing Impact Levels
Business-to-Government (B2G)

Accelerate SaaS Delivery onto DoD Networks with Game Warden from Second Front Systems

Accelerate SaaS Delivery onto DoD Networks with Game Warden from Second Front Systems

Get great content updates from our team to your inbox.

GDPR and CCPA compliant.
Second Front Systems is a public benefit software company accelerating the delivery of mission-critical software-as-a-service (SaaS) solutions to the government.
PlatformGame WardenFEATURESTAlk to teamEVENtsABoutCOMPANYCareersNewsroomGovernmentLEGALDocumentsTERMS OF SERVICEPrivacy PolicyCookie Policy
SolutionsSoftware ACCREDITATIONOffset SymposiumCloud Compliance & SecurityDEvsecops PlatformManaged application hostingBy Cloud ProviderAWS Gov CloudBy CustomerDecision lens
ResourcesBLOGPodcastsCase StudiesVIDEOGlossaryWebinarscontactEventsOffset Symposiumevents
An icon of a location marker.
1207 Delaware Ave Suite 800
Wilmington DE 19806-5225
An icon of an envelop.
info@secondfront.com
301-744-7318
© 2023 Second Front Systems, Inc.