Continuous Authority to Operate (cATO) is a proactive strategy for maintaining the security and compliance of information systems on an ongoing basis. Unlike traditional ATO, which relies on periodic reviews, cATO involves continuous and automated assessments throughout the entire development lifecycle, including design, implementation, testing, deployment, and operations. This approach encompasses evaluating cybersecurity controls, managing vulnerabilities, updating disaster recovery plans, and continuously monitoring and analyzing for active cyber threats and vulnerabilities. By doing so, agencies can implement flexible and rapid security updates efficiently.

Think of it this way: Compare an annual checkup to a smartwatch for heart monitoring. A traditional checkup involves getting your pulse checked once a year, while a smartwatch monitors it continuously and alerts you if something is wrong. Similarly, cyber attackers target you all year long, so waiting for an annual security check isn’t enough​.

A smartwatch also receives regular firmware updates to ensure accurate health assessments. In the same way, a good cATO process should receive regular updates for security checks to address new and emerging cyber threats​, based upon continuous cyber threat hunting and cyber threat intelligence management.

A traditional ATO process can be tedious, slow, and prone to errors. In contrast, cATO automates cybersecurity checks throughout the day and with every code push, rather than just once a year.​

cATO includes setting cybersecurity controls based on a system’s risk level—low, moderate, or high—and using automated tools like Twistlock and Aqua for real-time scanning. This continuous approach helps organizations quickly identify cyber threats and maintain strong security.

Implementing cATO can be challenging, because it requires a mindset shift. Moving to continuous monitoring and real-time security management means changing traditional methods. Cybersecurity gaps might appear if initial designs don’t meet all cybersecurity controls, requiring adjustments and ongoing Plans of Action and Milestones (POA&Ms) to resolve issues.

REI works with agencies to support cATO programs by actively managing cybersecurity to keep systems safe and compliant. This involves regularly updating ATO processes, checking for cyber vulnerabilities, and ensuring everything works together seamlessly. It also means adapting to new regulations while maintaining automated systems. Based on our experience implementing cATO, we’d like to offer these tips and warnings:

Tips for Being a Good cATO Custodian:

Actively Manage Cybersecurity: Being a good custodian of cATO means more than just keeping systems running; it’s about actively managing and improving cybersecurity processes. This requires cultivating a cybersecurity-first culture, stressing the importance of cybersecurity in all operations, and encouraging collaboration among IT, developers, information system security officers, business sponsors, and other stakeholders.

Invest in Cybersecurity Training: Regular training is key to keeping all staff updated on the latest cybersecurity practices and tools. For example, everyone should be required to attend various levels of training per NIST and other security bodies (like DHS USCIS ISD). The levels can vary based on job role/function. This helps staff manage cATO effectively and ensures they are prepared to handle new challenges as they emerge.

Adapt to Change: Staying adaptable is a must for cATO success. cATO requires active continuous monitoring and impact analysis with every change. Additionally, continuously updating cybersecurity measures to address new cyber threats and regulations ensures your system stays protected and compliant.

Automate Everything: Leveraging Security Orchestration and Automated Response (SOAR) technology minimizes the chance of human error and lets you measure your cybersecurity posture multiple times a day and with every new code push. People are great at creativity, and automation is great at repetitive tasks. By automating everything, you’re freeing people to do what they do best and making the automation even more robust, resulting in faster response time to cyber incidents, faster remediation of cyber-attacks, and reduced costs.

Overcome Cultural Challenges: Addressing cultural challenges requires perseverance and a strong commitment to cybersecurity processes. Even when there’s pressure to prioritize speed, keeping cybersecurity front and center is vital for long-term success. We advocate for cybersecurity by design, thus a SecDevOps mindset. While DevOps has been around for over a decade, fully integrating cybersecurity into the process at the start can ensure security vulnerabilities are addressed up front rather than as an afterthought.  Thus, beginning with cybersecurity in mind helps reduce the tension between speed of development and potential security concerns.

Be on the Lookout for These Common Pitfalls:

Design and Cybersecurity Conflicts: When starting a new software development program, a traditional DevOps approach for designing software and infrastructure often conflicts with cybersecurity controls. This can lead to security gaps that require revisions, which are complex and time-consuming. It’s important to align the design with security standards from the beginning, but this can be challenging. “Shift left” cybersecurity thinking can help by integrating security from the start rather than adding it later. This approach speeds up innovation, because development doesn’t get delayed when it reaches the security team.

Inherited Vulnerabilities and POA&Ms: When transitioning a contract or program from one contractor to another, incoming teams often inherit system POA&Ms. These are plans to address known system gaps and need to be prioritized and considered part of regular development activities, not left to be fixed at the end of a development period. Mitigation examples include additional layers of security to protect against the threat, well-organized software updates/upgrades, and innovative workarounds to improve the security posture. POA&M plans should be reviewed regularly and revised based on the current environment. In some cases, plans can change when the software and design of the system change. If POA&Ms are unfixable, they can be mitigated by considering the threat category then requesting a deviation and/or acceptance of the risk. This frequently happens with legacy systems.

Outdated Software and Legacy Infrastructure: Many software solutions and infrastructure were designed years ago with outdated technology that may now be vulnerable. Upgrading or replacing this old technology to meet current security standards can be resource-intensive and requires ongoing review to manage risks while keeping systems functional. Today’s cutting-edge technology can quickly become outdated, but must be prioritized to minimize threats and hacks, so it’s important to track current tools and note their end-of-support dates. This helps teams plan and budget for updates in advance, rather than scrambling to fix problems. This proactive approach is crucial because systems are often interconnected, and one outdated component can cause widespread issues.

Continuous Review and Adaptation: Part of the cATO process involves continuously reviewing security controls and adapting to new threats or vulnerabilities. Maintaining an ongoing review process requires consistent effort and resources. Organizations must balance the need for continuous adaptation with the practicalities of implementing these changes within existing systems and budgets.

Conclusion

cATO keeps systems secure and flexible by constantly assessing cybersecurity and adapting to new threats. This approach helps agencies quickly tackle challenges while staying compliant with cybersecurity regulations. To make cATO work effectively, organizations need to change their mindset and integrate security into everything they do—every single day. Remember, it is vital to ensure cybersecurity by design.

Being a good cATO custodian means actively managing cybersecurity processes, applying IT and cybersecurity governance, regularly training staff, and staying flexible to adapt to changes. It’s important to bring together people, processes, and technology while overcoming cultural challenges. By following these practices, agencies can keep their systems safe and ready for any cyber threats they may face.