How to Simplify and Streamline the ATO Process and its Transition to cATO

Varsha Poonacha


   5 min read
Despite the need to modernize IT systems to upgrade or deploy higher quality, lower cost software, the US Government agencies are caught in a vicious cycle when it comes to digital risk. Federal agencies are stuck between the need to accelerate the implementation of new systems to protect against sophisticated threats while meeting Authority to Operate (ATO) requirements.
Federal Information Security Modernization Act (FISMA) requires all agencies to ensure continuous assessment and monitoring of security and privacy risks to get certified to implement software directly via internal government teams or through external partners. Furthermore, with FISMA standards and NIST guidelines & compliance specifications becoming increasingly stringent, the ATO process is getting more cumbersome.
Following the 2020 SolarWinds software attack incident that created a backdoor into the digital infrastructure of Federal agencies and private sector companies, the US President issued a US Cyber Executive Order in May of 2021 that established new rules for government suppliers to enhance cybersecurity.

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”

ATO Process

Government agencies use ATOs to manage risk in their IT systems and its networks by evaluating the security and compliance controls for implementing new systems and upgrading existing ones. The ATO validates that the Federal agency in question accepts that the benefits exceed any operational risk that the new/upgraded system is likely to introduce.


The ATO process requires an exhaustive review and detailed analysis of the IT system and the potential risks it presents to the agency, operations, assets, and individuals. Much of this process remains manual, especially the detailed reports and documentation that needs to be submitted for approval.


Information Security Systems Officers (ISSO) are responsible for completing the ATO process. They work with the IT teams to create and clarify the required agency-specific processes and documentation such as system security plan (SSP), privacy threshold analysis (PTA), contingency plan (CP), etc. Following which a security assessment report (SAR) is prepared.


To secure an ATO. It’s critical for technical staff on vendor teams to have a good relationship with their program’s ISSO and work collaboratively to ensure that the program receives its ATO. However, due to the sheer volume and the extensive process involved, traditional ATO process could take up to 3 years leading to high costs. The Designated Approving Authority (DAA) may also issue ATOs on interim bases for periods from 90 to 180 days.

Applying for ATO

The ATO process is greatly dependent on following the Risk Management Framework process, most commonly associated with NIST SP 800-37. The RMF defines a six-step process that integrates security, compliance, and cyber supply chain risk management activities into the system development life cycle.


the IT system and information processed, stored, and transmitted into low, medium, and high impact. This can help classify the types of information within the authorization boundary and accordingly select appropriate security and compliance controls.



Based on categorization select appropriate security controls based on the set of NIST SP 800-53 to protect the system based on risk assessment(s)



NIST SP 800-53 controls based on parameters defined by the agency/organization.



Designated senior management, typically the AO, evaluates identified risks and decides on whether to authorize to operate, reject or remediate in accreditation decisions.



all security controls to ascertain their efficacy and ensure that they are meeting set requirements and providing desired results.

The security certification and accreditation process consists of four distinct phases:



Following ATO authorization, all security and compliance controls are continuously monitored and assessed for any drift in risk posture. This is recorded and reviewed on an ongoing basis.

Improve Efficiency with Continuous Authorization (cATO)

Improving the efficiency of the traditional ATO process is important. However, due to its inherently protracted nature, by the time an ATO is issued, it might actually be out of date. Therefore, the introduction of the New Continuous ATO Initiative for ‘Active’ Cybersecurity by the Department of Defense (DOD) is a game-changer. With Government and civilian agencies digitally transforming their initiative, speed and agility is becoming critical to their operations.
Further to accelerating and streamlining ATO, it makes it more nimble and flexible. The three main metrics authorizing officials must achieve to reach cATO are:
  1. On-going visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls.
  2. The ability to conduct active cyber defense to respond to cyber threats in real time
  3. The adoption and use of an approved DevSecOps reference design.

DevSecOps to Drive cATO

DevSecOps Shift Left methodology stimulates improved communication and collaboration between the various stakeholders integrated into the DevSecOps environment. This makes achieving cATO viable. For this, automating continuous monitoring, assessment and reporting of drifts in security and compliance posture as well as deploying automation to perform continuous security and compliance assessments during CI/CD (continuous integration/continuous delivery) is critical.

Empower Your Security Teams

The journey to continuous authorization often starts with a federal agency streamlining traditional ATO processes and progressing into operating more systems under continuous authorization. Our extensive experience and in depth knowledge of Government and Federal agency specific security, compliance and governance requirements enables Caveonix’s unified platform to streamline the ATO process and efficiently transition to cATO, helping agencies with continuous monitoring and assessment of their hybrid multicloud estates.
Caveonix Cloud supports every phase of the journey with a modular approach that lets agencies use our platform as the system of record directly or in concert with other applications to start reaping efficiencies and cost savings immediately.
Caveonix Cloud empowers you with:
  • Complete compliance with 42+ regulatory requirements, including FedRAMP, FISMA, NIST RMF, CNSSI-1253, DHS-800-53 Rev4, HIPAA, etc.
  • Expedition of all six steps of the NIST RMF improving efficiency, reducing costs and accelerating timeline to initial ATO completion by 50%, and speeds recertification time by as much as 90%.


Book a demo to see how Caveonix can help you improve your organization’s approach to ATO and cATO.