A new memo from the Department of Defense (DoD) is encouraging the use of a continuous Authorization To Operate (cATO) under the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) – instead of a point-in-time ATO – to serve as the “gold standard” for systems’ cybersecurity risk management.
cATOs are needed to provide real-time or near real-time data analytics for cyber reporting. The memo explains that the traditional point-in-time ATO model may not keep pace with evolving cyber threats.
“cATO represents a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats,” the Feb. 3 memo says.
“In order to achieve cATO, the Authorizing Official (AO) must be able to demonstrate three main competencies: ongoing visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls; the ability to conduct active cyber defense in order to respond to cyber threats in real-time; and the adoption and use of an approved DevSecOps reference design,” the memo details.
Once an AO determines their system has met all three requirements, they can work with their component chief information security officer (CISO) to request a cATO from the DoD CISO. DoD CISO-approved cATOs do not have an expiration date; however, they can be revoked if the real-time risk posture is not maintained.
David McKeown, DoD’s chief information security officer, said one of the main goals of the cATO memo “is about codifying a standard approach for that term for the Department of Defense.”
“What we’ve had in the past was different program elements, different services, using that term in different ways, and it’s created some confusion,” McKeown told reporters last week. “So, in order to figure out what that standardized look of a cATO is and what level of cybersecurity we expect across the three ingredients within that memo, we are going to be working closely with the software factories to tease out those best practices.”
The memo said “DoD CIO-CS will coordinate and publish guidance on the implementation and evaluation of reaching a cATO state” shortly after the memo’s release, but did not indicate a specific date for that.