Bryon Kroger, founder and CEO of Rise8, said adopting the continuous authority to operate (cATO) process could help federal agencies speed up digital transformation by continuously delivering secure, agile software while avoiding the bureaucratic delays of repeated reauthorization.
“Think of cATO as an ongoing authorization for continuous delivery after achieving the initial ATO. The process embeds compliance into the development lifecycle by creating strong controls, rigorous continuous monitoring for security and privacy risks, and exceptional documentation,” Kroger wrote in an opinion column published Monday on Federal News Network.
According to the Rise8 chief executive, the cATO method relies on continuously applying the National Institute of Standards and Technology's Risk Management Framework (RMF). He described it as a "disciplined approach" that gives agencies a clearer understanding of a system's risk profile by establishing trust through transparency.
Kroger, also co-founder of the U.S. Air Force’s Kessel Run software factory, called on agencies to leverage the flexibilities that RMF offers, hire technical assessors and implement common controls inheritance as they transition from the traditional ATO process to the cATO model.
He also urged agencies to advance automation and digitization, manage modular evidence packages and demonstrate comprehensive capabilities for continuous monitoring once the initial ATO is achieved.
“The NIST RMF focuses explicitly on verifying that security controls remain in place. Don’t confuse this with dynamic scanning for security vulnerabilities, which is merely one component of continuous monitoring,” Kroger added.