Transitioning from ATO to cATO in the Federal Government


Continuous ATOs are sometimes referred to as ongoing authorizations, Berlas says, and “are based on a full security authorization package and the results of defined continuous monitoring activities that can be used to determine changes in risk and risk acceptance determinations made by authorizing officials.”

Other agencies are moving to a cATO approach. “GSA is actively moving systems from traditional three-year authorizations to ongoing authorizations as a fundamental pivot away from traditional compliance to more outcome-oriented models focusing on operational security and automation,” Berlas says.

GSA sees cATOs as “necessary and fundamental to balancing compliance workloads and with requirements to provide operational resiliency,” he adds.

The agency has a formalized ongoing authorization program for federal information systems that is informed by GSA’s Continuous Monitoring Program and by a set of defined prerequisites that must be in place before a system can transition from a traditional ATO to a cATO. The process and requirements are defined in GSA’s IT Security Procedural Guide: Information Security Continuous Monitoring Strategy &…