The Defense Department launched a new cybersecurity initiative that will allow for continuous monitoring of cloud systems, the agency announced this week as part of a department-wide shift from passive to active cybersecurity practices.
The initiative calls for continuous authorization to operate (cATO), which DOD touts as an improvement upon its Risk Management Framework (RMF), which previously relied on one-time ATO sign-offs on systems or technologies.
Continuous authorization to operate allows DOD to engage in real-time monitoring of cyber risk. A cATO does not expire as long as the required real time risk posture is maintained,” according to a DOD memo signed by DOD CISO David McKeown.
DOD Chief Software Officer Jason Weiss told GovCIO Media & Research in an email that the cATO memo intends to “build” off current DevSecOps initiatives throughout the agency.
“The memo represents a concerted effort to raise-the-bar beyond what an existing paper document oriented authorization to operate (ATO) requires,” Weiss said. “Different services have created different standards and understanding of what it takes to reach this level of maturity. This memo is the first step to…
