20220204 cATO Memorandum: Continuous Authorization To Operate (cATO)

MEMORANDUM FOR SENIOR PENTAGON LEADERSHIP
DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS
SUBJECT: Continuous Authorization To Operate (cATO)
The Risk Management Framework (RMF) establishes the continuous management of system cybersecurity risk. Current RMF implementation focuses on obtaining system authorizations (ATOs) but falls short in implementing continuous monitoring of risk once authorization has been reached. Efforts in the Department are attempting to emphasize the continuous monitoring step of RMF to allow for continuous authorization (cATO). Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today's cyber threats and operate in contested spaces. The purpose of this memo is to provide specific guidance on the necessary steps to allow systems to operate under a cATO state.

cATO represents a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats. In order to achieve cATO, the Authorizing Official (AO) must be able to demonstrate three main competencies: on-going visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls; the ability to conduct active cyber defense in order to respond to cyber threats in real time; and the adoption and use of an approved DevSecOps reference design.
Continuous Monitoring (CONMON)
RMF requires a CONMON strategy for each system. This strategy describes how the System Owner, in coordination with Service Providers, will continuously monitor and assess all of the security controls within the information system's security baseline, including common controls. The specific plan will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. Automated monitoring should be as near real time as feasible. Manual controls will have different timelines associated with them, but must be included in the overall monitoring strategy. It is critical that System Owners, in coordination with Service Providers, demonstrate the ability to effectively integrate the automation and monitoring of all security controls prior to entering into a cATO status.

Systems are rarely produced or deployed as a singular system; they operate as a system of systems. The goal of a cATO is to formalize and monitor the connections across these systems of systems to deliver cyber resilient capabilities to warfighters at the speed of relevance. CONMON requires that the AO have the ability to monitor the cumulative set of security controls that span the AO's area of responsibility (AOR) in order to make real time risk decisions. The AO must approve, support and manage an organization's CONMON plan for all applications.
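The CONMON requirements above (automated controls reporting in near real time, manual controls on their own cadence, and one cumulative view across the AO's AOR) as a small added example that is not part of the memo or of any DoD tooling: it rolls constructed control-evidence records into a per-system and AOR-wide status and flags controls whose evidence is failing or stale rather than silently counting them as green. The control identifiers, system names, freshness windows and timestamps are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Freshness window per monitoring method (assumed values for this example):
# automated controls should report near real time, manual ones on a longer cadence.
MAX_AGE = {"automated": timedelta(hours=1), "manual": timedelta(days=30)}

# Constructed evidence records, one per (system, control) inside the AO's AOR.
EVIDENCE = [
    {"system": "sys-a", "control": "SI-4", "method": "automated", "status": "pass",
     "assessed": "2024-05-01T11:50:00Z"},
    {"system": "sys-a", "control": "AC-2", "method": "manual", "status": "pass",
     "assessed": "2024-04-20T09:00:00Z"},
    {"system": "sys-b", "control": "SI-4", "method": "automated", "status": "fail",
     "assessed": "2024-05-01T11:58:00Z"},
    {"system": "sys-b", "control": "CM-6", "method": "automated", "status": "pass",
     "assessed": "2024-05-01T06:00:00Z"},  # feed silent for hours: stale
    {"system": "sys-c", "control": "AC-2", "method": "manual", "status": "pass",
     "assessed": "2024-02-01T09:00:00Z"},  # manual review overdue
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time

def classify(record, now):
    """Return 'stale', 'fail' or 'pass' for one evidence record."""
    assessed = datetime.fromisoformat(record["assessed"].replace("Z", "+00:00"))
    if now - assessed > MAX_AGE[record["method"]]:
        return "stale"  # no current evidence: unknown, never counted as green
    return "pass" if record["status"] == "pass" else "fail"

def aor_dashboard(records, now):
    """Per-system rollup plus an AOR-wide list of controls needing AO attention."""
    per_system = defaultdict(lambda: {"pass": 0, "fail": 0, "stale": 0})
    attention = []
    for rec in records:
        state = classify(rec, now)
        per_system[rec["system"]][state] += 1
        if state != "pass":
            attention.append((rec["system"], rec["control"], state))
    # A system is green only when every control has fresh, passing evidence.
    overall = {s: "green" if c["fail"] == 0 and c["stale"] == 0 else "red"
               for s, c in per_system.items()}
    return {"systems": dict(per_system), "overall": overall,
            "attention": sorted(attention)}

if __name__ == "__main__":
    view = aor_dashboard(EVIDENCE, NOW)
    print(view["overall"])
    for system, control, state in view["attention"]:
        print(f"{system} {control}: {state}")
```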
For cATO, all security controls will need to be fed into a system level dashboard view, providing a real time and robust mechanism for AOs to view the environment. Using this information, the AO will be better positioned to make real time and informed risk decisions as to

OFFICE OF THE SECRETARY OF DEFENSE
1000 DEFENSE PENTAGON
WASHINGTON, DC 20301-1000