DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS - MEMORANDUM PENTAGON LEADERSHIP
February 2022
SUBJECT: Continuous Authorization To Operate (cATO)
The Risk Management Framework (RMF) establishes the continuous management of system cybersecurity risk. Current RMF implementation focuses on obtaining system authorizations (ATOs) but falls short in implementing continuous monitoring of risk once authorization has been reached. Efforts in the Department are attempting to emphasize the continuous monitoring step of RMF to allow for continuous authorization (cATO). Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces. The purpose of this memo is to provide specific guidance on the necessary steps to allow systems to operate under a cATO state.