How to Prepare for Operating Under Continuous ATO Status Using Kion

Austin Fuller

Last updated on February 4th, 2023 at 2:46pm

The Department of Defense (DoD) recently launched a new initiative that will allow for continuous monitoring of cloud systems and build upon existing DevSecOps efforts inside of the DoD. The new continuous authorization to operate (Continuous ATO or cATO) improves upon the existing Risk Management Framework (RMF) by allowing the DoD to engage in real-time monitoring of cyber risk instead of the previous system of one-time authorizations to operate for systems or technologies.

The memo, signed by David W. McKeown, the DoD Senior Information Security Officer, states: “Efforts in the Department are attempting to emphasize the continuous monitoring step of RMF to allow for continuous authorization (cATO). Real-time or near real-time data analytics for reporting security events is essential to achieve the level of cybersecurity required to combat today’s cyber threats and operate in contested spaces.”

The DoD recognizes the gap in properly assessing and monitoring risk between the time a traditional authorization to operate (ATO) is reached and the time it is reviewed every three years. The shift to continuous monitoring of risk after continuous ATO is achieved will help to “deliver cyber resilient capabilities to warfighters at the speed of relevance.”

To achieve continuous ATO, the memo states that the Authorizing Official (AO) must be able to demonstrate:

  1. Ongoing visibility of key cybersecurity activities inside of the system boundary with robust continuous monitoring of RMF controls.
  2. The ability to conduct active cyber defense in order to respond to cyber threats in real time.
  3. The adoption and use of an approved DevSecOps reference design.

While it’s not expected that DoD systems will move to operating under cATOs overnight, it is clear from the above requirements that system owners will need to meet a high bar to be issued cATO status. Kion helps to simplify the complex grunt work that inherently comes with monitoring and operating DoD systems by delivering real-time visibility and remediation of compliance and security violations.

Continuous Monitoring (CONMON)

DoD infrastructure is made up of systems with high complexity due to their sensitivity and varying classification levels. And, given the size of government entities, that complexity is compounded by the need to keep the systems up and functioning because many are mission-critical. These challenges are acknowledged in the DoD memo: “Systems are rarely produced or deployed as a singular system; they operate as a system of systems. The goal of a cATO is to formalize and monitor the connections across these systems of systems…”. This complex environment presents challenges that Kion is uniquely prepared to address.

Kion gives AOs access to continuous monitoring capabilities that allow them to prevent, detect, notify, and remediate through compliance checks across their entire cloud environment in real time. Because Kion is self-hosted inside of the customer’s cloud environment, Kion has controlled, elevated access to run compliance checks and even make prescribed remediations for cloud resources. With over 4,000 compliance checks and support for frameworks like CMMC, NIST 800-53, and more out-of-the-box, Kion can show your real-time security posture with great breadth.

The DoD emphasized the need to be agile with this new approach to continuous monitoring of risk. The memo stated: “Published cATO guidance is intended to be agile as threats mature so cATO evaluation criteria will also be updated to outpace the threats we face. DoD CIO will iterate with the community to ensure that guidance is up to date and commensurate with cybersecurity best practices.”

As RMF controls evolve over time, AOs can create custom compliance checks inside of Kion to stay up to date on any changes and comply with new standards. No matter how requirements change in the future, you will be able to adapt and monitor them.

Active Cyber Defense

While Kion is not positioned as an active cyber defense tool, our open API allows us to ingest findings from other sources like Tenable, AWS Security Hub, and more. Those findings can then be referenced against our library of compliance checks to show potential remediation areas in real time, thus enabling AOs to take immediate countermeasures against potential threats.

Kion will be anticipating the release of guidance from DoD CIO-CS for implementing and evaluating the continuous ATO state. If you’d like to learn more about how you can prepare for the upcoming guidance or see how Kion can help you reach continuous ATO status, reach out to our team.

DoD Enterprise DevSecOps Reference Design

DoD cATO Memo

About the Author

Austin Fuller

Austin has nearly a decade of experience in enterprise software and cybersecurity and is an AWS-certified cloud practitioner.
