The Department of Defense has released a memorandum to provide defense agencies with guidance to enable their information systems to achieve a continuous authorization to operate as part of efforts to advance innovation while countering evolving cyber threats.
The memo identifies three competencies the authorizing official should demonstrate to reach cATO: adoption of an approved DevSecOps reference design; the ability to carry out active cyber defense to facilitate real-time cyberthreat response; and ongoing visibility of cyber activities within the system boundary together with continuous monitoring of risk management framework controls.
The document highlights the importance of a continuous monitoring strategy that covers the monitoring and assessment of all security controls within the information system's security baseline, and explains how that strategy relates to achieving a cATO.
For active cyber defense, a system should demonstrate its ability to field countermeasures that block cyber adversaries, and the authorizing official should maintain communications with cyber service providers, U.S. Cyber Command and other operational components to facilitate information sharing and act on it.
Although cATOs do not have an expiration date, such authorizations may be canceled due to changes in risk tolerance, poor cybersecurity posture, or a cyber incident that resulted from poor compliance with cyber practices, according to the memo.