In my role, I’ve had the privilege of meeting with thousands of CISOs, security leaders and customers worldwide. What I hear repeatedly is clear: Managing cyber risk is more complex than ever, driven by the evolving digital, threat, and regulatory landscape. From those conversations, one theme has stood out – the need to operationalize risk. Not just find it. But actually bring people, processes and platforms together in a way that drives real action.
That’s what the Risk Operations Center (ROC) is all about. It’s a framework for quantifying cyber risk, and a model for helping national agencies and organizations act with precision: eliminating the risks that matter most, much faster. In September 2025, the Department of War (DoW) announced its new Cybersecurity Risk Management Construct (CSRMC), marking a shift from stagnant risk frameworks that can’t keep up with the digital battlefield. By shifting from “snapshot-in-time” risk assessments to continuous, automated risk management, this forward-looking approach will enable defense agencies to respond with agility and precision. Combined with machine-readable automation to share the status of key controls, a Risk Operations Center can bring transparency and accountability to risk managers and authorizers alike.
Innovative constructs like continuous Authority to Operate (cATO) reflect a deeper evolution underway in the DoW cybersecurity strategy. The current legacy ATO process — often taking over a year — creates bottlenecks that delay deploying mission-critical technologies precisely when speed matters most. With cyber threats increasing in sophistication and speed, point-in-time compliance checks are inadequate for safeguarding defense assets and personnel.
The goal of cATO is to replace point-in-time ATO assessments with ongoing, real-time security monitoring and risk management. Rather than periodic reauthorization cycles, cATO uses automated security controls, continuous monitoring pipelines, and near-real-time threat visibility to maintain an always-current authorization posture. The key is that the authorizer (internal or external to the organization) gets a near-real-time view into the control’s status.
Advancing Continuous Risk Governance Through Unified Risk Operations
For defense agencies operating in contested and rapidly evolving threat environments, the ROC represents a necessary evolution in cyber governance. A ROC centralizes risk-relevant data across cyber operations, system engineering, compliance and mission domains. It integrates asset and vulnerability telemetry, control performance data, threat intelligence and operational impact assessments into a unified risk framework. Using clear risk scoring, automated workflows and coordination across cybersecurity, IT, acquisition and mission teams, deploying a ROC allows remediation to be prioritized based on mission impact, not just technical severity.
This model supports current cATO objectives. cATO demands automated validation of security controls against defined risk tolerances throughout the system lifecycle. Within a defense agency, a ROC serves as the operational backbone of that mandate, providing visibility into control effectiveness, residual risk and systemic exposure across agencies. Authorizing officials would then have actionable insight into whether defense systems remain within acceptable risk thresholds by gaining a near-real-time view of the status of any control or risk.
Accelerating cATO Alongside Defense Cyber Innovation
Automation, active monitoring and DevSecOps now form the backbone of real-time cyber defense. Defense agencies and tech partners must make continuous diagnostics, risk-driven prioritization and enforced automation standard practice, built on infrastructure that’s truly immutable. In this model, systems aren’t patched in place; every update is a full replacement, driven through CI/CD pipelines for maximum speed and reliability. A unified identity model is core, empowering authorizing defense officials to base risk decisions on immediate, accurate data, not on paperwork or lagging reports.
With that foundation set, here are the starting tactics needed for a successful transition to cATO:
- Deploy Continuous Diagnostics and Mitigation (CDM) using Department of Homeland Security (DHS) program tools for managing assets, vulnerabilities and identities across agencies.
- Leverage a ROC framework to go beyond technical scores like the Common Vulnerability Scoring System (CVSS) for vulnerability management and prioritization. Looking at risk scores based on threat intelligence and mission context empowers agencies to make more informed remediation and response decisions. The ROC then automates continuous monitoring workflows to enrich them with risk-informed context, empowering operators to focus on what matters most.
- Test automation in cloud, application, and container environments to provide the continuous visibility and automated security validation needed for a cATO framework, enabling faster, more secure software delivery.
- Ensure CI/CD pipelines, such as GitHub Actions, GitLab CI and Jenkins, are integrated with security scanning, providing an automated approach to identifying and mitigating security vulnerabilities early in the software development lifecycle (SDLC). This ensures that builds are security-managed before they are deployed to production.
- Leverage container and supply chain security image scanning to automate the continuous monitoring of container security and the modern Kubernetes stack, address supply chain risks and offer the real-time security data necessary for continuous risk management.
- Control mapping and automation with National Institute of Standards and Technology (NIST) Open Security Controls Assessment Language (OSCAL) automates and standardizes security documentation by providing machine-readable formats for control baselines, system security plans, and assessments. This approach reduces manual effort, speeds up compliance processes, enables interoperability between security tools, and can deliver continuous visibility into the state of any control – a goal for any authorizer.
- Automate evidence collection APIs and integration feeds into Federal Authorization and Risk Management Program (FedRAMP) or Federal Information Security Management Act (FISMA) control dashboards, providing real-time, continuous validation of security controls, shifting away from periodic, manual compliance activities.
Advancing Mission Resilience Through Innovation
cATO is not just a technical upgrade; it represents a cultural evolution, embedding security as an ongoing, collective responsibility across every phase of the mission lifecycle. By operationalizing continuous risk awareness, the DoW is setting a new tempo for government cybersecurity: adapting faster, protecting smarter and equipping the military with controls to outpace adversaries and keep mission advantage in a landscape where every second counts.
By embracing cATO’s dynamic, mission-centric ethos, defense agencies will enhance warfighter readiness, safeguard critical operations and create a foundation for sustained technological advantage.
As a cybersecurity visionary, Sumedh is passionate about making the world’s digital journey safer. His education and early experiences as a coder led him to Qualys, where he rose from engineer to president and CEO. He joined Qualys in 2003, shortly after the company’s founding. His contributions and leadership helped propel Qualys to its current success in cybersecurity. Sumedh became president and CEO in 2021. A “product fanatic and engineer at heart,” Sumedh has been instrumental in dramatically expanding the original Qualys platform’s scope, integrations, and automations. He holds a bachelor’s degree in computer engineering with distinction from the University of Pune.



Leave a Reply
You must be logged in to post a comment.