The current wave of IT innovation is hitting a big bottleneck in government: the Authority to Operate (ATO) process. Agencies can code quickly with AI agents, deploy quickly with DevSecOps and continuous integration/continuous delivery (CI/CD) pipelines, and scale quickly with the cloud. While the ATO process serves as a vital security check, it remains largely mired in the same manual processes and spreadsheets that agencies have used for decades. The reliance on these periodic, point-in-time security snapshots makes it difficult to keep up with today’s rapidly changing IT environment.
Increasingly, agencies realize they need to adopt a continuous ATO, or cATO, process that provides real-time monitoring of Risk Management Framework controls, ensuring that systems remain compliant and secure as they evolve. cATO entails a fundamental shift from tracking controls in spreadsheets and documents to using machine-readable formats, such as the Open Security Controls Assessment Language (OSCAL), to streamline and automate the ATO process. This compliance-as-code approach enables the ATO process to keep pace with innovation, said Travis Howerton, Co-Founder and CEO of RegScale.
“Everybody’s wanting to get closer to real time on this, so that as soon as there’s a problem, we can respond the same way we do in our Security Operations Center,” he said.
In this video interview, Howerton explains how agencies can shift to a cATO process. Topics include:
- Leveraging OSCAL to assess security in real time
- Enforcing cyber policy in real time
- The emerging role of AI agents
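To make the compliance-as-code idea above concrete, here is an added illustration (not code from RegScale or from the interview): a small Python check that reads a constructed, trimmed-down document in the shape of OSCAL assessment results, rolls findings up to RMF control status, and turns that into a CI/CD gate. The document content and control ids are a constructed sample, and only the fields the check reads are included.

```python
import json
import re

# Constructed sample in the shape of an OSCAL assessment-results document.
# Only the fields this check reads are present; real documents carry much more.
SAMPLE_RESULTS = json.dumps({
    "assessment-results": {
        "results": [{
            "findings": [
                {"title": "Account management objective met",
                 "target": {"type": "objective-id", "target-id": "ac-2_obj",
                            "status": {"state": "satisfied"}}},
                {"title": "Account review statement not implemented",
                 "target": {"type": "statement-id", "target-id": "ac-2_smt",
                            "status": {"state": "not-satisfied"}}},
                {"title": "Audit records not retained long enough",
                 "target": {"type": "statement-id", "target-id": "au-11_smt",
                            "status": {"state": "not-satisfied"}}},
                {"title": "Configuration settings enforced",
                 "target": {"type": "objective-id", "target-id": "cm-6_obj",
                            "status": {"state": "satisfied"}}},
            ]
        }]
    }
})

# A statement or objective id such as "ac-2.1_smt" belongs to control "ac-2.1".
CONTROL_ID = re.compile(r"^([a-z]{2}-\d+(?:\.\d+)?)")

def control_of(target_id: str) -> str:
    """Map a finding's target id to the control it belongs to."""
    match = CONTROL_ID.match(target_id)
    if not match:
        raise ValueError(f"unrecognised target id: {target_id}")
    return match.group(1)

def control_states(raw: str) -> dict[str, str]:
    """Roll findings up per control; one failing finding fails the whole control."""
    doc = json.loads(raw)
    states: dict[str, str] = {}
    for result in doc["assessment-results"]["results"]:
        for finding in result.get("findings", []):
            target = finding["target"]
            cid = control_of(target["target-id"])
            if states.get(cid) != "not-satisfied":   # never downgrade a failure
                states[cid] = target["status"]["state"]
    return states

def pipeline_gate(raw: str, required: set[str]) -> list[str]:
    """Controls that block a deployment: required but unassessed or not satisfied."""
    states = control_states(raw)
    return sorted(c for c in required if states.get(c) != "satisfied")

if __name__ == "__main__":
    blocking = pipeline_gate(SAMPLE_RESULTS, {"ac-2", "au-11", "cm-6", "ia-2"})
    print("blocking controls:", blocking)
```

Run inside a pipeline stage, a non-empty result fails the build, which is the "respond as soon as there is a problem" behaviour the interview describes rather than a periodic spreadsheet review.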
