UNCLASSIFIED
Continuous Authorization to Operate (cATO) – Evaluation Criteria Page 18
Glossary
Authorization boundary “All components of an information system to be authorized for
operation by an authorizing official. This excludes separately authorized systems to which the
information system is connected.” NIST SP 800-37r2.
Authorizing Official (AO) is “a senior Federal official or executive with the authority to
authorize (i.e., assume responsibility for) the operation of an information system or the use of a
designated set of common controls at an acceptable level of risk to agency operations (including
mission, functions, image, or reputation), agency assets, individuals, other organizations, and the
Nation.” NIST SP 800-37r2.
Authorization to Operate (ATO) is “the official management decision given by a senior
Federal official or officials to authorize operation of an information system and to explicitly
accept the risk to agency operations (including mission, functions, image, or reputation), agency
assets, individuals, other organizations, and the Nation based on the implementation of an
agreed-upon set of security and privacy controls. Authorization also applies to common controls
inherited by agency information systems.” NIST SP 800-37r2.
Continuous Authorization to Operate (cATO) is the state achieved when the organization that
develops, secures, and operates a system has demonstrated sufficient maturity in its ability to
maintain a resilient cybersecurity posture that traditional point-in-time risk assessments and
authorizations become redundant. This organization must have implemented robust information
security continuous monitoring capabilities, active cyber defense, and secure software supply chain
requirements to enable continuous delivery of capabilities without adversely impacting the
system’s cyber posture.
Continuous Integration/Continuous Delivery (CI/CD) Pipeline is the set of process workflows and
associated tools used to achieve the continuous integration and continuous delivery of software with
maximum use of automation.
Control gate is a defined point in the project lifecycle when specific requirements, called exit
criteria, must be met to move to the next phase in the lifecycle. Exit criteria include functional,
security, and non-functional criteria.
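As an added illustration of how a CI/CD pipeline control gate enforces functional, security, and non-functional exit criteria (example code written for this glossary, not code from the cATO document or from any DoD DevSecOps reference design; the evidence JSON layout, the severity scale, the thresholds, and the tool and rule names in the sample are assumptions):

```python
"""Added example: a pipeline control gate that evaluates exit criteria.

The evidence layout, severity scale and thresholds are assumptions for
this example, not a DoD or NIST specification.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that raised it, e.g. "sast" or "sca" (assumed names)
    rule: str        # scanner rule identifier (constructed in the sample below)
    severity: str    # one of SEVERITY_RANK
    accepted: bool   # True only when a documented risk acceptance exists


@dataclass(frozen=True)
class Evidence:
    """Artifacts a pipeline stage hands to the gate."""
    tests_total: int
    tests_failed: int
    findings: tuple
    sbom_present: bool
    p95_latency_ms: float


@dataclass(frozen=True)
class ExitCriteria:
    """Functional, security and non-functional criteria for one gate."""
    max_failed_tests: int = 0
    min_tests: int = 1                # an empty test suite is not a passing one
    block_at_or_above: str = "HIGH"   # unaccepted findings at this rank fail the gate
    require_sbom: bool = True
    max_p95_latency_ms: float = 500.0


def load_evidence(raw_json: str) -> Evidence:
    """Parse stage evidence; unknown severities are rejected rather than ignored."""
    doc = json.loads(raw_json)
    findings = []
    for f in doc["findings"]:
        sev = f["severity"].upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {f.get('rule')!r}")
        findings.append(Finding(f["tool"], f["rule"], sev, bool(f.get("accepted", False))))
    return Evidence(
        tests_total=int(doc["tests"]["total"]),
        tests_failed=int(doc["tests"]["failed"]),
        findings=tuple(findings),
        sbom_present=bool(doc.get("sbom_present", False)),
        p95_latency_ms=float(doc["perf"]["p95_latency_ms"]),
    )


def evaluate_gate(ev: Evidence, crit: ExitCriteria) -> tuple[bool, list[str]]:
    """Return (passed, reasons). Every unmet criterion is reported, not only the first."""
    reasons = []
    # Functional exit criteria
    if ev.tests_total < crit.min_tests:
        reasons.append(f"functional: only {ev.tests_total} tests ran (min {crit.min_tests})")
    if ev.tests_failed > crit.max_failed_tests:
        reasons.append(f"functional: {ev.tests_failed} failed tests (max {crit.max_failed_tests})")
    # Security exit criteria: unaccepted findings at or above the threshold block the gate
    threshold = SEVERITY_RANK[crit.block_at_or_above]
    for f in ev.findings:
        if SEVERITY_RANK[f.severity] >= threshold and not f.accepted:
            reasons.append(f"security: unaccepted {f.severity} finding {f.rule} from {f.tool}")
    if crit.require_sbom and not ev.sbom_present:
        reasons.append("security: no SBOM attached to the build")
    # Non-functional exit criteria
    if ev.p95_latency_ms > crit.max_p95_latency_ms:
        reasons.append(f"non-functional: p95 latency {ev.p95_latency_ms} ms exceeds {crit.max_p95_latency_ms} ms")
    return (not reasons, reasons)


# Constructed sample evidence (not real scanner output).
SAMPLE_EVIDENCE = json.dumps({
    "tests": {"total": 412, "failed": 0},
    "findings": [
        {"tool": "sast", "rule": "SQL-INJECTION", "severity": "high", "accepted": False},
        {"tool": "sca", "rule": "DEP-EXAMPLE-1", "severity": "critical", "accepted": True},
        {"tool": "sast", "rule": "WEAK-HASH", "severity": "medium"},
    ],
    "sbom_present": True,
    "perf": {"p95_latency_ms": 320.0},
})


def run_sample() -> tuple[bool, list[str]]:
    """Evaluate the constructed evidence against the default exit criteria."""
    return evaluate_gate(load_evidence(SAMPLE_EVIDENCE), ExitCriteria())


if __name__ == "__main__":
    passed, why = run_sample()
    print("GATE PASSED" if passed else "GATE BLOCKED")
    for reason in why:
        print(" -", reason)
```

In the sample the accepted CRITICAL dependency finding does not block the gate because a documented risk acceptance is recorded, the MEDIUM finding sits below the blocking threshold, and the unaccepted HIGH finding is what stops promotion; the gate reports every unmet criterion so the team sees the full exit-criteria shortfall rather than the first failure only.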
DevSecOps is a software engineering culture and practice that aims at unifying software
development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps
is to automate, monitor, and apply security at all phases of software development: plan, develop,
build, test, release, deliver, deploy, operate, and monitor.
DevSecOps Platform (DSOP) is the set of tools and automation that enables a software factory.
It includes the ability to create DevSecOps pipelines with control gates, and to deploy software
into development and test environments. It may also deploy into production, depending on the
production environment. Use of a DevSecOps platform is encouraged to accelerate development,
delivery, and authorization. DoD Enterprise DevSecOps Reference Designs for a DSOP may be
found here.
Information Security Continuous Monitoring (ISCM) is defined as “maintaining ongoing awareness
of information security, vulnerabilities, and threats to support organizational risk management
decisions.” NIST SP 800-137.