Federal GRC Engineering

cATO

Continuous Authorization to Operate, the DoD authorization model in which a software delivery organization sustains an Authority to Operate through continuous monitoring, automated control evidence, and a fully implemented DevSecOps pipeline, rather than through a point-in-time assessment refreshed every three years. The DoD CIO published the "DevSecOps Continuous Authorization Implementation Guide" on April 11, 2024, defining specific security and development metrics, evaluation criteria, and the role of software bills of materials (SBOMs) in cATO eligibility. Air Force Platform One operates one of the longest-running cATO implementations in the department.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.