Federal Zero Trust

Continuous Authorization

The federal authorization model that replaces the fixed three-year reauthorization cycle with sustained, evidence-driven risk acceptance. NIST SP 800-37 Revision 2 (December 2018) formalized this as ongoing authorization, the intended outcome of the Monitor step, the last of the seven RMF steps: rather than re-running the full assess-and-authorize cycle on a calendar, the Authorizing Official keeps the ATO in force for as long as the information security continuous monitoring (ISCM) program keeps producing evidence sufficient to support the risk decision, and revisits that decision when monitoring shows the risk posture has changed. The 2016 revision of OMB Circular A-130 had already removed the fixed three-year reauthorization requirement, which is why the model is now a matter of program maturity rather than policy permission. The DoD cATO program and FedRAMP 20x are the two most visible operational implementations. The model collapses the documentation cliff at the three-year boundary into a steady stream of monitored controls; the practical test of any such program is whether its evidence is current and complete enough that the AO could defend the standing authorization on any given day.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.