Traditional ATOs expire after three years, triggering costly reauthorization cycles. Continuous ATO eliminates expiration entirely by maintaining real-time security posture visibility. Thalorin enables the three pillars required for cATO: continuous monitoring, active cyber defense, and DevSecOps integration.
Traditional authorization captures security posture at a single moment. The day after assessment, drift begins. Configurations change, vulnerabilities emerge, personnel rotate. By year two, the authorized state bears little resemblance to the operational state. The February 2022 DoD CISO memo established cATO as the “gold standard” for cybersecurity risk management—authorization without expiration, maintained through continuous validation rather than periodic reassessment.
DoD's cATO evaluation criteria mandate three capabilities operating in concert. Without all three, authorization reverts to traditional time-bounded ATO. Thalorin provides the platform infrastructure to implement, monitor, and demonstrate each pillar.
Real-time visibility into security control effectiveness. Automated scanning, log aggregation, and anomaly detection feed a unified dashboard showing current compliance state across all controls.
Control status dashboard with automated evidence collection from scanners, SIEM, and configuration management tools.
DoD operates 50+ software factories delivering mission applications through DevSecOps pipelines. Platform One, Black Pearl, Kessel Run, and Army Software Factory each maintain cATO status, enabling tenant applications to inherit platform controls. Thalorin integrates with these platforms to track inherited controls, monitor tenant-specific implementations, and maintain the evidence chain required for cATO.
cATO requires security integrated into every pipeline stage—not bolted on at the end. Thalorin connects to your CI/CD toolchain to aggregate security findings, track remediation, and automatically generate the evidence trail demonstrating ongoing compliance. Every scan, every gate, every deployment becomes part of your continuous authorization record.
cATO evaluation criteria require “a real-time and robust mechanism for AOs to view the environment.” Generic security dashboards show vulnerabilities and alerts. AOs need to see control status, risk decisions, and authorization impact. Thalorin translates technical telemetry into authorization-relevant views.
Drill-down capability from metrics to underlying controls to specific evidence.
cATO demands measurable security outcomes, not checkbox compliance. Thalorin tracks the metrics that demonstrate ongoing authorization validity: how quickly you detect threats, how fast you remediate findings, how consistently your controls operate.
How quickly vulnerabilities are remediated after discovery. Target: Critical <24 hours, High <7 days, Medium <30 days.
Percentage of deployments passing all security gates without exception. Target: >95% first-pass success.
Frequency of controls falling out of compliance. Target: <5% monthly drift rate.
Age of most recent evidence for each control. Target: 100% of controls with evidence <30 days old.
Mean time to detect and respond to security incidents. Demonstrates active cyber defense capability.
Percentage of inherited controls with validated CSP evidence. Target: 100% inheritance documentation.
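The following is an added illustration, not Thalorin's own code, of how the remediation, gate-pass and evidence-freshness targets above can be evaluated over finding and evidence records; the record layout, the metric function names and the sample data are constructed for the example.

```python
from datetime import datetime, timedelta

# Targets as stated on the page; the dictionary layout is an assumption.
REMEDIATION_SLA = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
}
EVIDENCE_MAX_AGE = timedelta(days=30)   # "evidence <30 days old"

# Constructed sample findings: (id, severity, discovered, remediated-or-None)
FINDINGS = [
    ("F-1", "Critical", "2024-05-01T08:00", "2024-05-01T20:00"),  # closed in 12h
    ("F-2", "Critical", "2024-05-02T08:00", "2024-05-04T09:00"),  # 49h: breached
    ("F-3", "High",     "2024-04-20T08:00", "2024-04-25T08:00"),  # 5 days: ok
    ("F-4", "Medium",   "2024-04-01T08:00", None),                # still open
]
# Constructed sample evidence: control id -> date of most recent evidence
EVIDENCE = {"AC-2": "2024-05-10", "AU-6": "2024-03-15", "CM-6": "2024-05-20"}
NOW = datetime(2024, 5, 25)   # assessment time for the sample data


def _parse(stamp):
    return datetime.fromisoformat(stamp)


def remediation_sla_status(findings, now=NOW):
    """Map finding id -> True if it met its severity SLA.
    Open findings are measured against `now`, so an aged open finding
    counts as a breach rather than being silently excluded."""
    status = {}
    for fid, severity, discovered, remediated in findings:
        closed = _parse(remediated) if remediated else now
        status[fid] = (closed - _parse(discovered)) <= REMEDIATION_SLA[severity]
    return status


def sla_compliance_rate(findings, now=NOW):
    """Share of findings remediated within their severity target."""
    status = remediation_sla_status(findings, now)
    return sum(status.values()) / len(status)


def stale_evidence(evidence, now=NOW, max_age=EVIDENCE_MAX_AGE):
    """Controls whose newest evidence is older than the freshness target."""
    return sorted(c for c, d in evidence.items() if now - _parse(d) > max_age)


def gate_first_pass_rate(deployments):
    """Share of deployments that passed every security gate; each deployment
    is a list of per-gate booleans."""
    return sum(1 for gates in deployments if all(gates)) / len(deployments)
```

With the sample data, half of the findings meet their SLA and AU-6 is the only control whose evidence has gone stale, which is the kind of per-control view an AO would drill into.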
cATO isn't a different authorization—it's an evolution. Systems must first complete all RMF steps and reach the Monitor phase before applying for cATO. The DoD Component CISO nominates candidate systems, and evaluation assesses readiness across Platform, Process, and People criteria. Thalorin guides the transition with gap analysis, readiness scoring, and implementation workflows.
Complete traditional RMF cycle through authorization. Establish baseline security posture and enter Monitor phase.
The DoD Zero Trust Strategy (FY2027 deadline) directly intersects with cATO requirements. Both demand continuous verification, real-time monitoring, and automated response. Navy Flank Speed became the first DoD component achieving “Target” level Zero Trust, serving 560,000+ users. Organizations pursuing cATO are simultaneously building Zero Trust foundations.
See how Thalorin enables the three pillars of continuous ATO — real-time monitoring, DevSecOps integration, and automated evidence collection.