Authorization that never expires
Traditional ATOs expire after three years, triggering costly reauthorization cycles. Continuous ATO eliminates expiration entirely by maintaining real-time security posture visibility. Thalorin enables the three pillars required for cATO: continuous monitoring, active cyber defense, and DevSecOps integration.
From periodic snapshots to continuous assurance
Traditional authorization captures security posture at a single moment. The day after assessment, drift begins. Configurations change, vulnerabilities emerge, personnel rotate. By year two, the authorized state bears little resemblance to the operational state. The February 2022 DoD CISO memo established cATO as the “gold standard” for cybersecurity risk management—authorization without expiration, maintained through continuous validation rather than periodic reassessment.
Traditional ATO
- Point-in-time assessment
- 3-year authorization cycle
- Manual reassessment required
- Security drift between cycles
- Reactive posture
Continuous ATO
- Real-time monitoring
- No expiration date
- Automated validation
- Drift detected immediately
- Proactive posture
Three pillars. Continuous authorization.
DoD's cATO evaluation criteria mandate three capabilities operating in concert. Without all three, authorization reverts to traditional time-bounded ATO. Thalorin provides the platform infrastructure to implement, monitor, and demonstrate each pillar.
Continuous Monitoring
Real-time visibility into security control effectiveness. Automated scanning, log aggregation, and anomaly detection feed a unified dashboard showing current compliance state across all controls.
Requirements
- All security controls fed into system-level dashboard
- Real-time mechanism for AOs to view environment
- Automated alerting on control degradation
- Evidence of ongoing assessment activities
Thalorin Capability
Control status dashboard with automated evidence collection from scanners, SIEM, and configuration management tools.
Built for software factories
DoD operates 50+ software factories delivering mission applications through DevSecOps pipelines. Platform One, Black Pearl, Kessel Run, and Army Software Factory each maintain cATO status, enabling tenant applications to inherit platform controls. Thalorin integrates with these platforms to track inherited controls, monitor tenant-specific implementations, and maintain the evidence chain required for cATO.
Platform One
Air Force- 70+ programs on Big Bang
- Party Bus with DAF-wide cATO
- 1,200+ hardened images in Iron Bank
- Mandated reciprocity across Air Force
Black Pearl
Navy- Government-owned, contractor-operated
- Designated RAISE Platform of Choice
- Sigma Defense as prime contractor
- Navy-wide DevSecOps standardization
Kessel Run
Air Force- Pioneered DoD cATO model (April 2018)
- First DoD organization to achieve cATO
- Transitioning to government-led model
- Template for software factory authorization
Army Software Factory
Army- Austin-based development center
- PEO Soldier cATO for Nett Warrior (2024)
- Soldier-centered application development
- Rapid capability delivery
Security gates that generate evidence
cATO requires security integrated into every pipeline stage—not bolted on at the end. Thalorin connects to your CI/CD toolchain to aggregate security findings, track remediation, and automatically generate the evidence trail demonstrating ongoing compliance. Every scan, every gate, every deployment becomes part of your continuous authorization record.
Click a stage to view security activities and tools
The dashboard AOs actually need
cATO evaluation criteria require “a real-time and robust mechanism for AOs to view the environment.” Generic security dashboards show vulnerabilities and alerts. AOs need to see control status, risk decisions, and authorization impact. Thalorin translates technical telemetry into authorization-relevant views.
Drill-down capability from metrics to underlying controls to specific evidence.
Quantified security posture
cATO demands measurable security outcomes, not checkbox compliance. Thalorin tracks the metrics that demonstrate ongoing authorization validity: how quickly you detect threats, how fast you remediate findings, how consistently your controls operate.
Mean Time to Patch (MTTP)
How quickly vulnerabilities are remediated after discovery. Target: Critical <24hrs, High <7 days, Medium <30 days.
Guardrail Pass Rate
Percentage of deployments passing all security gates without exception. Target: >95% first-pass success.
Control Drift Rate
Frequency of controls falling out of compliance. Target: <5% monthly drift rate.
Evidence Freshness
Age of most recent evidence for each control. Target: 100% of controls with evidence <30 days old.
MTTD / MTTR
Mean time to detect and respond to security incidents. Demonstrates active cyber defense capability.
Inheritance Accuracy
Percentage of inherited controls with validated CSP evidence. Target: 100% inheritance documentation.
From traditional ATO to continuous authorization
cATO isn't a different authorization—it's an evolution. Systems must first complete all RMF steps and reach the Monitor phase before applying for cATO. The DoD Component CISO nominates candidate systems, and evaluation assesses readiness across Platform, Process, and People criteria. Thalorin guides the transition with gap analysis, readiness scoring, and implementation workflows.
Foundation
Complete traditional RMF cycle through authorization. Establish baseline security posture and enter Monitor phase.
Key Milestones
- Complete ATO achieved
- CONMON plan documented
- Baseline evidence established
cATO meets Zero Trust
The DoD Zero Trust Strategy (FY2027 deadline) directly intersects with cATO requirements. Both demand continuous verification, real-time monitoring, and automated response. Navy Flank Speed became the first DoD component achieving “Target” level Zero Trust, serving 560,000+ users. Organizations pursuing cATO are simultaneously building Zero Trust foundations.
Ready for authorization without expiration?
See how Thalorin enables the three pillars of continuous ATO — real-time monitoring, DevSecOps integration, and automated evidence collection.