Using RegScale to Support the DoD Continuous ATO

February 16, 2022 | By J. Travis Howerton

With the recent publication of Department of Defense (DoD) guidance on supporting the Continuous Authorization to Operate (cATO) process, RegScale is now uniquely positioned as a continuous compliance automation solution to provide real-time monitoring of Risk Management Framework (RMF) controls. The cATO is the new “gold standard” in cyber security allowing DoD to keep systems continuously accredited based on the robustness of their security posture. To learn more about the DoD cATO objectives, see the February 2022 memo.

For years, cATO has been the holy grail of cyber security but it has been elusive and difficult to achieve. According to the DoD, there are three primary criteria for allowing a cATO:

  • Ongoing visibility of cyber security controls for the system
  • Conducting active cyber defense against emerging threats
  • Use of an approved DevSecOps reference design


RegScale now has tools within our platform that can support all three of these critical objectives to allow DoD systems to meet their cATO objectives.

First, continuous compliance automation is the core capability of our platform. We not only provide machine readable versions of compliance controls such as NIST, CMMC, and SOX, we also provide both Application Programming Interfaces (APIs), a Command Line Interface (CLI), and out of the box integrations to support continuous monitoring platforms. For example, our recent partnership announcement with allows us to monitor cloud security issues, vulnerabilities, and threats in their platform and to update control assessments and compliance data automatically as part of a cloud continuous monitoring program. We will continue to build out additional integrations with Tenable, Qualys, and other continuous monitoring programs based on customer demand. The result is that ATO paperwork becomes self-updating, available on demand, and near real-time to improve risk-based decision making.

Second, we have partnered with Volpe IT Group (VITG) to integrate the FedRAMP methodology for Threat-based Authorizations into our risk-modeling using the NIST Open Security Control Assessment Language (OSCAL) as the underlying data exchange standard. This approach allows customers to tailor control implementations based on their specific risk tolerances to current threats.

Finally, as an open and real-time compliance automation platform, RegScale can plug seamlessly into cloud architectures, Continuous Integration (CI) and Continuous Delivery (CD) platforms, and Kubernetes clusters to automate compliance reporting for a modern DevSecOps deployment or software factory. Whether orchestrating compliance integrations with our CLI, scripting checks against our APIs, or even conducting periodic manual assessments, RegScale is designed to be a cloud-native solution that provides continuous ATO capabilities for DevSecOps programs.

Schedule a free demo today to learn how RegScale can help you enable continuous ATO for your DevSecOps program. In addition to offering free and automated tools, we have experienced risk management professionals who can assist you in creating a continuous ATO program that will meet the DoD requiremeents. With RegScale, our customers get software with a service to provide a concierge like experience for continuous ATO.

Ready to get started?

Choose the path that is right for you! 

Skip the line

My organization doesn’t have GRC tools yet and I am ready to start automating my compliance with continuous monitoring pipelines now. 


My organization already has legacy compliance software, but I want to automate many of the manual processes that feed it.