Authorization to Operate (ATO)
An ATO is the formal decision by an Authorizing Official (AO) to accept the risk of operating a system, based on its security posture and evidence.
Plain-language definitions of cybersecurity and compliance terms for defense, federal, and regulated teams.
BYOAI is an architecture that lets an organization choose which AI provider and deployment it uses — commercial or self-hosted — rather than being locked to one.
CMMC is the U.S. Department of Defense's program for certifying that defense contractors protect sensitive government information to a required cybersecurity standard.
cATO is an approach where continuous monitoring, real-time evidence, and active drift management keep a system authorized over time, rather than relying on a periodic point-in-time ATO.
CUI is unclassified information the government requires to be safeguarded or disseminated under specific controls.
A CVE is a unique identifier assigned to a publicly known software or hardware vulnerability.
CVSS is the open standard that assigns a 0–10 severity score to a vulnerability based on its intrinsic characteristics.
eMASS is the DoD's web-based system of record for managing RMF packages, controls, POA&Ms, and authorizations.
NIST SP 800-171 is a security standard of 110 controls for protecting Controlled Unclassified Information (CUI) on non-federal systems.
A POA&M is the running record of open security weaknesses, the planned fixes, owners, and deadlines.
RMF is NIST's structured, six-step lifecycle (categorize, select, implement, assess, authorize, monitor) for managing security and privacy risk in information systems.
A SPRS score is the number, derived from the DoD Assessment Methodology, that represents how fully a contractor has implemented the NIST 800-171 controls.
An SSP is the document that describes a system's boundary, its components, and how it satisfies each required security control.
TRACE Score is Advisedly's 0–100 vulnerability priority that factors in your specific environment — including threat activity, exposure, asset importance, and compliance impact — rather than a one-size-fits-all severity.