cATO Continuous Authority — control mapping and POA&M
cATO Continuous Authority is the evidence-collection and POA&M tracking surface for orgs operating under a continuous authority-to-operate posture. It maps your live security telemetry to the NIST SP 800-53 control catalog and produces audit-ready exports for eMASS and Xacta.
Three core capabilities:
1. NIST 800-53 control catalog
Browse by family (AC, AU, CM, CP, IA, IR, RA, SC, SI, etc.) or by impact-level baseline (Low / Moderate / High / FedRAMP overlay). Each control has the canonical text, the platform-provided implementation evidence, and customer-responsibility guidance.
2. Live evidence + POA&M timeline
Integrations with your SIEM, identity provider, vulnerability scanner, and asset inventory feed evidence into each control automatically. POA&M items are created when a control fails its evidence check; each POA&M tracks owner, due date, mitigation plan, and status.
The timeline view shows evidence freshness — a control whose last evidence is older than the SLA flips to "stale" and surfaces in the Dashboard.
3. eMASS / Xacta export
On demand, the module produces:
• An eMASS-formatted control evidence package
• An Xacta-formatted POA&M export
• A System Security Plan (SSP) skeleton with control implementations populated from the live evidence
These are starting points — your ISSO / ISSE will refine the language for the specific authorization boundary.
Who can enable:
Government orgs (governmentOrg = true) and Turtini platform admins. The module is hidden from commercial orgs.
Caveats:
• cATO is a process, not a product. Turtini provides the evidence pipeline and reporting; the authorization decision rests with your AO.
• Continuous evidence collection only covers controls that map to telemetry the platform can see. Manual / procedural controls (training records, security awareness completion, plan reviews) still require human input — the module surfaces a checklist for those.
• The evidence is suitable for FedRAMP Moderate and DoD IL2/IL4-track authorization workflows. Higher-impact authorizations (IL5/IL6) require deployment in our forthcoming high-side environment, which is on the roadmap and not yet live as of 2026-05.