Skip to content

Manifesto for a Continuous Delivery Risk Management Framework (CD-RMF)©


Manifesto for a Continuous Delivery Risk Management Framework (CD-RMF)© 2023 by Rise8, Inc. is licensed under CC BY-ND 4.0. This license requires that reusers give credit to the creator. It allows reusers to copy and distribute the material in any medium or format in unadapted form only, even for commercial purposes.


We believe that achieving continuous delivery as part of DevOps in the federal government, subject to FISMA, requires a truly continuous application of the NIST Risk Management Framework (RMF). While this can be done within the letter of NIST 800-37r2, we intend to advocate for a new authorization type or a new subset of ongoing authorization. This would require a particular implementation of the RMF for Continuous Delivery as part of Agile Software Development & Operations.

The US Air Force pioneered such an implementation which resulted in a Continuous Authority to Operate (cATO). Since then, there has been little consensus on what a cATO is, much less how to implement the RMF to achieve one. In fact, many cATOs have completely diverged from RMF and cannot be considered FISMA compliant. For that reason, we are proposing the term “cATO” no longer be used. Even if the poor practices could be cleaned up, the name itself is problematic and cannot be found as an authorization type/decision within NIST 800-37. It was always intended to be a very opinionated subset of ongoing authorization with prescribed practices. We hope to codify this under a new authorization type/decision.

This manifesto and the playbook aim to align the community around achieving the “early and continuous delivery of valuable software” in federal government as promised by the Manifesto for Agile Software Development. Given that, we have intentionally stayed true to the format and content of the Manifesto, highlighting how compliant DevOps naturally fits in.

This artifact draws heavily from the Manifesto for Agile Software Development, which can be found at: