Working Paper | March 2026

Authorization Readiness Levels

A Framework for Dual-Use Companies Navigating the Pathway to Authority to Operate

Ryan Gutwein

Extending MIT's Dual-Use Readiness Levels for ATO Strategy

FedRAMP + DoW RMF + Impact Level + cATO + CMMC

Five Pathways, Nine Levels

MIT's Dual-Use Readiness Levels framework gave the defense tech ecosystem a shared language for measuring startup maturity across five dimensions: technology, commercial funding, commercial customers, mission funding, and mission customers. But for any software company selling into the Department of War or broader public sector, there is a sixth dimension that often determines whether a promising product ever reaches the warfighter: authorization to operate.

Authorization Readiness Levels (ARL) is a complementary framework that maps the pathway from "we know we need an ATO" to "we hold production authorizations across multiple agencies and pathways." It covers five distinct authorization pathways, each with its own 9-level progression from initial awareness through scaled, multi-agency operations.

For Founders

Assess where you are, plan where to go, and communicate your ATO strategy to investors and government stakeholders

For Investors

Evaluate authorization maturity and understand the timeline and investment required to unlock government revenue

For Gov Stakeholders

Understand where your vendor partners are in their authorization journey and what they need to advance

FARL - FedRAMP Authorization (Levels 1-9)
Federal civilian cloud authorization baseline under Rev 5 and the emerging 20x pathway
Owner: GSA / FedRAMP PMO

RARL - DoW RMF Authorization (Levels 1-9)
Risk Management Framework pathway through eMASS, governed by NIST SP 800-53 and DISA STIGs
Owner: DoW Authorizing Officials

IARL - Impact Level Authorization (Levels 1-9)
DoW Cloud Computing SRG pathway to IL4, IL5, and IL6 Provisional Authorizations
Owner: DISA

CARL - Continuous ATO (Levels 1-9)
DevSecOps-native pathway to continuous authorization, aligned with the DoW Enterprise DevSecOps Reference Design and SWFT
Owner: DoW Program AO

CMRL - CMMC Certification (Levels 1-9)
Cybersecurity Maturity Model Certification for protecting CUI across the defense industrial base
Owner: CMMC PMO / C3PAOs

How Authorization Intersects with Every Readiness Dimension

Technology (TRL)

Architecture decisions at TRL 3-5 determine whether your system is authorizable at all

Mission Funding (MFRL)

SBIR and OTA awards increasingly expect authorization pathway plans as deliverables

Mission Customer (MCRL)

The Authorizing Official who signs your ATO is a mission customer stakeholder

Commercial Customer (CCRL)

FedRAMP authorization is increasingly valued as a trust signal in healthcare, finance, and critical infrastructure

Commercial Funding (CFRL)

Investors evaluate ATO readiness as a proxy for government revenue predictability

The 9-Level Journey

Every authorization pathway follows a universal arc from awareness through scaled operations. The specifics differ, but the shape is the same.

1 AWARE
2 SCOPE
3 GAP
4 REMEDIATE
5 SUBMIT
6 ASSESS
7 AUTHORIZE
8 OPERATE
9 SCALE

Levels 1-3: Discovery & Planning
Levels 4-6: Build & Assessment
Levels 7-9: Authorized & Scaling

Pathway Deep Dives

FARL FedRAMP Authorization Readiness Level

The federal civilian baseline. Since the JAB was dissolved in August 2024, FedRAMP has operated under a unified authorization model with Rev 5 alignment; the emerging FedRAMP 20x continuous validation pathway is intended to replace the traditional assessment cycle.

1. Awareness
2. Boundary Scoping
3. Gap Analysis (3PAO/RAR)
4. Remediation & SSP
5. Sponsor Secured
6. Assessment Complete
7. ATO Granted
8. Marketplace & Reuse
9. Sustained & Evolution
Read full pathway details in the whitepaper →
RARL DoW RMF Authorization Readiness Level

The DoW-specific Risk Management Framework pathway, operationalized through eMASS and governed by NIST 800-53 and DISA STIGs. This is the pathway for systems deployed directly on DoW networks and enclaves.

1. Mission Need & RMF Awareness
2. System Categorization & eMASS
3. STIG Assessment & Planning
4. Documentation in eMASS
5. SCA Engagement
6. Assessment Complete
7. ATO Granted
8. Operational ConMon
9. Multi-Enclave Maturity
IARL Impact Level Authorization Readiness Level

The DoW Cloud Computing Security Requirements Guide (CC SRG) pathway to IL4, IL5, and IL6 Provisional Authorizations, managed by DISA. Required for cloud services handling CUI and national security data.

1. IL Strategy Determination
2. Isolation Architecture Design
3. CC SRG Gap Assessment
4. DISA Engagement & Application
5. DISA Assessment In Progress
6. Findings Remediated
7. PA Granted
8. Production at IL with ConMon
9. Multi-IL Strategic Positioning

CARL Continuous ATO Readiness Level

The DevSecOps-native pathway to continuous authorization, aligned with the DoW Enterprise DevSecOps Reference Design and the Software Fast Track (SWFT) initiative. cATO replaces the fixed 3-year reassessment cycle with ongoing, automated validation of controls. The AO grants it against three demonstrated competencies, continuous monitoring, active cyber defense, and adoption of the Reference Design, and it holds only while that evidence keeps flowing.

1. DevSecOps Foundation
2. Security Tooling in CI/CD
3. Continuous Monitoring Architecture
4. Hardened Containers & Provenance
5. Program Sponsor for cATO
6. Initial cATO Issued
7. Operational cATO
8. Multi-Program Expansion
9. Enterprise Reference Implementation
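A worked example of the gate behind CARL levels 2 and 4 (security tooling in CI/CD; hardened containers and provenance): a policy check that refuses to admit a container image into the pipeline unless its build provenance names a trusted builder, matches the image digest, and pins every dependency by content hash. This is an added example, not code from the paper, the Reference Design, or SWFT. It assumes the build system emits an in-toto Statement v1 carrying a SLSA v1 provenance predicate, and the builder IDs, build types, registry names and the statement itself are constructed placeholders.

```python
"""Admission gate: verify SLSA provenance for a container image.

Added example (not from the paper or any DoW program). Assumes an in-toto
Statement v1 with a SLSA provenance v1 predicate; all URIs and digests below
are constructed placeholders.
"""
from __future__ import annotations

import re

# Identifiers from the in-toto and SLSA specifications.
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
SHA256_HEX = re.compile(r"[0-9a-f]{64}")
GIT_COMMIT_HEX = re.compile(r"[0-9a-f]{40}")

# Admission policy. Constructed placeholders: a real policy lists the builder
# IDs and build types your program's hardened CI actually emits.
TRUSTED_BUILDERS = {"https://ci.example.mil/builders/hardened-ubi@v1"}
ALLOWED_BUILD_TYPES = {"https://ci.example.mil/buildtypes/container@v1"}


def _sha256_hex(ref: str) -> str:
    """Normalize 'sha256:<hex>' or bare hex to lowercase hex; '' if malformed."""
    hexpart = ref[len("sha256:"):] if ref.startswith("sha256:") else ref
    hexpart = hexpart.lower()
    return hexpart if SHA256_HEX.fullmatch(hexpart) else ""


def _pinned(digest: dict) -> bool:
    """A dependency is pinned if it carries a content digest, not just a tag/ref."""
    return bool(_sha256_hex(digest.get("sha256", ""))) or bool(
        GIT_COMMIT_HEX.fullmatch(digest.get("gitCommit", "").lower())
    )


def verify_provenance(statement: dict, image_digest: str) -> list[str]:
    """Policy checks on an in-toto/SLSA provenance statement for one image.

    This checks content, not origin: the DSSE envelope carrying the statement
    must already have been signature-verified (e.g. with cosign) or these
    checks prove nothing. Returns the list of violations; empty means admit.
    """
    violations: list[str] = []

    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        violations.append("not an in-toto Statement v1")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        violations.append("predicateType is not SLSA provenance v1")

    want = _sha256_hex(image_digest)
    if not want:
        violations.append("image digest is not a well-formed sha256")
    subjects = statement.get("subject") or []
    if not want or not any(
        _sha256_hex((s.get("digest") or {}).get("sha256", "")) == want for s in subjects
    ):
        violations.append("provenance subject does not match image digest")

    predicate = statement.get("predicate") or {}
    build_def = predicate.get("buildDefinition") or {}
    run_details = predicate.get("runDetails") or {}

    builder_id = (run_details.get("builder") or {}).get("id", "")
    if builder_id not in TRUSTED_BUILDERS:
        violations.append(f"untrusted builder: {builder_id or '<missing>'}")

    build_type = build_def.get("buildType", "")
    if build_type not in ALLOWED_BUILD_TYPES:
        violations.append(f"disallowed buildType: {build_type or '<missing>'}")

    # Base image, source and tooling must all be pinned by digest; a floating
    # tag here is exactly the drift that continuous validation is meant to catch.
    for dep in build_def.get("resolvedDependencies") or []:
        if not _pinned(dep.get("digest") or {}):
            violations.append(f"unpinned dependency: {dep.get('uri', '<unnamed>')}")

    return violations


def sample_statement() -> dict:
    """Constructed provenance for the example; not from any real build system."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "predicateType": SLSA_PROVENANCE_V1,
        "subject": [{"name": "registry.example.mil/app", "digest": {"sha256": "a" * 64}}],
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.mil/buildtypes/container@v1",
                "resolvedDependencies": [
                    {"uri": "oci://registry.example.mil/base/ubi9", "digest": {"sha256": "b" * 64}},
                    {"uri": "git+https://git.example.mil/app", "digest": {"gitCommit": "c" * 40}},
                ],
            },
            "runDetails": {"builder": {"id": "https://ci.example.mil/builders/hardened-ubi@v1"}},
        },
    }


if __name__ == "__main__":
    image = "sha256:" + "a" * 64
    print("clean build:", verify_provenance(sample_statement(), image) or "admit")
    tampered = sample_statement()
    tampered["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example/dev"
    print("rogue builder:", verify_provenance(tampered, image))
```

Run it as a pipeline step after the attestation's signature has been verified; in a cATO evidence stream the returned violation list is what gets written to the continuous-monitoring record, which is more useful to an AO than a pass/fail checkbox because it says which control the build would have broken.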
CMRL CMMC Readiness Level

The Cybersecurity Maturity Model Certification pathway for protecting CUI across the defense industrial base, governed by 32 CFR Part 170 and DFARS 252.204-7021. Affects an estimated 80,000+ contractors in the DIB.

1. Awareness & Level Determination
2. CUI Scoping & Asset ID
3. NIST SP 800-171 Gap & SPRS
4. SSP Development & Implementation
5. POA&M Closeout & Readiness
6. C3PAO Assessment Complete
7. Certification Achieved
8. Operational Compliance & Affirmation
9. Multi-Level & DIB Leadership

The Authorization Landscape

80K: contractors estimated to need CMMC Level 2 certification

<600: certified CMMC assessors available

$500K-$2M: typical FedRAMP Rev 5 authorization cost

33x: addressable-market leverage on a $1.5M FedRAMP investment that unlocks a $50M government TAM (a ratio of market size to spend, not realized return)

Mapping to MIT's Dual-Use Readiness Levels

Authorization Readiness Levels interact with every dimension of MIT's framework. The following mapping shows typical alignment.

Authorization Stage | Typical MIT Alignment | Key Implication
ARL 1-2 (Awareness, Scoping) | TRL 4-5, MFRL 1-2, MCRL 1-2 | Architecture decisions must be made with authorizability in mind. Most cost-effective time to design for compliance.
ARL 3-4 (Gap Analysis, Remediation) | TRL 6-7, MFRL 3-4, MCRL 3-4 | Compliance remediation should be funded: SBIR Phase II, OTA, or seed/Series A should include ATO budget. Expect $500K-$2M for Rev 5; potentially much less under 20x.
ARL 5-6 (Assessment) | TRL 7-8, MFRL 5-6, MCRL 5-6 | The AO is a mission customer. Managing the assessment relationship is as important as the technology itself.
ARL 7 (ATO Granted) | TRL 8-9, MFRL 7, MCRL 7-8 | Authorization unlocks production revenue. The inflection point for mission customer conversion.
ARL 8-9 (ConMon, Multi-Agency) | TRL 9, MFRL 8-9, MCRL 8-9, CFRL 6+ | Sustained authorization is a competitive moat. Investors value it. Reuse and reciprocity accelerate growth.

Key Principles for Dual-Use ATO Strategy

01Design for Authorization from Day One

The most expensive ATO decision is the one you don't make early enough. Selecting a FedRAMP-authorized IaaS provider, using FIPS 140-validated cryptographic modules (not merely FIPS-approved algorithms in an unvalidated library), and defining your system boundary at TRL 3-5 saves 6-12 months and hundreds of thousands of dollars compared to retrofitting at TRL 7-8.

02The AO Is a Customer, Not a Gatekeeper

The Authorizing Official and their team (ISSM, ISSO, SCA) are mission customer stakeholders. Build relationships early, understand their risk appetite, and treat the process as a partnership.

03Fund Authorization Like a Product Feature

ATO is not overhead -- it is a product feature that unlocks an entire market. Budget for it in SBIR proposals, include it in OTA milestones, and present it to investors as go-to-market infrastructure. A $1.5M FedRAMP investment that unlocks $50M in addressable government revenue is a 33x leverage play.

04Leverage Inheritance and Reciprocity

Build on FedRAMP-authorized IaaS/PaaS to inherit 50-70% of the control baseline, but confirm the split against the provider's Customer Responsibility Matrix: only controls the provider implements end to end are inheritable, and shared or customer-responsibility controls remain in your SSP and your assessment. Leverage reciprocity between DoW organizations. Use your FedRAMP authorization as the foundation for DoW RMF and IL authorization.

05Build Toward Continuous, Not Just Compliant

FedRAMP 20x replaces narrative SSPs with machine-readable Key Security Indicators (KSIs) and persistent, automated validation. DoW cATO replaces 3-year cycles with continuous monitoring. FedRAMP aims to stop accepting new Rev 5 packages by late FY27; the transition window is now.

06Treat Authorization as a Competitive Moat

Every additional agency ATO, every IL level, every year of ConMon history widens the moat. Protect and maintain your authorizations -- they are among your most valuable business assets.

07Understand the Institutional Map

FedRAMP is managed by the FedRAMP PMO at GSA. IL PAs are managed by DISA under the CC SRG. DoW RMF ATOs are issued by individual AOs through eMASS. CMMC certifications are managed by the CMMC PMO, with C3PAOs conducting Level 2 certification assessments and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducting Level 3. Understanding which institution owns which authorization prevents wasted effort.

Who Owns Each Authorization

FedRAMP: GSA (FedRAMP PMO + Board)
DoW RMF: DoW AOs (eMASS + DoDI 8510.01)
IL PA: DISA (CC SRG)
cATO: DoW Program AO (DevSecOps Reference Design)
CMMC: CMMC PMO (C3PAOs + DIBCAC)

Download the Complete Framework

29-page whitepaper with all 5 pathways x 9 levels, detailed examples, MIT alignment mapping, and procurement guidance.

