
Authorization Readiness Levels

A framework mapping 5 ATO pathways × 9 readiness levels for dual-use companies navigating FedRAMP, DoD RMF, Impact Level, cATO, and CMMC authorization.

Optimal Team
Authorization Readiness Levels framework: 5 ATO pathways by 9 readiness levels

Framework Overview

Five Pathways, Nine Levels

MIT’s Dual-Use Readiness Levels framework gave the defense tech ecosystem a shared language for measuring startup maturity across five dimensions: technology, commercial funding, commercial customers, mission funding, and mission customers. But for any software company selling into the Department of War or broader public sector, there is a sixth dimension that often determines whether a promising product ever reaches the warfighter: authorization to operate.

Authorization Readiness Levels (ARL) is a complementary framework that maps the pathway from “we know we need an ATO” to “we hold production authorizations across multiple agencies and pathways.” It covers five distinct authorization pathways, each with its own 9-level progression from initial awareness through scaled, multi-agency operations.

| Audience | How to use ARL |
| --- | --- |
| Founders | Assess where you are, plan where to go, and communicate your ATO strategy to investors and government stakeholders |
| Investors | Evaluate authorization maturity and understand the timeline and investment required to unlock government revenue |
| Gov stakeholders | Understand where your vendor partners are in their authorization journey and what they need to advance |

| Pathway | Code | Focus | Owner |
| --- | --- | --- | --- |
| FedRAMP Authorization | FARL | Federal civilian cloud authorization baseline under Rev 5 and the emerging 20x pathway | GSA / FedRAMP PMO |
| DoW RMF Authorization | RARL | Risk Management Framework pathway through eMASS, governed by NIST 800-53 and DISA STIGs | DoW Authorizing Officials |
| Impact Level Authorization | IARL | DoW Cloud Computing SRG pathway to IL4, IL5, and IL6 Provisional Authorizations | DISA |
| Continuous ATO | CARL | DevSecOps-native pathway to continuous authorization, aligned with DoW Reference Design and SWFT | DoW Program AO |
| CMMC Certification | CMRL | Cybersecurity Maturity Model Certification for protecting CUI across the defense industrial base | CMMC PMO / C3PAOs |

Each pathway runs the same 9-level progression (levels 1–9).

Readiness Dimensions

How Authorization Intersects with Every Readiness Dimension

Authorization Readiness Levels mapped across MIT's five dual-use readiness dimensions

| Dimension | How authorization intersects |
| --- | --- |
| Technology (TRL) | Architecture decisions at TRL 3-5 determine whether your system is authorizable at all |
| Mission Funding (MFRL) | SBIR and OTA awards increasingly expect authorization pathway plans as deliverables |
| Mission Customer (MCRL) | The Authorizing Official who signs your ATO is a mission customer stakeholder |
| Commercial Customer (CCRL) | FedRAMP authorization is increasingly valued as a trust signal in healthcare, finance, and critical infrastructure |
| Commercial Funding (CFRL) | Investors evaluate ATO readiness as a proxy for government revenue predictability |

Universal Pattern

The 9-Level Journey

Every authorization pathway follows a universal arc from awareness through scaled operations. The specifics differ, but the shape is the same.

The 9-level Authorization Readiness Level progression, from initial awareness through scaled multi-agency operations

| Level | Stage | Phase |
| --- | --- | --- |
| 1 | Aware | Discovery & Planning |
| 2 | Scope | Discovery & Planning |
| 3 | Gap | Discovery & Planning |
| 4 | Remediate | Build & Assessment |
| 5 | Submit | Build & Assessment |
| 6 | Assess | Build & Assessment |
| 7 | Authorize | Authorized & Scaling |
| 8 | Operate | Authorized & Scaling |
| 9 | Scale | Authorized & Scaling |

Pathway Details

Pathway Deep Dives

FedRAMP Authorization Readiness Level (FARL)

The federal civilian baseline. FedRAMP has operated under a unified authorization model since the JAB was dissolved in August 2024, with Rev 5 alignment and the emerging FedRAMP 20x continuous validation pathway replacing the traditional assessment cycle.

  1. Awareness
  2. Boundary Scoping
  3. Gap Analysis — 3PAO/RAR
  4. Remediation & SSP
  5. Sponsor Secured
  6. Assessment Complete
  7. ATO Granted
  8. Marketplace & Reuse
  9. Sustained & Evolution


DoW RMF Authorization Readiness Level (RARL)

The DoW-specific Risk Management Framework pathway, operationalized through eMASS and governed by NIST 800-53 and DISA STIGs. This is the pathway for systems deployed directly on DoW networks and enclaves.

  1. Mission Need & RMF Awareness
  2. System Categorization & eMASS
  3. STIG Assessment & Planning
  4. Documentation in eMASS
  5. SCA Engagement
  6. Assessment Complete
  7. ATO Granted
  8. Operational ConMon
  9. Multi-Enclave Maturity


Impact Level Authorization Readiness Level (IARL)

The DoW Cloud Computing Security Requirements Guide (CC SRG) pathway to IL4, IL5, and IL6 Provisional Authorizations, managed by DISA. Required for cloud services handling CUI and national security data.

  1. IL Strategy Determination
  2. Isolation Architecture Design
  3. CC SRG Gap Assessment
  4. DISA Engagement & Application
  5. DISA Assessment In Progress
  6. Findings Remediated
  7. PA Granted
  8. Production at IL with ConMon
  9. Multi-IL Strategic Positioning


Continuous ATO Readiness Level (CARL)

The DevSecOps-native pathway to continuous authorization, aligned with the DoW Enterprise DevSecOps Reference Design and the Software Fast Track (SWFT) initiative. cATO replaces 3-year assessment cycles with ongoing, automated validation.

  1. DevSecOps Foundation
  2. Security Tooling in CI/CD
  3. Continuous Monitoring Architecture
  4. Hardened Containers & Provenance
  5. Program Sponsor for cATO
  6. Initial cATO Issued
  7. Operational cATO
  8. Multi-Program Expansion
  9. Enterprise Reference Implementation


CMMC Readiness Level (CMRL)

The Cybersecurity Maturity Model Certification pathway for protecting CUI across the defense industrial base, governed by 32 CFR Part 170 and DFARS 252.204-7021. Affects an estimated 80,000+ contractors in the DIB.

  1. Awareness & Level Determination
  2. CUI Scoping & Asset ID
  3. NIST 800-171 Gap & SPRS
  4. SSP Development & Implementation
  5. POA&M Closeout & Readiness
  6. C3PAO Assessment Complete
  7. Certification Achieved
  8. Operational Compliance & Affirmation
  9. Multi-Level & DIB Leadership


By The Numbers

The Authorization Landscape

| Metric | What it represents |
| --- | --- |
| 80K | Contractors that need CMMC Level 2 certification |
| <600 | Certified CMMC assessors available |
| $500K–$2M | Typical FedRAMP Rev 5 authorization cost |
| 33x | ROI on a $1.5M FedRAMP investment unlocking $50M TAM |

MIT Mapping

Mapping to MIT’s Dual-Use Readiness Levels

Authorization Readiness Levels interact with every dimension of MIT’s framework. The following mapping shows typical alignment.

| Authorization Stage | Typical MIT Alignment | Key Implication |
| --- | --- | --- |
| ARL 1-2 (Awareness, Scoping) | TRL 4-5, MFRL 1-2, MCRL 1-2 | Architecture decisions must be made with authorizability in mind. Most cost-effective time to design for compliance. |
| ARL 3-4 (Gap Analysis, Remediation) | TRL 6-7, MFRL 3-4, MCRL 3-4 | Compliance remediation should be funded — SBIR Phase II, OTA, or seed/Series A should include ATO budget. Expect $500K-$2M for Rev 5; potentially much less under 20x. |
| ARL 5-6 (Assessment) | TRL 7-8, MFRL 5-6, MCRL 5-6 | The AO is a mission customer. Managing the assessment relationship is as important as the technology itself. |
| ARL 7 (ATO Granted) | TRL 8-9, MFRL 7, MCRL 7-8 | Authorization unlocks production revenue. The inflection point for mission customer conversion. |
| ARL 8-9 (ConMon, Multi-Agency) | TRL 9, MFRL 8-9, MCRL 8-9, CFRL 6+ | Sustained authorization is a competitive moat. Investors value it. Reuse and reciprocity accelerate growth. |

Strategic Guidance

Key Principles for Dual-Use ATO Strategy

1 · Design for Authorization from Day One

The most expensive ATO decision is the one you don’t make early enough. Selecting a FedRAMP-authorized IaaS provider, implementing FIPS-validated encryption, and designing your system boundary at TRL 3-5 saves 6-12 months and hundreds of thousands of dollars compared to retrofitting at TRL 7-8.

2 · The AO Is a Customer, Not a Gatekeeper

The Authorizing Official and their team (ISSM, ISSO, SCA) are mission customer stakeholders. Build relationships early, understand their risk appetite, and treat the process as a partnership.

3 · Fund Authorization Like a Product Feature

ATO is not overhead — it is a product feature that unlocks an entire market. Budget for it in SBIR proposals, include it in OTA milestones, and present it to investors as go-to-market infrastructure. A $1.5M FedRAMP investment that unlocks $50M in addressable government revenue is a 33x leverage play.

4 · Leverage Inheritance and Reciprocity

Build on FedRAMP-authorized IaaS/PaaS to inherit 50-70% of the control baseline. Leverage reciprocity between DoW organizations. Use your FedRAMP authorization as the foundation for DoW RMF and IL authorization.

5 · Build Toward Continuous, Not Just Compliant

FedRAMP 20x replaces narrative SSPs with machine-readable KSIs and persistent validation. DoW cATO replaces 3-year cycles with continuous monitoring. FedRAMP aims to stop accepting new Rev 5 packages by late FY27 — the transition window is now.

6 · Treat Authorization as a Competitive Moat

Every additional agency ATO, every IL level, every year of ConMon history widens the moat. Protect and maintain your authorizations — they are among your most valuable business assets.

7 · Understand the Institutional Map

FedRAMP is managed by the FedRAMP PMO at GSA. IL PAs are managed by DISA under the CC SRG. DoW RMF ATOs are issued by individual AOs through eMASS. CMMC certifications are managed by the CMMC PMO with C3PAOs and DIBCAC. Understanding which institution owns which authorization prevents wasted effort.

Institutional Landscape

Who Owns Each Authorization

| Authorization | Owner | Framework / Authority |
| --- | --- | --- |
| FedRAMP | GSA | FedRAMP PMO + Board |
| DoW RMF | DoW AOs | eMASS + DoDI 8510.01 |
| IL PA | DISA | CC SRG |
| cATO | DoW Program AO | DevSecOps Ref Design |
| CMMC | CMMC PMO | C3PAOs + DIBCAC |

Whitepaper

Download the Complete Framework

29-page whitepaper with all 5 pathways x 9 levels, detailed examples, MIT alignment mapping, and procurement guidance.
