Beyond the Checkbox: How Continuous ATO Is Changing Federal Cybersecurity for Good

 


Presented by Synack

In this episode of Fed Gov Today with Francis Rose, sponsored by Synack, Dina Saleh, Federal Solutions Architect at Synack, shares how the Continuous Authority to Operate (C-ATO) model is changing the way agencies approach cybersecurity. Drawing on her experience working closely with federal teams, Dina explains that C-ATO brings energy and efficiency back into a process that has long been viewed as slow, repetitive, and exhausting.

Dina begins by describing the traditional Authority to Operate (ATO) process as a “death loop”—a fatigue-heavy cycle filled with static documentation and endless checklists. “For anyone who’s been through it, it’s definitely one of those processes that gives you a few gray hairs,” she jokes. The old approach required agencies to perform compliance and testing every few years, often resulting in systems that became outdated and insecure long before their next review.

The shift to continuous authorization, Dina says, has been a game-changer. “We’re redoing that whole concept of static, one-dimensional procedures,” she explains. By continuously monitoring, testing, and updating systems, agencies no longer have to wait years between assessments to find and fix vulnerabilities. The result is more agility, stronger compliance, and better security across the enterprise.

Still, the move to C-ATO brings its own challenges. Dina points out that continuous means nonstop—and that can lead to a different kind of fatigue. “Teams are drowning in dashboards, fighting too many tools, and buried under data,” she says. Legacy systems, in particular, often weren’t designed for the level of visibility continuous monitoring requires. The result is an overwhelming amount of vulnerability data, log reports, and scan results that can leave security teams feeling lost in the noise.

That’s where Synack comes in. Dina describes the company’s approach as “a cheat sheet for the exam.” Agencies might have pages of vulnerability data, but Synack helps them focus on what truly matters: what’s exploitable, verifiable, and urgent. “We don’t just give you data,” she says. “We give you direction.” Instead of chasing every alert, Synack’s combination of human expertise and technology narrows the focus to the vulnerabilities that pose real, immediate risks.

The conversation then turns to the role of artificial intelligence in cybersecurity. Dina acknowledges that AI is “the shiny new thing” everyone is excited about, but she cautions that it’s not a silver bullet. “You can’t just slap AI on top of your compliance stack and call it continuous,” she says. She compares AI to “an intern who never sleeps”—great for automating repetitive, time-consuming tasks, but not a substitute for human insight. Synack uses AI to surface potential issues quickly, but humans still play a critical role in validating results and determining what truly matters.

When asked whether agencies can apply a single blueprint for success, Dina warns against a cookie-cutter approach. “Every environment is unique,” she emphasizes. Agencies have different systems, missions, and risk profiles, and C-ATO must be tailored to fit those specific needs. What works for one agency may not work for another.

She concludes by stressing that effective continuous authorization is about balance and customization. Agencies must combine automation with human expertise, focus on actionable insights, and design processes that fit their specific environments. “You can’t paint with a broad brush,” she says. “You have to look at everything specifically to that agency.” Dina’s message is clear: success with C-ATO isn’t about technology alone—it’s about rethinking the process, empowering people, and building smarter, more sustainable cybersecurity practices for the long term.


