CATOA — Continuous ATO Agent

Access Control Family Assessment

Select an AC control, review the system context, and watch CATOA perform a full RMF assessment — gap analysis, SSP narrative generation, and POA&M triage.

System Implementation Context

The system is a classified C2 (Command and Control) application hosted on a hardened RHEL 9 server within a SCIF at a DoD facility. It uses Active Directory for identity management, PKI/CAC authentication, and role-based access controls managed through a custom authorization service. The system has 45 authorized users across 4 role types. Remote access is provided via an Aruba VPN concentrator with MFA enforcement. The system connects to SIPRNet and processes data up to SECRET//NOFORN.

Sample system context for demonstration. In production, CATOA ingests your actual eMASS system data automatically.

HOW THIS WORKS IN PRODUCTION

This demo shows CATOA in action. The CATOA appliance runs Llama 3.3 70B locally via Ollama inside your enclave — no external API calls, no cloud dependencies, no data leaving the boundary. The model ingests your eMASS export, maps controls to CCIs, and performs this same analysis across your entire control set continuously. What you just saw for one control, CATOA does for all 400+ controls in your baseline — automatically, on a schedule, air-gapped.