The ATO Survival Guide

Valentine Nwachukwu
Apr 1
4 min read

The ATO Survival Guide: What Nobody Tells You About Deploying AI on Classified Networks

I’ve sat in enough post-demo meetings to recognize the pattern.

A team builds something impressive—real AI, real capability, something that could genuinely help a warfighter make better decisions faster. The demo lands. People lean in. Someone says, “this could change everything.”

Then the ATO conversation starts.

“What impact level?”

“IL-5… maybe IL-6 depending on the data.”

“Are your containers STIG’d?”

“What’s your supply chain risk plan?”

“Who’s your ISSM?”

And just like that, the energy shifts.

What was a breakthrough a few minutes ago becomes a 12–14 month timeline, a control matrix, and a reality most teams didn’t plan for.

I’ve been through this cycle enough times at Zaden—across Icarus, Olympus, and multiple subcontract efforts with prime partners—to know that deploying into classified environments isn’t where things start to get hard.

It’s where most teams realize they built the wrong thing the right way.

Here’s what actually matters.

Your ATO Strategy Starts at Architecture — Not Compliance

The most common mistake is treating ATO like a phase instead of a foundation.

Teams build first, then try to “make it compliant.” By that point, they’ve got:

dozens of loosely defined services
dependencies they can’t fully account for
data flows that weren’t designed for classification boundaries

Now they’re retrofitting security into something that was never built for it.

At Zaden, we learned this the hard way. That’s part of why Olympus exists.

Every deployment we touch starts with the environment:

What’s the impact level?
What data are we handling?
What network are we targeting?

Those answers drive everything—container baselines, logging strategy, even how services are structured.

If you’re picking your tech stack before you understand your deployment environment, you’re not building a product—you’re building a demo

STIGs Aren’t a Checkbox — They’re a Moving Target

STIGs are the floor. Not the finish line.

Every layer of your system—OS, containers, databases—needs to be hardened. But what catches teams off guard is that compliance doesn’t stay still.

STIGs update constantly.

That “clean” container you validated a few months ago? It may already be out of date.

We’ve moved to treating STIG compliance as a continuous process:

integrated directly into CI/CD
evaluated on every build
monitored against updates as they drop

If you’re only checking compliance at the end, you’re already behind.

The Supply Chain Problem Is Deeper Than It Looks

After SolarWinds and Log4j, AOs aren’t just asking what you deployed.

They’re asking what touched your system at any point.

SBOMs are now expected—but for AI/ML systems, they’re not straightforward.

Your runtime container might look clean, but your training pipeline could have:

dozens of dependencies
transient tooling
external data processing steps

And all of that matters.

We’ve had to build internal approaches just to get visibility across the full lifecycle. Most off-the-shelf SBOM tools still don’t fully account for ML pipelines.

This is one of those areas where real deployment experience shows. If you’ve never had to answer these questions in a classified environment, it’s easy to underestimate how deep this goes.

cATO Is Worth It — But You Have to Earn It

Everyone wants continuous ATO. And for good reason.

The ability to ship updates without restarting the authorization process changes everything.

But cATO isn’t something you declare—it’s something you prove.

You need:

automated compliance built into every pipeline
continuous monitoring that actually reflects system behavior
an architecture that supports incremental change, not full reassessment

We’ve been building toward this with Olympus, and the pattern is consistent:

It takes time.

Usually months of:

demonstrating consistency
building an evidence trail
earning trust with the Authorizing Official

cATO is achievable. But it’s not a shortcut—it’s a maturity model.

Your ISSM Relationship Will Make or Break You

This one doesn’t get talked about enough.

You can have the best architecture in the room—and still lose momentum if you treat security as a formality.

The ISSM isn’t a gatekeeper to work around. They’re a partner in getting your system deployed. The teams that move fastest:

engage early
ask questions upfront
share architecture before it’s locked in

At Zaden, we bring ISSMs into the conversation before we’ve written meaningful code. By the time we reach formal assessment, there are no surprises.

A lot of what makes ATO successful isn’t technical—it’s alignment.

The Bottom Line

Deploying AI to classified environments isn’t just a technical challenge. It’s a systems problem.

The teams that succeed aren’t necessarily the ones with the most advanced models. They’re the ones who understand the environment they’re deploying into—and design for it from day one.

If you’re building in this space, here’s the advice I give almost every time:

Don’t start with the AI. Start with the pipeline.

Prove you can deploy something simple—a container, a service, a baseline capability—into your target environment.

Then build on top of that.

It’s less exciting than training a model. But it’s the difference between something that demos well—and something that actually gets fielded.

If you’re working through an ATO process right now, I’ve probably seen a version of what you’re dealing with. Happy to compare notes.