
Originally published on GoOptimal.io

Overview

This framework extends MIT’s Dual-Use Readiness Levels by introducing a sixth dimension: authorization to operate (ATO). The article presents “Authorization Readiness Levels (ARL),” which map five distinct government authorization pathways, each across nine progression levels.

The Five Authorization Pathways

FARL (FedRAMP Authorization): Federal civilian cloud authorization under Rev 5 and the emerging 20x continuous validation pathway, managed by GSA’s FedRAMP PMO.

RARL (DoD RMF Authorization): The Department of Defense Risk Management Framework pathway through eMASS, governed by NIST 800-53 and DISA STIGs.

IARL (Impact Level Authorization): The DoD Cloud Computing Security Requirements Guide pathway to IL4, IL5, and IL6 Provisional Authorizations, managed by DISA.

CARL (Continuous ATO): A DevSecOps-native pathway aligned with DoD Enterprise DevSecOps Reference Design and the Software Fast Track initiative.

CMRL (CMMC Certification): The Cybersecurity Maturity Model Certification pathway protecting Controlled Unclassified Information across the defense industrial base, affecting approximately 80,000+ contractors.

The Universal 9-Level Journey

Every pathway follows this progression:

  1. Aware — Recognize the pathway exists and applies
  2. Scope — Define system boundaries and applicable controls
  3. Gap Analysis — Assess current state against requirements
  4. Remediate — Close identified gaps
  5. Submit — Deliver documentation and artifacts
  6. Assess — Undergo third-party or government assessment
  7. Authorize — Receive formal authorization decision
  8. Operate — Maintain continuous compliance
  9. Scale — Extend authorization to new offerings

Levels 1-3 focus on discovery and planning; 4-6 involve building and assessment; 7-9 address authorization and scaling operations.

Key Strategic Principles

The framework emphasizes designing for authorization from inception, treating Authorizing Officials as mission customers, and budgeting authorization as a market-unlocking product feature. A $1.5M FedRAMP investment that unlocks $50M in addressable government revenue represents significant leverage.

MIT Alignment

Authorization stages typically align with specific Technology Readiness Levels (TRL) and other MIT dual-use dimensions, with architecture decisions at TRL 3-5 being the most cost-effective time for compliance design.
