Continuous Authorization to Operate (cATO) needs a DevSecOps platform - This is written in US Federal government speak, but the same benefits apply to commercial enterprises. If you use a centralized PaaS for your apps instead of customized infrastructure per each app, you can certify the layers below the application as compliant to use. Then when you put new all code on it, you only need to certify a thin layer of new code. The more traditional alternative (a customized infrastructure stack per app) means you have to certify the whole stack for each new app version. That takes a lot more time than the wafer thin layer of app.