Authorization to Operate (ATO)

What is an ATO?

An ATO is a hallmark of approval that endorses an information system for use within a federal agency. Authorization signifies:

1. A comprehensive understanding of the system’s hardware, software, and connections.
2. A clear delineation of the system’s mission or purpose.
3. An assessment of the benefits offered by the system versus the inherent risks it poses.

All federal information systems must be granted an Authority to Operate (ATO) before being placed into production status. A federal ATO is issued when an information system has been assessed, and the Agency Authorizing Official (AO) has explicitly accepted the risks. 

The ATO is granted by the AO, and each agency determines the ATO criteria for their information systems. Federal agencies rely on the National Institute of Standards and Technology’s (NIST) Risk Management Framework for Information Systems and Organizations to assist them in choosing the controls they need for cybersecurity, privacy, and supply chain risk management.

RMF implementations involve obtaining an authorization to operate (ATO) every three years.

Note: These procedures and guidance discussed in the article regarding federal information systems are derived from the Federal Information Security Modernization Act.

How Does FISMA Define a Federal Information System?

As defined in FISMA, “[t]he term ‘Federal information system’ means an information system used or operated by an executive agency, a contractor of an executive agency, or another organization on behalf of an executive agency.”

How Does FEDRAMP Ease the ATO Process?

When evaluating risks and granting Authorities to Operate (ATOs) for information systems that use cloud services, federal agencies can turn to the Federal Risk Authorization and Management Program (FedRAMP). FedRAMP helps federal agencies adopt cloud computing by establishing transparent standards and streamlined processes for security authorizations. It empowers agencies to leverage security authorizations across the government, fostering efficiency and consistency.

Through the FedRAMP provisional ATO (P-ATO), Agencies receive assurance that specific security controls have been satisfactorily met, eliminating the need to repeat the steps of the Risk Management Framework (RMF) for those controls. These P-ATOs can be issued either by the Joint Authorization Board (JAB) or directly by an authorized agency.

Cloud service providers undergo rigorous assessment and authorization procedures for each Cloud Service Offering (CSO). Once a provider obtains a P-ATO for their CSO, the associated security package becomes reusable across federal agencies. This reusability significantly reduces administrative overhead and accelerates the ATO technology process, as agencies can “inherit” the P-ATO status for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Start Free Trial Now

Start Free Trial Now

Learn more about Authorization to Operate (ATO)
Click Here

The ATO Process

1. Initial Contact with Certifying Body

• When an organization requires an ATO federal government before a product can be used, the first step is to contact the appropriate certifying body within that organization.
• This may be a specific department or team responsible for overseeing security and compliance.

2. Submission of Product Sample for Testing

• Upon contacting the certifying body, the organization will typically be required to submit a product sample for testing.
• This sample is the basis for assessing the product’s security and operational integrity.

3. Regulatory Compliance and Framework

• Compliance with regulatory frameworks like the Federal Information Security Modernization Act (FISMA) is mandatory in government organizations, such as federal agencies.
• FISMA requires federal agencies to have systems to assess and monitor security and privacy risks, ensuring that ATO processes adhere to established standards.

4. Implementation of ATO Process

• The ATO process may be implemented by various entities within government organizations, depending on the agency structure.
• This process may be managed by an inter-agency body like the Federal Risk and Authorization Management Program (FedRAMP), which provides standardized security requirements for cloud products and services.
• Alternatively, individual agencies, such as the Department of Defense (DoD), may manage their ATO processes internally through agencies like the Defense Information Systems Agency (DISA).

5. ATO Timeline and Cost Considerations

• The time required to achieve ATO accreditation can vary widely depending on the agency and the complexity of the product.
• At the DoD, ATO Accreditation is granted by an Authorizing Official (AO), formerly known as the Designated Accrediting Authority (DAA), and can take up to 3 years.
• This process may involve substantial costs, including expenses related to testing, assessment, and compliance efforts.
• The time to achieve ATO can range from 3 to 9 months, with costs varying from $90,000 to $700,000, depending on the scope and scale of the project.

Is an ATO Sufficient in Today’s Digital Environment? 

The problem with the ATO approach is that security threats aren’t static; they evolve. cATO is the evolution of this framework, which requires the continual authorization of ATO software components, such as containers, to build security into the entire development lifecycle using DevSecOps practices. 

Recent developments within federal agencies signal a shift towards a more agile and responsive framework known as Continuous Authorization to Operate (cATO). Traditional ATOs, while essential, have limitations. They provide a snapshot of security posture at a particular moment, often becoming outdated shortly after issuance. In contrast, cATOs embrace real-time or near-real-time monitoring, enabling agencies to adapt swiftly to evolving cyber threats.

The cATO Advantage

Continuous authorization offers several advantages over its traditional counterpart. Fostering ongoing visibility and response capabilities empowers agencies to address cybersecurity challenges proactively. Moreover, cATOs promote a culture of operational resilience and innovation, aligning with modern practices like DevSecOps and automation.

Charting the Path Forward

Implementing a cATO framework necessitates a robust continuous monitoring program equipped with the tools and processes to maintain situational awareness and respond effectively to security events. Agencies embarking on this journey can draw inspiration from pioneering initiatives within organizations like the General Services Administration (GSA) and the Department of Defense (DOD).

The transition from traditional ATOs to cATOs signifies a larger shift in how federal agencies approach cybersecurity and risk management. By embracing continuous authorization, agencies can navigate the complexities of today’s threat landscape with agility, resilience, and efficiency.