This guide is an introduction to the basics of attaining an Authorization To Operate for systems on behalf of the federal government. We hope it can help agile product teams understand how the ATO process works and integrate it into their development process from inception to launch and beyond.
Authorization to Operate (ATO), sometimes called Authority to Operate, is the official management decision given by a senior government official (the Authorizing Official) to authorize operation of an information system on behalf of a federal agency and to explicitly accept the risk to organizational operations, organizational assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls.
Every information system operated by or on behalf of the U.S. federal government is required to meet Federal Information Security Modernization Act (FISMA) standards, which include system authorization and an ATO signed by an Authorizing Official (AO), who thereby takes responsibility for the security and risks associated with operating that system. The AO is generally a very high-ranking official within a federal agency, such as a Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Deputy Secretary. In order to convince the AO to sign off on an ATO, the security posture of the information system must be thoroughly documented.
The government official who is considered primarily responsible for completing the ATO process is called an Information Security Systems Officer (ISSO). ISSOs report to the agency’s senior Information Security Officer, Authorizing Official, management official, or information system owner. This may be the CIO, CISO, or CTO for the agency, or some other official within the agency responsible for information security. An ISSO is responsible for managing the security posture of information systems and programs, and will help to coordinate assembly of the Authorization Package for the AO’s approval.
Whenever a new software application or information system is being built by or for the federal government, it will have an ISSO assigned to it. ISSOs within federal agencies typically oversee multiple information systems, and they will clarify the agency-specific processes and documentation required to secure an ATO. It’s critical for technical staff on vendor teams to have a good relationship with their program’s ISSO and work with them to ensure that the program receives its ATO.
This guide is intended to acquaint people new to the government technology industry with the basics of an ATO. Achieving a signed ATO is a critical step in the process of creating a new software application for a federal agency, so it’s important for everyone who works on such applications to be conversant in the language used to discuss ATOs.
For all federal agencies, the Risk Management Framework (RMF) describes the process that must be followed to secure, authorize, and manage information systems. The RMF defines a process cycle that is used for initially securing the protection of systems through an ATO and integrating ongoing monitoring.
The RMF is a six-step process, most commonly associated with NIST SP 800-37, for architecting and engineering a data security process for new information systems; it lays out the practices and procedures that each federal agency must follow when enabling a new system.
Categorization is based on an impact analysis and is performed to determine the types of information included within the authorization boundary, security requirements for the information type, and potential impact resulting from a security compromise. Agencies are required to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability and to select appropriate security controls.
Controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity, and availability of the system and its information. The specific controls required to protect the system are based on the categorization of the system.
Controls specified in the System Security Plan (SSP) are implemented by taking into account NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations and the minimum organization requirements (i.e., organizationally defined parameters).
An assessment of the security controls follows an approved plan to determine the effectiveness of the controls in meeting the security requirements of the system. The security assessor conducts a comprehensive, full-scope assessment of the security controls and control enhancements employed within or inherited by an information system to determine the overall effectiveness of the controls.
The residual risks identified during the security control assessment are evaluated and the determination is made to authorize the system to operate, deny its operation, or remediate the deficiencies.
After the ATO is granted, ongoing monitoring is performed on all identified security controls and any changes to the system or its environment are documented and reviewed.
The Federal Information Processing Standards (FIPS) define three security objectives for information and information systems:
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...”
[44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...”
[44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
“Ensuring timely and reliable access to and use of information...”
[44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.
Every information system that has an ATO must be classified into one of three levels of potential impact to organizations and individuals should there be a breach of security (defined as a loss of confidentiality, integrity, or availability). FIPS Publication 199 defines these three levels as:
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, has more detailed definitions of these levels.
Security and privacy control baselines serve as a starting point for the protection of information, information systems, and individuals’ privacy. NIST SP 800-53B defines these security and privacy control baselines. The three defined control baselines contain sets of security controls and control enhancements that offer protection for information and information systems that have been categorized as low-impact, moderate-impact, or high-impact.
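As an added illustration of the categorization and baseline-selection steps described above (example code, not from this guide or from Ad Hoc), the following Python computes a system’s FIPS 199 security category from the information types it processes and names the SP 800-53B baseline that follows. The high-water-mark rule it applies is the one FIPS 200 specifies for system-level categorization, and the information types are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so that max() yields the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InformationType:
    """One information type within the authorization boundary and its C/I/A impacts."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

def categorize_system(info_types):
    """FIPS 199 security category of a system: for each objective, the highest
    impact level among all the information types the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}

def overall_impact(category):
    """High-water mark (FIPS 200): the system's overall level is the highest of
    its three objective levels; that level selects the NIST SP 800-53B baseline."""
    return max(category.values())

def baseline_name(level):
    """Name of the SP 800-53B control baseline selected by the overall level."""
    return f"{level.name.lower()}-impact baseline"

# Constructed sample data: a benefits portal handling two information types.
SAMPLE_SYSTEM = [
    InformationType("public program descriptions", Impact.LOW, Impact.LOW, Impact.MODERATE),
    InformationType("applicant PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print({k: v.name for k, v in category.items()})   # all three MODERATE
    print(baseline_name(overall_impact(category)))    # moderate-impact baseline
```

Note that the sample system lands in the moderate baseline even though no single information type is moderate across all three objectives; the per-objective maximum is what drives the result.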
These are the security and privacy control families for information systems in NIST SP 800-53 rev. 5. Specific controls and control enhancements are found within each control family.
| Identifier | Control family |
| --- | --- |
| AT | Awareness and Training |
| AU | Audit and Accountability |
| CA | Security Assessment and Authorization |
| IA | Identification and Authentication |
| PT | PII Processing and Transparency |
| PE | Physical and Environmental Protection |
| SA | System and Services Acquisition |
| SC | System and Communications Protection |
| SI | System and Information Integrity |
| SR | Supply Chain Risk Management |
NIST SP 800-53B, Control Baselines for Information Systems and Organizations, has more detailed information on baselines.
A team must implement the selected security controls and document all the processes and procedures they need to maintain their operation. This includes implementing the security controls and documenting the security control implementation details, as appropriate, in the security plan.
There are three types of control implementation:
System-specific controls are security controls that provide a security capability for a particular information system only and are the primary responsibility of information system owners and their AO.
Common controls are security controls that can support multiple information systems efficiently and effectively as a common capability. When these controls are used to support a specific information system, they are referenced by that specific system as inherited controls.
Hybrid controls are security controls where one part of the control is deemed to be common and another part of the control is deemed to be system-specific.
The purpose of assessing security controls is to ensure they were implemented correctly, operate as intended, and successfully meet the security requirements for the information system. Assessments are required prior to system authorization and annually to ensure that the security measures are working effectively.
A full-scope assessment of all security controls must be performed prior to the initial ATO, and the ATO must be renewed every three years. Each year, one third of the controls are tested, so that by the end of the third year all controls have been tested for the ATO renewal. A full-scope assessment of the controls can also be required if significant changes to the information system are made at any time during its lifecycle.
There are currently two approaches for completing assessments:
A Security Control Assessment (SCA) is a systematic, manual procedure for evaluating, describing, testing, and examining information system security controls.
Adaptive Capabilities Testing (ACT) is an agency-specific, next-generation assessment based on NISTIR 8011 that relies heavily on automation and focuses on capabilities rather than individual controls.
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, has more detailed information about assessing security controls.
NISTIR 8011, Automation Support for Security Control Assessments, has more detailed information about automated assessments and capabilities.
In order to satisfy an agency’s requirements for a completed ATO, a team must complete a set of documents called the “authorization package” that fully describe the security controls that are in place to protect the information system. NIST SP 800-37 defines the authorization package as:
The essential information that an authorizing official uses to determine whether to authorize the operation of an information system or the provision of a designated set of common controls. At a minimum, the authorization package includes an executive summary, system security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.
The exact process and document titles vary from agency to agency, but in general the most common required document names are:
Risk management is a continuous process. Information systems are in a constant state of change with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate. A structured approach to managing, controlling, and documenting changes to an information system or its environment of operation is an essential element of an effective monitoring program. Strict configuration management and control processes are established by the agency to support such monitoring activities.
Security Impact Analysis (SIA) determines the extent to which proposed or actual changes to the information system or its environment of operation can affect or have affected the security state of the system. Changes to the information system or its environment of operation may affect the security controls currently in place, produce new vulnerabilities in the system, or generate requirements for new security controls that were not needed previously. If the results of the SIA indicate that the proposed or actual changes can affect or have affected the security state of the system, corrective actions are initiated and appropriate documents are revised and updated.
In 2007, OMB published M-08-05 announcing the Trusted Internet Connections (TIC) initiative. At the time, there was no uniformity or policy around the gateways used by federal networks to connect to the internet. As a result, federal agency internet connections were inconsistent, insecure, and insufficient in the face of increasing risks of vulnerability exploitation and data exfiltration.
To address these concerns, the TIC initiative sought to improve the security of connections between internal federal agency networks and the internet. The initiative’s goal was to reduce the number of these connections to 50 or fewer, in order to permit centralized monitoring and security of all traffic between federal networks and the public internet.
All traffic between federally controlled networks and the internet must pass through a Trusted Internet Connection. This is a requirement for any ATO process; no information system or web application intended for use by the federal government will be granted an ATO unless its traffic is routed through a TIC.
An ATO is valid for three years, based on the assumption that the system’s security posture won’t change significantly during that time period. This assumption that significant changes won’t occur may be unrealistic because of agile software development practices, which facilitate and embrace change. As significant changes are inevitably made, the ATO becomes insufficient, resulting in a need to reassess and reauthorize the system. The RMF offers a structured process to integrate information security and risk management activities into the system development life cycle.
This is a glossary of important terms to understand in relation to the ATO process.
These are links to resources with further information about the ATO process.
Work with Ad Hoc to meet the federal regulatory compliance requirements for attaining ATO.