{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "resources",
    "type" : "single",
    "title" : "An introduction to ATOs |Digital.gov",
    "description": "An introduction to ATOs",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-ato/index.json","item" : [
    {"title" :"An introduction to ATOs","deck" : "Understand the authority to operate process","summary" : "What is an Authorization to Operate? Before you use software in government, you need to make sure it is allowed. You should know what an ATO is, and when you need one.","date" : "2023-10-18T09:39:00-05:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"lindsay-young" : "Lindsay Young"},"topics" : {
        
            "public-policy" : "Public policy",
            "security" : "Security",
            "software-engineering" : "Software engineering"
            },"primary_image" : { "uid" : "title-card-intro-ato-karpenko-ilia-istock-getty-images-604030034-dg-logo", "alt" :
  "Title card for An introduction to ATOs: Understand the authority to operate process. On the dark gray background, the text on the left is in green, and a circle of line drawings of computer science-related icons on the right are in black, green, and white.", "width" :
  "1200", "height" :
  "630", "credit" :
  "", "caption" :
  "karpenko_ilia/iStock via Getty Images", "format" :
  "png" },"branch" : "bc-archive-content-3",
      "filename" :"an-introduction-to-ato.md",
      
      "filepath" :"resources/an-introduction-to-ato.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/resources/an-introduction-to-ato.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/resources/an-introduction-to-ato.md","slug" : "an-introduction-to-ato","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-ato/","weight" : "1","content" :"\u003ch2 id=\"what-is-an-ato\"\u003eWhat is an ATO?\u003c/h2\u003e\n\u003cp\u003eATO stands for authorization to operate, also known as \u0026ldquo;authority to operate.\u0026rdquo; Because there is no perfect, risk-free software system, the ATO process is aimed at minimizing and managing risk responsibly. This process mostly comes from the Federal Information Security Management Act (FISMA). FISMA is an effort to standardize and consolidate security review and reporting across agencies. For more information, see the \u003ca href=\"https://security.cms.gov/learn/federal-information-security-management-act-fisma\"\u003eCenters for Medicare and Medicaid Services’ helpful one-pager on FISMA.\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eYou can think of this process as having five steps. We will go over each step in depth below in \u003cem\u003eHow to ATO your system\u003c/em\u003e.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTo determine the \u003cstrong\u003esystem\u0026rsquo;s security impact level\u003c/strong\u003e, you first need to understand the risks that you are taking on.\u003c/li\u003e\n\u003cli\u003eYou need to have a clear understanding of your project. Document your software and policies with a \u003cstrong\u003eSystem Security and Privacy Plan\u003c/strong\u003e (SSPP).\u003c/li\u003e\n\u003cli\u003eThen, there is an \u003cstrong\u003eassessment\u003c/strong\u003e of your system and your security plan. 
This process reviews your SSPP and looks for ways to improve the security of your system.\u003c/li\u003e\n\u003cli\u003eOnce outstanding risks are identified, the Authorizing Official (AO) signs off on remaining risk in an \u003cstrong\u003eATO memo\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eThis process doesn\u0026rsquo;t end. Create a \u003cstrong\u003ePlan of Action and Milestones\u003c/strong\u003e (POA\u0026amp;M) to help you create and maintain security improvements. Continue to monitor and update your system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"why-do-we-need-atos\"\u003eWhy do we need ATOs?\u003c/h2\u003e\n\u003cp\u003eWhen it comes to ATOs, fun is mandatory! You need to complete the ATO process before you use, buy, or build software for the government.\u003c/p\u003e\n\u003cp\u003eATOs can feel very bureaucratic—but they can also be a good opportunity to take stock of what you have and think about how to make it better. Of course, there are ways to improve the system, but I can honestly say that this process can make your software more secure if you approach it intentionally. If you treat the experience only as a paperwork exercise, you will be missing out on ways to improve your product. Improving privacy and security is a way to protect your users and your agency.\u003c/p\u003e\n\u003ch2 id=\"roles-and-responsibilities\"\u003eRoles and responsibilities\u003c/h2\u003e\n\u003cp\u003eIt takes many people to collaborate on an ATO, but here are three key roles to understand so you\u0026rsquo;ll know who to talk to, and what their responsibilities are.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Owner\u003c/strong\u003e\u003cbr /\u003e\n\u003cstrong\u003eResponsibilities:\u003c/strong\u003e Overall procurement, development, integration, modification, operation, maintenance, and retirement of a system. 
They will work with the team to create documentation, and they are responsible for making sure the team makes security fixes in a timely manner.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation System Security Officer\u003c/strong\u003e (ISSO)\u003cbr /\u003e\n\u003cstrong\u003eResponsibilities:\u003c/strong\u003e Research, develop, implement, test, and review an organization\u0026rsquo;s information security. They assess the impacts of new systems and system modifications, review the ATO package, and they may have contracts for penetration testing, etc. This person usually works as a liaison to the agency\u0026rsquo;s security team. Your agency may also have \u003cstrong\u003eInformation System Security Managers\u003c/strong\u003e (ISSM) supporting the ISSO.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorizing Official\u003c/strong\u003e (AO)\u003cbr /\u003e\n\u003cstrong\u003eResponsibilities:\u003c/strong\u003e Signs a memo that accepts the risks of a system. This person is personally liable for that risk. They will be your agency\u0026rsquo;s Chief Information Officer (CIO) or someone designated by the CIO. A huge part of the ATO process is educating the AO on what the risks to the system are. You also want to make sure your paperwork is detailed enough so that it can be a good resource if there is an audit. The risks that they are taking are not trivial.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"how-to-ato-your-system\"\u003eHow to ATO your system\u003c/h2\u003e\n\u003cp\u003eHow this process is interpreted and administered across agencies varies. The best advice is to talk early and often to the person or team that will be assessing your system and find out what works best for them.\u003c/p\u003e\n\u003cp\u003eSharing a \u003ca href=\"https://product-guide.18f.gov/define/roadmap/\"\u003eproduct roadmap\u003c/a\u003e can help other teams that you work with understand what your future needs may be. 
Waiting too long to talk to security will make the process take longer. The ATO process is a communication exercise, so creating your documentation as your system grows can be helpful. You also need to talk to your security team to know what kind of documentation they need and how they like things documented. If you start those conversations too late, it may take more time to make changes to meet requirements.\u003c/p\u003e\n\u003cp\u003eHere is an overview of the five steps you need for a federal ATO. As you begin, check out the \u003ca href=\"https://handbook.tts.gsa.gov/launching-software/lifecycle/\"\u003elifecycle of a launch\u003c/a\u003e, which outlines how to prepare for ATOs at GSA. It has a lot of good advice that is transferable to other agencies.\u003c/p\u003e\n\u003ch3 id=\"1-system-security-impact-level\"\u003e1) System security impact level\u003c/h3\u003e\n\u003cp\u003eFirst, you want to understand what kind of impact a disaster or attack on your data would have on the public and your agency. You can figure this out by completing the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standards (FIPS) 199 worksheet (PDF, 80 KB, 13 pages)\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eSecurity impact level is a combination of the following three questions:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eHow \u003cstrong\u003econfidential\u003c/strong\u003e is the system\u0026rsquo;s data?\u003cbr /\u003e\na. Are there secrets or private information that you need to protect?\u003cbr /\u003e\nb. Is there personally identifiable information (PII), contract data, or other special kinds of data?\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eWhat is the importance of the system\u0026rsquo;s \u003cstrong\u003eintegrity\u003c/strong\u003e?\u003cbr /\u003e\na. What would be the impacts of the system getting defaced?\u003cbr /\u003e\nb. 
What could happen if the data was altered?\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eHow important is the \u003cstrong\u003eavailability\u003c/strong\u003e of the data?\u003cbr /\u003e\na. What are the impacts of things like downtime?\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor each question, you categorize the impact as low, medium, or high. The system\u0026rsquo;s security impact level will be the highest answer to the three questions. This will result in your system being classified as either FISMA low, FISMA moderate, or FISMA high.\u003c/p\u003e\n\u003cp\u003eYou will notice that the above questions are about the substance of the system and its data. This doesn\u0026rsquo;t account for where something is hosted or which technologies are used; that will come up in the next step of the process. Also, keep in mind that this is a scale for every information technology (IT) system in government. Sometimes, people can confuse importance with FISMA levels. Just because something is designated as “FISMA low,” that doesn\u0026rsquo;t mean that it\u0026rsquo;s not important. 
Try to follow the prompts of the worksheet with reasonable answers to figure out your designation.\u003c/p\u003e\n\u003cp\u003eThis is also a good time to research any \u003ca href=\"https://pra.digital.gov/\"\u003ePaperwork Reduction Act\u003c/a\u003e (PRA) or Privacy Act requirements, and find out if your project needs a System of Record Notice (SORN).\u003c/p\u003e\n\u003ch3 id=\"2-system-security-and-privacy-plan\"\u003e2) System Security and Privacy Plan\u003c/h3\u003e\n\u003cp\u003eThe System Security and Privacy Plan (SSPP), also known as the System Security Plan (SSP), is where you document how the project operates and its security measures.\u003c/p\u003e\n\u003cp\u003eIn this document, you will:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDiagram the system in detail\u003c/li\u003e\n\u003cli\u003eExplain who uses your system and how they use it\u003c/li\u003e\n\u003cli\u003eProvide technical and policy documentation for the project\u003c/li\u003e\n\u003cli\u003eGive thoughtful answers to security questions\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\n\n\n\u003cdiv class=\"image\"\u003e\n  \u003cimg\n        src=\"https://s3.amazonaws.com/digitalgov/cloudgov-diagram-web-app-api.png\"alt=\"Users connect to a load balancer, then connect to a cloud.gov router. The router connects to a website, and an API that reads a database.\"/\u003e\u003cp\u003eDiagram of a Web app and API running on cloud.gov.\u003c/p\u003e\u003c/div\u003e\n\n\n\u003cp\u003eThe security questions come from the National Institute of Standards and Technology (NIST). NIST creates security considerations called \u0026ldquo;controls.\u0026rdquo; The higher the security level impact (FISMA Level), the more controls your project will be responsible for. Some controls will be already taken care of by your agency or hosting platform.\u003c/p\u003e\n\u003cp\u003eMany controls can be covered by implementing software correctly, like making sure your website has the logs it needs. 
Other controls touch on policy and the human element. For example, someone needs to be responsible for making sure accounts are being kept up-to-date, and that people don’t have access to systems after they leave. Take a look at the \u003ca href=\"https://engineering.18f.gov/security/\"\u003esecurity section of the TTS engineering practices guide\u003c/a\u003e. It provides technical advice on implementing and documenting your ATO.\u003c/p\u003e\n\u003cp\u003eThese controls are defined in \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final\"\u003eNIST Special Publication (SP) 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations\u003c/a\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePart A: \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/a/r5/final\"\u003eSP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePart B: \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final\"\u003eNIST SP 800-53B, Control Baselines for Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTo look up controls, you can use the section that details \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final\"\u003eControl Baselines for Information Systems and Organizations\u003c/a\u003e. Agency chief information security officer (CISO) shops usually have additional guidance for select controls on how to apply these standards to your project.\u003c/p\u003e\n\u003cp\u003eFor an overview of NIST Controls, read \u003ca href=\"https://digital.gov/resources/an-introduction-to-security-and-privacy-controls/\"\u003eAn introduction to security and privacy controls\u003c/a\u003e.\u003c/p\u003e\n\u003ch3 id=\"3-assessment\"\u003e3) Assessment\u003c/h3\u003e\n\u003cp\u003eThe purpose of the ATO assessment is to have experts verify the documentation your team puts together. 
This is where an Information System Security Officer (ISSO) and/or an Information System Security Manager (ISSM) will look for proof that your system is as you say it is, and that you are following the policies you outlined in your SSP. The proof is saved as an artifact. These artifacts may be things like documentation of policies, results from scan reports, or screenshots that prove the system is working as expected.\u003c/p\u003e\n\u003cp\u003eThe assessors will also look for vulnerabilities in your product, and ways to make your project more secure. This process varies widely depending on who is doing the assessment, what your agency\u0026rsquo;s policies are, and how risky your project is. You will probably need software scans to check for any software that is out of date and check that the system settings are secure. You may also need things like penetration testing, where a specialized security tester is authorized to exploit the system and try to find flaws in your system.\u003c/p\u003e\n\u003ch3 id=\"4-ato\"\u003e4) ATO\u003c/h3\u003e\n\u003cp\u003eAfter the authorizing official (AO) reviews the SSPP and Assessment package, the ATO memo is signed by the AO, ISSO, and System Owner. The AO will usually rely on the opinions of the ISSO about when the project is ready to launch and what risks are acceptable.\u003c/p\u003e\n\u003cp\u003eThis is also a human process. The project team needs to build trust with the assessment team and IT leadership. That is an important part of reaching an agreement on an ATO in a timely manner.\u003c/p\u003e\n\u003ch3 id=\"5-poam-and-monitoring\"\u003e5) POA\u0026amp;M and monitoring\u003c/h3\u003e\n\u003cp\u003eThe ATO process doesn\u0026rsquo;t end once the product is approved. The system owner is responsible for continuing to comply with rules and regulations. 
That means things like following the practices and policies you said you would do in your SSPP.\u003c/p\u003e\n\u003cp\u003eThe agency\u0026rsquo;s security team usually supports projects with things like regular security scans and alerts for when software the project is using is dangerously out of date. When those issues come up, it is the System Owner\u0026rsquo;s responsibility to make sure software risks are addressed in a timely manner. The agency\u0026rsquo;s security team will work with the system owner to document risks in a Plan of Action \u0026amp; Milestones (POA\u0026amp;M). This will record things like when software needs to be updated, and when those updates are complete. As an example, see the \u003ca href=\"https://www.fedramp.gov/assets/resources/templates/FedRAMP-POAM-Template.xlsm\"\u003eFedRAMP Plan of Action and Milestones (POA\u0026amp;M) template (XLS, 70 KB, 3 worksheets)\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAs the system changes, the system owner needs to work with the security team to update the SSPP documentation. This process is called a Significant Change Request (SCR). For example, if your website is adding a new service like emailing updates to users, this adds new technical tools and data to your system; you’ll need to go through the SCR process to gain permission.\u003c/p\u003e\n\u003cp\u003eFinally, you will also need to follow your agency\u0026rsquo;s policies for renewing or updating your ATO. 
That may mean redoing this process every several years, or reviewing a subset of the process every year to make sure the SSPP is up to date.\u003c/p\u003e\n\u003ch2 id=\"presentation-video\"\u003ePresentation video\u003c/h2\u003e\n\u003cp\u003eWatch the 19-minute video, Beginner\u0026rsquo;s guide: Getting started with ATOs, for an overview of the authorization to operate process with practical advice to help authorize your system for the first time.\u003c/p\u003e\n\u003cdiv\n  class=\"video\"\n  style=\"position: relative; padding-bottom: 56.25%; padding-top: 30px; height: 0; overflow: hidden;\"\n\u003e\n  \u003ciframe src=\"https://www.youtube.com/embed/vOPO2a33Bak\" title=\"Beginner\u0026#39;s guide: Getting started with ATOs\" style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%;\" allowfullscreen=\"\" frameborder=\"0\" \u003e\u003c/iframe\u003e\n\u003c/div\u003e\n"}
  ]
}
