What Is an ATO for Federal Agencies?
The National Institute of Standards and Technology (NIST) defines an ATO, or an Authority to Operate, as the official management decision given by a senior federal official or officials to “authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations,” and the country, based on the deployment “of an agreed-upon set of security and privacy controls.” ATOs also apply to common controls inherited by agency information systems.
ATOs are “informed by a security authorization package including at a minimum a system security plan, security assessment report, and plan of action and milestones that detail risks relating to implementation of required controls for an information system given its FIPS 199 Security Impact level and any additional controls that are tailored in to address specific agency and/or system specific security considerations,” says General Services Administration CISO Bo Berlas.
“ATOs are traditionally issued for a three-year period and renewed every three years based on an updated security authorization package, including a new security assessment report and updated system security plan and plan of action and milestones,” Berlas adds.
Officials establish an authorization termination date as a condition of the authorization, and the date can be adjusted at any time by the authorizing official to “reflect an increased level of concern regarding the security and privacy posture of the system,” NIST states.
“For example, the authorizing official may choose to authorize the system to operate only for a short period of time if it is necessary to test a system in the operational environment before all controls are fully in place, (i.e., the authorization to operate is limited to the time needed to complete the testing objectives),” according to NIST.
What Is the Difference Between an ATO and a Continuous ATO?
In February, the Pentagon issued a memo that described the benefits of using cATOs, which the memo notes represent “a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.”
To achieve a cATO, authorizing officials “must be able to demonstrate three main competencies: On-going visibility of key cybersecurity activities inside of the system boundary with a robust continuous monitoring of RMF controls; the ability to conduct active cyber defense in order to respond to cyber threats in real time; and the adoption and use of an approved DevSecOps reference design,” the memo states.
The goal of a cATO is to “formalize and monitor the connections” across the multiple interconnected systems that make up larger IT systems “to deliver cyber resilient capabilities to warfighters at the speed of relevance,” according to the memo.
A key benefit of a cATO is continuous monitoring of the security controls within an IT system, rather than a point-in-time assessment every three years. To achieve a cATO, officials will need to show that they have real-time or near-real-time cybersecurity countermeasures they can deploy, as well as a secure software supply chain.
“Within the Army, continuous monitoring using a cATO helps us make sure the right defensive overwatch posture is in place for systems operating on the network, ensuring the network remains secure while providing the appropriate user experience,” says Army CIO Raj Iyer. “The process ensures that information systems are operating within established security standards as the Army transitions to a zero-trust architecture.”