Introducing the ATO Field Guide

Today, Ad Hoc is releasing an ATO Field Guide to inform the public, our customers, and our partners about how federal web applications are authorized to operate on behalf of the American people, and provide a basic introduction to federal risk management and information security concepts. The guide includes an overview of the ATO process, the laws and standards that have shaped its evolution, a glossary of key terms and acronyms, and links to further information and authoritative sources.

Since its founding in 2014, Ad Hoc has had the privilege of building and operating safe and secure digital services on behalf of the federal government. The opportunity to serve the public by bringing the technical expertise of the private sector to the challenges of government comes with a responsibility to help protect the nation’s information systems.

In order to safeguard their systems, federal government agencies are required to assess the risks and harm that could result from a compromise. They’re required to have information security programs to manage these risks and implement appropriate security controls. The risks and controls for each information system within an agency are documented and signed off on by a senior agency official as an Authorization To Operate (ATO).

These responsibilities are detailed in the Federal Information Security Management Acts of 2002 and 2014 (FISMA), which require each agency to develop, document, and implement an agency-wide information security program. In response to FISMA 2002, the National Institute of Standards and Technology (NIST) created a Risk Management Framework to provide guidance on how federal agencies could fulfill these obligations.

The process of securing systems for the federal government is often seen as difficult and complex. Developers who haven’t worked in the government space can be intimidated by the requirements, sometimes seeing the ATO process as a roadblock to rapid innovation. At Ad Hoc, we believe that agile product teams should see the risk management framework as a useful guide to building secure, well-documented applications at every stage of their life cycle. It’s critical for development teams to understand how the ATO process works and integrate it into their development process from inception to launch and beyond.

As part of our mission to build things that matter, Ad Hoc partners with our government customers to maintain their ATOs and operate securely. We’ve developed extensive internal training materials to help our team members understand this process, and we hope that by sharing some of what we’ve learned, we can help everyone who builds government digital services.

We’re also interested in helping increase public awareness of the effort our government puts into keeping our nation’s critical information systems secure. The requirements of FISMA and the ATO process are key tools in the effort to ensure that America’s information infrastructure continues to stay safe and reliable, even as federal agencies push forward with technical modernization. As we help build a digital-first government, Ad Hoc remains committed to supporting government risk management in collaboration with all our customers and partners.