ATO
Authorization to Operate Field Guide

Illustration of two trucks lifting a shield and a key towards data storage devices.

This guide is an introduction to the basics of attaining an Authorization To Operate for systems on behalf of the federal government. We hope it can help agile product teams understand how the ATO process works and integrate it into their development process from inception to launch and beyond.

Special thanks to Craig Butler and Casey Douglas for writing this field guide.

What is ATO

Authorization to Operate (ATO), sometimes called Authority to Operate, is the official management decision given by a senior government official (the Authorizing Official) to authorize operation of an information system on behalf of a federal agency and to explicitly accept the risk to organizational operations, organizational assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls.

Every information system operated by or on behalf of the U.S. federal government is required to meet Federal Information Security Modernization Act (FISMA) standards, which include system authorization and an ATO signed by an Authorizing Official (AO), who thereby takes responsibility for the security and risks associated with operating that system. The AO is generally a very high-ranking official within a federal agency, such as a Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Deputy Secretary. In order to convince the AO to sign off on an ATO, the security posture of the information system must be thoroughly documented.

The government official who is considered primarily responsible for completing the ATO process is called an Information System Security Officer (ISSO). ISSOs report to the agency’s senior Information Security Officer, Authorizing Official, management official, or information system owner. This may be the CIO, CISO, or CTO for the agency, or some other official within the agency responsible for information security. An ISSO is responsible for managing the security posture of information systems and programs, and will help to coordinate assembly of the Authorization Package for the AO’s approval.

Whenever a new software application or information system is being built by or for the federal government, it will have an ISSO assigned to it. ISSOs within federal agencies typically oversee multiple information systems, and they will clarify the agency-specific processes and documentation required to secure an ATO. It’s critical for technical staff on vendor teams to have a good relationship with their program’s ISSO and work with them to ensure that the program receives its ATO.

This guide is intended to acquaint people new to the government technology industry with the basics of an ATO. Achieving a signed ATO is a critical step in the process of creating a new software application for a federal agency, so it’s important for everyone who works on such applications to be conversant in the language used to discuss ATOs.

Risk Management Framework

For all federal agencies, the Risk Management Framework (RMF) describes the process that must be followed to secure, authorize, and manage information systems. The RMF defines a process cycle that is used for initially securing the protection of systems through an ATO and integrating ongoing monitoring.

Illustration showing the six stages of the risk management framework on a circle with arrows pointing from one stage to the next. The six stages are categorize, select, implement, assess, authorize, and monitor.

The RMF is a six-step process, most commonly associated with NIST SP 800-37, for architecting and engineering a data security process for new information systems. It sets out the best practices and procedures each federal agency must follow when enabling a new system.

Step 1: Categorize

Categorization is based on an impact analysis and is performed to determine the types of information included within the authorization boundary, security requirements for the information type, and potential impact resulting from a security compromise. Agencies are required to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability and to select appropriate security controls.

Step 2: Select

Controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system that protect the confidentiality, integrity, and availability of the system and its information. The specific controls required to protect the system are based on the categorization of the system.

Step 3: Implement

Controls specified in the System Security Plan (SSP) are implemented by taking into account NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations and the minimum organization requirements (i.e., organizationally defined parameters).

Step 4: Assess

An assessment of the security controls follows an approved plan to determine the effectiveness of the controls in meeting the security requirements of the system. The security assessor conducts a comprehensive, full-scope assessment of the security controls and control enhancements employed within or inherited by an information system to determine the overall effectiveness of the controls.

Step 5: Authorize

The residual risks identified during the security control assessment are evaluated, and the determination is made to authorize the system to operate, deny its operation, or remediate the deficiencies.

Step 6: Monitor

After the ATO is granted, ongoing monitoring is performed on all identified security controls and any changes to the system or its environment are documented and reviewed.

Security objectives

The Federal Information Processing Standards (FIPS) define three security objectives for information and information systems:

Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...”
[44 U.S.C., Sec. 3542]

A loss of confidentiality is the unauthorized disclosure of information.

Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...” [44 U.S.C., Sec. 3542]

A loss of integrity is the unauthorized modification or destruction of information.

Availability

“Ensuring timely and reliable access to and use of information...” [44 U.S.C., Sec. 3542]

A loss of availability is the disruption of access to or use of information or an information system.

Impact categorization

Every information system that has an ATO must be classified into one of three levels of potential impact to organizations and individuals should there be a breach of security (defined as a loss of confidentiality, integrity, or availability). FIPS Publication 199 defines these three levels as:

Illustration of a circle barely filled with color.

Low

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Illustration of a circle filled halfway with color.

Moderate

The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Illustration of a circle filled nearly all the way with color.

High

The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, has more detailed definitions of these levels.
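The categorization described above, worked through in code. This is an added example and not part of the original field guide; it goes slightly beyond the text by applying the FIPS 199 rule that a system's category for each objective is the highest impact among the information types it handles, and the FIPS 200 "high water mark" rule that the overall system impact level (which selects the NIST SP 800-53B baseline) is the highest of the three objective values. The information types and their impact values are constructed samples.

```python
"""FIPS 199 security categorization of an information system (added example).

Per-objective category = highest impact across the system's information
types (FIPS 199); overall impact level = highest of the three objectives,
the FIPS 200 high water mark. Sample data below is constructed.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information handled inside the authorization boundary."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        level = getattr(self, objective)
        if level not in LEVELS:
            raise ValueError(
                f"{self.name}: {objective} impact {level!r} must be low, moderate or high"
            )
        return level


def _max_level(levels):
    # Compare by rank so "high" beats "moderate" beats "low".
    return max(levels, key=LEVELS.__getitem__)


def system_security_category(info_types):
    """FIPS 199: per-objective category is the max over all information types."""
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    return {obj: _max_level([t.impact(obj) for t in info_types]) for obj in OBJECTIVES}


def high_water_mark(category):
    """FIPS 200: the system impact level is the highest of the three objectives.

    This single value (low, moderate or high) picks the SP 800-53B baseline.
    """
    return _max_level(category.values())


def format_sc(name, category):
    """Render in FIPS 199 notation: SC system = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a benefits-enrollment system holding applicant PII,
# scheduling data, and publicly available program information.
SAMPLE_SYSTEM = [
    InformationType("applicant PII", "high", "moderate", "moderate"),
    InformationType("appointment scheduling", "moderate", "moderate", "moderate"),
    InformationType("public program FAQ", "low", "low", "low"),
]

if __name__ == "__main__":
    cat = system_security_category(SAMPLE_SYSTEM)
    print(format_sc("benefits enrollment", cat))
    print("overall impact level (high water mark):", high_water_mark(cat))
```
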

Control selection

Security and privacy control baselines serve as a starting point for the protection of information, information systems, and individuals’ privacy. NIST SP 800-53B defines these security and privacy control baselines. The three defined control baselines contain sets of security controls and control enhancements that offer protection for information and information systems that have been categorized as low-impact, moderate-impact, or high-impact.

These are the security and privacy control families for information systems in NIST SP 800-53 rev. 5. Specific controls and control enhancements are found within each control family.

ID  Control family
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PS  Personnel Security
PT  PII Processing and Transparency
PE  Physical and Environmental Protection
PL  Planning
PM  Program Management
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
SR  Supply Chain Risk Management

NIST SP 800-53B, Control Baselines for Information Systems and Organizations, has more detailed information on baselines.

Control implementation

A team must implement the selected security controls and document all the processes and procedures they need to maintain their operation. This includes implementing the security controls and documenting the security control implementation details, as appropriate, in the security plan.

There are three types of control implementation:

Illustration of white building blocks with one green block in the middle.

System-specific

System-specific controls are security controls that provide a security capability for a particular information system only and are the primary responsibility of information system owners and their AO.

Illustration of building blocks that are all green.

Common

Common controls are security controls that can support multiple information systems efficiently and effectively as a common capability. When these controls are used to support a specific information system, they are referenced by that specific system as inherited controls.

Illustration of building blocks that are all half white and half green.

Hybrid

Hybrid controls are security controls where one part of the control is deemed to be common and another part of the control is deemed to be system-specific.

Assessment

The purpose of assessing security controls is to ensure they were implemented correctly, operate as intended, and successfully meet the security requirements for the information system. Assessments are required prior to system authorization and annually to ensure that the security measures are working effectively.

A full-scope assessment of all security controls must be performed prior to the initial ATO, and the ATO must be renewed every three years. Each year, one third of the controls are tested so that by the end of the third year, all controls have been tested for the ATO renewal. A full-scope assessment of the controls can be required if significant changes to the information system are made at any time throughout the lifecycle.
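The assessment cadence just described, as an added example that is not code from the original field guide: controls are split into three annual cohorts so that every control is tested by the three-year renewal, and a significant change drops back to full scope. The control identifiers are a constructed sample, and the round-robin cohort assignment is an assumption for illustration, not an agency rule.

```python
"""Continuous-assessment schedule for a three-year ATO cycle (added example).

Assumptions: cohorts are assigned round-robin over the sorted control IDs,
and dates are ISO strings (YYYY-MM-DD). Control IDs below are a constructed
sample of NIST SP 800-53 identifiers.
"""
from datetime import date

YEARS_PER_ATO = 3


def annual_cohorts(control_ids):
    """Split the control set into three cohorts, one per year of the ATO cycle."""
    ordered = sorted(set(control_ids))
    return [ordered[i::YEARS_PER_ATO] for i in range(YEARS_PER_ATO)]


def cycle_year(ato_granted, today):
    """0-based year within the current cycle; the ATO is renewed every three years."""
    granted, now = date.fromisoformat(ato_granted), date.fromisoformat(today)
    if now < granted:
        raise ValueError("assessment date precedes ATO grant")
    # Whole years elapsed, counting a year only once its anniversary has passed.
    before_anniversary = (now.month, now.day) < (granted.month, granted.day)
    elapsed = now.year - granted.year - (1 if before_anniversary else 0)
    return elapsed % YEARS_PER_ATO


def controls_due(control_ids, ato_granted, today, significant_change=False):
    """Controls to assess this year; a significant change forces full scope."""
    if significant_change:
        return sorted(set(control_ids))
    return annual_cohorts(control_ids)[cycle_year(ato_granted, today)]


def renewal_coverage_complete(control_ids):
    """Check that the three annual cohorts partition the full control set."""
    cohorts = annual_cohorts(control_ids)
    union = set().union(*cohorts)
    disjoint = sum(len(c) for c in cohorts) == len(union)
    return disjoint and union == set(control_ids)


# Constructed sample of SP 800-53 control identifiers inside the ATO boundary.
SAMPLE_CONTROLS = ["AC-2", "AC-3", "AU-2", "CM-6", "IA-2", "IR-4", "SC-7", "SI-4"]

if __name__ == "__main__":
    for year in ("2022-06-01", "2023-06-01", "2024-06-01"):
        print(year, controls_due(SAMPLE_CONTROLS, "2022-03-15", year))
    print("full scope after significant change:",
          controls_due(SAMPLE_CONTROLS, "2022-03-15", "2023-06-01", significant_change=True))
```
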

There are currently two approaches for completing assessments:

Illustration of a clipboard with the acronym SCA on it.

Security Control Assessment

A Security Control Assessment (SCA) is a systematic, manual procedure for evaluating, describing, testing, and examining information system security controls.

Illustration of a clipboard with the acronym ACT on it.

Adaptive Capabilities Testing

Adaptive Capabilities Testing (ACT) is an agency-specific, next-generation assessment based on NISTIR 8011 that relies heavily on automation and focuses on capabilities rather than individual controls.

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, has more detailed information about assessing security controls.

NISTIR 8011, Automation Support for Security Control Assessments, has more detailed information about automated assessments and capabilities.

Authorization package

In order to satisfy an agency’s requirements for a completed ATO, a team must complete a set of documents called the “authorization package” that fully describe the security controls that are in place to protect the information system. NIST SP 800-37 defines the authorization package as:

The essential information that an authorizing official uses to determine whether to authorize the operation of an information system or the provision of a designated set of common controls. At a minimum, the authorization package includes an executive summary, system security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.

The exact process and document titles vary from agency to agency, but in general the most common required document names are:

System Security Plan (SSP)
A formal document that provides an overview of the security controls, whether in place or planned, and implementation details for meeting those requirements. This document summarizes the overall approach taken to address each of the control families. Sometimes the SSP document includes the NIST SP 800-53 security and privacy controls; other agencies prefer to break the details of those out into a supplemental document.
Privacy Impact Assessment (PIA)
An analysis of how information is handled that ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. Determines the risks and effects of collecting, maintaining, and disseminating information in an identifiable form in an electronic information system. Examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks. Defined and required by Office of Management and Budget memorandum OMB M-03-22.
Privacy Threshold Assessment (PTA)
A questionnaire used to determine if a system contains personally identifiable information (PII), whether a PIA is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system. A PTA should be completed when proposing a new information technology system through the budget process that will collect, store, or process identifiable information, when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed. A PTA will determine if a PIA is required.
Risk Assessment (RA)
A document that identifies risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation resulting from the operation of an information system. Part of risk management, an RA incorporates threat and vulnerability analyses and considers mitigations provided by security controls or privacy controls planned or in place. Synonymous with risk analysis.
Incident Response Plan (IRP)
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s information system(s).
Disaster Recovery Plan (DRP)
A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
ATO Boundary Diagram
A visual layout of the information system that clearly describes the authorization boundary. This diagram shows which technology resources are included within the ATO boundary and all external connections.
Interconnection Systems Agreements / Memoranda of Understanding / Memoranda of Agreement (ISA/MOU/MOA)
Agreements between the federal agency operating an information system with an ATO and outside organizations. These agreements include details of sensitive information being shared and how it is being secured. These are generally included in ATO processes in order to clearly document how Personally Identifiable Information (PII) is being shared between the federal agency and other agencies or third parties.
Plan of Action and Milestones (POA&M or POAM)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Security Assessment Report (SAR)
Assesses the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.
Risk Assessment Report (RAR)
Assesses and documents the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by internal and external threats.

Monitoring

Risk management is a continuous process. Information systems are in a constant state of change with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate. A structured approach to managing, controlling, and documenting changes to an information system or its environment of operation is an essential element of an effective monitoring program. Strict configuration management and control processes are established by the agency to support such monitoring activities.

Security Impact Analysis (SIA) determines the extent to which proposed or actual changes to the information system or its environment of operation can affect or have affected the security state of the system. Changes to the information system or its environment of operation may affect the security controls currently in place, produce new vulnerabilities in the system, or generate requirements for new security controls that were not needed previously. If the results of the SIA indicate that the proposed or actual changes can affect or have affected the security state of the system, corrective actions are initiated and appropriate documents are revised and updated.

Trusted Internet Connections (TIC)

In 2007, OMB published M-08-05 announcing the Trusted Internet Connections (TIC) initiative. At the time, there was no uniformity or policy around the gateways used by federal networks to connect to the internet. As a result, federal agency internet connections were inconsistent, insecure, and insufficient in the face of increasing risks of vulnerability exploitation and data exfiltration.

To address these concerns, the TIC initiative sought to improve the security of connections between internal federal agency networks and the internet. The initiative’s goal was to reduce the number of these connections to 50 or fewer, in order to permit centralized monitoring and security of all traffic between federal networks and the public internet.

Illustration showing an agency building with an arrow pointing to a set of doors representing a trusted internet connection, then an arrow leading to a globe that represents the internet.

All traffic between federally controlled networks and the internet must pass through a Trusted Internet Connection. This is a requirement for any ATO process; no information system or web application intended for use by the federal government will be granted an ATO unless its traffic is routed through a TIC.

Maintaining ATO

An ATO is valid for three years, based on the assumption that the system’s security posture won’t change significantly during that time period. This assumption that significant changes won’t occur may be unrealistic because of agile software development practices, which facilitate and embrace change. As significant changes are inevitably made, the ATO becomes insufficient, resulting in a need to reassess and reauthorize the system. The RMF offers a structured process to integrate information security and risk management activities into the system development life cycle.

Glossary

This is a glossary of important terms to understand in relation to the ATO process.

ACT
See Adaptive Capabilities Testing below.
Adaptive Capabilities Testing (ACT)
An agency-specific next generation assessment based on NISTIR 8011, relying heavily on automation and focusing on capabilities rather than individual controls.
AO
See Authorizing Official below.
Authorization Boundary
All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected. NIST glossary entry for Authorization Boundary.
Authorizing Official (AO)
A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation. NIST glossary entry for Authorizing Official.
EINSTEIN
The federal government’s intrusion detection and response system. All network traffic passing through a TIC is routed through EINSTEIN in order to protect federal networks from malicious traffic and attacks. Additionally, all traffic passing through EINSTEIN is analyzed for persistent long-term threat patterns. CISA reference for EINSTEIN.
Federal Information Security Modernization Act (FISMA)
FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal executive branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies. CISA reference for FISMA.
Federal Information Processing Standards (FIPS)
Standards created by NIST that federal information systems are required to follow. These include the standards for cryptographic algorithms and the minimum security controls required by federal information systems. Current FIPS Standards.
Federal Risk and Authorization Management Program (FedRAMP)
A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All cloud services used by federal information systems must be FedRAMP-approved in order to be granted an ATO. FedRAMP website.
FedRAMP
See Federal Risk and Authorization Management Program above.
FIPS
See Federal Information Processing Standards above.
FIPS 199
Standards for Security Categorization of Federal Information and Information Systems. This publication establishes the definitions of the security categorization: Low, Moderate, and High. Each security categorization requires a different level of documentation and security. FIPS publication 199.
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems. Provides an overview of the security controls required to secure and authorize federal information systems. FIPS publication 200.
FISMA
See Federal Information Security Modernization Act above.
Information System Security Officer (ISSO)
Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program. NIST glossary entry for ISSO.
Interconnection Security Agreement (ISA)
A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection. NIST glossary entry for ISA.
ISA
See Interconnection Security Agreement above.
ISSO
See Information System Security Officer above.
Memorandum of Understanding or Agreement (MOU/MOA)
A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. NIST Glossary entry for MOU/MOA.
MOA
See Memorandum of Understanding or Agreement above.
MOU
See Memorandum of Understanding or Agreement above.
National Institute of Standards and Technology (NIST)
Article 1, section 8, of the Constitution of the United States (1789) requires Congress to “fix the standard of weights and measures.” NIST is the non-regulatory agency in the Department of Commerce that determines those standards, including everything from the official U.S. definition of inches and pounds to the definition of time itself. Their complete dominion over how we quantify the universe itself includes setting the standards for information technology security that U.S. federal agency information systems are required to follow in order to attain their ATO. NIST website.
NIST
See National Institute of Standards and Technology above.
NIST SP 800-37
The document that defines the Risk Management Framework for Information Systems and Organizations. This document lays out the NIST standards for evaluating and managing the risks inherent in operating information systems. It is considered authoritative by most federal agencies in their ATO determinations and lays out the basic evaluation process followed by most agencies in preparing their Authorization Package. The current revision of this is NIST 800-37 Revision 2.
NIST SP 800-53
The definition of Security and Privacy Controls for Federal Information Systems and Organizations. It consists of hundreds of specific security controls that must be addressed before a federal information system can be considered secure. The current revision of this standard is NIST 800-53 Revision 5. A companion volume, NIST 800-53Ar4, provides guidance on assessing the security of federal information systems.
Office of Management and Budget (OMB)
OMB is the office within the Executive Office of the President of the United States that produces the president's budget and ensures federal agency compliance with the president's programs, policies, and procedures. It is also responsible for creating initiatives across executive branch agencies. The OMB director reports to the president, vice president, and the White House chief of staff.
OMB
See Office of Management and Budget above.
OMB M-19-26
2019 OMB Memorandum outlining TIC use cases for newer technologies such as cloud services. OMB M-19-26 full memo.
OMB M-08-05
Implementation of Trusted Internet Connections (TIC). The memo that outlined the initiative to require all traffic between federal networks and the internet to pass through a TIC. OMB M-08-05 full memo.
OMB M-03-22
OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. This memorandum established the need for Privacy Impact Analysis (PIA) of federal information systems. OMB M-03-22 full memo.
PIA
See Privacy Impact Assessment below.
Plan of Action and Milestones (POA&M or POAM)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. NIST glossary entry for POAM.
POAM
See Plan of Action and Milestones above.
Privacy Impact Assessment (PIA)
A process for examining the risks and ramifications of collecting, maintaining, and disseminating information in identifiable form in an electronic information system. It's also a process for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting information in identifiable form. Consistent with the September 26, 2003, OMB guidance (M-03-22) implementing the privacy provisions of the E-Government Act, agencies must conduct privacy impact assessments for all new or significantly altered IT investments administering information in identifiable form collected from or about members of the public. Agencies may choose whether to conduct privacy impact assessments for IT investments administering information in identifiable form collected from or about agency employees. The PIA plays a vital role in the ATO process by justifying the potential impact of a compromise of the information system. NIST glossary entry for PIA.
Privacy Threshold Assessment (PTA)
A process for determining whether an information system contains Personally Identifiable Information (PII) and therefore requires a PIA.
PTA
See Privacy Threshold Assessment above.
Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. NIST glossary entry for risk assessment.
Security impact analysis (SIA)
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. NIST glossary entry for SIA.
SCA
See Security Controls Assessment below.
Security Controls Assessment (SCA)
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. NIST glossary entry for SCA.
SIA
See Security Impact Analysis above.
Trusted Internet Connections (TIC)
Internet gateways for federal networks monitored and supervised by the Department of Homeland Security in accordance with M-08-05 and subsequent guidance. It is an ATO requirement that all traffic entering or exiting from federal networks must transit through a TIC. CISA reference for TIC.
TIC
See Trusted Internet Connections above.

Additional resources