It is not just important. It is imperative. It is mandatory. But it is hard to achieve!
We find that many Software as a Service (SaaS) providers still struggle to accept that selling cloud application solutions and services to the government and the DoD requires those solutions to be authorized by the government first. In the realm of application development, securing an Authorization to Operate (ATO) is a prerequisite before an agency can deploy the application for its users.
ATO is defined as an official decision by an organization, explicitly accepting the associated risks to various facets of the business. This acceptance is based on the implementation of an agreed-upon set of security controls. For cloud services aligning with Joint Authorization Board (JAB) standards, there exists the possibility of obtaining a Provisional Authorization to Operate (P-ATO). This requires evidence of commitment from six agencies intending to use the cloud services. The JAB, consisting of CIOs from the General Services Administration (GSA), Department of Defense (DoD), and the Department of Homeland Security (DHS), may issue a P-ATO after reviewing the cloud service for government-wide application.
Components of ATO Package
An ATO package comprises essential documentation for the security control assessment, providing Authorizing Officials (AO) with the necessary information to make informed, risk-based decisions. Key components include the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M). Additionally, agencies may opt to include a Risk Assessment Report (RAR) as part of the security authorization package.
The Six-Step ATO Process
- Categorize the System: Classify the system within the client-agency organization based on potential adverse impacts, considering security objectives like confidentiality, integrity, and availability.
- Select Baseline Security Controls: Choose relevant baseline security controls to evaluate their effectiveness in securing the application.
- Implement Security Controls: Deploy selected security controls within the client’s enterprise architecture, focusing on custom code and configuration.
- Assess Security Controls: Collaborate with the client’s cybersecurity team to evaluate the effectiveness of security controls, including penetration testing and a comprehensive review process.
- Authorize Information System: Schedule and prioritize the system assessment, followed by a cross-functional team review of ATO documentation. Once approved, the AO signs the ATO memo.
- Monitor Security Controls: Implement continuous monitoring of controls, addressing security notifications and updating relevant documentation.
Project Hosts’ GSS One platforms support SaaS providers and Cloud Solution Providers (CSPs) in two ways:
Our GSS One Azure has achieved three additional ATOs recently. This brings the total number of ATOs for our GSS One – Azure to thirty-four (34) and counting.
Our GSS One AWS has now achieved FedRAMP High “In-Process” status for an authorization by the FedRAMP Joint Authorization Board (JAB) and is ready to onboard SaaS providers on AWS.
Utilizing our innovative GSS One platform, and our FasTrack onboarding process, we are not only setting new efficiency standards in the industry, but also empowering Cloud SaaS providers and CSPs to excel in a competitive government market. This achievement reaffirms Project Hosts’ commitment to delivering Cloud Compliance as a Service solutions that meet the highest standards of confidentiality, integrity, availability, and security recognized by the U.S. government.