Commercial independent software vendors (ISVs) who want to do business with the Department of Defense (DoD) and the federal government must meet strict security and compliance regulations by passing an Authority to Operate (ATO) process. The stakes are high for government IT security because sensitive and even top-secret data can be found in the government cloud, making them a seductive target for attackers.
This blog post peels back the layers of the ATO process for commercial software vendors:
What’s an ATO?
Whether commercial or custom-built, every application must pass the ATO process before an agency can take the application into production for its users.
The National Institute for Standards and Technology (NIST) defines an ATO as follows:
The official management decision given by a senior organizational official to authorize the operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
There’s also a possibility to receive a Provisional Authority to Operate (P-ATO) for cloud services that satisfy the JAB authorization. Those requirements include evidence that includes six agencies are committed to using the cloud services. The Joint Authorization Board (JAB) may issue a P-ATO. When a JAB convenes, it’s to review a cloud service for government-wide use. CIOs from the General Services Administration (GSA), DoD, and Department of Homeland Security (DHS) comprise the JAB.
An ATO package includes documentation of the security control assessment. The package provides the Authorizing Official (AO) the essential information they need to make a risk-based decision about whether to authorize the operation of your application or a designated set of controls.
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
Your agency customer may choose to include a6 risk assessment report (RAR) as part of the security authorization package.
ATO: Inside the Process
Here’s an overview of the ATO process, including the cross-functional team that it requires:
Roles in the ATO Process
Successfully passing the ATO process requires a cross-functional team that brings together product, security, and ATO knowledge. The typical team roles in the ATO process are:
- Security Lead: Someone focused on the documentation and assessment of your application
- System Owner: A developer on your project team who understands the system going through the ATO process. The system owner will be the one to answer technical questions and fix issues that arise during the ATO process
- Technical Lead: A member with ATO experience who helps with assessment preparation and supports the security and system owner
ATO Process: Step by Step
The ATO process includes six steps:
1. Categorize the System with the Agency Infrastructure
The first step of the ATO process is to categorize your system within the client-agency organization based on the potential adverse impact on the agency’s mission. Your agency customer will determine the overall risk level for your application based on the following security objectives:
- Confidentiality
- Integrity
- Availability
Delineating and documenting the purpose of the system for your federal client is necessary at this stage because the team will need to categorize the system as having low, moderate, or high impact. The team also needs to categorize the system as GSS, MA, minor application, or subsystem.
2. Select Baseline Security Controls
They select the relevant baseline security controls to determine their effectiveness in securing your application. Security controls are the management, operational and technical safeguards or countermeasures employed within a federal agency’s information system that protect the confidentiality, integrity, and availability of the system and its information.
3. Implement Security Controls
Implement the security controls for your application within your federal customer’s enterprise architecture. It’s where your team captures how your system meets each of the regulations. Suppose your application uses established web frameworks such as a FedRAMP authorized PaaS from a CSP. In that case, it takes care of many of the lower-level controls and security best practices, leaving your team to focus on your application’s custom code and configuration. The attack surface is all the custom code and configuration done outside standard frameworks.
Your team will need to document all the data types and functions in your application because later, you’ll need to map them to the government’s formalized data set of mission functions via NIST 800-60.
4. Assess Security Controls
Assessing the effectiveness of the security controls starts with your development and infrastructure team collaborating with your agency client’s cybersecurity team to evaluate your application’s security controls. The Security Assessment Plan, your team, creates depends on the type of ATO your agency-client requires. For example, there’s a Security Assessment Framework for FedRAMP ATOs.
Typically, a penetration test on the system occurs as part of the assessment. The development team must immediately fix any penetration test results that the assessor deems severe enough to prevent an ATO. The assessor also reviews the SSP document and assesses the control narratives. This part of the process takes two weeks to three months.
They will also review the SSP document and test the control narratives. This testing and review process will take two weeks to three months and should be the top priority for your project team upon request.
The assessor will document less critical issues that your team can remediate later in the plan of action and milestones (POA&M) document. They’ll document less critical issues that your team can remediate later in the plan of action and milestones (POA&M) document.
A security assessment report (SAR) captures the results of this assessment.
5. Authorize Information System
Your federal client’s infrastructure lead will work with your project team to schedule and prioritize your system assessment. Once the assessment starts, your AO will review all items in your ATO checklist, especially your ATO package.
Then a cross-functional team including members of your project team, your AO, your infrastructure lead, and your client’s cybersecurity staff will meet to review all your ATO documentation. This review process should take one to two weeks and make it a top priority for your project team.
Once your team finalizes the ATO package and your client deems your application ready, your AO signs the ATO memo for your application.
6. Monitor Security Controls
Continuous monitoring of controls is a necessity in federal IT and cybersecurity. Your team must act on any security notifications that arise from your static analysis and automated vulnerability scanning
Updates to your system security plan and other architecture and security-related documentation should continue during this phase.
Additional Resources
Here are some additional resources if you want to learn more about the ATO process:
- Agency Authorization Playbook (FedRAMP)
- Authorization to Operate: Preparing Your Agency’s Information System (GSA Blog)
- Cybersecurity and Risk Management Framework (Defense Acquisition University)
- Risk Management Framework for Army Information Technology (United States Army)
DoD Cloud Authorization Process (Defense Information Systems Agency)
Post-ATO Activities
There are certain scenarios when your application may require a new ATO. Here are some examples of changes when your application may require a new ATO:
- Encryption methodologies
- Administrative functionality
- Storage of personally identifiable information (PII) or other sensitive data
Your federal client’s security staff will be the ones to determine whether your application requires a new ATO.
Once your application achieves an ATO, it remains in effect for three years from the date of approval. Before the expiration of your application’s ATO, you’ll need to replace that ATO with a new one. Your team will repeat the standard ATO process. The good news is that you may be able to reuse and update your existing ATO materials.
Are you an ISV who wants to do business with the United States federal government?
Learn more about the services Project Hosts offers for FedRAMP clouds on Microsoft Azure.