An Authority to Operate (ATO) is an official declaration from a U.S. government agency authorizing the use of an application, platform, or product within their network. The Risk Management Framework (RMF) describes the standard all federal agencies must follow to secure, authorize, and manage information systems and specifies a process for initially securing — and then integrating constant monitoring — the protection of systems through an ATO.
In this post, let’s broadly take a look at these two items and identify their challenges.
Getting an ATO can be a tedious, continual process
Every information system operated by or for a U.S. government agency must meet Federal Information Security Modernization Act (FISMA) standards — which includes an ATO signed by a Designated Authorizing Official (DAO). The DAO is responsible and accountable for the security and the risks associated with using that information system.
Despite process variations between U.S. government agencies, the ATO process ultimately entails an exhaustive review of the application in question. It requires the completion of a large set of content that precisely defines the risks related to the use of the application by the agency. Thoroughly documenting the security posture of the information system is the only way to convince the DAO to sign off on the ATO.
When the ATO is submitted, the DAO — usually the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Deputy Secretary within a federal agency — conducts the review and either requests clarifications or certifies the application for use. Of course, our goal is the latter, but the former can oftentimes be inevitable.
The ATO process is tedious; it consumes time and requires renewal every few years. This creates a considerable workload for IT operations and security teams.
RMF: Architecture and Engineering in Six Steps
The RMF is a process for architecting and engineering a data security process for new information systems and suggests best practices and procedures every federal agency must follow. It also defines a process cycle for initially securing the protection of systems through an ATO. The RMF comprises six steps:
Categorize. This is the step where the security risks must be categorized, the system described, and the security plan is initiated. This step is performed to determine the types of information involved, and it is based on impact analysis.
Select. This second step is where common controls are identified, security controls are selected, and the security plan is reviewed and approved. The controls required to protect the information system are based on the system category.
Implement. The third step involves the implementation and documentation of the security controls. This involves organizationally defined parameters.
Assess. An assessment of security controls is followed by an approved plan to determine the effectiveness of the controls in meeting the security standards. This involves a full-scope and comprehensive evaluation of the security controls and control enhancements.
Authorize. The fifth step is highly crucial, determining whether to authorize the system, deny its operation, or remediate the deficiencies.
Monitor. Upon granting the ATO, ongoing monitoring is required for all identified security controls. Any changes to the system or its environment must be consistently documented and reviewed.
The RMF process is typically associated with NIST SP 800-37
— a "Guide for Applying the Risk Management Framework to Federal Information Systems", which transforms the traditional Certification and Accreditation (C&A) process into the six-step framework discussed above.
An ATO and the RMF are both key elements for every U.S. government agency and its information systems partners in modernization and digitalization.
ATO and RMF are Critical in Modernizing Information Systems
With the digitalization of the economy and of multiple business sectors, government agencies must keep up not only to provide better services to citizens but also to increase process efficiency and effectiveness within the agency. Some of the areas that need to be modernized include, but are not limited to:
- Research Information Tracking Systems
- Technical and systems architecture
- Database administration and transformation
- Compliance and security assurance
- Communications support
Modernizing those areas will prove highly beneficial to any organization and agency. Improving research accountability and reporting systems, for example, can help agencies keep up with changing priorities and requirements. Database administration can help improve process efficiency and data accuracy. These improvements, however, require the integration of information systems within an agency — which, in turn, will require an ATO. This is where consulting firms such as Alpha Omega Integration can help.
Alpha Omega’s A2O platform
addresses the lifecycle of the ATO process from gathering and evaluating the necessary controls based on the system’s security profile, to identifying exceptions in security posture and monitor controls. Built on and in collaboration with the industry leading automation vendor UiPath, A2O takes a continuous automation approach to ATO by automating collection of data from manual controls , executing the controls, identifying gaps, and increasing observability and transparency, through technical and operational