TL;DR: What Authorization to Operate (ATO) Means
An Authorization to Operate (ATO) is a formal risk-based decision—required under FISMA and implemented via the NIST Risk Management Framework (RMF)—that allows a federal or DoD system to operate in a designated environment. An Authorizing Official (AO) reviews system documentation and risk posture to determine whether the residual risk is acceptable. If not, the AO may issue a Denial of Authorization to Operate (DATO) to block deployment.
While traditional ATOs support compliance and protect sensitive data, their static nature can hinder fast-paced software delivery. The Continuous ATO (cATO) model addresses this by replacing periodic reauthorization with continuous monitoring, automated risk assessment, and real-time AO oversight—enabling faster, more secure system changes without compromising risk governance.
What Is an ATO in the Military?
An ATO is a formal declaration that a system meets the government security and privacy standards required for deployment under the Federal Information Security Modernization Act (FISMA). Like other federal agencies, the DOD requires ATOs to ensure that a system protects sensitive information and performs its intended functions without exposing the network to unacceptable levels of risk.
An Authorizing Official (AO) is a senior official responsible for evaluating and accepting the security risks associated with an information system. The AO has the critical decision-making role of determining whether a system is fit for operational use on the DOD network.
What Is Denial of Authorization To Operate?
In the context of government and military systems, DATO stands for Denial of Authorization to Operate—a formal decision by the AO that a system carries too much risk, or too many unmitigated vulnerabilities, to be permitted to operate. The AO’s decision is based on a comprehensive review of the system’s security posture.
A DATO means the system has unacceptable risks, such as high- or very-high-risk findings that the AO judges the organization cannot mitigate to an acceptable level. Consequently, a DATO prevents the deployment of a new system or requires operations to cease for an existing one. This measure ensures that systems posing significant security risks do not jeopardize the broader network or the sensitive data they handle, and it underscores the commitment to rigorous security standards and to protecting the integrity of information systems in the government and military sectors.
What Is Required for an ATO?
Obtaining an ATO involves a structured but flexible process defined by the Risk Management Framework (RMF). The ATO documentation must demonstrate the system’s security measures, its risk management strategy, and its compliance with federal standards. As an authorization to operate (ATO) example, the Centers for Medicare & Medicaid Services (CMS) require the following Tier 1 documentation:
- System Security and Privacy Plan (SSPP)
- Information Security Risk Assessment (ISRA)
- Privacy Impact Assessment (PIA)
- Contingency Plan (CP)
- Contingency Plan Exercise (Tabletop Exercise)
These requirements apply across all authorization processes within CMS, but certain initiatives may require additional documentation, depending on the nature of the project.
For federal agencies, the authorization package gives the AO the information needed to make a risk-based decision on whether to authorize the operation of a system. The system owner is responsible for developing, compiling, and submitting the package, which may include the following documents along with any additional relevant information:
- Executive Summary
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Risk Assessment Report (RAR)
These documents collectively ensure a thorough evaluation of the system’s security measures, identify potential risks, and outline plans to mitigate those risks.
Note: This is a high-level overview of the seven-step RMF process. More information is available from NIST or by working with an experienced partner like Rise8.
What Is the Difference between ATO and cATO?
A traditional ATO is a time-bound authorization granted after a point-in-time assessment. cATO is an uncodified term describing a specific subset of ongoing authorization, tailored for continuous software delivery after the initial ATO has been achieved. Instead of requiring reevaluation or renewal at set intervals, ongoing authorization relies on continuous monitoring, implementation or remediation, and assessment to keep pace with the short lead times of continuous delivery found in high-performing DevOps organizations.
Leverage the Future of Continuous Improvement with Rise8
Red tape often delays digital transformation initiatives, including adopting modern software deployment practices critical for mitigating disruption from emerging threats and changing mission requirements.
Rise8 offers a disciplined approach to constantly understanding a system’s risk profile based on building trust through transparency and enabling technologies that create a secure, compliant, agile environment. Connect with our team today and learn how to deliver high-quality software with reduced risk in 180 days or less.