What Does Authorization To Operate Mean?

Federal agencies are synonymous with bureaucracy and are notoriously cautious, slow-moving organizations.

With an ever-increasing risk to cybersecurity, government systems must meet security and privacy standards, demonstrating compliance by obtaining an Authorization to Operate (ATO). However, traditional ATOs fail to provide the speed and security necessary to address technology changes and emerging threats. Enter continuous Authority to Operate (cATO). An ongoing authorization tailored for continuous delivery represents a more dynamic approach to identifying, mitigating, and managing risk over time.

Note: ATOs are often colloquially referred to as an “Authority to Operate.” The technical term is “Authorization to Operate.” This guide will occasionally use the colloquial term in addition to the technical phrase.

What Is an ATO in the Military?

ATO is a formal declaration that a system meets the necessary government security and privacy standards for deployment as the Federal Information Security Modernization Act (FISMA) requires. Like other federal agencies, the DOD requires ATOs to ensure the system protects sensitive information and performs its intended functions without exposing the network to unacceptable levels of risk.

An Authorizing Official (AO) is a senior official, responsible for evaluating and accepting security risks associated with an information system. The AO has the critical decision-making role of determining whether a system is fit for operational use on the DOD network.

What Is Denial of Authorization To Operate?

In the context of government and military systems, DATO stands for Denial of Authorization to Operate —a formal decision from the AO that a system has too many risks or vulnerabilities for operation. The AO’s decision is based on a comprehensive review of the system’s security posture.

The DATO decision means the system has unacceptable risks, such as high or very high-risk findings, which the AO deems an organization cannot mitigate to an acceptable level. Consequently, a DATO prevents the deployment of a new system or requires operations to cease for an existing system. This measure ensures that systems posing significant security risks do not jeopardize the broader network or the sensitive data they handle. It underscores the commitment to maintaining rigorous security standards and protecting the integrity of information systems in the government and military sectors​.

What Is Required for an ATO?

Obtaining an ATO involves a structured, but flexible process defined by the Risk Management Framework (RMF). (ATO) documentation requirements must demonstrate the system’s security measures, risk management strategies, and compliance with federal standards. For an authorization to operate (ATO) example, the Centers for Medicare & Medicaid Services (CMS) require the following Tier 1 documentation:

• System Security and Privacy Plan (SSPP)
• Information Security Risk Assessment (ISRA)
• Privacy Impact Assessment (PIA)
• Contingency Plan (CP)
• Contingency Plan Exercise (Tabletop Exercise)

These requirements apply across all authorization processes within CMS, but certain initiatives may require additional documentation, depending on the nature of the project.

For federal agencies, the authorization package provides the AO with the information necessary to make a risk-based decision on whether to authorize the operation of a system. The system owner is responsible for the development, compilation, and submission of the package which may include the following with any additional relevant information:

• Executive Summary
• System Security Plan (SSP)
• Security Assessment Report (SAR)
• Plan of Action and Milestones (POA&M)
• Risk Assessment Report (RAR)

These documents collectively ensure a thorough evaluation of the system’s security measures, identify potential risks, and outline plans to mitigate those risks.

Note: This is a high-level overview from the seven-step RMF process. More information is available by visiting NIST or by working with an experienced partner like Rise8.

What Is the Difference between ATO and cATO?

The difference between a traditional ATO and cATO is that ATO is a time-bound authorization after a point-in-time assessment. cATO is an uncodified term describing a specific subset of ongoing authorization tailored for continuous software delivery after achieving the initial ATO. Instead of requiring reevaluation or renewal at set intervals, ongoing authorization requires continuous monitoring, implementation or remediation, and assessment to keep pace with the low lead times of continuous delivery found in high-performing DevOps organizations.

Leverage the Future of Continuous Improvement with Rise8

Red tape often delays digital transformation initiatives, including adopting modern software deployment practices critical for mitigating disruption from emerging threats and changing mission requirements.

Rise8 offers a disciplined approach to constantly understanding a system’s risk profile based on building trust through transparency and enabling technologies that create a secure, compliant, agile environment. Connect with our team today and learn how to deliver high-quality software with reduced risk in 180 days or less.