
What is Required in an ATO Package?

TL;DR: What’s Required in an ATO Package


An Authorization to Operate (ATO) package is the RMF evidence an Authorizing Official (AO) uses to decide if a federal or DoD system can securely run on a government network. Built through the seven RMF steps, it typically includes the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M); DoD packages also commonly include a Risk Assessment Report (RAR) and supporting documents such as configuration and incident response plans.

These artifacts show what controls were selected, how they were implemented, how well they work, what risks remain, and how those risks will be addressed. Traditional ATOs are often time‑limited per agency policy and compliance‑focused; continuous ATO (cATO) builds on them with real‑time monitoring and ongoing risk decisions, enabling faster, safer software delivery.

What Is an ATO in the DOD?

Like other federal agencies, the Department of Defense (DOD) requires ATOs to ensure a system can protect sensitive information and perform its intended functions without exposing the network to unacceptable levels of risk. An Authorizing Official (AO) grants an ATO after evaluating and accepting the security risks associated with an information system. The ATO signifies that the system is secure enough to process, store, and transmit information.

Understanding the DOD ATO Process

ATOs are granted during the seven-step RMF process following this Authorization to Operate checklist:

  • Prepare: Identify key risk management roles, define an organizational risk strategy with tolerance levels, and establish a comprehensive risk assessment framework with tailored control baselines.
  • Categorize: Assess the system's impact level based on confidentiality, integrity, and availability using NIST FIPS 199 guidelines.
  • Select Security Controls: Based on system categorization, select a baseline set of security controls from NIST SP 800-53B, supplementing as needed to address specific risks.
  • Implement Security Controls: Implement the selected security controls and document their deployment and integration within the system.
  • Assess Security Controls: Verify effective risk mitigation with a comprehensive assessment of the implemented controls, including penetration testing and vulnerability scanning.
  • Authorize the System: Compile an Authorization Package for the Authorizing Official's review and risk assessment to determine whether to grant the ATO based on the system’s security posture.
  • Monitor Security Controls: After ATO approval, continuously monitor the system with regular assessments, updates, and reporting to maintain security and address emerging threats.

Note: This list is a high-level overview of the RMF process—multiple steps in each section must be completed. More information is available on NIST's website or when working with an experienced partner like Rise8. 

What Is Required for an ATO?

Obtaining an ATO involves a comprehensive evaluation of the system's security controls, adherence to regulatory requirements, and mitigation of potential risks. To achieve an ATO, you must:

  1. Apply the RMF Steps: The Risk Management Framework provides a structured but flexible approach to managing and mitigating the security and privacy risks of information systems. Organizations may apply the essential RMF steps in nonsequential order to achieve an ATO.

  2. Create Comprehensive Documentation: Detailed documentation demonstrating the system’s security measures, risk management strategies, and compliance with federal standards is required to achieve ATO. This includes the System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR), and Plan of Action and Milestones (POA&M).

  3. Select Effective Security Controls: Based on risk assessments, the system must have robust baseline security controls implemented, tested, and validated with supplemental and compensating controls added to protect against threats as necessary.

  4. Implement a Continuous Monitoring Plan: This involves real-time detection of, reporting on, and response to changes that may affect a system’s security posture; activities include configuration management and control, security impact analysis, and ongoing assessment of security controls.

What Is Required in an ATO Package?

This package compiles all necessary documentation for the Authorizing Official to make an informed decision about granting the ATO. It typically includes the SSP, RAR, and POA&M, along with any other relevant documentation such as configuration management plans or incident response plans.

What Are the ATO Documents?

An ATO package compiles the documentation that enables the AO to make an informed authorization decision. It typically includes the SSP, RAR, POA&M, and other relevant documents such as configuration management and incident response plans.

Examples of ATO package documents include:

  • System Security Plan (SSP): Details the system’s security requirements, control implementations, boundaries, data flows, and role assignments.
  • Risk Assessment Report (RAR): Identifies potential risks, assesses their likelihood and impact, and documents mitigation strategies.
  • Security Control Assessment (SCA) Report: Contains evaluation results for each control, including testing, validation, and security audit results.
  • Plan of Action and Milestones (POA&M): Outlines plans to address vulnerabilities, with timelines for remediation and progress tracking.

There’s a Better Way With Rise8

Traditional ATOs, while essential, can be a barrier to rapid deployment. Continuous ATO (cATO) offers a modern alternative, integrating continuous monitoring and agile delivery with the RMF for real-time authorization and risk management, not just compliance. This approach aligns security with speed, reducing risk rather than increasing it.

At Rise8, we specialize in implementing cATO, ensuring systems are compliant, agile, and resilient in the face of evolving threats. Our approach doesn’t just check the compliance box—it enables meaningful operational impact, empowering teams to deliver secure software at the speed of need.

Ready to modernize your authorization process? Contact Rise8 today to learn how we can help you achieve continuous delivery.
