How to Simplify and Streamline the ATO Process and its Transition to cATO
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
ATO Process
Government agencies use ATOs to manage risk in their IT systems and networks by evaluating the security and compliance controls when implementing new systems and upgrading existing ones. The ATO documents that the Federal agency in question accepts that the benefits exceed the operational risk the new or upgraded system is likely to introduce.
The ATO process requires an exhaustive review and detailed analysis of the IT system and the potential risks it presents to the agency's operations, assets, and individuals. Much of this process remains manual, especially the detailed reports and documentation that need to be submitted for approval.
Information System Security Officers (ISSOs) are responsible for completing the ATO process. They work with the IT teams to create and clarify the required agency-specific processes and documentation, such as the system security plan (SSP), privacy threshold analysis (PTA), and contingency plan (CP), after which a security assessment report (SAR) is prepared.
To secure an ATO, it is critical for technical staff on vendor teams to have a good relationship with their program's ISSO and to work collaboratively to ensure that the program receives its ATO. However, because of the sheer volume of documentation and the extensive process involved, the traditional ATO process can take up to 3 years, leading to high costs. The Designated Approving Authority (DAA) may also issue ATOs on an interim basis for periods of 90 to 180 days.
Applying for ATO
The security certification and accreditation process consists of four distinct phases:
1. CATEGORIZE
Categorize the IT system and the information it processes, stores, and transmits as low, medium, or high impact. This helps classify the types of information within the authorization boundary and select the appropriate security and compliance controls accordingly.
2. SELECT
Based on the categorization and the risk assessment(s), select the appropriate security controls from the NIST SP 800-53 catalog to protect the system.
3. IMPLEMENT
Implement the selected NIST SP 800-53 controls using the parameters defined by the agency/organization.
4. ASSESS
Assess all security controls to ascertain their efficacy and ensure that they meet the set requirements and produce the desired results.
5. AUTHORIZE
Designated senior management, typically the Authorizing Official (AO), evaluates the identified risks and decides whether to authorize the system to operate, reject it, or require remediation as part of the accreditation decision.
6. MONITOR
Following authorization, all security and compliance controls are continuously monitored and assessed for any drift in risk posture. Results are recorded and reviewed on an ongoing basis.
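As an added example that is not part of the original page, the CATEGORIZE, SELECT and MONITOR steps above in Python: the overall impact level is the highest of the three security objectives (NIST's term for the page's "medium" level is "moderate"), the control set is chosen from a small, constructed subset of SP 800-53 baseline membership (real control IDs, but not the authoritative baseline tables), and monitoring flags any authorized control that is missing from, or no longer "implemented" in, the latest assessment results.

```python
"""Added example, not the page's or any vendor's code. Control IDs are real
NIST SP 800-53 identifiers; their baseline assignment below is an
illustrative subset, constructed for this example."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """Step 1 CATEGORIZE: the system's overall impact is the high-water mark
    (the highest) of the three security objectives."""
    rank = max(LEVELS[x] for x in (confidentiality, integrity, availability))
    return next(name for name, r in LEVELS.items() if r == rank)


# Constructed subset: control -> lowest baseline that includes it.
BASELINE_SUBSET = {
    "AC-2": "low", "AU-2": "low", "CM-8": "low", "IA-2": "low",
    "AC-2(1)": "moderate", "AU-6(1)": "moderate", "CM-8(1)": "moderate",
    "AC-2(12)": "high", "AU-9(2)": "high",
}


def select_controls(impact: str) -> list[str]:
    """Step 2 SELECT: every control whose baseline is at or below the
    system's impact level becomes part of the authorized control set."""
    return sorted(c for c, b in BASELINE_SUBSET.items()
                  if LEVELS[b] <= LEVELS[impact])


@dataclass(frozen=True)
class Finding:
    control: str
    reason: str


def check_drift(authorized: list[str], latest_results: dict[str, str]) -> list[Finding]:
    """Step 6 MONITOR: compare the authorized control set against the latest
    assessment results. A control with no result, or with any status other
    than 'implemented', is drift in the risk posture and must be reviewed."""
    findings = []
    for control in authorized:
        status = latest_results.get(control)
        if status is None:
            findings.append(Finding(control, "no assessment result"))
        elif status != "implemented":
            findings.append(Finding(control, f"status is {status}"))
    return findings
```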
Improve Efficiency with Continuous Authorization (cATO)
DevSecOps to Drive cATO