This blog is an excerpt from our recent course created in partnership with GitHub and AWS, “Security as Code: How to Simplify Compliance Authorizations.” Access the full course here.
An Authority to Operate, or ATO, is a term you’ll hear often in government, specifically in reference to information technology systems. An ATO is a formal declaration by a senior-level agency official that authorizes an IT system or product to operate on government networks.
Before an ATO is issued, the agency must categorize the system based on its criticality to government operations, determine what security measures must be implemented, and assess the effectiveness of those measures. When an ATO is issued for an IT system, it also means that the official has assumed responsibility for any risks.
By law, all federal IT systems are required to obtain a signed ATO to process government data. That includes cloud systems provided by third-party vendors.
Under the Federal Risk and Authorization Management Program, or FedRAMP, all cloud service providers must obtain an ATO before agencies can use their products or services. Security and compliance are primary considerations for government agencies as they begin their cloud journey. But they can face challenges using commercially available solutions that may not yet be authorized for government use by a formal ATO.
Part of the reason? The events leading up to an ATO can take a year or more. There is often a lengthy, back and forth process between government system owners and those assessing the security of the system. This manual process can include hundreds of pages of security documentation, making it nearly impossible to fully digest and review.
Service providers also can have issues achieving authorizations due to complexity, time and cost. This can limit agencies in executing their missions because the slow pace of the ATO process doesn’t align with agencies’ dynamic needs for new and innovative software.
And the work doesn’t end after an ATO is issued. Agencies must also account for any expired or expiring ATOs that need renewing to keep those systems compliant, and they have to continuously monitor the security of their IT systems.
In addition to FedRAMP, agencies must ensure their products and solutions achieve compliance with numerous other standards, including Defense Federal Acquisition Regulation Supplement or D-FARS. This sets acquisition requirements for Defense Department officials and any company that wants to do business with DoD.
If an agency processes credit cards, they must also comply with Payment Card Industry (or PCI) Data Security Standards. Agencies that manage criminal justice information must ensure their data protections meet Criminal Justice Information Services, or CJIS, standards. ATO documentation can be used to show that agencies align with these and other compliance standards, but it can be a time-consuming process.
The challenges with traditional ATOs and all the compliance requirements that government must meet are clear.
In our full course, we’ll discuss an alternate approach that simplifies and shortens the ATO process using automated and auditable methods.