What is an Authority to Operate (ATO)? (2024)

ATO is short for Authority to Operate. It is a formal declaration by a senior official, called the Authorizing Official (AO) under the NIST Risk Management Framework and historically the Designated Approving Authority (DAA), that accepts the residual risk of an IT system or product and grants permission for it to operate, process data, and connect to other existing systems or networks. ATOs are most common in government organizations, where each new system or product is evaluated and authorized before it is approved for use, but private companies use them as well. A familiar example is a policy that requires an authority to operate before an employee may install a software program on a company network.

Organizations leverage ATO for software risk management

As reliance on software and IT systems grows across every organization, so too do the consequences of outages and security incidents. ATOs exist to address exactly these security and operational-integrity concerns. Government agencies and private organizations require an authorization to operate (ATO) to establish, before deployment, whether a product exposes data to unacceptable risk or would interfere with existing applications or networks. An ATO is an acceptance of residual risk by an accountable official, not a guarantee that the product is free of flaws.

Authority to Operate (ATO) process

If an organization requires an ATO before a product can be used, the appropriate certifying body within that organization must be engaged and will usually require a sample of the product for testing. In the U.S. federal government, the Federal Information Security Modernization Act (FISMA) requires agencies to assess and monitor the security and privacy risks to their systems. For cloud services this is implemented by a government-wide program, the Federal Risk and Authorization Management Program (FedRAMP); otherwise it is implemented by individual agencies such as the Department of Defense (DoD), via the Defense Information Systems Agency (DISA). The time an ATO process takes varies widely by agency. At the DoD, the authorization decision is made by an Authorizing Official (AO), the role formerly known as the Designated Accrediting Authority (DAA), and the process can take up to three years at substantial cost. At other agencies, the time to achieve an ATO can range from three to nine months and cost anywhere from $90,000 to $700,000.

Applying for an Authority to Operate accreditation

The application process for obtaining an Authority to Operate (ATO) accreditation varies depending on the government agency. Generally, the steps in the ATO process align with the NIST Risk Management Framework (RMF, NIST SP 800-37), which integrates security, privacy, and cyber supply chain risk management. The current revision of the RMF adds a preliminary Prepare step; the six core steps that follow it are:

  1. Categorize the system by the potential adverse impact (low, moderate, or high) of a loss of confidentiality, integrity, or availability of the information it handles.
  2. Select a baseline of security controls from NIST SP 800-53 that matches the categorization, and tailor it based on the risk assessment.
  3. Implement the selected NIST SP 800-53 controls, using the parameter values defined by the agency, and document how each control is deployed in the system.
  4. Assess the controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcome.
  5. Authorize: a senior official (the AO) reviews the residual risk documented in the authorization package and decides whether to accept it.
  6. Monitor all security and compliance controls continuously and report changes in risk to the AO.

Ongoing system monitoring and management

Once the risks have been assessed and the IT system or software is granted an initial ATO, careful and continuous monitoring is key to maintaining the authority to operate. Ongoing compliance and security require an incident response and management process and a change management process, both well documented and reported on as part of the ATO package, so that the AO can see when a change or incident alters the risk that was originally accepted.

ATO expiration and renewal

Depending on the ATO authority, each system may be assessed on an annual or other recurring basis to ensure compliance with its ATO and to identify potential vulnerabilities. This review typically includes:

  • Updating core documentation
  • Updating the Contingency Plan (CP)
  • Conducting a Contingency Plan Tabletop Exercise (CPTT)
  • Undergoing a penetration test
  • Addressing and closing open Plan of Action and Milestones (POA&M) items, if applicable
  • Assessing controls

In addition, every three years, a system's ATO is assessed for reauthorization. Much like the annual assessments, this includes a review of all components to ensure compliance and to identify vulnerabilities. For a system that does not yet hold an ATO, the government may instead issue an Interim Authority to Test (IATT), which grants temporary authorization to test the system, without live data, for a defined period under specified conditions or constraints.



Continuous Authority to Operate (cATO)

Given the long time it can take to obtain an ATO and the speed at which technology and the associated security risks evolve, government agencies, including the Department of Defense, have started to move to a more flexible model known as continuous authorization to operate (cATO). A cATO keeps the authorization current by requiring that security be integrated into the full development lifecycle from the start and that the system's controls be monitored continuously, rather than re-examined only at the periodic reauthorization a traditional ATO requires.

Many agencies have adopted the DoD's three main competencies for continuous ATO. These competencies are:

  • Ongoing visibility of key cybersecurity activities inside the system boundary, with robust continuous monitoring of RMF controls.
  • The ability to conduct active cyber defense to respond to cyber threats in real time.
  • The adoption and use of an approved DevSecOps reference design.

Traditional ATO compared with cATO:

  • Traditional ATO: conducts assessments for a point in time. cATO: promotes real-time visibility and response.
  • Traditional ATO: uses manual processes and can produce outdated security and compliance data. cATO: promotes more frequent and automated assessments as well as continuous security and compliance.
  • Traditional ATO: requires rework and repetitive tasks. cATO: leverages common controls for cost savings and efficiency.
  • Traditional ATO: does not incorporate DevSecOps practices. cATO: promotes DevSecOps and newer teaming models.
  • Traditional ATO: focus is on paper compliance over security. cATO: focuses the culture on continuous monitoring, assessment, and prioritized remediation.

Government and Military ATO

The Department of Defense is leading the way in implementing cATOs. The general idea is that the old way of doing things, a point-in-time grant of an Authority to Operate (ATO), takes too long and may have lost its relevance before the system is even up and running. A continuous ATO (cATO) is becoming the gold standard for cybersecurity across departments, while also bringing more commonality to how Defense organizations use ATOs. The emphasis on continuous monitoring, instead of a rigorous single-point-in-time security examination, means new software and systems can come online much more quickly. This approach also does a much better job of assessing cybersecurity as it exists in the real world, since the authorization is based on current threats and vulnerabilities rather than on those that were known when the original ATO package was filed.



ATO with VMware Tanzu

Regardless of the government agency or private organization authority, the ATO process is cumbersome and requires exhaustive review and analysis. To streamline this process, it's vital to implement an integrated solution for continuous monitoring, assessing, recording, and reporting on security and compliance status in real-time. Successful solutions must also offer holistic risk management across on-premises and public clouds.

VMware Tanzu Platform and VMware Tanzu Labs provide the technology, people, and process to help organizations in highly regulated industries achieve true DevSecOps outcomes and reduce the time it takes to obtain authority to operate (ATO). With VMware Tanzu, companies can adopt DevSecOps practices to take advantage of new tools and architectural paradigms to deliver consistent, secure software at every level.



Author: Frankie Dare