What is an Authority to Operate?
All federal information systems must be granted an Authority to Operate (ATO) before they are placed into production. An ATO is issued when an information system has been assessed and the agency's Authorizing Official (AO), a senior official who is often the CIO, has explicitly accepted the residual risk to operations (including mission, functions, image, and reputation), assets, individuals, and other organizations. Each agency sets the ATO criteria for its own information systems, guided by the Risk Management Framework (RMF) process that the National Institute of Standards and Technology (NIST) describes in SP 800-37. These procedures and guidance derive from the Federal Information Security Modernization Act (FISMA).
When conducting risk assessments and granting ATOs for information systems that use cloud service offerings, agencies can use the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP accelerates agency adoption of cloud computing by defining transparent standards and processes for security authorizations and by letting agencies reuse an existing authorization package governmentwide. A FedRAMP provisional ATO (P-ATO) gives an AO evidence that specific security controls have already been assessed, so the agency does not have to repeat the RMF steps for those controls; the agency still issues its own ATO for the system as a whole, including the controls that remain the customer's responsibility. A FedRAMP authorization can be obtained either as a P-ATO from the Joint Authorization Board (JAB) or as an agency ATO sponsored by an individual agency.
For the U.S. Department of Defense (DOD), the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (SRG) defines Information Impact Levels 2, 4, 5, and 6 for DOD missions, along with the additional steps DOD organizations must take beyond FedRAMP to obtain their ATOs.