By Melissa Alexander, Hameed Salmond, and Robert Vasquez
What is an ATO? Is it Required?
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision (Rev.) 21, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, provides agencies with guidelines and a framework for authorizing information systems to operate.
Office of Management and Budget (OMB) Circular A-1302, Managing Information as a Strategic Resource, establishes the requirement for agencies to designate a senior agency official(s) as the Authorization Official(s) (AO) to formally authorize the operation of each information system and explicitly accept the risk of operating the information system based on the selection and implementation of common controls (e.g., physical and environmental protection, identification and authentication controls, and incident response)3, prior to placing a system in an operational status. Although there are numerous agency personnel who perform activities during the ATO process, the designated AO, Information System Security Officer (ISSO), and System Owner(s) are generally the three key stakeholders involved.
Since Federal guidance requires ATOs for all information systems, all agencies are compliant, right? The short answer is generally. According to a January 2024 Government Accountability Office (GAO) report4, 5,959 (95 percent) of the 6,218 total information systems from the 23 civilian Chief Financial Officers Act of 1990 (CFO Act) agencies were compliant (i.e., received an ATO) and the remaining five percent operated without an ATO.
Considerations for Authorizing Information Systems
Compliance with Federal Requirements
Technology is advancing at an exceptionally rapid pace. Along with this pace of growth comes new and updated Federal guidance and requirements that agencies must adhere to in order to be compliant. OMB Circular A-1305, Section 5, Discussion of the Major Provisions in the Appendix, states:
“…Agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.”
One of the more recent significant changes to Federal guidance was the replacement of NIST SP 800-53 Rev. 4 by NIST SP 800-53 Rev. 5, which was finalized in September 2020 and subsequently updated in December 2020 (see Kearney & Company, P.C.’s [Kearney] Thought Leadership Article6 on the NIST SP 800-53 Rev. 4 to NIST SP 800-53 Rev. 5 updates for more insight on the changes).
Duration of the ATO
Another key consideration when granting a system an ATO is the duration that the information system will be authorized to operate. Simply put, this will determine how often an information system will need to be reauthorized after the initial risk acceptance by the AO once the formal ATO is granted. The decision and determination on the duration of an ATO may ultimately be driven by factors within three overarching areas, which are considered at the agency, business/ program, and information system levels.
Agencies and key stakeholders may have discussions surrounding several topics and questions, including the following:
- Is sufficient funding available to perform authorization on a yearly basis for all information systems?
- Is a standard duration for all information systems throughout the agency feasible and practical?
- Is a two-year ATO appropriate, given the size of the agency and level of effort (LOE) and resources required for the ATO process
- Should information systems categorized at the different overall impact levels (i.e., high, moderate, and low) be granted separate ATO durations?
- Will there be an automatic trigger(s) to reauthorize the system outside of this defined frequency?
- As all servers will be upgraded to the latest version next Fiscal Year (FY), how will this impact the authorization process?
With the continuous modernization efforts across the Federal Government landscape and the increasing number of agencies moving to cloud systems using Cloud Service Providers (CSP) via the Federal Risk and Authorization Management Program (FedRAMP) Marketplace, new requirements and considerations have been introduced from both an authorization (i.e., agency) and audit (i.e., auditor) perspective. See Kearney’s Thought Leadership Article7 on this subject matter for more insight.
The Agency Authorized its Information Systems; What’s Next?
After an agency has authorized its information systems, that is the end of the process, right? Well, the initial granting of an authorization to operate is not the end-all, be-all. As updates and changes in risks factors and Federal requirements associated with technology and security occur, agencies would greatly benefit from consistent monitoring of selected and implemented privacy and security controls. This would allow agencies to identify and mitigate risks associated with obsolete technologies and outdated Federal guidance, which, if left unattended, increase the likelihood of threats and vulnerabilities within the information system and agency. In an ideal world, all Federal agencies would evolve and mature their processes to a level of effectiveness to implement ongoing authorizations8 to allow for continuous, secure and up-to-date information systems, security and privacy controls, and operating environments.
Until the ideal condition of ongoing authorizations can be achieved, it is important to remember that granting system authorizations is a key required process that is essential to mitigating the agency’s and information system’s security risks. A few key stakeholders in the ATO process include the AO, ISSO, and System Owner(s). Some considerations for authorizing a system include compliance with current applicable Federal requirements, ATO duration, and ATO type. ATOs are not a “one and done” occurrence, and each system and associated control should be routinely monitored to help mitigate new risks within the ever-changing technology climate.
Connect with Us
This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind.
Kearney is a Certified Public Accounting (CPA) firm focused on providing accounting and consulting services to the Federal Government. For more information about Kearney, please visit us at www.kearneyco.com or contact us at (703) 931-5600.
1https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
2https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
3https://csrc.nist.gov/glossary/term/common_control
4https://www.gao.gov/assets/d24106291.pdf
5https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
6https://www.kearneyco.com/nist-sp-800-53-rev-5-straightforward-changes-with-complex-solutions/
7https://www.kearneyco.com/authorizations-and-audits/
8https://csrc.nist.gov/glossary/term/ongoing_assessment_and_authorization