When a business works with the general public, there’s a certain level of risk inherent in the process. We see it time and time again, with companies subject to data breaches and the loss of public information, like what happened to Target in 2013, Equifax in 2017, 23andMe in 2023, and many, many more.
While there are security standards in place for private corporations, enforcement is slim, and violations tend to be retroactively applied. It’s left to lawsuits and FTC penalties to step in after the fact, by which point the damage is done.
It’s one thing when it’s personal customer records, credit card or banking information, or personal details like social security numbers being leaked. Those are devastating on an individual basis, but the breadth of the exploitation that can occur is relatively small, all things considered.
The stakes are much higher when state-level actors are involved.
The federal government is not a monolithic organization. It’s made up of hundreds, if not thousands, of individual departments and organizations, all of which broadly cooperate to achieve goals relevant to the nation. While some of these departments and their operations are broadly public, whether for accountability or simply to maintain operations, others must act in secrecy.
As such, governmental information needs to be protected. The number of people who are allowed to access certain kinds of information is limited. Some information is protected as CUI (Controlled Unclassified Information), that is, information that is controlled but not classified. Other information is labeled secret, top secret, or higher, with greater restrictions on who can see and access it.
This begs the question: Is all of this secret information carried from place to place in locked briefcases by couriers protected by armed guards and handed over to the individual recipient directly? Of course not. A wealth of even the most secret information is funneled through email systems, hosted on secure cloud platforms, and generally conveyed using modern technology.
What, then, is to stop a threat actor – whether it’s an individual hacking group or a nation-state like North Korea – from listening in? If major service providers like Google can be breached, how is the government assured of its security?
Two things are true here:
- The first is that, well, the government isn’t assured of its security. Information security is a constant arms race between threat actors and security professionals. Breaches happen.
- The second is that the government takes steps above and beyond those that private businesses or individuals take to secure its own information, whether that is using strong encryption for sensitive data, using air-gapped and segmented networks for internal communications, or restricting the service providers it can use to only those that have been validated. There are many such steps.
It’s that second one that we’re interested in today.
Working With the Government
The government is constantly stuck between two competing pressures. One pressure is the need to adopt modern technology, to be able to adapt to the times, keep up with the general populace, and avoid falling behind and out of touch. The other pressure is the need to make sure that every new technology and process is secure enough for the government.
Sometimes, the government will engineer its own systems. The federal government is laced with internal networks, computer systems, and proprietary software that isn’t accessible elsewhere.
Other times, the government recognizes that there’s no good reason to reinvent the wheel. A primary example is the basic operating system of a computer. Millions of government workers spend all day using Microsoft Windows because engineering a customized operating system is a massive and unnecessary investment.
There are thousands of service providers, ISVs (Independent Software Vendors), CSPs (Cloud Service Providers), and more, all working with the government at any given time. Some work specifically with individual departments or agencies; others have broader contracts and can be used by nearly any part of the government.
One thing unites all of these service providers: they all have (at least) an ATO.
What Is an ATO?
An ATO is the Authority to Operate. According to the National Institute of Standards and Technology – NIST – an ATO can be defined in a few different ways.
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”
“Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.”
“Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.”
All of these definitions mean essentially the same thing. The Authority to Operate is the permission granted by the head of an agency or its delegated Authorizing Official (AO) to a service provider, allowing the agency to work with that service provider.
An ATO is granted after a complex security review process and must be obtained for each agency within the government that a service provider wants to work with. There’s also something called a P-ATO, or Provisional Authority to Operate, which helps to streamline part of the process in the case of a service provider that wishes to work with multiple agencies. You can read more about the differences between ATO and P-ATO in our guide here.
What is the Process for Receiving an ATO?
For any service provider looking to receive an ATO to work with a government agency, there’s a six-step process. In practice it is really more of a seven-step process, but the first step is often handwaved away. Broadly, these steps are defined by the NIST Risk Management Framework.
Let’s go through those steps.
Step 0: Choose an Agency
The first step, and the one generally handwaved away, is selecting the agency the service provider wishes to work with. This step is usually handwaved because no service provider is going to go through this process without already having chosen an agency, and indeed, the agency’s input is critical to the process as they provide the primary sponsorship.
A service provider can’t apply for authority to operate with an agency without that agency’s interest and cooperation. This cooperation is formally known as “FedRAMP Sponsorship”.
Many – but not all – federal agencies operate under the security standards designed by NIST, such as SP 800-53, the guidelines that govern the handling of CUI and federal information. Some agencies have additional standards above and beyond the minimums set by this document. Knowing the agency – and thus knowing its standards – is the key foundation for obtaining an ATO.
Step 1: Categorize the System
The first step of the ATO process is to categorize your service according to the level of risk you represent to the agency. Your job is to document the purpose of your system for the agency’s use and to classify yourself as a General Support System, Major Application, Minor Application, or Subsystem. The agency, meanwhile, will analyze your role in their organization and categorize you as having a low impact, moderate impact, or high impact.
This categorization lays the groundwork for what security implementations you will need to make, what documentation you will need to provide, and even whether or not you’re compatible with the agency and thus allowed to proceed.
The three core elements of this analysis are Confidentiality, Integrity, and Availability.
- Confidentiality is the preservation of information and restriction on access to only those with proper authorization.
- Integrity is the steps taken to prevent unauthorized modification or destruction of information.
- Availability is the assurance of reliable and timely access to the information by those authorized to access it.
These are the three axes upon which your ATO process hinges.
The process for this is outlined in NIST SP 800-60, the Guide for Mapping Types of Information and Information Systems to Security Categories.
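The categorization step above follows the high-water mark rule of FIPS 199, which SP 800-60 applies to information types: each of confidentiality, integrity and availability takes the highest impact of any information type the system handles, and the overall system impact is the highest of the three. The following is an added example, not code from the original article or from Ignyte; the information types and impact levels in it are constructed for illustration and are not an agency's actual categorization.

```python
"""Added example: FIPS 199 style security categorization via the
high-water mark rule. The system, its information types and their
impact levels are constructed for illustration."""
from dataclasses import dataclass

# Ordered from least to most severe; the index is used for comparison.
LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def highest(levels):
    """Return the most severe impact level in an iterable of levels."""
    levels = list(levels)
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Apply the high-water mark across all information types.

    Returns (per-objective impact dict, overall system impact).
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        "confidentiality": highest(t.confidentiality for t in info_types),
        "integrity": highest(t.integrity for t in info_types),
        "availability": highest(t.availability for t in info_types),
    }
    # The system as a whole inherits the worst case of the three objectives.
    return per_objective, highest(per_objective.values())


def format_sc(per_objective, overall):
    """Render the result in the FIPS 199 'SC = {...}' notation."""
    parts = ", ".join(f"({k}, {v.upper()})" for k, v in per_objective.items())
    return f"SC = {{{parts}}} -> {overall.upper()}-impact system"


# Constructed sample: a hypothetical document portal offered to an agency.
SAMPLE_SYSTEM = [
    InfoType("public web content", "low", "moderate", "low"),
    InfoType("contract records (CUI)", "moderate", "moderate", "low"),
    InfoType("service health telemetry", "low", "low", "low"),
]


def sample_categorization():
    return categorize(SAMPLE_SYSTEM)


if __name__ == "__main__":
    sc, overall = sample_categorization()
    print(format_sc(sc, overall))
```

Note that one moderate-impact information type is enough to make the whole system moderate, which in turn decides the control baseline in the next step; this is why providers often isolate CUI-handling components into a separately categorized boundary.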
Step 2: Select Security Controls
Bearing in mind the minimum security standards as set by the NIST and the agency specific requirements, you and the agency will then work to determine what baseline level of security controls is necessary to adhere to the three core elements of security. These controls will apply at the OS, Application, and Database layers and provide thorough security on your side of the equation. The agency, of course, will have its own internal security and policies.
This step is essentially a gap analysis of the security you have in place compared to the standards set by the NIST and other documentation. Anything you don’t already have in place will be flagged for implementation in the next step.
Step 3: Implement Security Controls
For each security control necessary as part of the overall adherence to FedRAMP standards, you must have either an implementation of the security control or other controls that compensate for the lack of that one control. Any control that is not implemented must be planned and must be implemented before the ATO can be granted. Each security control must be documented and demonstrated.
The process for this is outlined in NIST SP 800-53A, the Guide for Assessing Security and Privacy Controls in Information Systems and Organizations.
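The gap analysis described in the Select step and the implement-or-compensate rule of the Implement step can be expressed as a single classification pass over the baseline. The following is an added example, not code from the original article or from Ignyte. The control identifiers are real NIST SP 800-53 control IDs, but the baseline subset, the implementation statuses, the evidence file names and the dates are constructed for illustration and do not represent a complete FedRAMP baseline; whether a given compensating control is acceptable is a judgement the agency and assessor make, not something this code decides.

```python
"""Added example: classify each baseline control as satisfied,
compensated, planned (goes on the Plan of Action and Milestones) or
blocking. Baseline subset, statuses and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class ControlStatus:
    implemented: bool = False
    evidence: Tuple[str, ...] = ()       # artifacts that demonstrate the control
    compensating: Tuple[str, ...] = ()   # IDs of controls standing in for it
    planned_by: Optional[date] = None    # milestone date if not yet implemented


def is_satisfied(cid, statuses):
    """A control counts only when implemented AND documented."""
    st = statuses.get(cid, ControlStatus())
    return st.implemented and bool(st.evidence)


def analyze(baseline, statuses, today):
    """Return a dict of lists; 'blocking' holds (control id, reason) pairs."""
    report = {"satisfied": [], "compensated": [], "planned": [], "blocking": []}
    for cid in baseline:
        st = statuses.get(cid, ControlStatus())
        if is_satisfied(cid, statuses):
            report["satisfied"].append(cid)
        elif st.implemented:
            # Claimed but undocumented: an assessor cannot verify it.
            report["blocking"].append((cid, "implemented but no evidence"))
        elif st.compensating and all(is_satisfied(c, statuses) for c in st.compensating):
            report["compensated"].append(cid)
        elif st.compensating:
            report["blocking"].append((cid, "compensating control not itself satisfied"))
        elif st.planned_by is None:
            report["blocking"].append((cid, "not implemented, no plan"))
        elif st.planned_by < today:
            report["blocking"].append((cid, f"milestone {st.planned_by} missed"))
        else:
            report["planned"].append(cid)
    return report


def ready_for_assessment(report):
    """Nothing blocking means every control is in place, covered, or planned."""
    return not report["blocking"]


# Constructed sample. The baseline is a small illustrative subset, not a full one.
SAMPLE_BASELINE = ["AC-2", "AU-2", "CP-9", "IA-2", "RA-5", "SC-7", "SI-4"]
SAMPLE_STATUSES = {
    "AC-2": ControlStatus(implemented=True, evidence=("account-policy.pdf",)),
    "AU-2": ControlStatus(implemented=True),                 # logging on, nothing documented
    "CP-9": ControlStatus(planned_by=date(2030, 1, 31)),     # backups scheduled, on the POA&M
    "RA-5": ControlStatus(compensating=("SI-4",)),           # hypothetical: scanning gap covered by monitoring
    "SC-7": ControlStatus(implemented=True, evidence=("network-diagram.png",)),
    "SI-4": ControlStatus(implemented=True, evidence=("siem-config.txt",)),
    # "IA-2" is deliberately absent: nothing implemented, nothing planned.
}


def sample_report(today=date(2025, 6, 1)):
    return analyze(SAMPLE_BASELINE, SAMPLE_STATUSES, today)


if __name__ == "__main__":
    rep = sample_report()
    for bucket, items in rep.items():
        print(bucket, items)
    print("ready:", ready_for_assessment(rep))
```

Running it with the sample data leaves two blocking items (an undocumented control and a control with no plan at all); moving the clock past the CP-9 milestone turns that planned item into a third blocker, which is the "missed deadline" failure mode the article mentions later.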
Step 4: Assess Security Controls
Step two is to determine the security controls necessary. Step three is to implement those security controls. It stands to reason, then, that step four is to evaluate the efficacy of those controls. After all, if security is only the appearance of security and is easily bypassed, it’s not really security at all, is it?
For this process, you develop a System Assessment Plan (typically a large and comprehensive document) according to the desired ATO requirements from the agency. The agency’s cybersecurity team will then conduct various tests, such as penetration testing and controls testing, to evaluate the security. If the assessor identifies security gaps, they must be fixed immediately. Smaller or minor issues are noted and can be worked into the Plan of Action for post-ATO follow-up development.
Overall, this assessment process can take weeks to months, and that’s before considering the time each previous step will take, including the creation of the SSP (System Security Plan).
Step 5: Authorize the System
The final step before obtaining an ATO is for a third-party assessment organization to review the results of the assessment and the work done by both the sponsoring agency and the service provider. This final review puts the stamp on the ATO process, after which the ATO can be reviewed and granted.
Often, the first attempt at an ATO is going to fail. Attempts can fail for any number of reasons, from minor errors in documentation to missed deadlines all the way up to critical failures in security. Working with a company like Ignyte can help streamline and speed up this process and minimize errors caused by issues with documentation or other problems.
Step 6: Monitor the System
The final step is ongoing monitoring. ATO is not a one-and-done review. Rather, compliance with security is an evolving process and a moving target. As threats grow more sophisticated, as technology changes, adapts, and improves, and as security standards are reviewed and updated, your company must continue to advance along with it. You become part of a moving, living system; to maintain your ATO and your agency contract, you must keep up.
Additionally, ATOs expire after three years. At this point, another complete review must be conducted, almost as if you had never applied at all. While it’s easier the second time around because you’ve already produced much of the documentation, it’s not uncommon for companies to fail their initial renewals. Standards change, and companies that have not kept up with their monitoring, have not continued to maintain their documentation, or have failed to adhere to security standards when updating their platforms all find themselves lacking in this review.
This is one way we at Ignyte can help. Our platform makes it easy to conduct ongoing monitoring and keep your documentation up to date as you operate and maintain your agency contracts. With many ways to save your company time and money while providing detailed assessment and maintenance services, Ignyte can be your secret to success.
Additionally, we’ve recently been certified as a 3PAO and can provide auditing services for FedRAMP certification. For all of the details of our services and our solutions, browse our site or ask us questions directly. We’re more than happy to help.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.