In the Department of Defense (DoD) Authority to Operate (ATO) process, Authorizing Officials (AO), as described by the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), assume responsibility for operating an information system at an acceptable level of risk to agency operations. This role is vital to the ATO process, and it is important for software companies seeking an ATO to have an understanding of the responsibilities and priorities of DoD AOs. In this article, we will cover the role of an AO in the ATO process for cloud service offerings (CSO) and cloud service providers (CSP).
Who is the Authorizing Official?
The role of AO is primarily as chief reviewer and decision maker in all things related to system risk management and risk assessment. Risk can never be completely eliminated from an information system, so an AO weighs the risk to benefit ratio of a system to decide its authorization status.
Authorizing Officials are high ranking members within an agency such as Chief Information Officers (CIO), Chief Information Security Officers (CISO), or Chief Technology Officer (CTO) among other candidates. In order to prevent any conflicts of interests, the AO is never the information system owner (ISO). Second to the AO is the Authorizing Official Designated Representative (AODR). The party submitting the ATO package works directly with Security Control Assessors (SCA) that assess the management, operational, and technical security controls implemented internally or inherited by an information system to determine the effectiveness of the controls. AODRs also work closely with SCAs, providing recommendations on system authorization decisions to the AO. The AO is responsible for the final signage of approval based on all available security information.
There are two main authorizing official structures: traditional and joint authorization. Traditional authorization involves one AO, while joint authorization involves multiple high ranking officials sharing risk and responsibility for a system’s security and risk levels. Joint Authorization structures can include AOs from multiple programs and agencies. Joint authorization structures foster greater reciprocity between AOs, meaning that one accepts, or at least gives weight to the reviews, assessments, and authorizations of another. Reciprocity reduces the redundancy of review and assessment efforts.
Responsibilities of Authorizing Officials in the ATO Process
The AO reviews security authorization packages, which can consist of a few different security documents including but not limited to:
- System security plans (SSP)
- Security assessment reports (SAR)
- Plan of action and milestones (POAM) documents
- Information security continuous monitoring (ISCM) plans
- Risk assessment reports (RAR)
When an information system is considered ready by the AO, they will sign an ATO, usually determined after an AO decision brief provided by the system owner. The ATO decision document will include the conditions under which the ATO is valid, as well as an expiration date. In most cases, this is all documented in the Enterprise Mission Assurance Support Service (eMASS) so that it is easily accessible by other accrediting officials. The AO is also responsible for determining what changes warrant another ATO review. The AO will regularly review data accumulated from security monitoring reports to inform ongoing authorization decisions.
Finally, aside from procedural responsibilities the AO also takes into account organizational risk tolerance, system dependencies and controls, mission and business requirements, how critical the system is to the mission, and the overall risk management strategy of the organization, according to NIST.gov.
Game Warden and Authorizing Officials
In the future, automated assessments supported by continuous monitoring activities will provide AOs with the documentation and oversight needed to confidently accredit software continuously. Game Warden®, a first of its kind accredited commercial DevSecOps platform and secure cloud hosting environment, provides the capabilities to approach this future today. Game Warden’s automated DevSecOps capabilities allow software teams more freedom to focus on improving their product by reducing some of the burden of security testing and reviews. In addition, AOs can be more consistently informed on security posture and make faster authorization decisions.