ISACA Journal Author Blog


Going for the ATO

Jo Anna Bennerson, CISA, CGEIT, CPA, ITILv3, PMP
Published: 3/13/2017 3:04 PM | Category: Government-Regulatory

The Authority to Operate (ATO) is necessary to work in the system of US federal government agencies. My recent Journal article provides details on how to obtain the authority to operate. The following steps can help US enterprises gain the approval to operate with the federal government:

   ●  Ensure confidentiality, integrity and availability—The first necessary step toward achieving ATO is confidentiality, integrity and availability (CIA). This means that only approved people can get in, any changes to the system or data are genuine, and the system is up and ready for use.
   ●  Embrace the NIST 800-53 control families—Every family is a tightly knit assembly of controls with a dash-one, or parent, control followed by offspring controls that dive deep into the security measure. For instance, the Access Control family starts with the dash-one control of access control policy. It is followed by more detailed controls to be implemented and assessed, such as Account Management and Access Enforcement. Using the lists of controls within each of the 18 NIST control families allows users to demonstrate security that is in place or being planned.
   ●  Keep the evidence—Just like in any operational process, you create or gather documentation to delineate the process and what has taken place. Just like any trail or audit, you keep evidence of the path you have taken. The ATO process allows you to gather and store all the security documentation. This serves well in building a case for the security posture of your system and how it fits into your federal agency’s risk profile.

In addition to these steps, following the US National Institute of Standards and Technology Risk Management Framework can help your system be granted the ATO.

Read Jo Anna Bennerson’s recent Journal article:
“Navigating the US Federal Government Agency ATO Process for IT Security Professionals,” ISACA Journal, volume 2, 2017.

