Within the context of a risk management project, the decision to authorize an information system to operate is a critical cornerstone. NIST defines authorization to operate (ATO) as a “management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security [and privacy] controls.”
ATO is a management decision
It is important to understand that an ATO is not a one-off decision – it is rather a program that needs to be managed accordingly. The purpose of an ATO is to provide accountability by requiring a senior management official – called authorizing official – to determine if the security and privacy risk (including supply chain risk) to an organization is acceptable based on the operation of the system.
An essential task in the ATO project is the determination of risk since the decision to authorize (or not) a system to operate depends on the security and privacy posture of that system, as well as the risk from its use and operation. This risk is determined using the review and analysis of the information and materials in the authorization package, as well as organizational-level and system-level risk information provided by senior officials. The authorization package includes security and privacy plans, security and privacy assessment reports, and plans of action and milestones.
Equipped with this information, knowledge of the organization, and the organization’s risk management strategy and risk tolerance, the authorizing official analyzes security and privacy considerations and business needs and determines if the risk to the organization’s operations is acceptable. When deciding whether to authorize a system to operate, the authorizing official also reviews current residual risk and organizational plans of action and milestones.
The system authorization might be revoked, or the system might be reauthorized in the event of new risks or vulnerabilities, deficiencies discovered from the continuous monitoring program, new business requirements, or significant changes in the system.
Six steps to ATO
To accomplish an ATO security authorization, the NIST RMF defines six steps that are to be completed:
- Categorize—What is the system’s overall risk level? Has it been categorized as high, moderate or low impact?
- Select—Using the system’s categorization, has the appropriate level of security and privacy controls been chosen? Which controls are being selected to mitigate risk? This step includes selecting baseline security and privacy controls and specifying minimum assurance requirements.
- Implement—Are the individual controls implemented or planned, or are there compensating controls in place? Are the controls inherited from another system, system-specific, or hybrid?
- Assess—Through verification of evidence, the controls are tested to determine if they are in place and operating as intended.
- Authorize—Documents are submitted to the AO, who will either accept or deny the system’s risk in an accreditation decision.
- Monitor—The objective of a continuous monitoring program is to determine if the complete set of planned, required and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur.
How to make your ATO project succeed
Authorizing your information systems is a matter of project management. To ensure that this cybersecurity project succeeds, you need to consider the following factors:
- Executive buy-in. Business leaders need to understand the value of security authorization as a means not only to mitigate cyber risks, but to improve the overall organizational risk posture. Executives need to allocate the appropriate resources – funds, staff, and infrastructure – to the authorizing official to help them accomplish the ATO on an ongoing basis for all information systems deployed across the enterprise.
- Avoid scope creep. Changes in system configurations, features or business needs happen all the time. It is important to make the authorizing official an integral part of the Change Management program and to close any loopholes that could jeopardize the security posture of the organization.
- Have authorizing experts. The success of the authorization to operate process relies on the proficiency and expertise of the authorizing official. Organizations can secure the appropriate skillsets through training, new hires, or outsourcing. Once your ATO project is stood up, it won’t be of much value if it’s inefficiently or haphazardly administered.
How the CGRC Certification Can Help You to Succeed
The ISC2 Certified in Governance, Risk and Compliance (CGRC) certification provides all the foundational knowledge required to run the ATO process effectively. A CGRC-certified practitioner is an information security professional who advocates for security risk management in pursuit of information system authorization, supporting an organization’s mission and operations in accordance with legal and regulatory requirements.
A CGRC professional understands the risks to the business of operating unauthorized systems and possesses the expertise to:
- Compile the authorization package.
- Analyze the information contained in the package to determine the amount of risk associated with operating the system.
- Develop responses to address the remaining risk.
- Decide whether or not to authorize the information system.
What is more, the ISC2 CGRC certification meets the requirements of Directive 8570.1 for IAM Level I and IAM Level II positions. Every organization can benefit from a wide range of training options to build up the skillsets required for running the ATO process effectively.