Authorization to Operate [ATO]

Authorization to Operate (ATO), sometimes called Authority to Operate, is the official management decision given by a senior government official (the Authorizing Official) to authorize operation of an information system on behalf of a federal agency and to explicitly accept the risk to organizational operations, organizational assets, individuals, other organizations, and the nation based on the implementation of a agreed-upon set of security controls.

Every information system operated by or on behalf of the U.S federal government is required to meet Federal Information Security Modernization Act (FISMA) standards, which includes system authorization and an ATO signed by an Authorizing Official (AO), who thereby takes responsibility for the security and risks associated with operating that system. The AO is generally a very high-ranking official within a federal agency, such as a Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Deputy Secretary. In order to convince the AO to sign off on an ATO, the security posture of the information system must be thoroughly documented.

The government official who is considered primarily responsible for completing the ATO process is called an Information Security Systems Officer (ISSO). ISSOs reports to the agency’s senior Information Security Officer, Authorizing Official, management official, or information system owner. This may be the CIO, CISO, or CTO for the agency, or some other official within the agency responsible for information security. An ISSO is responsible for managing the security posture of information systems and programs, and will help to coordinate assembly of the Authorization Package for the AO’s approval.

Whenever a new software application or information system is being built by or for the federal government, it will have an ISSO assigned to it. ISSOs within federal agencies typically oversee multiple information systems, and they will clarify the agency-specific processes and documentation required to secure an ATO. It’s critical for technical staff on vendor teams to have a good relationship with their program’s ISSO and work with them to ensure that the program receives its ATO.

This guide is intended to acquaint people new to the government technology industry with the basics of an ATO. Achieving a signed ATO is a critical step in the process of creating a new software application for a federal agency, so it’s important for everyone who works on such applications to be conversant in the language used to discuss ATOs.