Authority to Operate
What is an Authority to Operate (ATO)?
An ATO is a formal declaration by an Authorizing Official that authorizes the operation of an agency system, or a vendor-owned and/or operated system contracted to support agency operations, while explicitly accepting the risk to agency operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational.
What is the purpose of an ATO?
All GSA IT systems are required to obtain a signed Authorization to Operate (ATO) prior to full operation. The ATO represents the formal management and executive approval to place a system into production at GSA. An ATO is granted after an IT system fully complies with the Assessment and Authorization process.
What is the process for obtaining an ATO at GSA?
All GSA systems seeking ATO must be compliant with the following standards specified in the Assessment and Authorization process:
- GSA Security Authorization
- GSA E-Authentication/Digital ID
- GSA Business Continuity Planning
Types of FCS Security Authorization to Operate (ATO)
Moderate Impact Software as a Service (MiSaaS) and Low Impact Software as a Service (LiSaaS) ATO
The MiSaaS and LiSaaS security authorization processes were created for the FedRAMP Tailored program. Both processes leverage the inherent flexibility in the application of security controls noted in NIST Special Publication (SP) 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations," described as tailoring in NIST SP 800-37, Revision 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy." This approach has been used to align more closely with GSA business requirements (i.e., DevOps and agile development) and environments of operation (i.e., environments that have or are pursuing a FedRAMP provisional ATO). The process is focused on operational security from both a functional and an assurance perspective, not on adherence to static checklists or the generation of large volumes of security authorization paperwork (see the procedural guides for more details).
Explore the FCS Procedural Security Guide for Authorization for a detailed list of milestones to achieve ATO. It is intended to guide an FCS Tenant through the FCS Security Authorization process.
Lightweight Security Authorization (LATO)
The General Services Administration (GSA) Lightweight Security Authorization Process is specific to new GSA applications residing on infrastructures that have a GSA Authorization to Operate (ATO) concurred by the GSA Chief Information Security Officer (CISO) or a Federal Risk and Authorization Management Program (FedRAMP) Infrastructure-as-a-Service (IaaS) provisional ATO. Applications leveraging FedRAMP SaaS or PaaS solutions must follow GSA's Leveraged FedRAMP XaaS solution process as described in CIO-IT Security-06-30, "Managing Enterprise Cybersecurity Risk." Exceptions to the above must be approved by GSA CISO and AO.
90-day Limited ATO (LATO) (FIPS 199 Low or Moderate): A 90-day LATO is based on an external assessment including automated vulnerability and web application scanning as well as automated and manual penetration testing (if Internet accessible). Eligibility to pursue a 90-day LATO is determined on a case-by-case basis and must be approved by the GSA CISO and AO.
One-year LATO (FIPS 199 Moderate): A one-year LATO is based on completing all tasks in the Lightweight Security Authorization Process (see Section 2.4).
Three-year Full ATO (FIPS 199 Low): A three-year authorization based on completing all tasks in the Lightweight Security Authorization Process (see Section 2.4).
What are the common "ATO Showstoppers"?
The GSA IT Security organization has defined a list of "ATO Showstoppers." Work closely with your ISSO to ensure there are no blockers to obtaining the 3-year ATO. The following are considered "ATO Showstoppers":
- Failure to implement Multi-Factor Authentication (MFA) for privileged and user-level access - all authentication points should use MFA for authentication, per NIST SP 800-63B.
- Critical and High vulnerabilities
- Remote Code Execution (RCE) vulnerabilities
- End of Life (EOL) software - ensure unsupported software or tools (both COTS and open source) are not in use.
- Failure to have the System Architecture reviewed and approved by ISE
- Encryption of Sensitive Data - all sensitive data (PII, PCI, authenticators, or data classified as sensitive by the business) must be encrypted with a FIPS-approved cipher. This includes data stored in database backups, logs, or anywhere else sensitive data could reside.
Links to ATO Related Information for FAS and IQ FISMA Systems
FAS Systems:
Responsible Org: Federal Acquisition Service (Q)
- The following link provides system specific information regarding the ATO process including: FAS System Names, ATO Dates, ATO Types, Renewal Dates, Related Artifacts, ISSO Name, System Owner Name and more: FAS Systems ATO Dates.
IQ(+IQ Sub-systems) Systems:
Responsible Org: Office of Acquisition IT Services (IQ)
- The following link provides major system specific information regarding the ATO process, including: FISMA System Name, Division Director, ISSO Name, ATO Date, ATO Type, and the ATO Renewal Date: IQ Systems ATO Dates and more.
- The following link provides specific information for each subsystem related to the FISMA systems listed in the IQ Systems link. There are potentially multiple 'sub-systems' for each FISMA system. For each sub-system, the following information is provided: Sub-system name, related (parent) FISMA system, FISMA System ATO Renewal Date, Division Director, ISSO Name, Division Supported, ISSM Name, and the Vendor providing support: IQ Sub-systems ATO Dates.
FedRAMP Details
FedRAMP ATO Process
The FedRAMP process was designed to standardize modernization efforts and minimize cybersecurity threats.
FedRAMP Status for AWS Services
GSA-IT has authorized a selection of AWS Services available for use. Explore the current list of available resources and engage with security to initiate a service review.
Applications Currently Authorized
A comprehensive list of currently ATO'd applications can be found in GEAR - GSA Active FISMA System Inventory.