Ongoing Authorization (OA) Program
What is the Ongoing Authorization (OA) Program? GSA has established an Ongoing Authorization (OA) Program to achieve Ongoing Authorization to Operate (OATO) for GSA managed information systems. OA provides a more frequent view into the security posture of the onboarded systems. The OA Program uses biannual reviews to ensure all responsible parties are executing their responsibilities according to the defined OA Program requirements and system OATOs are maintained.
OA Program Qualification
GSA information systems must meet the following requirements before they can be considered for onboarding into the OA Program. The following prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OATO.
- The information system must have had all of its NIST SP 800-53 security controls for its applicable FIPS 199 level, and any additional controls required by the GSA CISO, assessed within the past 18 months and issued an ATO.
- The information system must have deployed GSA's enterprise Information System Continuous Monitoring (ISCM) tools, based on applicable system requirements, defined within the GSA ISCM Enterprise Security Management Tools.
Please reference OA Checklist for more qualification insight. The OA Checklist is completed by the OA Team in coordination with the system team members (SO, OA ISSO and OA ISSM).
OATO vs. 3-Year cycle ATO
The key difference between the classic 3-Year ATO and an OATO is that the latter does not require re-authorization every three years. However, an event-driven reauthorization will be required if the system:
- Has a significant change as defined in NIST SP 800-37, Appendix F.
- Has a security breach that impacts the security posture of the system.
Important: GSA information systems that do not meet the qualifying requirements for transitioning into the OA Program must follow one of the A&A processes defined by CIO-IT Security-06-30.
