Operating in a federally compliant manner requires that an organization obtain an Authority to Operate (ATO) before putting a system into production for government users. The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to develop, document, and implement an agency-wide information security program.
Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's overall information security program. Under FISMA, such a program includes:
- Periodic testing of the effectiveness of the management, operational, and technical controls of every information system identified in the inventory required under section 3505(c)
- Planning for security
- Ensuring that appropriate officials are assigned security responsibility
- Authorizing system processing prior to operations and periodically thereafter
- Implementing the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information
The Risk Management Framework (RMF) provides the foundation and path for taking a system through the assessment and authorization process. There are six main RMF steps to complete when going through the ATO process.
Step 1. Security Categorization
Define the criticality/sensitivity of the information system according to the potential impact of a loss of confidentiality, integrity, or availability of its information. This step is completed by the system owner in conjunction with the Authorizing Official (AO), who ultimately makes the final authorization decision.
Step 2. Select Security Controls
The system owner and AO select the minimum (baseline) set of security controls needed to protect the information system and apply tailoring guidance as appropriate.
Step 3. Implement Security Controls
Implement security controls and apply security configuration settings.
QTS helps by building and configuring the underlying system components to meet compliance standards. The scope covers the policy, process, and evidence showing that QTS has performed physical, environmental, logical access, change management and remediation, and security incident response activities in a manner that meets government risk management requirements.
Step 4. Assess Security Controls
Determine security control effectiveness (i.e., whether the controls are implemented correctly, operating as intended, and meeting the security requirements).
QTS provides assistance with audit evidence requests and inquiries as part of audit support.
Step 5. Authorize Information System
Determine the risk to agency operations, agency assets, or individuals and, if that risk is acceptable, authorize the information system to operate.
QTS provides assistance with audit evidence as requested during the Authorization phase.
Step 6. Monitor Security Controls
Continuously track changes to the information system that may affect its security controls and reassess control effectiveness.
QTS continually performs physical, environmental, logical access, change management and remediation, and security incident response activities in a manner that meets government risk management requirements.
After the security assessment is complete, the head of the agency (or their designee) can authorize the system for use by granting an Authority to Operate (ATO). The agency grants an ATO according to a risk-based framework that analyzes how the vendor has implemented the security controls within its IT environment.