ATO, demystified
An Authorization to Operate is the Authorizing Official's formal risk decision that a federal information system may process federal data on federal networks for a defined period. It is not a security certification; it is a risk acceptance. The AO signs a document saying: "I understand the residual risk in this system and I accept it on behalf of the agency." That signature is what unlocks production. Without it, no production. The RMF is the methodology used to produce the evidence, narrative, and risk analysis that an AO needs to sign.
The NIST Risk Management Framework
NIST SP 800-37 rev 2 organizes authorization into seven steps. We execute each deliberately:
- Prepare. Establish organizational context, risk tolerance, common control baselines, and the authorization boundary. Many agencies underinvest here; a sloppy prepare step creates pain in every subsequent step.
- Categorize. Apply FIPS 199 and FIPS 200 to the information types processed by the system. The output is a system impact level (Low, Moderate, or High) that drives the 800-53 baseline.
- Select. Choose the control baseline and tailor it. Tailoring includes inheriting controls from common providers (e.g., AWS GovCloud for infrastructure controls), scoping out non-applicable controls with documented rationale, and applying overlays (PII, CUI, Privacy, HVA).
- Implement. Deploy the technical, operational, and management controls. This is where most of the engineering work lives.
- Assess. Independent assessment (by a 3PAO or IV&V team) validates that controls are implemented correctly and operating as intended. The output is the Security Assessment Report (SAR).
- Authorize. AO reviews the SSP, SAR, and POA&M, makes a risk decision, and signs.
- Monitor. Continuous monitoring. Control health metrics, vulnerability management, configuration drift detection, and annual partial reassessment on a three-year rotation.
NIST 800-53 rev 5 control implementation
NIST 800-53 rev 5 organizes controls into 20 families (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR). A Moderate baseline uses approximately 287 controls plus 36 enhancements, totaling 323 line items. A High baseline uses approximately 369 controls plus 41 enhancements, totaling 410+ line items. Each control requires a written implementation narrative, defined parameter values, and evidence that the control is operating.
Our implementation approach is automation-first wherever possible. Controls backed by automated technical enforcement and log-generated evidence are dramatically easier to defend in assessment than controls backed by policy PDFs. We aim for 70+ percent of controls to have automated evidence by production cutover.
SSP authoring that survives 3PAO review
The System Security Plan is the authorization document the AO reads. For FedRAMP Moderate, expect 400-600 pages. For High, 600-900 pages. An SSP has three common failure modes:
- Copy-paste. Narratives lifted from a template that do not match actual implementation. 3PAO catches this in interviews and flags the system for substantial rework.
- Missing inheritance. Controls marked "inherited" from a common provider without a reference to the specific provider control and its authorization status.
- Undefined parameters. 800-53 controls contain organization-defined parameters (ODPs) like "the organization defines the frequency of [activity]". SSPs that leave ODPs blank cannot be assessed.
We author SSPs with control-by-control narratives drafted in collaboration with the system engineers who actually built the control. We trace every ODP to a specific value. We map every inherited control to its source and its authorization status. We produce OSCAL-formatted packages for FedRAMP 20x and agency modernization programs.
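As an added illustration (not this firm's tooling or any OSCAL library), the three failure modes above can be checked mechanically before a package goes to the 3PAO. The record shape, field names, and ODP labels below are assumptions, loosely modelled on an implemented-requirement with its parameters and inheritance, not the full OSCAL schema.

```python
from collections import Counter

# Constructed sample records. Field names and ODP labels are assumptions for
# illustration; "inherited" holds the provider reference when a control is
# marked as inherited from a common provider.
SAMPLE_SSP = [
    {"control": "AU-2", "narrative": "Auditable events are logged per policy.",
     "odps": {"event-types": ""}, "inherited": None},
    {"control": "AU-3", "narrative": "Auditable events are logged per policy.",
     "odps": {"record-content": "user, time, source, outcome"}, "inherited": None},
    {"control": "PE-3", "narrative": "Physical access control is inherited.",
     "odps": {}, "inherited": {"provider": "AWS GovCloud", "control": "PE-3",
                              "authorization": "FedRAMP High"}},
    {"control": "PE-6", "narrative": "Physical monitoring is inherited.",
     "odps": {}, "inherited": {"provider": "AWS GovCloud"}},
]

def lint_ssp(controls):
    """Return (control_id, finding) pairs for the three failure modes."""
    findings = []
    # Copy-paste: the same narrative text appearing under more than one control.
    narrative_counts = Counter(c["narrative"].strip().lower() for c in controls)
    for c in controls:
        cid = c["control"]
        if narrative_counts[c["narrative"].strip().lower()] > 1:
            findings.append((cid, "copy-paste: narrative duplicated in another control"))
        # Undefined parameters: an ODP present in the record but left blank.
        for pid, value in c["odps"].items():
            if not str(value).strip():
                findings.append((cid, f"undefined parameter: {pid} has no value"))
        # Missing inheritance: an inherited control needs the provider, the
        # provider's control id, and that provider's authorization status.
        inherited = c.get("inherited")
        if inherited is not None:
            for key in ("provider", "control", "authorization"):
                if not inherited.get(key):
                    findings.append((cid, f"missing inheritance: no {key} recorded"))
    return findings

def is_assessable(controls):
    """True when the linter raises no finding."""
    return not lint_ssp(controls)
```

On the sample, AU-2 and AU-3 share a narrative, AU-2 leaves an ODP blank, and PE-6 names the provider but not the provider control or its authorization status; PE-3 passes.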
POA&M management
A Plan of Action and Milestones is the living register of open control gaps. Every finding from the SAR, every quarterly vulnerability scan result, every incident lesson-learned, every audit observation — all of them land in the POA&M with an owner, a remediation plan, a target date, and a risk assessment. The POA&M is the single most scrutinized document during continuous monitoring. Aged or stalled POA&Ms cause AOs to withdraw authorizations.
We operate POA&Ms with discipline: every finding has a named owner, remediation plans are tracked weekly, target dates do not slip without explicit re-baselining, and metrics (open count, median age, past-due rate) are reported to the AO monthly.
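The monthly metrics named above (open count, median age, past-due rate), computed over a constructed register as an added example that is not this firm's tooling. The item fields, including the explicit "rebaselined" date that records an approved slip, are assumptions for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample register; field names are assumptions for illustration.
# "rebaselined" holds an explicitly approved new target date, so the original
# target stays on record and a slipped date is visible.
SAMPLE_POAM = [
    {"id": "V-1", "owner": "platform", "opened": date(2024, 1, 10),
     "target": date(2024, 3, 1), "closed": None, "rebaselined": None},
    {"id": "V-2", "owner": "appsec", "opened": date(2024, 2, 5),
     "target": date(2024, 4, 1), "closed": None, "rebaselined": date(2024, 7, 1)},
    {"id": "V-3", "owner": "appsec", "opened": date(2024, 3, 1),
     "target": date(2024, 5, 1), "closed": date(2024, 4, 20), "rebaselined": None},
    {"id": "V-4", "owner": "", "opened": date(2024, 5, 15),
     "target": date(2024, 8, 15), "closed": None, "rebaselined": None},
]

def effective_target(item):
    """The date the item is held to: the re-baselined date if one was approved."""
    return item["rebaselined"] or item["target"]

def poam_metrics(items, as_of):
    """Monthly AO metrics as of an ISO date string (e.g. "2024-06-01")."""
    as_of = date.fromisoformat(as_of)
    # Open = opened on or before the report date and not closed by then.
    open_items = [i for i in items
                  if i["opened"] <= as_of and (i["closed"] is None or i["closed"] > as_of)]
    ages = [(as_of - i["opened"]).days for i in open_items]
    # Past due = effective target date already behind the report date.
    past_due = [i for i in open_items if effective_target(i) < as_of]
    return {
        "open_count": len(open_items),
        "median_age_days": median(ages) if ages else 0,
        "past_due_rate": len(past_due) / len(open_items) if open_items else 0.0,
        "past_due_ids": [i["id"] for i in past_due],
        # Every finding must have a named owner; flag the ones that do not.
        "unowned_ids": [i["id"] for i in open_items if not i["owner"].strip()],
    }
```

As of 2024-06-01 the sample has three open items, V-1 is past due, V-2 is not because its slip was re-baselined, and V-4 has no owner.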
Continuous ATO (cATO)
Continuous ATO replaces the three-year cycle with ongoing authorization backed by automated control monitoring, CI/CD pipeline integration, and streamlined change management. DoD DEVSECOPS Reference Design v2 and CISA guidance converge on three pillars: ongoing visibility into control health, active cyber defense, and mature DevSecOps practices. When a system meets the pillars, the AO can grant authorization that persists as long as the pillars remain intact. We engineer cATO by integrating control evidence into CI/CD pipelines, wiring continuous monitoring to the agency's SIEM, and producing AO-ready dashboards that show control health in real time.
Overlays that matter
- Privacy overlay (Appendix J / NIST 800-53 PT family). Required for systems handling PII. Adds 20+ controls on notice, consent, redress, and accountability.
- CUI overlay. NIST 800-171 for non-federal systems and 800-172 for enhanced protection. See our CMMC page.
- High Value Asset (HVA) overlay. CISA BOD 18-02 and subsequent guidance. Additional controls for systems whose compromise would critically impact the agency or nation.
- DoD IL overlays. IL4, IL5, and IL6 add DoD-specific controls on top of FedRAMP baselines.
Who we build ATOs for
- DoD — RMF packages for IL4/IL5 systems. DISA SCA coordination.
- HHS — FedRAMP Moderate and High systems supporting health missions.
- VA — enterprise ATOs for claims, health, and benefits systems.
- DHS — HVA overlays for mission-critical infrastructure.
- GSA — cloud.gov ATOs, shared service authorizations.