Authority to Operate

From MgmtWiki
Revision as of 17:50, 28 April 2022 by Tom (talk | contribs) (Solutions)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Full Title or Meme

For secured systems an ATO must be obtained before code can be run on any secured computer.


  • The US military requires an ATO before code can be run on a FedRAMP computer.
  • An ATO is also known as (aka) an Authorization to Use.


Continuous Monitoring (CONMON)
RMF requires a CONMON strategy for each system. This strategy describes how the
System Owner, in coordination with Service Providers, will continuously monitor and assess all
of the security controls within the information system’s security baseline, including common
controls. The specific plan will vary based on component monitoring infrastructure, the specific
technologies used by the system, and the application of the system. Automated monitoring
should be as near real time as feasible. Manual controls will have different timelines associated,
but must be included in the overall monitoring strategy. It is critical that System Owners in
coordination with Service Providers demonstrate the ability to effectively integrate the
automation and monitoring of all security controls prior to entering into a cATO status