Authority to Operate
Full Title or Meme
For secured systems an ATO must be obtained before code can be run on any secured computer.
- The US military requires an ATO before code can be run on a FedRAMP computer.
- An ATO is also known as (aka) an Authorization to Use.
- DevSecOps Public Sector Accelerated ATO Initiative (2020-10-30)
- Continuous Authorization To Operate (cATO)
Continuous Monitoring (CONMON) RMF requires a CONMON strategy for each system. This strategy describes how the System Owner, in coordination with Service Providers, will continuously monitor and assess all of the security controls within the information system’s security baseline, including common controls. The specific plan will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. Automated monitoring should be as near real time as feasible. Manual controls will have different timelines associated, but must be included in the overall monitoring strategy. It is critical that System Owners in coordination with Service Providers demonstrate the ability to effectively integrate the automation and monitoring of all security controls prior to entering into a cATO status