Authority to Operate

From MgmtWiki
 
Latest revision as of 17:50, 28 April 2022

Full Title or Meme

For secured systems, an Authority to Operate (ATO) must be granted before any code is permitted to run on the system.

Context

  • The US military requires an ATO before code can be run on its systems, including cloud services authorized under FedRAMP.
  • ATO expands to Authorization (or Authority) to Operate. NIST SP 800-37 Rev. 2 also defines a related but distinct Authorization to Use (ATU), under which an organization accepts another organization's existing authorization of a shared system or service instead of issuing its own ATO.

Solutions

  • DevSecOps Public Sector Accelerated ATO Initiative (2020-10-30): https://icitech.org/devsecops-ato/
  • Continuous Authorization To Operate (cATO) memorandum: https://media.defense.gov/2022/Feb/03/2002932852/-1/-1/0/CONTINUOUS-AUTHORIZATION-TO-OPERATE.PDF

The cATO memorandum's monitoring requirement, quoted:

Continuous Monitoring (CONMON)
RMF requires a CONMON strategy for each system. This strategy describes how the System Owner, in coordination with Service Providers, will continuously monitor and assess all of the security controls within the information system's security baseline, including common controls. The specific plan will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. Automated monitoring should be as near real time as feasible. Manual controls will have different timelines associated, but must be included in the overall monitoring strategy. It is critical that System Owners in coordination with Service Providers demonstrate the ability to effectively integrate the automation and monitoring of all security controls prior to entering into a cATO status.

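To make the quoted CONMON requirement concrete, the following is an added example written for this page; it is not code from the wiki, from ICIT or from the DoD memorandum. It checks a hypothetical system's control baseline against an evidence feed and reports the conditions the memo says must be resolved before entering cATO: controls with no monitoring at all (here a common control whose provider feed is not integrated), evidence older than the control's cadence, and failed assessments. It also flags automated controls whose cadence is far from near real time. Control identifiers follow NIST SP 800-53 naming, but the baseline, cadences, evidence timestamps and the 24-hour near-real-time threshold are assumptions constructed for the example.

```python
"""CONMON coverage and freshness check for a cATO readiness review.

Added example, not from the MgmtWiki page or the DoD cATO memorandum. It
models the memo's requirement that every control in the system's security
baseline, including common controls, is covered by the monitoring strategy:
automated controls assessed near real time, manual controls on a longer but
explicit cadence. Control identifiers follow NIST SP 800-53 naming; the
baseline, cadences and evidence timestamps below are constructed for the
example and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed threshold for "near real time": automated controls with a longer
# configured cadence are reported as a warning, not a blocking finding.
NEAR_REAL_TIME_LIMIT = timedelta(hours=24)


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    method: str           # "automated" or "manual"
    max_age: timedelta    # evidence older than this makes the control stale
    common: bool = False  # common control inherited from a service provider


# Constructed sample baseline for a hypothetical system.
BASELINE = [
    Control("AC-2", "Account Management", "automated", timedelta(hours=1)),
    Control("AU-6", "Audit Record Review", "automated", timedelta(minutes=15)),
    Control("CM-6", "Configuration Settings", "automated", timedelta(hours=24)),
    Control("SI-2", "Flaw Remediation", "automated", timedelta(days=7)),
    Control("CP-9", "System Backup", "manual", timedelta(days=30)),
    Control("PE-3", "Physical Access Control", "manual", timedelta(days=90), common=True),
    Control("CA-7", "Continuous Monitoring", "manual", timedelta(days=365)),
]

# Constructed evidence feed: control_id -> (time of last assessment, passed?).
NOW = datetime(2022, 4, 28, 17, 50, tzinfo=timezone.utc)
EVIDENCE = {
    "AC-2": (NOW - timedelta(minutes=20), True),
    "AU-6": (NOW - timedelta(minutes=40), True),   # older than its 15 min cadence
    "CM-6": (NOW - timedelta(hours=3), False),     # fresh result, but the check failed
    "SI-2": (NOW - timedelta(days=2), True),
    "CP-9": (NOW - timedelta(days=12), True),
    # PE-3 (common control) has no evidence: the provider feed is not integrated.
    "CA-7": (NOW - timedelta(days=200), True),
}


def assess(baseline, evidence, now):
    """Compare the baseline against the evidence feed and return findings.

    missing         controls with no assessment evidence at all
    stale           evidence older than the control's configured cadence
    failing         most recent assessment did not pass
    slow_automated  automated controls whose cadence exceeds NEAR_REAL_TIME_LIMIT
    """
    findings = {"missing": [], "stale": [], "failing": [], "slow_automated": []}
    for c in baseline:
        if c.method == "automated" and c.max_age > NEAR_REAL_TIME_LIMIT:
            findings["slow_automated"].append(c.control_id)
        if c.control_id not in evidence:
            findings["missing"].append(c.control_id)
            continue
        assessed_at, passed = evidence[c.control_id]
        if now - assessed_at > c.max_age:
            findings["stale"].append(c.control_id)
        if not passed:
            findings["failing"].append(c.control_id)
    return findings


def cato_ready(findings):
    """Missing, stale or failing controls block cATO; slow automation is advisory."""
    return not (findings["missing"] or findings["stale"] or findings["failing"])


def format_report(findings, baseline):
    """Human-readable summary grouped by finding type, noting each control's method."""
    by_id = {c.control_id: c for c in baseline}
    lines = []
    for kind, ids in findings.items():
        if not ids:
            continue
        lines.append(f"{kind}:")
        for cid in ids:
            c = by_id[cid]
            tag = "common, " if c.common else ""
            lines.append(f"  {cid} {c.title} ({tag}{c.method}, cadence {c.max_age})")
    lines.append("cATO ready: " + ("yes" if cato_ready(findings) else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess(BASELINE, EVIDENCE, NOW), BASELINE))
```

Run directly to print the report. In practice the evidence dictionary would be populated from the system's own monitoring tooling and from the service provider's attestations for inherited common controls, and the check itself would run on a schedule so that the CA-7 evidence it produces stays current.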
Reference