Authority To Operate (ATO) Policy
This policy outlines how we authorize systems to go live in production.
This policy modifies the responsibilities of Authorizing Officials in the Technology Transformation Service (TTS), the organization previously known as OCSIT/18F.
The Technology Transformation Service is led by a Commissioner, who directly reports to the Administrator of General Services. In order to support the work done by TTS, the Administrator has delegated all risk acceptance authority to the TTS Commissioner for all systems built or purchased by TTS wherein:
information is collected or maintained by or on behalf of the agency
information systems used or operated by GSA or by a contractor of GSA or other organization on behalf of GSA
This scope is defined by the Federal Information Security Management Act. Systems that fall into either of these categories are herein referred to as “TTS systems”. In order to ensure that risk for TTS systems is properly assessed and cost-effectively reduced to an appropriate level by senior TTS officials and system owners, the TTS Commissioner can both delegate to TTS Authorizing Officials and designate their representatives to carry out this work.
Previously, all information systems built, operated, maintained, and owned by OCSIT/18F were authorized by the Deputy Associate Administrator for 18F or other properly delegated OCSIT Authorizing Officials, in keeping with the standard set in NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and elaborated in NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems:
“Accordingly, authorizing officials are in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks.” (Page D-4)
In November 2015, delegations of Authorizing Official responsibility were made to deal with the continued growth of OCSIT/18F.
With the restructuring of OCSIT/18F into the TTS, in order to ensure the timeliness, accountability, and quality of forthcoming authorizations, and to ensure that Authorizing Officials have both authority and context sufficient to make risk based decisions, further changes are required.
Changes in authority
The following delegations and designations are made in the TTS:
All subsequent delegations or designations are valid for the duration of the employment of the individuals who digitally co-sign this policy and commit said signature into the Handbook.
Delegations and designations may be revoked by either the TTS Commissioner or the Administrator of the General Services via digital signature.
All Authorizing Officials formally accept the security responsibility for the operation of a system and their authorizations must declare that their systems are adequately protected.
The TTS Commissioner hereby delegates the 18F Infrastructure Director, in their role as Acting TTS Infrastructure Director, as the Authorizing Official responsible for authorizing via digital signature any and all systems, except for systems categorized at the FIPS High impact level, for either confidentiality, integrity, or availability.
The Acting TTS Infrastructure Director hereby designates the Infrastructure Leads of the TTS Business Units as Authorizing Official Designated Representatives for all systems, and therefore the responsibility for all security planning and “approving the security plan, plans of actions and milestones, the security assessment, and the determination of risk”. The Infrastructure Leads must prepare and approve via digital signature the final authorization package in a structure data format determined by the Acting TTS Infrastructure Director.
Any authorization or risk acceptance by the Acting TTS Infrastructure Director is subject to veto, if digitally signed and given in writing, by the TTS Commissioner or TTS Deputy Commissioner.
All changes in authority take effect immediately upon signature of the TTS Commissioner and counter-signature of the relevant staff. No change in authority is active if a counter-signature of the staff accepting the delegation or designation is missing.
This policy is put into effect by this policy being digitally signed by the Acting TTS Infrastructure Director and committed into this Handbook. All digital signatures must be submitted by signing the entire content of this policy with PGP or exporting the content to a PDF and signing with your GSA PIV card.
Still have questions?
Ask in Slack: #infrastructure