How Long Does the ATO Process Take?
Getting an Authorization to Operate (ATO) can drag on for months—sometimes to more than two years. This extensive and rigorous evaluation is essential for maintaining operational security and protecting sensitive data when deploying new software or major updates, but it doesn’t have to be an endless bureaucratic slog.
To accelerate the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) process for obtaining an ATO, it’s imperative to understand the typical timeline and the factors influencing it, and to explore the value of continuous Authority to Operate (cATO) for continuous delivery after achieving the initial ATO. Plus, we’ll share an Authority to Operate checklist to help you navigate the complex process.
What is ATO approval?
An Authorizing Official (AO) is the senior official responsible for evaluating and accepting security risks associated with an information system. The AO has the critical decision-making role of determining whether a system is fit for operational use on the agency’s network. This requires an assessment of the technical aspects of the system, ensuring mitigation of potential risks to an acceptable level before software deployment. By granting an ATO, the AO formally authorizes the system to operate, signifying it is secure and capable of protecting sensitive data.
What is an ATO from the DOD?
The Department of Defense (DOD), like other federal agencies, requires ATOs to ensure a system can protect sensitive information and perform its intended functions without exposing the network to unacceptable levels of risk. An ATO is a formal declaration that a system meets the necessary government security and privacy standards for deployment as the Federal Information Security Modernization Act (FISMA) requires.
The DOD's approach to ATOs is essential to safeguard national security information and ensure defense systems are resilient against evolving threats, but the traditional ATO requires a point-in-time security check of controls that repeats for major updates or when the authorization expires. The traditional process does not support near real-time changes to address changes in technology or emerging threats.
Do all federal systems require an ATO?
ATOs are always required for government information systems. They indicate that a system has passed a comprehensive security assessment and meets the required security standards to function within a specific operational environment. Federal agencies must apply the seven-step Risk Management Framework to grant permission for systems to operate on government networks.
What is the ATO process?
The NIST RMF outlines a structured but adaptable process with seven steps for managing risks associated with information systems. Organizations may apply these steps in a non-sequential order, as applicable to their software development lifecycles:
Note: This checklist is a high-level overview of the seven-step RMF process—multiple steps in each of these sections must be completed. More information is available by visiting NIST or when working with an experienced partner like Rise8.
- Prepare:
  - Identify key risk management roles within your organization.
  - Establish a risk management strategy and determine risk tolerance.
  - Develop an organization-wide risk assessment and establish tailored control baselines.
- Categorize:
  - Determine the impact level of the system based on confidentiality, integrity, and availability.
  - Use NIST’s FIPS 199 to help categorize the information and systems.
- Select Security Controls:
  - Choose a baseline set of security controls from NIST SP 800-53B based on the system’s categorization.
  - Supplement these controls with additional ones if necessary to address specific risks.
- Implement Security Controls:
  - Apply the selected security controls to the system.
  - Document how these controls are deployed and integrated into the system.
- Assess Security Controls:
  - Conduct a thorough evaluation of the implemented controls to ensure they are functioning correctly and effectively mitigating risks.
  - This assessment typically involves penetration testing and vulnerability scanning.
- Authorize the System:
  - Compile an Authorization Package.
  - Present this package to the Authorizing Official (AO) for review.
  - The AO will evaluate the risk and decide whether to grant the ATO based on the assessment results and the system’s overall security posture.
- Monitor Security Controls:
  - Once the ATO is granted, continuously monitor the system to ensure ongoing security.
  - Perform regular assessments, updates, and reporting to maintain compliance and address any emerging threats.
How long does it take to get an ATO?
Several factors contribute to process timeliness, including system complexity, the thoroughness of the preparation and documentation, the responsiveness of all stakeholders, and the availability of technically skilled assessors and highly competent system development teams.
Factors Influencing ATO Duration
Here’s a general outline of what to expect in each step of the RMF:
- Prepare: Set up key roles, create a risk management plan, assess risks, identify common controls, and develop a monitoring strategy. Depending on your readiness, this can take weeks to months.
- Categorize: Link the system’s security activities to your organization’s mission. Identify information types, set impact levels, and assign a security category. This helps align security with business priorities.
- Control Selection: Choose baseline security controls based on risk. Add any needed supplemental or compensating controls. With clear guidelines, this step can take just a few weeks.
- Implement Security Controls: Apply the chosen controls, configure security measures, and document everything. This can take months, depending on system complexity.
- Assess Security Controls: Test the controls with penetration testing and vulnerability scans. The assessment could take anywhere from a few weeks to months, depending on the findings.
- Authorize System: Put together the Authorization Package (System Security Plan, Security Assessment Report, etc.) and submit it to the Authorizing Official. This process can take weeks, depending on the AO’s review and any risks that need addressing.
- Monitor and Maintain Compliance: After the ATO is granted, this step ensures your system stays secure. It involves continuous updates, monitoring, and reassessments over time.
Is there an alternative to the ATO process?
While there is no alternative to the Risk Management Framework, the RMF is very flexible and encourages implementing the framework according to your needs and abilities. So yes, there are alternatives to the traditional approach to ATO. A popular alternative involves moving to an ongoing authorization tailored for continuous delivery, often referred to as continuous Authority to Operate (cATO). Unlike the traditional ATO, which provides a one-time, time-bound approval, cATO is a dynamic, ongoing authorization process within RMF designed to expedite software development and delivery without sacrificing security. This approach is better suited for mission-critical environments that require rapid, frequent software updates while maintaining a high level of security. cATO integrates Agile and DevOps methodologies with the existing RMF, revolutionizing traditional practices by emphasizing continuous assessment and improvement.
The benefits of cATO are:
- Real-Time Risk Management: cATO requires continuous monitoring, enabling real-time detection and mitigation of vulnerabilities.
- Agile and Efficient Deployment: Embracing cATO allows organizations to deploy software updates and new systems faster without waiting for lengthy approvals, helping them stay responsive to changing requirements and emerging threats.
- Enhanced Flexibility and Responsiveness: cATO allows frequent updates and modifications, keeping systems secure and functional over time. This continuous process aligns with modern DevOps, promoting a culture of ongoing improvement and adaptation.
Achieve Continuous Authorization: Make Ship Happen
When done correctly, cATO is about authorizing the system. However, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, policies/processes, and technologies. Rise8 firmly believes that local context is an important factor when designing and implementing cATO—you cannot succeed if you don’t know where you’re starting from. Rise8 pairs one-to-one with your team to bring the benefits of ongoing authorization to the continuous delivery of valuable software your users will love. Pair with Rise8 for:
- Speed and Efficiency: Significantly reduce the time required to achieve authorization compared to traditional ATO processes.
- Enhanced Security: Continuous monitoring and real-time risk management improve overall security posture.
- Adaptability: Agile methodologies enable quick adaptation to new threats and changing requirements.
Learn more about Rise8 or schedule a call today to make ship happen!