Authorization to Operate (ATO) - a mythical unicorn for some, a holy grail to most, and a regular occurrence for those who recognize the difference between vulnerable and exploitable. At its core, an ATO is simply an official declaration by an authorizing official (AO) that a system may operate within the AO's boundary; the AO is accepting residual risk, which is why a finding that is present but not exploitable in the fielded configuration is treated differently from one that is. To achieve ATO, the security posture of the system must be rigorously documented, evaluated, and approved. Earning ATO often takes years and costs millions of dollars. ATO is the critical milestone for any system that seeks to become operational in the DoD. In accordance with policy, whenever a new software application or system is being considered for DoD use, its security posture is evaluated from inception through fielding to ensure that ATO can be achieved. Unfortunately, stakeholders often defer security until late in development, creating blockers that can prove insurmountable, particularly for firms transitioning from the commercial sector to DoD use.
It is critical for companies to build security into their early design and architecture. Vulnerable or prohibited components in a firm's code and tech stack will likely result in ATO being denied and require the firm to rework the architecture to remove and replace the offending code, leading to additional development, delays, and wasted money. In this vein, failing to plan for ATO can perpetuate the 'Valley of Death' for small businesses and pose a significant roadblock in transitioning from research and development to operations and sustainment. This tutorial aims to encourage all attendees to become familiar with the authorization process before development of a new system or technology begins.
This presentation will discuss: i) what an ATO is, the different types of ATOs, and the associated security constructs; ii) the roles and responsibilities of everyone who plays a part in the ATO process, from government to industry; iii) where to start with an ATO and the steps a company needs to take to achieve it; iv) tips and tricks for shortening the time and effort required to achieve ATO through a Certificate to Field or a Cyber Impact Analysis; v) lessons learned from a small business that recently achieved ATO; vi) ATO reciprocity and how to make an ATO work across the DoD; and vii) how to maintain an ATO. By the end of this tutorial, attendees will be able to describe the steps needed to achieve an ATO.