Fact or Fiction: Preparing Your ATO Package Will Take You 180 Days

“Fact or Fiction” explores the realities of various Federal IT challenges and the factors contributing to common myths and misconceptions across diverse, trending topics. In the launch of this series, we dive into the truth and misconceptions perpetuating our commitment to a seven-month-long accreditation package preparation.

FACT: Preparing an ATO package averages 208 days – that’s almost seven months!

While preparing a package for a traditional Risk Management Framework (RMF) Authorization or FedRAMP Authority to Operate (ATO) in the federal government can vary in duration based on agency readiness, resource availability, complexity and size of the system, classification of risk assessed, and process efficiencies, it’s no small nor brief feat. (We summarized some of the challenges behind this complexity in our Compliance to Confidence POV piece here.)

In Fiscal Year 2019, agencies reported an average of 208 days to prepare a traditional RMF ATO package. Assuming the Cloud Service Provider (CSP) completed control implementation and documentation prep perfectly, the FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) assessments take about 7-9 months and an agency ATO takes 4-6 months. The preparation process to even get to a submission point is arduous and resource-intensive, entailing the sponsoring agency, a 3PAO, and the involvement of cross-department specialists.

Both the RMF and FedRAMP ATO processes follow a rigor designed to thoroughly review the risks of the asset (e.g., system, product) allowing agencies to evaluate the system benefits against the operational risks, work through micro-level decisions about accepting or mitigating the risks, and make an informed, explicit decision to grant permission of asset use and acceptance of remaining risks.

Although these processes follow different lifecycles, they share similarities in the overarching approach:

• The project team (e.g.: product owner and his/her provider or the CSP) complete cycles of self-assessment and system development, where they understand compliance requirements and bring system to compliance and/or document how it complies.
• Agency representatives review the heavy documentation and provide feedback towards finalizing the authorization package – this may entail audits, interviews, and continued iterations of system development and package updates.
• Additional review cycles are completed with reviews and approvals progressing through the designated authorities.

FICTION: Preparing an ATO package HAS TO TAKE about seven (7) months!

Although navigating the ATO process is an involved journey dependent on several factors, there are process and collaboration challenges that can be improved through automation and streamlining. These include:

• No Centralized and Standardized Way to Collaborate: The ATO process involves stakeholders across different departments and even organizations, which presents access challenges for collaboration. This may include ensuring the right personnel obtain proper training and access to repository systems (e.g.: Enterprise Mission Assurance Support Service (eMASS), Cyber Security Assessment and Management (CSAM), OMB MAX), requesting the infrastructure team’s assistance in establishing a SharePoint or other workspaces, brainstorming ways to exchange large files, or completing PDF forms to request existing authorization packages. With both the information and stakeholders spread across sources, this naturally siloes the participants and the information they need to bring to discussion from their respective expertise area.
• Manual Effort Necessary to Share Information: Once the primary stakeholders have access defined, there remains additional challenges to overcome. Working with your Information System Security Officer (ISSO) and Information Systems Security Manager (ISSM) through the review and preparation process involves everything from documentation review to getting on the same place about controls guidance, system development activities, and evidence strength. Because of the diversity of activities, the information shared may be presented in different forms: STIG Viewers, PDFs, word, Excel, images, Teams messages, emails, and other systems (e.g.: OMB MAX and eMASS). Conversion from one format to another often requires manual effort so that all team members involved can provide the right input.
• Labor-intensive Tracking of Progress and Bottlenecks: Decreasing the delay between review cycles and stakeholder handoffs places tedious demands on the cybersecurity and project team. This administrative action is critical to keeping progress and identifying bottlenecks and challenges, but often requires several meetings and different tracking methods (e.g.: project schedule in Microsoft Project, milestone lists in using excel, cybersecurity integrated master schedules (IMS), manual cybersecurity dashboards, etc.). Oftentimes, the status beyond project and cybersecurity team is managed separately (e.g.: Privacy Office queue), which presents additional visibility barriers that require manual follow-ups with no predictive insight into estimated completion time.

FACT: Security ARMOR® can cut down the manual toil and timeline by 50%!

There is no fiction for this one. DX360°® Security ARMOR® is the one-stop-shop solution necessary to tackle all these challenges and more so agencies can manage a unified, secured portfolio. With powerful features such as package digitization, process automation, audit history and license-free collaboration, everyone benefits from the reduced cycle time, easy-to-read status dashboards, automated and visual task lists, and performance-improving metrics. These include:

1. Process Digitization: Selecting the right controls or inheriting security controls from related boundaries that have already been issued an ATO is available with a click and flexible to importing additional guidance.
2. Intelligent Assessments: Based on the impact levels and other defining criteria finalized by the right stakeholders (including accreditation package reuse from accepted systems), your authorization package is pre-populated with the relevant security controls, policies, and overlays so the team can focus on determining the applicability to your system and not be distracted by research and manual retrieval tasks.
3. Artifact Creation: Create full authorization packages, complete in your agency’s latest templates, without the need to write and re-write word documents so that your artifacts reflect the latest changes. With built-in document management, cross-referencing against policies, reports, and evidence samples can be completed without leaving the app.
4. Real-Time Collaboration: Communication should be seamless. With secured, role-based access not constrained to user license limitations, cross-organizational task assignments, comment threads, document sharing, notifications, and your customized To-Do dashboard, your team can finally save mail storage space and put a stop to more endless email chains.
5. Unified and Secured Portfolio: Enterprise dashboards help visually trace your asset relationships – making continuous monitoring, POA&M management, and vulnerabilities management about risk mitigation and not a manual, time-consuming exercise subject to human error. Project teams are notified of ecosystem risks affecting their assets, cybersecurity teams spend their time guiding and assisting teams instead of creating reports, the FedRAMP PMO can easily identify bottlenecked areas and workload demand, and Executives gain agency-wide visibility and a truly robust security posture.

Contact NetImpact today for a personalized, live demo and discover how Security ARMOR® can revolutionize your ATO process.