Risk Determination / Acceptance Q1-2022

  • After reviewing the Security Authorization Package, the Authorizing Official/designated representative makes a decision whether to issue:
    • Authorize to Operate (ATO) letter-AO accept all risks associated with the system
    • Interim Authorize to Operate letter-AO issue a conditional ATO pending system owner solving all POAM items within a specific period of time, usually 6 months
    • Denial Authorization   to Operate-AO do not issue ATO pending system owner solving all POAM items identified
    • Authorize to Operate (ATO) letter- specify the time period within which the system is authorized to operate, and also specify the expiration date. Letter is signed by both System Owner and AO
  • ATO is usually valid for a period of 3 years
error: Content is protected !!