Welcome back!
My name is Kelley Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX.
This is number 5 in the Blue Cyber Series: Fast Track ATO. In our discussion today, we're going to be talking about ATOs or authorization to operate.
Let me explain. An ATO is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations, organizational assets, individuals, other organizations, and the nation based upon the implementation of an agreed-upon set of security controls.
ATOs often have conditions and assumptions which must be continually monitored by the program office which applied for the ATO. A fast-track ATO is based upon a cyber security baseline, a threat risk assessment, and an information system continuous monitoring strategy. These three factors allow for a risk-based decision on an ATO.
Let's back up and talk about risk management framework or RMF. The RMF is a criteria that describes the processes for architecture, security, and monitoring of U.S. government IT systems. The RMF was created by the Department of Defense in 2010. It has been documented by NIST and serves as the foundation for federal data security strategy. The RMF requires secure data governance strategies and the performance of cyber risk modeling to identify cyber risk threat areas.
The fast-track ATO accelerates RMF steps select through authorize. It does this by focusing on operationally relevant risk identification and threat-informed risk assessments for Department of the Air Force systems and missions. What this means practically is that if there are items of low risk that are not quite secure, an ATO can be issued with a due date for those items to become secure.
You might be wondering: how do I get an ATO? Again, an ATO is a relationship between a Department of the Air Force program office and an authorizing official. The program office is a Department of the Air Force program of record which has the leadership and resources such as cybersecurity resources which can accept and manage the risk outlined in the ATO.
You might be wondering where does the vendor come in? The vendor comes in when they complete the AO Determination Briefing. That briefing is a set of slides where the vendor describes comprehensively their IT and the risk to operations.
How does the process begin? The process begins when an Airman or Guardian decides to acquire a vendor’s IT. They go then to their program office and inquire about how to begin. If there is no program office, go to the wing cybersecurity office to begin.
Thanks for spending time with me during this discussion today. Today, we talked about the fast-track ATO and how to begin the process.
A reminder that this presentation is not a substitute for reading the FAR and DFARS in your small business contract. My name is Kelley Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX.
Date Taken: 03.03.2022
Date Posted: 03.11.2022 15:34
Category: Video Productions
Video ID: 834424
VIRIN: 220304-F-WY291-1194
Filename: DOD_108855250
Length: 00:03:47
Location: OHIO, US
This work, Fast Track ATO, by Dave Pope, identified by DVIDS, must comply with the restrictions shown on https://www.dvidshub.net/about/copyright.