Skip to main content

CMS ATO Notice

CMS ATO information can now be found at security.cms.gov, along with other security and privacy resources.

This website will be retired. You will be redirected in a moment.

Background

From Waterfall to Iterative Security Planning

Using the old waterfall process, getting and maintaining an Authority to Operate (ATO) can take 3-9 months and cost $90,000-$700,000. That is a significant amount of time and resources that could be used to build secure systems.

Planning for, embracing and internalizing security and compliance early and throughout the development cycle will help your project navigate the system and address requirements more efficiently. This is the goal of the Rapid ATO initiative.

By educating and preparing stakeholders, embracing iterative security planning and automating aspects of the ATO process, Rapid ATO will lower costs and shorten timelines required to achieve authorization. This will make CMS more secure and encourage more innovation at the agency.

How did we get here?

The Federal Information Security Management Act (FISMA) of 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. FISMA was amended in 2014 to modernize federal security practices.

Every information system operated by or on behalf of the U.S federal government is required to meet FISMA standards, which includes system authorization (ATO) signed by an Authorizing Official (AO).

What is a system?

A federal information system—"system"—is composed of components for collecting, storing, and processing data. This includes all hardware, software, humans and processes associated with developing, deploying, administrating, and maintaining the application. Systems provide information and knowledge in the form of digital products.

Why do you need an ATO?

Before a system can be deployed into production, the federal agency must issue an ATO. The process used to obtain ATO is the National Institute of Standard and Technology (NIST) Risk Management Framework.

This process ensures that CMS can track and manage the risk exposure of individual systems and the agency at large. It is essential to protect critical resources and sensitive information.

When to start working on an ATO?

Getting an ATO is a complex, multi-step process that impacts the design and implementation of your system. You should start thinking about how it applies to your system before you begin designing and implementing it. Starting the ATO process after you’ve already invested in development can result in costly delays and painful rework.

We don’t develop products using waterfall anymore. It’s time to end waterfall compliance.

How to use this site?

This site should be used early and often throughout your System Development Life Cycle, especially when you’re starting to consider a future project launch or feature release. This not only ensures the long-term protection of sensitive information but also prevents costly, duplicative effort after the project’s completion.

To better understand and prepare for key points in the ATO process and align your SDLC appropriately, it’s helpful to think about the ATO in phases:

  1. Initiate
  2. Develop and Assess
  3. Operate
  4. Retire