Lifecycle of a Launch
ATO Sprints are staffed by cross-divisionally by the GSA Office of the Chief Information Security Officer (OCISO) and TTS.
There are a few factors that will determine how long it takes a project to get an ATO. These map to the checklist, so might be helpful to open that up in another window and follow along.
- Everything in Phase 1 needs to be done before the project can enter the ATO Sprint. That responsibility is on the project team and the respective Infrastructure Lead. Completing Phase 1 could take 40 hours of work.
- Your Infrastructure Lead conducts the documentation review of Phase 2. Projects are scheduled for Phase 3 by the Infrastructure Leads as a group.
- Phase 3 should take two weeks, assuming the previous Phases were done thoroughly.
The ATO Sprinting Team makes no guarantees regarding the timeline of ATOs.
As soon as you begin developing an alpha, create your ATO checklist to set up a tracking mechanism for your ATO. You can ask questions in your checklist thread to understand the specific considerations for your system. At this time it is also good to ensure your system is eligible for pre-assessment authorization for user testing purposes.
Work with your Infrastructure Lead to categorize your system’s impact levels, using the ATO Levels guide. GSA provides a “lightweight” ATO process designed for pilot systems running on GSA authorized infrastructure, for which fewer controls are in scope.
Work together with your Infrastructure Lead on this step. The documentation generated by similar TTS projects can be helpful at this stage. Consult the checklist for examples. SSP templates are available for both GSA LATOs and FedRAMP ATOs.
The first step in doing so is to run the security scans. This is a preliminary assessment, final assessment will be done in collaboration with GSA OCISO. You are encouraged to run scans yourself, so that there aren’t big surprises during the ATO Sprint.
In parallel, you will collaborate with a GSA OCISO assessor to verify all the controls in the SSP. The exact tests are given by this assessment case template.
Your Infrastructure Lead will work with you to schedule and prioritize your system assessment. Once assessment starts, the first step is that the AO will review all the items in your ATO checklist including all the documents you generated.
Then, for most systems, a team with members from the project team, your AO, your Infrastructure Lead, and the GSA OCISO will convene for at least a week and begin to follow the Lightweight Security Authorization Guide.
Folks from OCISO will conduct a penetration test on the system. Any penetration test findings deemed serious enough to prevent an ATO will need to be fixed right away to unblock the ATO process. They will also review the SSP document and test the control narratives. This testing and review process will take 1-2 weeks and should be the top priority for the project team at the time.
There are several ways to ensure that your system remains compliant:
- Act on any security notifications from your static analysis.
- Perform and act on findings from dynamic scanning.
- Re-certify your Privacy Threshold Analysis (PTA).
Beyond the general information:
If you’re planning a change that you think may require re-authorization, please open an issue in the TTS Tech Portfolio repository to explain your planned change, so they can evaluate it.
If your systems needs re-authorization, follow the usual steps for getting an ATO, starting with the checklist. You should be able to reuse most of your existing ATO materials, assuming they have been kept up-to-date.