ATO Checklist

The ATO checklist helps you track progress towards a successful launch throughout your project. It is a formatted issue on GitHub, and is the canonical source of information for your path to launch.

To start the security clearance process, create an issue in the Infrastructure repository using this template as the body. Make sure to replace the placeholders (the things in [square brackets]). Feel free to add a username after each task to assign it, and/or make corresponding items in your issue tracker. Unless otherwise specified, all tasks are the responsibility of the project team.

The tasks are in suggested order of priority, though they can often be done in parallel. Note that all of the prerequisite tasks need to be completed before your project will be scheduled for a sprint.

Make sure to:

  • Mention the @18F/ato team in any issues or pull requests.
  • Leave a comment in the ATO issue when the Project team section of the checklist is complete and ready for review.

You are welcome to ask any questions as comments in the issue or #infrastructure.

Checklist preview

  • Main repository: [url]
  • Site: [url]
  • Product manager: @[username]
  • System Owner: @[username of technical point of contact who will be the project representative in the Sprint]
  • Infrastructure Lead: @[username]
  • ATO folder: [url]
  • Sprint notes: [url]


If your system isn’t live yet, “production” refers to the environment that will be production.

Phase 1: ATO Sprint prerequisites

Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.

Infrastructure Lead

  • Set up an ATO intro meeting with the project team.
  • Determine the impact level.
    • Confirm with @[Authorizing Official]
  • Add this issue to the Backlog of the ATO Kanban board.
  • Assign the appropriate labels to this issue.
  • Set up the project ATO folder.
  • Make a copy of the ATO Sprinting notes template and save it in the Sprinting Team folder with a title of ATO Sprinting Team notes - <project>.
    • Fill out the placeholders.
    • Link to it as the Sprint notes at the top of this issue.

Project team


These tasks apply to every repository/application/hostname/language that is directly involved in your project.

  • Enable protected branches for the project repository.
    • Get help via #admins-github, if needed.
  • Ensure that your production environment is fully set up, and matches what’s described in your ATO materials.
  • Set up monitoring
  • Log required events
  • Perform security scans, and put the results (or a link to them) in the project’s ATO folder.
    • Set up dependency analysis service
      • Add service badge to your README
      • Put a point-in-time PDF of the scan results in the project’s ATO folder.
    • Set up static code analysis
      • If using a service, add the badge to your README.
    • Perform dynamic vulnerability scanning
      • Resolve any visible security issues, re-running the scan as needed
      • Add the issue-free scan report or documentation about false positives to the project’s ATO folder.
  • If this is a new system, add a prominent Beta label to the site.
  • Ensure the production environment has sufficient capacity to withstand the testing.
    • The testing tools create very heavy usage and traffic.

…reading and writing.

Phase 2: Documentation review

  1. Move this issue to the Documentation review column of the ATO Kanban board. - @[infrastructure lead]
  2. Schedule a documentation review session. - @[infrastructure lead]
    • One or more follow-up sessions may be necessary.
  3. Fix any documentation issues identified in the session.
  4. RoE signed
    • System Owner
    • GSA IT
  5. Confirm you can access Archer

Phase 3: ATO Sprint

  1. Sprint started.
  2. Polish up the System Security Plan (SSP).
  3. Penetration test complete. - @[tester]
    • Enhanced Scanning and Assessment Process (ESAP) document added to ATO folder - @[tester]
  4. Put all vulnerabilities from the ESAP in the project’s issue tracker.
  5. Fix any Critical or High vulnerabilities from the ESAP.
    • This needs to be done before the ATO can be issued, though not necessarily before the end of the sprint.

Phase 4: Post-Sprint

  1. Controls tested - @[GSA IT representative]
  2. Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
  3. Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
  4. Remove the Beta label from the site.
  5. Fix all Moderate vulnerabilities - due [30 days after ATO issued]
  6. Fix all Low vulnerabilities - due [60 days after ATO issued]
  7. Join the TTS Private Bug Bounty - due [60 days after ATO issued]
  8. Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critcal/high report was triaged, whichever comes last

See the Before You Ship site for more information.

/cc @18F/tts-tech-portfolio