Types of ATO
There are several different methods of obtaining a GSA Authorization, as described in the policy IT Security Procedural Guide: Managing Enterprise Risk (CIO-IT Security-06-30) on Insite:
- GSA Standard A&A Process
- Lightweight Security Authorization Process
- GSA Salesforce Platform Process
- Security Reviews for Low Impact Software as a Service Process
- FedRAMP Process
- GSA Moderate Impact Software as a Service (MiSaaS) Security Authorization Process
- GSA Subsystem Process
- GSA Information System Continuous Monitoring Program
In most cases, the type of ATO pursued for TTS custom software systems is the GSA Lightweight ATO (LATO). The GSA LATO process is described in a guide on Insite (search Insite for “Lightweight Security Authorization Guide”). Systems that are still under development must meet the conditions for pre-assessment before they are used internally by the government.
The GSA LATO is designed for Low and Moderate impact level systems built using agile methods that run on top of cloud infrastructure which has already received an ATO (such as AWS, Azure, and cloud.gov).
The GSA LATO is “lightweight” because it represents a tailored subset of the hundreds of controls in NIST Special Publication (SP) 800-53.
GSA LATO ATOs for Low risk systems are valid for 3 years. GSA LATO ATOs for Moderate risk systems are valid for 1 year. The Authorizing Official (AO) and Chief Information Security Officer (CISO) may, on a case-by-case basis, grant a 90-day ATO. The default expectation is to avoid 90-day ATOs whenever possible, since they make more work for everyone.
Conditions for pre-assessment
Previously known as “pre-authorization”.
You may operate without further authorization, based on our approved pre-existing security authorization, if all of the following conditions are met:
- The system is deployed to cloud.gov or the 18F AWS East/West environment.
- The system does not:
  - interact with or change the state of any production Federal information system, whether it is operated by TTS or our Federal partners
  - collect or store any sensitive personally identifiable information (PII)
  - act as the canonical source of any “production” data
- The system is only available to:
  - staff of the General Services Administration
  - other Federal staff / agencies, by one of:
For systems where all of the information in the system is already publicly available and is non-confidential, the last condition (restricting who the system is available to) can be skipped once you have begun your ATO assessment with GSA IT.