|Toggle All | Print Page|
All CDC IT systems are required to obtain a signed ATO prior to full start up. The ATO represents the formal management approval to place a system into operation at CDC. An ATO is granted after an IT system fully complies with the Certification and Accreditation (C&A) process. A system must be compliant with the following regulations specified in the C&A process:
- Security Certification
- Security Accreditation
- Business Continuity Planning
For IT systems that complete the full C&A Process, the DAA is typically a senior management official, at the division level or above, within a center, institute or office. There are two different ATO forms, the Non-Reportable System/Application ATO and the Reportable System/Application ATO. The Certifying Authority (CA) must sign within the C&A Process pending on level of the Federal Information Processing Standard Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems. The CAs are typically the application sponsors, business steward, system owner, chief information security officer and/or designated approving authority.
FIPS PUB 199 is an important component of a suite of standards and guidelines that National Institute of Technology (NIST) is developing to improve the security in federal information systems, including those systems that are part of the nation's critical infrastructure. FIPS PUB 199 enables agencies to meet the requirements of the Federal Information Security Management ACT (FISMA) and improves the security of federal information systems.
The CA must use the Reportable ATO form if the system has a high FIPS PUB 199 impact level and/or are critical inventory systems.
The CA must use the Non-reportable ATO form if the system has a low or moderate FIPS PU B 199 impact level.
The ATO forms can be found in the following link http://intranet.cdc.gov/ociso/CandA/Full_CandA_Process_Documentation.html
Note: The Office of the Chief Information Security Officer (OCISO) will not grant an ATO to a web-based system with an application scan containing high vulnerabilities. The CA must collaborate with OCISO to lower the system's vulnerabilities to an acceptable level prior to receiving an ATO. The project officer must submit a self-signed ATO, in PDF format, as part of the C&A package. The Certification Agent (CA) will sign the ATO upon approval of the accepted package.
For additional information, refer to the C&A process guide in the CDC UP website for full compliance details. The link to the C&A process guide can be found in the following link
- C&A – ATO is dependent on a successful completion of the C&A process. It is vital for the CA to understand the C&A process and collaborate with the DAA to effectively facilitate the ATO process.
- Review – The CA must review the vulnerabilities (if high) of the system in the ATO process.
- Manage & Follow up – The C&A process can be a long process. It is the CA's responsibility to start the C&A process early in order to receive an ATO on a timely fashion.