Authority to Operate

Description   Related Tools    
Toggle All | Print Page Print Page
An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational.


All CDC IT systems are required to obtain a signed ATO prior to full start up. The ATO represents the formal management approval to place a system into operation at CDC. An ATO is granted after an IT system fully complies with the Certification and Accreditation (C&A) process. A system must be compliant with the following regulations specified in the C&A process:

For IT systems that complete the full C&A Process, the DAA is typically a senior management official, at the division level or above, within a center, institute or office. There are two different ATO forms, the Non-Reportable System/Application ATO and the Reportable System/Application ATO. The Certifying Authority (CA) must sign within the C&A Process pending on level of the Federal Information Processing Standard Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems. The CAs are typically the application sponsors, business steward, system owner, chief information security officer and/or designated approving authority.

FIPS PUB 199 is an important component of a suite of standards and guidelines that National Institute of Technology (NIST) is developing to improve the security in federal information systems, including those systems that are part of the nation's critical infrastructure. FIPS PUB 199 enables agencies to meet the requirements of the Federal Information Security Management ACT (FISMA) and improves the security of federal information systems.

The CA must use the Reportable ATO form if the system has a high FIPS PUB 199 impact level and/or are critical inventory systems.

The CA must use the Non-reportable ATO form if the system has a low or moderate FIPS PU B 199 impact level.

The ATO forms can be found in the following link

Note: The Office of the Chief Information Security Officer (OCISO) will not grant an ATO to a web-based system with an application scan containing high vulnerabilities. The CA must collaborate with OCISO to lower the system's vulnerabilities to an acceptable level prior to receiving an ATO. The project officer must submit a self-signed ATO, in PDF format, as part of the C&A package. The Certification Agent (CA) will sign the ATO upon approval of the accepted package.

For additional information, refer to the C&A process guide in the CDC UP website for full compliance details. The link to the C&A process guide can be found in the following link

Best Practices

Practice Activities
See the Others section of the Related Tools tab