Stakeholders in the authorization to operate process
This is part one of an ATO-focused blog series covering the balancing act of achieving regulatory agility and compliance with ATO. This release focuses on ATO personas and their roles. The personas discussed today include system owners, agency ISO/ISSOs, Information System Security Managers (ISSM), Agency Assessors, the Operations/implementation team, and the Authorizing Official.
System Owner
The system owner is responsible for overseeing the system or application as well as keeping up all system documentation. The system owner holds final responsibility for all development and operational activities, including submitting and requesting any code, database or web scan pertaining to the application.
Agency Information (System) Security Officer (ISO/ISSO)
The agency ISO/ISSO is responsible for ensuring the implementation and maintenance of security controls for the system. The ISSO provides coordination on all security-related documentation and validation for a specific system or application. The ISSO verifies application categorization (Low, Moderate, High) and creates or reviews the Privacy Threshold Analysis/Privacy Impact Analysis (PTA/PIA). The ISSO provides templates, forms and process guidance for documentation and then acts as the primary source for risk information related to the application. They do this by identifying the risks and answering questions about the security of the system. Once the application is launched, they will continue to monitor ATO status and keep information up to date as needed.
Information System Security Manager (ISSM)
The Information System Security Manager is responsible for providing oversight and additional resources for the ISSO to ensure all ISSO tasks are completed successfully. This individual may coordinate with higher level executives to track ATO progress and ensure timely completion.
Agency Assessors
Generally, security assessors validate the security control implementations specific to an agency system or application. The scope of the assessment only includes controls that are part of the customer responsibility, not controls inherited from the cloud service provider (CSP). CSP-specific controls are covered as part of the FedRAMP ATO and 3PAO (Third Party Assessment Organization) assessment conducted for the CSP.
Operations/Implementation Team
The implementation team is in charge of implementing and documenting the logical and functional characteristics of the application as well as creating and delivering training for the application to users. They also address any issues that are identified within the code, database or network scans.
Authorizing Official (AO)
The Authorizing Official (AO) makes the final risk-based decision with regard to granting an ATO. This individual is generally at the executive level and may be the agency Chief Information Security Officer (CISO) or Chief Information Officer (CIO). The AO signs off on the entire ATO package provided by the ISSO and provides the final authority for the system to operate in production.
These personas are not necessarily an all-inclusive list of ATO personas. We would love to hear what personas other agencies use, to shed more light on what works within other organizations when it comes to cloud computing and ATO. We also welcome comments on what content you would like to see related to ATO as part of this blog series.
We welcome your comments and suggestions to help us improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails by clicking “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.