Authority to Operate (ATO) Guide for Government Contractors
An Authority to Operate (ATO) is a formal government authorization that allows an information system to operate in a federal environment. Obtaining an ATO requires completing the NIST Risk Management Framework (RMF) -- a 6-step process of categorizing your system, selecting and implementing security controls, undergoing assessment, and receiving authorization from an Authorizing Official. The process typically takes 6 to 18 months for agency ATOs and up to 18 months for FedRAMP.
What Is an Authority to Operate?
An ATO is the official management decision by an Authorizing Official (AO) to authorize the operation of an information system. It is not a one-time certification -- it represents an ongoing acceptance of the security risks associated with operating the system. Without an ATO, a contractor's system cannot process, store, or transmit federal data.
The ATO is governed by NIST Special Publication 800-37, which defines the Risk Management Framework. Every federal agency is required to follow the RMF for authorizing systems, though agencies may add their own supplemental requirements on top of the NIST baseline.
ATOs are typically granted for a period of three years, after which the system must undergo reauthorization. However, continuous monitoring requirements mean that security is assessed on an ongoing basis, not just at authorization time.
The RMF 6-Step Process
Step 1: Categorize the Information System
Using FIPS 199 and NIST SP 800-60, determine the impact level (Low, Moderate, or High) for confidentiality, integrity, and availability. The highest impact level across all three becomes your system's overall categorization. Most contractor systems fall into the Moderate category. This step produces the System Security Categorization document and begins the System Security Plan (SSP).
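The high-water mark rule from Step 1, carried through as an added example in Python (not code from this guide): it goes beyond the single-system case in the text by applying FIPS 199 per security objective across several information types, then taking the overall level that drives baseline selection in Step 2. The information types and their impact levels are constructed for illustration; the "not applicable" rule for confidentiality of public information is FIPS 199's own.

```python
"""FIPS 199 categorization: per-objective high-water mark, then overall level.
Added example (not from the guide); info types and impact levels are constructed."""
from typing import Dict, Iterable, NamedTuple, Optional

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}


class InfoType(NamedTuple):
    name: str
    confidentiality: Optional[str]  # None = "not applicable", allowed for public information only
    integrity: str
    availability: str


def _check(level: Optional[str], objective: str) -> None:
    # FIPS 199 allows "not applicable" only for confidentiality of public information;
    # integrity and availability always carry at least a LOW impact.
    if level is None:
        if objective != "confidentiality":
            raise ValueError(f"{objective} cannot be not-applicable")
    elif level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Each objective's system impact is the highest impact assigned to it across
    all information types the system handles (the FIPS 199 high-water mark); the
    overall level, which selects the SP 800-53 baseline, is the highest objective."""
    marks = {"confidentiality": 0, "integrity": 0, "availability": 0}
    seen = False
    for it in info_types:
        seen = True
        for objective in marks:
            level = getattr(it, objective)
            _check(level, objective)
            if level is not None:
                marks[objective] = max(marks[objective], LEVELS[level])
    if not seen:
        raise ValueError("at least one information type is required")
    result = {obj: NAMES.get(v, "NOT_APPLICABLE") for obj, v in marks.items()}
    result["overall"] = NAMES[max(marks.values())]
    return result


# Constructed sample: a contractor system holding one public and two sensitive information types.
SAMPLE_SYSTEM = [
    InfoType("public web content", None, "LOW", "LOW"),
    InfoType("contract financial records", "MODERATE", "MODERATE", "LOW"),
    InfoType("personnel PII", "MODERATE", "MODERATE", "MODERATE"),
]
```

Running `categorize_system(SAMPLE_SYSTEM)` yields a Moderate system: one Moderate objective on any single information type is enough to pull the whole boundary up to the Moderate baseline.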
Step 2: Select Security Controls
Based on your categorization, select the appropriate baseline of security controls from NIST SP 800-53. A Low system requires approximately 130 controls, Moderate requires about 325, and High requires roughly 420. You may also tailor controls based on your specific operational environment and add any agency-specific overlays required by your customer.
Step 3: Implement Security Controls
Deploy the selected security controls within your system and its operating environment. Document how each control is implemented in the SSP. This is typically the most time-consuming step, as it involves configuring systems, writing policies, establishing procedures, and training personnel. Thorough documentation at this stage significantly eases the assessment step that follows.
Step 4: Assess Security Controls
An independent assessor (either internal or a third-party assessment organization) evaluates whether your controls are implemented correctly, operating as intended, and producing the desired outcome. The assessment results are documented in the Security Assessment Report (SAR), which identifies any weaknesses or deficiencies.
Step 5: Authorize the Information System
The Authorizing Official reviews the security authorization package -- including the SSP, SAR, and Plan of Action and Milestones (POA&M) -- and makes a risk-based decision. The AO can issue an ATO, a Denial of Authorization, or an Interim ATO (IATO) with conditions. The POA&M documents any accepted risks and remediation timelines.
Step 6: Monitor Security Controls
After authorization, continuously monitor the security posture of the system. This includes ongoing assessments of a subset of controls, vulnerability scanning, configuration management, incident response, and reporting to the AO. Significant changes to the system may trigger a reauthorization.
FedRAMP vs Agency ATO
Agency ATO authorizes your system for use by a single federal agency. Each agency maintains its own Authorizing Officials and may have unique supplemental requirements. If you serve multiple agencies, you may need multiple ATOs.
FedRAMP (Federal Risk and Authorization Management Program) provides a standardized, government-wide approach to security authorization for cloud products and services. A FedRAMP authorization is recognized by all federal agencies, following the "do once, use many" model. There are two authorization paths:
- JAB Path: Reviewed by the Joint Authorization Board (representatives from DoD, DHS, and GSA). More rigorous, longer timeline, but carries significant market credibility.
- Agency Path: An individual agency sponsors your authorization. Generally faster, and you can begin with a single customer relationship.
For small businesses, the agency path is usually more practical. Find an agency customer willing to sponsor your authorization, complete the process with that agency, and then leverage the FedRAMP authorization to expand to other agencies.
Preparing Your Systems for Authorization
Start preparing early -- ideally 12 to 18 months before you need the ATO. Key preparation steps include:
- Conduct a gap assessment against NIST 800-53 controls for your target impact level
- Build your system on FedRAMP-authorized cloud infrastructure (AWS GovCloud, Azure Government, Google Cloud for Government) to inherit a large portion of controls
- Implement a robust configuration management and change control process
- Deploy continuous monitoring tools (vulnerability scanning, log aggregation, SIEM)
- Develop and maintain all required policies and procedures documentation
- Train your staff on security awareness and incident response procedures
- Establish a POA&M tracking process for any identified deficiencies
Using a GRC (Governance, Risk, and Compliance) platform can dramatically streamline documentation and evidence collection. Tools like eMASS, CSAM, or commercial alternatives help manage the hundreds of controls and associated evidence artifacts.
Common Pitfalls
- Underestimating documentation effort: The SSP alone can be 200+ pages for a Moderate system. Budget adequate time and resources for writing, reviewing, and maintaining documentation.
- Treating ATO as a one-time event: Authorization requires continuous monitoring, regular assessments, and prompt incident reporting. Failing to maintain your security posture can result in ATO revocation.
- Not defining system boundaries clearly: Ambiguous boundaries lead to scope creep during assessment. Clearly define what is in scope, what is inherited from your cloud provider, and what is the responsibility of your customer.
- Ignoring POA&M management: Open POA&M items with missed milestones signal poor security management to the AO. Track items diligently and close them on schedule.
- Insufficient separation of duties: Assessors must be independent from implementers. Using the same team to build and assess controls will not satisfy requirements.
Frequently Asked Questions
What is an Authority to Operate (ATO)?
An Authority to Operate is a formal authorization issued by a government Authorizing Official that permits an information system to operate within a federal environment. It certifies that the system meets security requirements defined by NIST and the agency, and that residual risks have been accepted.
How long does the ATO process take?
A typical agency ATO takes 6 to 18 months depending on system complexity and agency backlog. FedRAMP authorization generally takes 12 to 18 months for the JAB path and 6 to 12 months for the agency path, though well-prepared organizations can sometimes accelerate these timelines.
What is the difference between FedRAMP and agency ATO?
An agency ATO authorizes a system for use by a single federal agency. FedRAMP provides a standardized authorization recognized across all federal agencies, following the "do once, use many" model. FedRAMP is specifically for cloud service providers and carries more rigorous requirements but offers broader market access.
What are the 6 steps of the Risk Management Framework?
The six RMF steps are: (1) Categorize the information system, (2) Select security controls, (3) Implement security controls, (4) Assess security controls, (5) Authorize the information system, and (6) Monitor security controls continuously. These steps are defined in NIST SP 800-37.
Can a small business afford the ATO process?
ATO costs vary significantly by system complexity. A low-impact system may cost $50,000 to $150,000, while moderate or high-impact systems can exceed $500,000. Small businesses can reduce costs by leveraging FedRAMP-authorized cloud infrastructure, using automated compliance tools, and maintaining strong documentation from the start.
Last updated: February 2026