
Authorization to Operate (ATO)

An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations. It is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.


LP3 ATO subject matter experts (SMEs) will provide:


  • Prepare: Essential activities to prepare the organization to manage security and privacy risks
  • Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis
  • Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement the controls and document how controls are deployed
  • Assess to determine if the controls are in place, operating as intended, and producing the desired results
  • Authorize: Senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor: Continuously monitor control implementation and risks to the system
  • Complete documentation (as needed, including POA&Ms and SSPs)
  • Incorporate applicable Risk Management Framework NIST SP 800-53 controls
  • Artifact creation & testing
  • eMASS uploads
  • Vulnerability assessments
  • Environment & Network Buildouts
  • SIPRNet and NIPRNet build-outs
  • Security Technical Implementation Guide (STIG) evaluations, in-depth Application Security assessments, and System Hardening

