Here are some common misconceptions we’ve heard about cATO:
- It is a way to avoid having to do RMF - in fact you have to do RMF better than most to achieve initial authorization and then sustain ongoing authorization
- It authorizes the people and/or the process - FISMA is a law that requires us to authorize systems; people and process are given consideration, but they are not what is authorized
- It is a way to push whatever you want, whenever you want - every change still has to meet all security and privacy requirements before it is deployed to production
- It is a pipeline - a pipeline can enforce some controls and scans, but by itself it does not get you anywhere near ongoing authorization
- It requires a platform with sidecar containers - the RMF is technology neutral, and you could achieve this with VMs if you do the work
- It is a waiver - it starts with a zero-based authorization and requires an exceptional RMF implementation to achieve ongoing authorization
- It is something only certain people can do - any authorizing official can grant an ongoing authorization
- It means less difficulty, less documentation, or less work - it requires a zero-based review and then ongoing implementation excellence to achieve
There are also common misconceptions about FedRAMP and DISA Provisional Authorizations. Here is what you need to know:
- FedRAMP does not directly apply to DoD. DISA does, however, use FedRAMP authorization packages as the basis for formally granting a DoD Provisional Authorization, which is a form of reciprocity.
- A Provisional Authorization is not an ATO. Agency Mission Owner Authorizing Officials must review the Provisional Authorization together with agency-specific implementation assessments, and then grant an ATO before the system can be used. The goal is to maximize the reuse of existing evidence.
- You do not have to wait for a FedRAMP or DISA Provisional Authorization before your agency can use a system. Agencies are allowed to perform an initial authorization to operate themselves and send their evidence to the JAB or the DISA AO for review, sponsoring the system for a FedRAMP authorization or a DISA PA respectively. This is likely to be the fastest route to an ATO. Check the local policy of your agency.