U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
    Glossary
A  |  B  |  C  |  D  |  E  |  F  |  G  |  H  |  I  |  J  |  K  |  L  |  M  |  N  |  O  |  P  |  Q  |  R  |  S  |  T  |  U  |  V  |  W  |  X  |  Y  |  Z

authorization to operate (ATO)

Abbreviation(s) and Synonym(s):

ATO
Security Authorization (to Operate)
Security Authorization(to Operate)

Definition(s):

  The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Source(s):
CNSSI 4009-2015 from NIST SP 800-53 Rev. 4, NIST SP 800-53A Rev. 1, NIST SP 800-37 Rev. 1
NIST SP 800-137 under Authorization (to operate) from CNSSI 4009
NIST SP 800-161 under Authorization (to operate) from NIST SP 800-53 Rev. 4
NIST SP 800-30 Rev. 1 under Authorization (to operate) from CNSSI 4009
NIST SP 800-37 Rev. 1 under Authorization (to operate)
NIST SP 800-53 Rev. 4 under Authorization (to operate)
NIST SP 800-39 under Authorization(to operate)
NIST SP 800-53 Rev. 4 under Authorization(to operate)

  See authorization to operate (ATO).
Source(s):
CNSSI 4009-2015 under security authorization (to operate) from NIST SP 800-37 Rev. 1

  See Authorization (to operate).
Source(s):
NIST SP 800-30 Rev. 1 under Security Authorization (to Operate)
NIST SP 800-39 under Security Authorization(to Operate)

  Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
Source(s):
NIST SP 800-79-2 under ATO

  The official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
Source(s):
NIST SP 800-37 Rev. 2 under authorization to operate
NIST SP 800-53 Rev. 5 under authorization to operate from OMB Circular A-130 (2016)

  The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls and privacy controls.
Source(s):
NIST SP 800-53A Rev. 4 under Authorization (to operate) from NIST SP 800-37 - Adapted