Case Study: NIST A&A Authority to Operate (ATO) Support

The Business Challenge

At the direction of the Defense Intelligence Agency (DIA) Chief Information Officer, Team BI will provide System Security Assessments that are consistent with Federal Information Security Management Act (FISMA), National Institute of Standards Technology (NIST), and DIA guidance.  As required by FISMA, NIST provides Special Publications (SP) describing the framework and basis controls for the security authorization of information systems owned by or operated on the behalf of the Federal government.  NIST SP 800-37, “Risk Management Framework (RMF),” as well as SP800-137, “Information System Continuous Monitoring,” provide a detailed description of the NIS Risk Management Framework and approaches to effective Continuous Monitoring practices. NIST SP800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” and “SP800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations provide the basis security controls for implementing of information systems.  DIA specific requirements to support the security of systems containing, transporting or processing sensitive compartmented information are defined in Director of Central Intelligence Directive (DCID) 6/3, “Protecting Sensitive Compartmented Information within Information Systems,” and (later) in Intelligence Community Directive (ICD) 503, “Intelligence Community Information Technology Systems Security Risk Management, Certification, and Accreditation.” In addition to the applicable NIST security controls, the BI Assessment Team will assess the DIA specific processes and current templates as defined in the DIA System Authorization Handbook..

QSMI's Approach to the Solution

Our security assessment process consists of the following meetings with system POCs and the creation, compilation, and processing of multiple documents.

  • Kickoff and System Overview - Starts authorization process.

  • System Security Plan (SSP) meeting - Review existing system implementation statements in SSP to prepare questions for SCA meeting.

  • Security Control Assessment (SCA) Walkthrough - Conduct non-intrusive testing, and examine system to collect evidence, review security controls, update SSP, and collect assessment information.

  • Internal Findings and Recommendations (F&R) Review meeting: Review the POA&M items internally and with the AIS POC.

  • Findings and Recommendations (F&R) Review meeting - Discuss and finalize findings with system owners.

The documents prepared and generated during the assessment process comprise the system’s authorization package, a group of documents that can include security plans, security assessment reports, and POA&Ms.


To support the Risk Management Framework Documentation requirement, Business Integra will develop and maintain a collaborative document management resource in a secure environment.  The Tool will be developed using the SharePoint tool or similar resource and be used as a central location for the creation and management of all Assessment and Authorization documents.  The Tool will also be used as a technical library to store and manage NIST and DIA Requirements documents, and System Risk Management Framework documentation for assigned systems.  Security Control Assessors will review all System Risk Management Framework documentation related to assigned systems prior to conducting any assessment. The use of the Tool will allow the BI Assessor to maintain open communication with the responsible system personnel and request additional data and documentation during the system assessment phase. The BI Assessor will maintain all assessment documentation in an organized assessment package during the assessment process and upon completion of the system assessment, the assessor will finalize the document package and provide the formalized documented assessment package to the appropriate agency’s authorizing official the for approval. Upon completion of assessment, the BI Assessor shall review and ensure all required body of evidence information is present and provided to the responsible part of the assessed system.  As a minimum, the final assessment package shall contain the following documentation.

  • Executive Summary

  • System Security Plan (SSP)

  • Security Assessment Report (SAR)

  • Risk Assessment Report (RAR)

  • Security Controls Traceability Matrix (SCTM)

  • Installation Guides/Privilege Users Guide

  • Authorization to Operate (ATO)

​​Benefits to the Customer

QSMI's cyber security personnel leveraged our Team's knowledge of the systems development program from its inception, as well as our good working relationships with the Government's Information Security Office (ISO) and the customer's Information Technology Infrastructure Team, to draft, validate all of the ATO paperwork and gain accreditation in under slightly over nine months from the start of accreditation process.  Originally the master project plan had estimated that the process would last a year.  Thus, the system was able to be brought up in the customer's production environment three months earlier than anticipated, saving time, money and accelerating customer training.

Because the software development effort involved rapid incremental Agile software product releases, features and capabilities were added in a rapid fashion.  QSMI continued to work closely with the development team, ISO, and the IT Team to assess the required security controls and update the ATO documentation in order to maintain accreditation in conjunction with the rapid software product release cycle .

Unique Capabilities for a Unique Customer Communinty

  • White LinkedIn Icon

Copyright © 1997-2020 ​QUALITY SYSTEMS MANAGEMENT, INC.  all rights reserved