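<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <!-- USWDS layouts are responsive; without a viewport meta, mobile browsers
       render the desktop layout scaled down. -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Planning for ATO at CMS</title>
  <!-- Deliberately not deferred: the USWDS init script is designed to run before
       first paint. The main uswds.min.js bundle is loaded at the top of <body>. -->
  <script src="assets/uswds-2.11.1/js/uswds-init.min.js"></script>
  <link rel="stylesheet" href="assets/uswds-2.11.1/css/uswds.min.css">
  <!-- Timed client-side redirect to the replacement site; the site alert in the
       page header tells readers this is about to happen. Where the host allows
       it, a server-side 301 is preferable: it does not depend on the client
       honouring meta refresh and gives crawlers an explicit permanent-move
       signal for the retired URL. -->
  <meta http-equiv="refresh" content="10;url=https://security.cms.gov/learn/authorization-operate-ato">
</head>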
<body>
<script src="assets/uswds-2.11.1/js/uswds.min.js"></script>
<!-- Skip link for keyboard users; its target is the page's main landmark. -->
<a class="usa-skipnav" href="#main-content">Skip to main content</a>
<!-- The USWDS "official government website" banner below is intentionally
     disabled (commented out) on this page. -->
<!--
<section class="usa-banner" aria-label="Official government website">
<div class="usa-accordion">
<header class="usa-banner__header">
<div class="usa-banner__inner">
<div class="grid-col-auto">
<img class="usa-banner__header-flag" src="assets/img/uswds-2.11.1/us_flag_small.png" alt="U.S. flag">
</div>
<div class="grid-col-fill tablet:grid-col-auto">
<p class="usa-banner__header-text">An official website of the United States government</p>
<p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p>
</div>
<button class="usa-accordion__button usa-banner__button"
aria-expanded="false" aria-controls="gov-banner">
<span class="usa-banner__button-text">Here’s how you know</span>
</button>
</div>
</header>
<div class="usa-banner__content usa-accordion__content" id="gov-banner">
<div class="grid-row grid-gap-lg">
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-dot-gov.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Official websites use .gov
</strong>
<br/>
A <strong>.gov</strong> website belongs to an official government organization in the United States.
</p>
</div>
</div>
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-https.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Secure .gov websites use HTTPS
</strong>
<br/>
A <strong>lock</strong> (
<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description" focusable="false"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/></svg></span>
) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
</p>
</div>
</div>
</div>
</div>
</div>
</section>
-->
<!-- USWDS overlay element (presumably the backdrop behind the mobile nav drawer). -->
<div class="usa-overlay"></div>
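<header class="usa-header usa-header--extended">
  <div class="usa-navbar">
    <div class="usa-logo" id="extended-logo">
      <!-- No aria-label/title override on the site-title link: the accessible
           name must contain the visible text (WCAG 2.5.3, "Label in Name"). -->
      <em class="usa-logo__text"><a href="index.html">CMS Security &amp; Compliance Planning</a></em>
    </div>
    <!-- Explicit type so the button never acts as an implicit form submit. -->
    <button class="usa-menu-btn" type="button">Menu</button>
  </div>
  <!-- Redirection Notice: explains the timed <meta http-equiv="refresh"> in <head>. -->
  <section class="usa-site-alert usa-site-alert--emergency" aria-label="Site alert">
    <div class="usa-alert">
      <div class="usa-alert__body">
        <h3 class="usa-alert__heading">CMS ATO Notice</h3>
        <p class="usa-alert__text">
          CMS ATO information can now be found at <a class="usa-link" href="https://security.cms.gov">security.cms.gov</a>, along with other security and privacy resources.
        </p>
        <p class="usa-alert__text">
          This website will be retired. You will be redirected in a moment.
        </p>
      </div>
    </div>
  </section>
  <!-- End Redirection Notice -->
  <nav aria-label="Primary navigation" class="usa-nav">
    <div class="usa-nav__inner">
      <button class="usa-nav__close" type="button"><img src="assets/img/uswds-2.11.1/usa-icons/close.svg" alt="Close"></button>
      <ul class="usa-nav__primary usa-accordion">
        <li class="usa-nav__primary-item">
          <!-- Only the section that contains this page (overview.html) is marked
               current; the page itself carries aria-current on its submenu link. -->
          <button class="usa-accordion__button usa-nav__link usa-current" type="button" aria-expanded="false" aria-controls="extended-nav-section-one"><span>CMS Rapid ATO</span></button>
          <ul id="extended-nav-section-one" class="usa-nav__submenu">
            <li class="usa-nav__submenu-item">
              <a href="rato.html">What is CMS Rapid ATO</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="overview.html" aria-current="page">Background</a>
            </li>
          </ul>
        </li>
        <li class="usa-nav__primary-item">
          <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-two"><span>ATO Phases</span></button>
          <ul id="extended-nav-section-two" class="usa-nav__submenu">
            <!-- <li class="usa-nav__submenu-item">
            <a href="#" class=""> Preparation</a>
            </li>-->
            <li class="usa-nav__submenu-item">
              <a href="overview-phases.html">Overview</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="initiate.html">Initiate</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="develop.html">Develop and Assess</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="operate.html">Operate</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="retire.html">Retire</a>
            </li>
          </ul>
        </li>
        <li class="usa-nav__primary-item">
          <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-three"><span>Resources</span></button>
          <ul id="extended-nav-section-three" class="usa-nav__submenu">
            <!-- <li class="usa-nav__submenu-item">
            <a href="#" class=""> Preparation</a>
            </li>-->
            <li class="usa-nav__submenu-item">
              <a href="types.html">Authorizations &amp; Agreements</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="roles.html">Key Roles &amp; Stakeholders</a>
            </li>
            <li class="usa-nav__submenu-item">
              <a href="tools.html">Tools &amp; Services</a>
            </li>
          </ul>
        </li>
      </ul>
    </div>
  </nav>
</header>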
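<main id="main-content">
  <div class="usa-section">
    <div class="grid-container">
      <div class="grid-row grid-gap">
        <div class="usa-layout-docs__sidenav desktop:grid-col-3">
          <nav aria-label="Secondary navigation">
            <ul class="usa-sidenav">
              <li class="usa-sidenav__item">
                <!-- This page is overview.html ("Background" in the primary nav),
                     so the current sidenav entry links here, not to types.html. -->
                <a href="overview.html" class="usa-current" aria-current="page">Background</a>
                <ul class="usa-sidenav__sublist">
                  <li class="usa-sidenav__item">
                    <a href="#system">What is a system</a>
                  </li>
                  <li class="usa-sidenav__item">
                    <a href="#ato">Why do you need an ATO</a>
                  </li>
                  <li class="usa-sidenav__item">
                    <a href="#start">When to start working on an ATO</a>
                  </li>
                  <li class="usa-sidenav__item">
                    <a href="#site">How to use this site</a>
                  </li>
                </ul>
              </li>
            </ul>
          </nav>
        </div>
        <!-- A document has exactly one <main>. This content column is a <div> so
             that the outer <main id="main-content"> (the skip-link target) remains
             the only main landmark and the id stays unique. -->
        <div class="usa-layout-docs__main desktop:grid-col-9 usa-prose usa-layout-docs">
          <h1>Background</h1>
          <!-- Section headings are h2: the next level below the page's single h1. -->
          <h2>From Waterfall to Iterative Security Planning</h2>
          <p>Using the old waterfall process, getting and maintaining an Authority to Operate (ATO) can take 3-9 months and cost $90,000-$700,000. That is a significant amount of time and resources that could be used to build secure systems. </p>
          <p>Planning for, embracing and internalizing security and compliance early and throughout the development cycle will help your project navigate the system and address requirements more efficiently. This is the goal of the Rapid ATO initiative.</p>
          <p>By educating and preparing stakeholders, embracing iterative security planning and automating aspects of the ATO process, Rapid ATO will lower costs and shorten timelines required to achieve authorization. This will make CMS more secure and encourage more innovation at the agency. </p>
          <h2>How did we get here?</h2>
          <p>The <a href="https://www.cisa.gov/federal-information-security-modernization-act">Federal Information Security Management Act (FISMA) of 2002</a> requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. FISMA was amended in 2014 to modernize federal security practices.</p>
          <p>Every information system operated by or on behalf of the U.S. federal government is required to meet FISMA standards, which includes system authorization (ATO) signed by an Authorizing Official (AO).</p>
          <h2 id="system">What is a system?</h2>
          <p>A federal information system—"system"—is composed of components for collecting, storing, and processing data. This includes all hardware, software, humans and processes associated with developing, deploying, administrating, and maintaining the application. Systems provide information and knowledge in the form of digital products. </p>
          <h2 id="ato">Why do you need an ATO?</h2>
          <!-- NOTE(review): the link text attributes the RMF to NIST, but the href
               points to a third-party site (atos.open-control.org). Consider
               linking to NIST's own RMF page so readers can verify the source. -->
          <p>Before a system can be deployed into production, the federal agency must issue an ATO. The process used to obtain ATO is the National Institute of Standards and Technology (NIST) <a href="https://atos.open-control.org/steps/">Risk Management Framework</a>.</p>
          <p>This process ensures that CMS can track and manage the risk exposure of individual systems and the agency at large. It is essential to protect critical resources and sensitive information.</p>
          <h2 id="start">When to start working on an ATO?</h2>
          <p>Getting an ATO is a complex, multi-step process that impacts the design and implementation of your system. You should start thinking about how it applies to your system <strong><em>before</em></strong> you begin designing and implementing it. Starting the ATO process after you’ve already invested in development can result in costly delays and painful rework.</p>
          <p><strong>We don’t develop products using waterfall anymore. It’s time to end waterfall compliance.</strong></p>
          <h2 id="site">How to use this site?</h2>
          <p>This site should be used <strong>early and often</strong> throughout your System Development Life Cycle, especially when you’re starting to consider a future project launch or feature release. This not only ensures the long-term protection of sensitive information but also prevents costly, duplicative effort after the project’s completion.</p>
          <p>To better understand and prepare for key points in the ATO process and align your SDLC appropriately, it’s helpful to think about the ATO in phases:</p>
          <ol>
            <li><a href="initiate.html">Initiate</a></li>
            <li><a href="develop.html">Develop and Assess</a></li>
            <li><a href="operate.html">Operate</a></li>
            <li><a href="retire.html">Retire</a></li>
          </ol>
        </div>
      </div>
    </div>
  </div>
</main>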
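<footer class="usa-footer usa-footer--slim">
  <div class="grid-container usa-footer__return-to-top">
    <!--- <a href="#">Return to top</a>-->
  </div>
  <div class="usa-footer__primary-section">
    <div class="usa-footer__primary-container grid-row">
      <div class="mobile-lg:grid-col-8">
        <!-- <nav class="usa-footer__nav" aria-label="Footer navigation">
        <ul class="grid-row grid-gap">
        <li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
        <a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
        </li>
        <li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
        <a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
        </li>
        <li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
        <a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
        </li>
        <li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
        <a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
        </li>
        </ul>
        </nav>-->
      </div>
      <div class="mobile-lg:grid-col-4">
        <address class="usa-footer__address">
          <div class="grid-row grid-gap">
            <!-- TODO: add real contact links here with visible link text. The
                 template's empty placeholder anchors (a tel: number and a mailto:)
                 were removed: an <a href> with no text is keyboard-focusable but
                 has no accessible name, so it is announced as an unlabeled link. -->
          </div>
        </address>
      </div>
    </div>
  </div>
  <div class="usa-footer__secondary-section">
    <div class="grid-container">
      <div class="usa-footer__logo grid-row grid-gap-2">
        <div class="grid-col-auto">
          <!-- Decorative: the footer carries no visible agency name, so alt is empty. -->
          <img class="usa-footer__logo-img" src="assets/img/uswds-2.11.1/logo-img.png" alt="">
        </div>
        <div class="grid-col-auto">
          <!-- Template placeholder: fill in the agency name or remove the column. -->
          <p class="usa-footer__logo-heading"></p>
        </div>
      </div>
    </div>
  </div>
</footer>
</body>
</html>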