
Demystifying the ATO Process: What Government Teams Need to Know About Cloud Security

May 6, 2025
Brent Smiley
Director, Information Security, Public Sector
Appian

The federal government has made cloud computing a strategic priority. Government organizations that embrace the cloud gain security, flexibility, and cost savings. They spend less time managing infrastructure, giving them more time to develop applications that help meet their mission.

But ensuring security and compliance in cloud environments presents a complex challenge. One of the most critical steps in deploying a cloud application for government use is obtaining an Authority to Operate (ATO)—a rigorous but necessary process for ensuring mission-critical workloads remain secure.

For government employees involved in IT procurement, security, and compliance, understanding the ATO process is essential. This blog explores the policy landscape, technical requirements, and practical steps necessary to streamline the ATO journey.

What is an ATO and why does it matter?

An Authority to Operate (ATO) is an official approval that allows an information system to process, store, or transmit government data. Systems must have an ATO before going into production at federal government agencies and must maintain it to remain operational. 

The higher the security level an application requires, the more rigorous the ATO process. Understanding these levels helps agencies and cloud service providers determine which security requirements apply.

Mission owners can get an ATO faster and with less effort by using a cloud that has a Provisional Authority to Operate (P-ATO or PA)—a pre-approved security status showing the cloud provider meets baseline requirements. By inheriting security controls from the hosting cloud, they can streamline the process.

DoD security levels

The DoD impact level (IL) signifies the sensitivity of the data a system is authorized to handle:

  • IL2. Public or non-critical mission information  

  • IL4. Controlled Unclassified Information (CUI) or non-CUI, non-critical mission information, non-national security systems 

  • IL5. Higher sensitivity CUI, mission critical information, national security systems (NSS) 

  • IL6. Classified SECRET, national security systems 

Federal civilian security levels

Cloud applications at federal civilian agencies are overseen by FedRAMP, a government-wide program that standardizes security assessments, authorizations, and monitoring for cloud services.

FedRAMP has three security levels—Low, Moderate, and High—which correspond to the potential impact of a security breach. 

  • FedRAMP Low. With 125 security controls, this level is for systems handling low-risk, non-sensitive data (e.g., public-facing websites, open data repositories, collaboration tools).
  • FedRAMP Moderate. With 325 security controls, this level is for systems handling CUI or sensitive government data where a breach could cause operational damage, financial loss, or individual harm (e.g., cloud-based email, HR apps, financial systems). DoD IL2 is equivalent to FedRAMP Moderate; IL4 and IL5 start from the Moderate (or High) baseline and add DoD-specific controls.
  • FedRAMP High. With over 400 security controls, this level is for systems processing highly sensitive data where a breach could result in loss of life or severe financial harm (e.g., DoD systems, sensitive health records). Roughly equivalent to DoD IL4, which accepts a FedRAMP High baseline plus DoD-specific controls.

The control counts above are from the Rev. 4 baselines; the Rev. 5 baselines contain 156, 323, and 410 controls respectively.


Key policies governing ATOs

To navigate compliance requirements more effectively, government employees responsible for securing an ATO should be familiar with several key policy frameworks:

Note that higher FedRAMP and DoD impact levels require stricter security controls, such as more stringent data encryption; network isolation (separating environments of different impact levels from one another); and incident response and monitoring to detect and respond to security threats in near real time.

Common challenges in obtaining an ATO

Mission owners often face lengthy approval times for obtaining an ATO due to complex documentation requirements and security assessments. Achieving IL5 authorization, for example, requires the implementation, documentation, and assessment of hundreds of security controls. Agencies without in-house expertise often rely on external consultants or cloud service providers to help navigate the process.

Resource constraints like lack of personnel skilled in cybersecurity or compliance make it difficult to dedicate resources to the time-intensive ATO process. Experts familiar with NIST 800-53, FedRAMP High, and DoD Cloud SRG, for example, are not always easy to find.

Even agencies with skilled teams can struggle due to staff turnover, which creates knowledge gaps and delays. And since the ATO process is ongoing, maintaining compliance and continuous monitoring requires consistency.

Collaboration across government agencies, contractors, and cloud providers is essential. Knowing the roles involved can streamline the process:

  • Authorizing Official (AO) grants final ATO approval

  • Security Control Assessor (SCA) evaluates security controls and risks

  • Mission owner implements security controls

  • IT and Compliance teams handle security documentation, testing, and monitoring


Streamline the ATO process with an approved cloud

Without a PA, obtaining an ATO can take over a year, depending on system complexity, security level, and agency processes. Using a cloud environment with a PA, like Appian Government Cloud, significantly reduces timelines, as much of the security groundwork is already validated.

1. Inherited security controls

Applications can inherit about 75% of controls from the cloud provider’s PA. This reduces risk and speeds up time to production. The remaining 25% are typically straightforward customizations to the mission owner’s environment.

2. Prewritten security documentation

Documentation such as the System Security Plan, Incident Response Plan, CONOPS, Disaster Recovery Plan, and more can be inherited. Writing these thousands of pages from scratch would require significant time and expert security knowledge.

3. Hardened security baselines

Hardened security baselines are predefined configurations that reduce vulnerabilities and meet FedRAMP and DoD requirements.

  • FedRAMP baselines are built on NIST 800-53 controls, with configuration hardening drawn from benchmarks such as DISA STIGs and CIS Benchmarks. They define strict security configurations for identity management, encryption, logging, and continuous monitoring.
  • DoD baselines rely on the DoD Cloud Computing SRG and STIGs and include stricter controls for encryption, privileged access, and zero-trust architecture.

4. Shared compliance by multiple agencies

A PA allows multiple agencies to use a shared security foundation, reducing duplication and cost. Multiple agencies can deploy applications in a pre-vetted secure environment without duplicating costly security reviews. 

This scalable model accelerates deployment while maintaining standardized security. The government benefits from economies of scale, lowering overall costs while maintaining strong, standardized security across multiple agencies.

5. Continuous monitoring

The ATO process doesn't end with approval. Ongoing compliance is required to keep the authorization: under FedRAMP continuous monitoring, systems are scanned for vulnerabilities regularly, findings are tracked in a Plan of Action and Milestones (POA&M), and the system is reassessed annually. Configuration drift or unremediated findings can cost a system its ATO.

Providers with automated scanning, alerting, and remediation help agencies detect and fix issues proactively, ensuring long-term compliance.
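The two mechanisms above, hardened baselines and continuous monitoring, are easiest to see in code. The following is an added example and is not code from the original post or from Appian: a miniature STIG/CIS-style checker that parses a constructed sshd_config, evaluates it against a small hardened baseline, and compares two scans to report drift, the way a monitoring job would flag a regression between one scan and the next. The rule IDs (`HYP-SSH-*`) are hypothetical, not real STIG identifiers; the OpenSSH defaults used for unset keywords are an assumption taken from sshd_config(5); and the two configurations are constructed samples.

```python
"""Added example (not Appian's code): baseline check plus drift detection
for an sshd_config. Rule IDs are hypothetical; DEFAULTS are assumed OpenSSH
defaults; HARDENED and DRIFTED are constructed sample configurations."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str                  # hypothetical identifier, not a real STIG ID
    key: str                      # sshd_config keyword, matched case-insensitively
    passes: Callable[[str], bool]  # receives the lower-cased observed value
    expected: str                 # human-readable expectation for the report
    severity: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    observed: str
    expected: str


# Assumed OpenSSH defaults for keywords that are not set explicitly.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# A small hardened baseline in the spirit of a STIG: each rule states the
# configuration value an assessor would expect to see.
BASELINE = [
    Rule("HYP-SSH-01", "PermitRootLogin", lambda v: v == "no", "no", "high"),
    Rule("HYP-SSH-02", "PasswordAuthentication", lambda v: v == "no", "no", "medium"),
    Rule("HYP-SSH-03", "PermitEmptyPasswords", lambda v: v == "no", "no", "high"),
    Rule("HYP-SSH-04", "X11Forwarding", lambda v: v == "no", "no", "low"),
    Rule("HYP-SSH-05", "MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "<= 4", "medium"),
    Rule("HYP-SSH-06", "LogLevel", lambda v: v in ("info", "verbose"), "INFO or VERBOSE", "medium"),
]


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings. As in sshd, the first occurrence
    of a keyword wins. Directives inside Match blocks are conditional and are
    skipped here; a full scanner would evaluate them per user or host."""
    settings: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s*=?\s*(.+)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)  # first occurrence wins
    return settings


def evaluate(settings: dict[str, str], baseline: list[Rule] = BASELINE) -> list[Finding]:
    """Check each rule against the observed (or defaulted) value; return failures."""
    findings = []
    for rule in baseline:
        key = rule.key.lower()
        observed = settings.get(key, DEFAULTS.get(key, "<unset>"))
        if not rule.passes(observed.lower()):
            findings.append(Finding(rule.rule_id, rule.severity, observed, rule.expected))
    return findings


def drift(previous: list[Finding], current: list[Finding]) -> tuple[list[str], list[str]]:
    """Compare two scans: (rule IDs that newly fail, rule IDs that now pass)."""
    prev_ids = {f.rule_id for f in previous}
    cur_ids = {f.rule_id for f in current}
    return sorted(cur_ids - prev_ids), sorted(prev_ids - cur_ids)


# Constructed sample: the host as delivered from the hardened baseline.
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the same host after an operator "temporarily" loosened it.
# The second PermitRootLogin line is ignored because the first occurrence wins.
DRIFTED = """
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 10
X11Forwarding no
"""

if __name__ == "__main__":
    before = evaluate(parse_sshd_config(HARDENED))
    after = evaluate(parse_sshd_config(DRIFTED))
    for f in after:
        print(f"{f.rule_id} [{f.severity}] observed {f.observed!r}, expected {f.expected}")
    print("newly failing:", drift(before, after)[0])
```

The scanner reports three regressions on the drifted host (root login, password authentication, and the raised MaxAuthTries) and none on the hardened one, because the only `PasswordAuthentication yes` there sits inside a Match block. Real continuous-monitoring tooling does the same at scale: a CIS or STIG benchmark supplies the rules, a scanner collects the observed state, and the delta between scans is what gets raised as a POA&M item.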

Accelerate ATO approval with Appian

Get expert guidance and support throughout the ATO process.