4 paths to secure an Authority to Operate (ATO) for your SaaS app (2023)

Delivering Software as a Service (SaaS) applications to Department of Defense (DoD) users can present unique challenges for a company looking to expand into this market. Whether it be facing a steep learning curve, mitigating the risk of highly variable cost, or navigating different accreditation requirements per customer, confronting these challenges are daunting at first. When it comes to authorizing and deploying your software for DoD use, understanding all options at your disposal will be key to navigating this process successfully.

4 paths to secure an Authority to Operate (ATO) for your SaaS app (1)

4 Ways to Deploy SaaS applications

Finding the best SaaS accreditation pathway for your organization will depend on defense customer requirements, the maturity of your organization and product teams, and funding available. Physical server space, containerization, and intellectual property needs should also be considered when choosing a pathway for accreditation.

4 paths to secure an Authority to Operate (ATO) for your SaaS app (2)

Traditional Authority to Operate (ATO) & Certification to Field (CTF)

The legacy process for deploying software into a government environment requires an Authority to Operate (ATO) or Certification to Field, and can be granted by a specific government agency or organization for their own network. This is a largely manual process where your system’s compliance with the National Institute of Standards and Technology (NIST)’s Risk Management Framework (RMF) based on standards such as NIST 800-53 must be assessed and submitted as a package along with supporting documentation. This process includes extensive configuration, documentation, and testing, and may include additional criteria depending on the sponsoring organization.

This method is frequently used for on-premise systems hosted in DoD data centers and requires finding a hosting environment for your software. It is built around older approaches to certifying and accrediting software and can be largely incompatible with modern software development best practices like DevSecOps and Continuous Integration and Continuous Delivery (CI/CD). This process has historically been known to take more than 6 months, although 18F has since shown it is at least possible to do so in as little as 30 days.

(Video) Application Security 101 - What you need to know in 8 minutes

Who is a Traditional ATO best for?

The ATO process is primarily used when security or operational integrity are concerns for on-premise technology. The ATO process is commonly used if the software being scanned is relatively static, requires server space within DoD areas, or if the company is looking to accredit a bundle of applications that are paired with hardware. Due to the extensive testing and documentation necessary for an ATO, companies with longer timelines and flexible funding are more likely to be able to successfully navigate this pathway.

Companies developing software or creating SaaS apps that need to be accessible to the DoD in one or more classifications can also benefit from the traditional ATO pathway. In addition, the ATO process may be mandatory for some DoD customers based on the unique needs communicated by their Authorizing Official (AO).

What are the key benefits?

An ATO allows DoD personnel to use specific software in a specific environment. Through a security compliance and assessment process, an ATO validates that your software has met the government’s security standards and is ready for use. For SaaS providers, this means you can get software in the hands of DoD users for testing and mission purposes.

Estimated time to accredit: 30-180+ days

4 paths to secure an Authority to Operate (ATO) for your SaaS app (3)


FedRAMP was launched in 2011 to streamline the accreditation process and enable the government to capture the benefits cloud-based solutions have to offer. FedRAMP is specific to cloud service offerings and provides a path for companies to authorize their cloud environment for controlled unclassified information (CUI). Similar to the traditional ATO path, this method includes building authorization packages and compliance with industry standards such as NIST 800-171 and CIS Benchmarks.

(Video) 5 Router Settings You Should Change Now!

According to the FedRAMP website, “There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. To briefly describe the Joint Authorization Board, it is the governing body for FedRAMP that works with DoD, the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO), which can then be accepted on an agency-by-agency basis. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Authorization process.”

Though historically notoriously slow and costly (our own conversations with industry professionals have indicated costs that vary significantly and regularly exceed $1 million), FedRAMP has made significant changes in recent years to speed transition and reduce cost for companies. The “FedRAMP Accelerated” case study highlights recent changes that have been made to speed up the decision-making process, with some companies receiving authorization in as little as 12 weeks.

Who is FedRAMP best for?

FedRAMP is best for medium to large SaaS companies that are looking to work with the federal government and accredit their entire SaaS platform. If the application is built on and/or integrated with a public cloud provider, companies can use the FedRAMP process and baselines to authorize their platform. Most companies use FedRAMP due to the security assurance from FedRAMP screening, in addition to its prominence within civilian agencies.

What are the key benefits?

FedRAMP ensures consistent levels of security throughout government cloud services—and consistency in evaluating and monitoring the product. The process is well-known across government and within the private sector, giving it credibility. FedRAMP also secures a singular standard for government agencies and all cloud providers. This security transparency gives everyone—federal agencies, critical infrastructure, or other commercial companies—more confidence in both the cloud solution and the CSP providing it.

Estimated time to accredit: 3-18 months

4 paths to secure an Authority to Operate (ATO) for your SaaS app (4)

(Video) AWS AMER Summit Aug 2021: Automate security for FedRAMP compliance in the cloud

Platform One Ecosystem

Platform One is an Air Force organization dedicated to providing DoD enterprise-wide DevSecOps software and managed services. Iron Bank is a Platform One service that enables DevSecOps across military branches by providing git repositories and a pipeline to build, scan, and authorize hardened containerized applications for use on DoD systems. Applications that have gone through this process can be found in Registry One and are available and approved for use on many DoD platforms. Visit the Iron Bank checklist to learn more about the onboarding and approval process.

Platform One also offers a hosting service called Party Bus that runs mission and enterprise applications. Iron Bank is an excellent accreditation path for containerized applications that must be used within several different hosting environments across DoD. Party Bus is a cost-effective hosting option comparatively, but it has the drawback of requiring funds to be sent from a government sponsor to Platform One before onboarding. Additionally, there is a selection process for applications chosen to be hosted on Party Bus with no guarantee that finding a sponsor and funding will secure your spot on the platform. Party Bus onboarding workshops are available to anyone who wants to explore this pathway.

Who is Platform One best for?

Platform One brings in the best aspects of DevSecOps to software developers by utilizing Platform One’s built-in continuous Authority to Operate (cATO). It is best for applications that are already containerized and are looking to speed up the process of development for and streamline acquisition of their software while maintaining high levels of security.

What are the key benefits?

The key benefits to Platform One include its ability to enable DevSecOps and CI/CD practices in addition to its cATO, enabling quick reauthorization as a result of robust system-level continuous monitoring programs. Without the constraints of having to go through the traditional ATO process multiple times, the cATO can alleviate time and funding stressors on a company and allow for continuous development and reauthorization.

Estimated time to accredit: <90 Days

4 paths to secure an Authority to Operate (ATO) for your SaaS app (5)

(Video) eInvoicing: Unlocking the Benefits for Bookkeepers

Game Warden

Building on lessons learned from Platform One and innovations pioneered by DoD software factories, our team at Second Front Systems (2F) set out to build a platform that could accelerate software delivery into DoD networks for companies of all sizes. 2F’s B2B model scales rapidly without the budget constraints and contracting requirements government agencies face.

Game Warden is a DoD-authorized DevSecOps Platform as a Service (PaaS) that can scan, harden, authorize, and host containerized applications in production environments that are accessible to defense end users. Game Warden follows a traditional licensing model and integrates a company’s Cloud Native Computing Foundation (CNCF) compliant containers into Game Warden’s container repository. From there, Game Warden continues to look for security weaknesses through functional testing, container security scans, container hardening, and test deployments. The platform includes infrastructure and platform management, in addition to ensuring your application and hosting environments meet or exceed government security standards.

Who is Game Warden best for?

Game Warden is ideal for SaaS companies looking to expand rapidly within the defense sector and for government organizations wanting to rapidly leverage commercial software for their missions. Companies looking to speed up their deployment process using DevSecOps methods are great fits for this pathway, especially if they have been containerized using Platform One’s Iron Bank or an other third-party containerization system which prepares an app for Game Warden’s technical requirements. Game Warden also includes a mutual non-disclosure agreement and strict access controls to prevent intellectual property theft.

What are the key benefits?

Game Warden accelerates the delivery and accreditation of commercial software for DoD environments. Game Warden is built to significantly reduce the barrier to entry for software vendors new to the defense space trying to get their products into the hands of DoD end-users and preparing for scale. The fully managed DevSecOps platform provides a secure, authorized hosting environment for your applications with a simple, user-friendly interface and dedicated support. Game Warden enables both commercial and government solutions to increase speed, security, and scalability for testing, evaluating, procuring, and hosting SaaS applications.

Estimated time to accredit: <90 Days


Entering the defense market as a software company isn’t easy. To make your delivery as streamlined as possible, it’ll be key to align your company’s development and deployment processes with your customer’s needs and accreditation requirements. Understanding each pathway and working with your DoD customer to choose which is best for you will greatly reduce overhead and obstacles faced when deploying to users.

(Video) Webinar: eInvoicing - Transforming Your Accounting Process from Bane to Boon


How do I secure my SaaS application? ›

The following practices are recommended for securing SaaS environments and assets.
  1. Enhanced Authentication. ...
  2. Data Encryption. ...
  3. Oversight and Vetting. ...
  4. Discovery and Inventory. ...
  5. CASB Tools. ...
  6. Situational Awareness. ...
  7. Use SaaS Security Posture Management (SSPM)

What is required for an ATO? ›

Generally the steps in the ATO process align with the NIST Risk Management Framework (RMF) and include: Categorize the system within the organization based on potential adverse impact to the organization. Select relevant security controls. Implement the security controls. Assess the effectiveness of the security ...

What is an Authority to operate? ›

An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations.

What does ATO mean in cyber security? ›

Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.

What are three ways to secure applications? ›

Three Ways To Secure Application Services – Authentication, Automation, And Collaboration.

Who is responsible for security in SaaS? ›

SaaS: SaaS vendors are primarily responsible for the security of their platform, including physical, infrastructure and application security. These vendors do not own the customer data or assume responsibility for how customers use the applications.

What is the ATO process? ›

An ATO package includes documentation of the security control assessment. The package provides the Authorizing Official (AO) the essential information they need to make a risk-based decision about whether to authorize the operation of your application or a designated set of controls.

What is authorization to use? ›

Authorization is a process by which a server determines if the client has permission to use a resource or access a file. Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access.

What are the three types of authority relating to Organisations? ›

According to Max Weber, the three types of legitimate authority are traditional, rational-legal, and charismatic.

What does ATO stand for in RMF? ›

RMF is a security framework developed in late 2013 for the federal government... ... to replace the legacy Certification and Accreditation (C&A) process with a six-step lifecycle process used to obtain and maintain the Authority to Operate (ATO) federal systems.

What is an ATO in tech? ›


See authorization to operate (ATO).

Does software need an ATO? ›

An ATO or Authority to Operate is an authorization process that a software system needs to have before the agency can use it in a production environment.

What are the powers of the ATO? ›

When using our access powers, we are authorised to enter and remain on any land, premises or place and have full and free access to books, documents, goods or other property. We can make copies of documents for our records, but cannot seize or remove your documents without your consent.

What does ATO mean in FedRAMP? ›

In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.

What are the 4 main security tips you can use to protect your mobile operating system? ›

Set up Touch ID or Facial Recognition on your device, and back that up with a unique PIN or pattern. Don't download apps from third-party sites. Cybercriminals create “spoof” apps to trick people into downloading malware or spyware onto their device. Only use official apps from Google Play or the App Store.

What are the three 3 types of security to use as a methodical approach to protect a network infrastructure? ›

There are three components of network security: hardware, software, and cloud services. Hardware appliances are servers or devices that perform certain security functions within the networking environment.

What are the 3 key principles of security? ›

What are the 3 Principles of Information Security? The basic tenets of information security are confidentiality, integrity and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad.

Who has the most responsibility and accountability of security in SaaS? ›

Cloud consumers must always ensure the security of the endpoints that are used to access cloud services. In the SaaS model, this is the only responsibility of the cloud consumer regarding infrastructure security. With IaaS, the cloud user is responsible for network security and, if necessary, communication encryption.

Who is responsible for securing the data and users when using SaaS or IaaS services? ›

The SaaS vendor is responsible for securing the application and the supporting infrastructure. IT teams only have to worry about managing their data and security permissions.

What are the two primary areas of security concern for organizations using SaaS? ›

As SaaS usage and adoption continues to grow, SaaS security concerns grow along with them. Misconfigurations, access management, regulatory compliance, data storage, data retention, privacy and data breaches, and disaster recovery are the top seven SaaS security risks.

What is ATO platform? ›

ATO Platform. ATO is the new standard for artists, collectors, and galleries. ATO protects against the emergence of a counterfeit market and tracks historical information to ensure artists receive royalties from their resales. Artists. Artworks.

What is the purpose of the ATO? ›

The Australian Taxation Office (ATO) is the Australian Government's principal revenue collection agency, administering Australia's tax system and significant aspects of the superannuation system.

What is the aim of the ATO? ›

The ATO plays a key role as the Australian Government's principal revenue collection agency. The ATO administers the tax, excise and superannuation systems that support and fund services for Australians, and delivers various social and economic benefits and incentive programs.

What are the 4 phases of assessing security controls? ›

The process for conducting a security assessment is a relatively straightforward four-step process: prepare for the assessment, develop an assessment plan, conduct the assessment, and analyze the findings.

What are the four phases of security? ›

The four phases in the Secure Software Development Lifecycle are preparation, analysis, determining mitigations and validation.

What are the 3 types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are the types of authorization? ›

There are four types of Authorization – API keys, Basic Auth, HMAC, and OAuth.

What are the different types of authentication? ›

What are the types of authentication?
  • Single-Factor/Primary Authentication. ...
  • Two-Factor Authentication (2FA) ...
  • Single Sign-On (SSO) ...
  • Multi-Factor Authentication (MFA) ...
  • Password Authentication Protocol (PAP) ...
  • Challenge Handshake Authentication Protocol (CHAP) ...
  • Extensible Authentication Protocol (EAP)
30 Sept 2020

How do you secure a cloud based application? ›

Here are 5 cloud application best practices for implementing effective security measures:
  1. Identity access management.
  2. Encryption.
  3. Threat monitoring.
  4. Data privacy & compliance.
  5. Automated security testing.

How do I protect my SaaS IP? ›

Copyright. Obtaining copyright registration to protect software code may be a good strategy for a SaaS startup. Copyrights protect the expression of an idea, i.e., how the code is written. By registering software code for copyright protection, others are prohibited from copying the protected code.

How do you get security on an application? ›

Enforce secure communication
  1. Safeguard communication between apps.
  2. Ask for credentials before showing sensitive information.
  3. Apply network security measures.
  4. Use WebView objects carefully.
  5. Use intents to defer permissions.
  6. Share data securely across apps.
  7. Store private data within internal storage.

How do you secure Microservices application? ›

8 Ways to Secure Your Microservices Architecture
  1. Make your microservices architecture secure by design. ...
  2. Scan for dependencies. ...
  3. Use HTTPS everywhere. ...
  4. Use access and identity tokens. ...
  5. Encrypt and protect secrets. ...
  6. Slow down attackers. ...
  7. Know your cloud and cluster security. ...
  8. Cover your security bases.

What are the four areas that cloud security needs to include? ›

These four pillars are the foundational requirements for comprehensive cloud security.
  • Visibility and compliance. ...
  • Compute-based security. ...
  • Network protections. ...
  • Identity security.
21 Jul 2020

What are the 3 categories of cloud security? ›

The three main types of cloud deployment models are private, public, or hybrid.

Which are the three steps to cloud security? ›

Three steps to an effective cloud security strategy
  1. Layer in layered security. Deploy private connectivity instead of a regular internet pathway to a cloud provider's network. ...
  2. Data privacy. ...
  3. Hold your cloud provider's feet to the fire.
7 Sept 2017

What are the 4 main methods of protecting IP? ›

Copyright, patents, designs and trade marks are all types of intellectual property protection.

What are the 4 types of intellectual property? ›

Patents, trademarks, copyrights, and trade secrets are valuable assets of the company and understanding how they work and how they are created is critical to knowing how to protect them.

What are the 3 main ways to protect IP and when would you use each? ›

Register copyrights, trademarks, and patents

Copyright, trademark, and patent are three of the most common types of IP protection. These grant you the exclusive rights to your creations, especially when it comes to the commercial gains of its use.

What are the different types of application security? ›

Different types of application security features include authentication, authorization, encryption, logging, and application security testing. Developers can also code applications to reduce security vulnerabilities.

What are five key steps that help to ensure database security? ›

Five Key Steps for Database Security in the Cloud Age
  • Define standards, security, and compliance policies. ...
  • Run vulnerability assessments. ...
  • Understand user privilege and access. ...
  • Use data analytics to mitigate risks. ...
  • Respond to policy violations in real time.
8 Feb 2022

What are application security controls? ›

Application security controls are the specific steps assigned to developers or other teams to implement those standards. The responsibility for application controls lies across departments, but developers have a key role to play.

What are the 3 C's of microservices? ›

When you are ready to start adopting a microservices architecture and the associated development and deployment best practices, you'll want to follow the three C's of microservices: componentize, collaborate, and connect.

What are the three options for authentication and authorization when deploying a microservices application? ›

Authentication and authorization logic needs to be handled in each microservice, and this part of the global logic needs to be implemented repeatedly in each microservice.
  • Distributed Session Management. ...
  • Client Token. ...
  • Single sign-on. ...
  • Client Token with API Gateway. ...
  • Third-party application access. ...
  • Mutual Authentication.
24 Apr 2018

Which of the following are the best practices to secure microservices? ›

Here are eight best practices for securing your microservices.
  • Use OAuth for user identity and access control. ...
  • Use 'defence in depth' to prioritize key services. ...
  • Don't write your own crypto code. ...
  • Use automatic security updates. ...
  • Use a distributed firewall with centralized control. ...
  • Get your containers out of the public network.


1. AWS Summit DC 2022 - Scaling automated governance with Landing Zone Accelerator on AWS
(AWS Events)
2. TX-RAMP Overview for Agencies
3. AWS Public Sector Summit Online 2021: Automate security for the FedRAMP Cloud
(AWS Public Sector)
4. Securing the Cloud - Prisma Cloud by Palo Alto Networks
5. Automating FedRAMP Security Compliance with Terraform
6. Strategies for Planning a FedRAMP Assessment
(Moss Adams)
Top Articles
Latest Posts
Article information

Author: Zonia Mosciski DO

Last Updated: 01/31/2023

Views: 5489

Rating: 4 / 5 (51 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Zonia Mosciski DO

Birthday: 1996-05-16

Address: Suite 228 919 Deana Ford, Lake Meridithberg, NE 60017-4257

Phone: +2613987384138

Job: Chief Retail Officer

Hobby: Tai chi, Dowsing, Poi, Letterboxing, Watching movies, Video gaming, Singing

Introduction: My name is Zonia Mosciski DO, I am a enchanting, joyous, lovely, successful, hilarious, tender, outstanding person who loves writing and wants to share my knowledge and understanding with you.