Streamlining Authority to Operate (ATO) Process Builds Security and Accountability into VA Systems

VA distributes Authority to Operate (ATO) clearances to business partners to give them a “green light” to develop systems, products, and processes intended for use at VA. These ATOs are the front-line defense that certify that all applicable security standards are met for every VA system and are “baked” into product development. Proper planning and risk assessment ensures that VA can uphold our commitments to eliminating material weaknesses and safeguarding the sensitive Veteran information we are responsible for.

The process of risk assessment that goes into ATO distribution can seem confusing at first glance. It involves a complex system of checks and balances that ensures that every system in VA receives the clearance that shows it is both secure and beneficial for VA’s customers: our nation’s Veterans. That is why the Enterprise Program Management Office (EPMO) sought to streamline the process to help ensure that the Authorizing Official (AO) is making decisions that best serve Veteran interests.

To accomplish this, in 2018, EPMO developed the Authorizing Official Summary Brief (AOSB) tool and process to standardize the information sent to the Authorizing Official, expediting ATO approvals. The automated form populates a template with the information needed and receives signatures from the system owners, business owners, and Information System Security Officers (ISSOs) electronically once a decision is made. The AOSB provides a constant, 360-degree visibility around what ATO is up for approval, what has been approved, and what is coming down the pipeline, ensuring everyone is on the same page when a decision is made. That is not the only benefit — Ms. Ruchika Croall, EPMO Information Assurance Director and POC for the tool, explains, “Using this tool builds accountability into the process, so [system owners] understand that receiving ATO means so much more … if the system was breached or it impacted a Veteran, we would be responsible.”

In other words, this behind-the-scenes process at VA ensures each system — and by extension, the system owner — is being held accountable for its security, safety, and effectiveness. This process helps Authorizing Officials sort through the mass of systems they see every day to find only the ones that give the most immediate, safe, and positive benefits to Veterans. It also promotes a discussion of the merits of each system and how it will impact Veterans from their point of view. By providing the Authorizing Official with a better understanding of how the system will be used, the AOSB fosters an effective two-way communication between the development team and Authorizing Official, which ultimately results in better, more secure products. It also helps keep us accountable to our business partners — by working to eliminate potential material weaknesses, we’re ensuring that they receive only the best VA can offer and that VA makes smart business decisions.

The effectiveness of the template tool speaks for itself; we have already seen more than 298,000 system vulnerabilities identified and remediated since its inception this year, while the number of full-ATO approvals has increased by approximately 71 percent as of November 2018. Constant improvements to the process will ensure that we deliver functionality to our Veterans quicker, making their lives and the lives of those who use the systems — doctors, clinicians, and VA employees — easier. EPMO aims to use the tool to increase the number of ATOs while simultaneously managing risk and reducing vulnerabilities.