What Is an Authority to Operate (ATO) and Why It Matters for OT?

As OT systems and IT networks become more interconnected, the cybersecurity risks grow along with them. That’s why having a solid risk assessment and management process tailored specifically for OT is so important—it helps safeguard your organization’s data, infrastructure, and people. This is where the Authority to Operate (ATO) process plays a key role.

What is an ATO?

An ATO is a formal authorization by a government entity that certifies a system has met specific security requirements and is safe to operate within a designated environment. The ATO process is designed to help ensure operational safety while protecting against the growing threat of cyberattacks.

For OT environments managing critical infrastructure—such as those in manufacturing or defense—covering industrial control systems, building automation systems, energy infrastructure and grid operations, medical devices, and the internet of things-obtaining an ATO is vital to ensure continuity, compliance, and protection against cyber threats. It ensures these systems meet rigorous security and operational standards, minimizing risks to both infrastructure and national security.

In order for a system to achieve the ATO status, an organization must pass through a 7 step process called the Risk Management Framework as defined by NIST (National Institute of Standards and Technology). As part of this process, organizations submit a package of artifacts that detail how the system adheres to various security controls as defined by NIST.

Challenges with today’s ATO Process and OT Systems

Today’s ATO accreditation processes are revealing distinct challenges specific to OT networks and equipment, including:

• Many manufacturing systems were not originally designed with modern cybersecurity controls in mind, such as authentication or access control. As a result, OT equipment often cannot meet the security standards built for IT systems. IT security teams may struggle to accept OT connections to IT environments because OT equipment can't be configured with Security Technical Implementation Guides (STIGs), a requirement of ATO package submissions.
• OT-Specific Controls - Standard controls like Identity, Authentication, Access, Backups and more still apply to Industrial Networks but so do unique controls as described in NIST 800-82.  Read more in our recent post Compliance Drivers in the Age of Industry 4.0.
• Patching and upgrades can be tricky or not even possible – manufacturing systems may be running legacy operating systems, require a multi-stage patching strategy, and/or require specialized vendor knowledge to update. OT equipment has longer upgrade lifecycles and often lacks protocol standardization, making it harder to establish consistent security controls
• Careful response is key – Unlike IT systems that can be isolated or immediately shut down, manufacturing systems require a delicate, often thoughtful touch on safe shutdown or segmentation  

For these reasons, achieving an ATO that connects OT and IT systems is often an arduous journey, sometimes spanning over a year or more from start to finish. As a result, many OT enclaves remain isolated from IT networks throughout DoD organizations. Even in manufacturing settings outside of the DoD with less strict security controls, it is not uncommon for organizations to isolate their OT equipment to reduce their risk and attack surface. 

What’s in an ATO submission?

One of the critical tasks of the Risk Management Framework is the work required as part of ‘Step 2 - Categorize’ to effectively describe and document the system’s characteristics. To do this, system owners must construct several artifacts. Common artifacts to produce include:

Depending on the relevant security controls as well as organization-specific requirements, ATO packages can also require various other types of documents and forms to complete. Some examples from Corsha’s experience include: 

• Information Technology Categorization and Selection Checklist (ITCSC): a form that captures system information, documents the relevant security control overlays, and assesses data privacy risks.
• Security Impact Analysis (SIA): assesses the impact of proposed modifications or additions to a particular boundary - this is typically only needed when submitting a Major Change Request (MCR) to an existing boundary with an ATO.

Taking it all into consideration, there’s quite a lot to put together! And for good reason: the security of the systems being introduced or modified, especially in defense settings, are paramount to the overall mission success and warfighter safety. 

But these artifacts are also resource and time-intensive to build and review - it is this artifact generation step that is one of the primary driving forces behind the lengthy duration of the ATO process today. 

So how can we improve upon today’s ATO processes and reduce the arduous artifact work without sacrificing on quality and thoroughness?  

Key Learnings from Getting our Own ATO

Through several programs with the Air Force Sustainment Center (AFSC), the Corsha team has successfully secured an ATO at Impact Level (IL4). Throughout this effort, we have uncovered several key learnings and have been able to improve and streamline the ATO process in our own programs.

Agree On Controls in Scope Early

Work with your stakeholders in the ATO office (ISSM and SCA) early to determine which controls are in scope and apply.  

Scan and Review Results Internally

Deploy an internal scanning pipeline that mirrors the scanners that will be used to assess your system. This will help reduce back and forth remediations with your ATO office stakeholders from any issues or CVEs found during the scanning process

Use Templates and Expect to Modify them along the Way

Leverage existing templates that provide a better starting point for new ATO packages and make the overall time-to-submission faster. The quality of submission can be further improved by outlining what elements are necessary (or not necessary) for these systems, reducing potential re-work and time-consuming iterations. Our team is also exploring new and exciting ways to build artifacts using generative models to further streamline the ATO submission process.

How Corsha Creates a “STIG-able” access Point

Another critical piece that the Corsha platform brings to the ATO process is a “STIG-able” access point that enables secure connections between OT and IT systems. Reach out to us to learn more on how Corsha has helped AFSC accelerate technology adoption and ATO’s on the shop floor.   

Next up: A Deep Dive on Boundary Diagrams

In our next post in this series, we will deep dive specifically on the Boundary Diagram artifact and discuss the ways in which new standards, technologies, and tools can significantly increase the overall efficiency of the ATO process and simultaneously improve an organization’s security posture. Stay tuned!

Also be sure to read our AFSC case study

About Peter Gray

Peter serves as a Customer Success Executive supporting our enterprise customers at Corsha. He has 14 years serving customers across various technology domains including Business Intelligence, AI/ML, and SaaS applications, and is passionate about helping build and grow post-sales teams in start-up environments. Outside of work, Peter is typically chasing after 3 little ones and taking in the incredible outdoor trail and camping opportunities in Virginia’s Shenandoah Valley with them as much as possible.

About Corsha

Corsha is an Identity Provider for Machines that allows OT enterprises to securely connect, move data, and automate with confidence from anywhere to anywhere. Corsha uses Zero Trust principles to build secure identity and access to diverse OT equipment from inside or outside your industrial network and brings innovation like automated, single-use MFA credentials to machine-to-machine communications. Strong identity, access, and encryption for machines helps you track all of your connections, create a unified zero trust baseline, and securely move data across your industrial network in real-time.