ATO CERTIFICATION
THE ATO STANDARD
An Authority to Operate (ATO) is the decision that concludes the security authorization process for an information system in the US federal government, a sector with its own specialized practices. The Authorizing Official (AO) signs a formal statement of risk acceptance, taking responsibility for the system's residual security risk. This must happen before the system, or an upgrade to it, goes into production. There are usually three types of ATO:
Initial ATO: Must be granted before the system goes live, and the authorization must be renewed at least every three years thereafter.
Interim ATO: A conditional ATO, generally valid for six months, often granted during the development or prototype phase.
Reauthorization: Due after three years, or earlier after a significant change to the system's risk level.
To understand how ATOCHECK validates an environment as if it were going through an ATO certification, the governance framework behind the ATO process has to be understood: the steps below are those of the NIST Risk Management Framework (SP 800-37). The first step is to obtain a full view of the current state of the environment in terms of the three security objectives, the CIA triad:
Confidentiality: Preserving authorized restrictions on information access and disclosure;
Integrity: Guarding against unauthorized information modification or destruction;
Availability: Ensuring timely and reliable access to and use of information;
ATOCHECK will be configured to assess the environment against these three objectives, which requires working through the following steps.
CATEGORIZATION
This is the system's overall impact level, derived from the security objectives of confidentiality, integrity, and availability. Each objective, and the system as a whole, is categorized as high, moderate, or low impact (FIPS 199). ATOCHECK will determine and document the categorization from the system's parameters.
SELECTION
At this step a baseline of security controls is selected: the system's categorization determines which baseline (low, moderate or high, as defined in NIST SP 800-53) applies. Systems are assessed at the operating system, application, and database layers. The baseline fixes the safeguards or countermeasures to be employed and the minimum assurance requirements.
IMPLEMENTATION
This is the step where the security controls are implemented within the agency's enterprise architecture. Each control can be already implemented, planned, or covered by a compensating control, and it can be system-specific, common (inherited from another system) or hybrid; in every case the implementation has to be demonstrated and documented. Every detail is relevant, and ATOCHECK will make sure it is captured.
ASSESSMENT
Through verification of evidence, the controls are tested to determine whether they are in place and operating as intended. Assessing the controls is the key to determining whether they are actually effective, rather than merely documented.
AUTHORIZATION
At this step the authorization package is submitted to the Authorizing Official (AO), who either accepts the residual risk and grants the ATO or denies it. ATOCHECK simulates the AO's acceptance decision so that you can see where your company stands.
MONITORING
At this step ATOCHECK keeps monitoring to determine whether the complete set of planned, required, and deployed security controls within the information system, or inherited by it, remains effective over time, while work starts on remediating the threats that were raised.
Once ATOCHECK finishes the assessment, the user receives an accreditation package, much like the one produced by a real ATO application but relating to the simulation that took place. The final review consists of:
1. The accreditation decision letter, which in this case reports an adherence percentage for each of the steps, as if you were applying for an ATO certification;
2. A threat assessment, listing the potential threats arising from the points that were not adherent;
3. A plan of action and milestones (POA&M) for the proposed remediations.
ATOCHECK can quickly navigate the US federal government's industry-specific practices because it models the ATO steps and process as a whole. The ATO process itself, and the accreditation package received from the AO, can be hard for new users to comprehend; our goal is to demystify it. Once the potential impact on each of the three security objectives has been determined (FIPS 199), the overall impact level of the system is derived by the high-water-mark principle, i.e. the highest of the three, as described in NIST's FIPS 200. Determining impact levels ultimately involves judgement, but ATOCHECK makes the process consistent and repeatable.
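The categorization and selection steps described above, worked through in code. This is an added example written for this page, not ATOCHECK code: it applies the FIPS 199 high-water mark across the information types a system handles, derives the FIPS 200 overall impact level, and maps it to the SP 800-53 baseline. The payroll information types and their impact values are constructed sample data, and the function names are the example's own.

```javascript
// FIPS 199 impact levels in increasing order. "NA" (not applicable) is allowed for the
// confidentiality of a public information type, but never for a system as a whole.
const LEVELS = ['NA', 'LOW', 'MODERATE', 'HIGH'];
const OBJECTIVES = ['confidentiality', 'integrity', 'availability'];

function rank(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown impact level: ${level}`);
  return i;
}
const higher = (a, b) => (rank(a) >= rank(b) ? a : b);

// FIPS 199: for each objective, the system's impact value is the highest value
// ("high-water mark") among the information types it stores, processes or transmits.
// The system floor is LOW, so an information type marked NA can never lower it.
function categorizeSystem(infoTypes) {
  if (infoTypes.length === 0) throw new Error('a system must carry at least one information type');
  const sc = { confidentiality: 'LOW', integrity: 'LOW', availability: 'LOW' };
  for (const t of infoTypes) {
    for (const obj of OBJECTIVES) sc[obj] = higher(sc[obj], t[obj]);
  }
  return sc;
}

// FIPS 200: the overall impact level of the system is the highest of its three objectives.
function overallImpact(sc) {
  return OBJECTIVES.map((obj) => sc[obj]).reduce(higher);
}

// The overall level selects the SP 800-53 control baseline (low, moderate or high).
function selectBaseline(sc) {
  return `SP 800-53 ${overallImpact(sc)} baseline`;
}

// FIPS 199 notation for the security category of a system.
function formatCategory(name, sc) {
  const parts = OBJECTIVES.map((obj) => `(${obj}, ${sc[obj]})`).join(', ');
  return `SC ${name} = {${parts}}`;
}

// Constructed sample: the information types a payroll system handles (hypothetical values).
const PAYROLL_INFO_TYPES = [
  { name: 'employee PII',           confidentiality: 'MODERATE', integrity: 'MODERATE', availability: 'LOW' },
  { name: 'payment instructions',   confidentiality: 'MODERATE', integrity: 'HIGH',     availability: 'MODERATE' },
  { name: 'public benefits notice', confidentiality: 'NA',       integrity: 'LOW',      availability: 'LOW' },
];

const payrollSC = categorizeSystem(PAYROLL_INFO_TYPES);
console.log(formatCategory('payroll', payrollSC));
// SC payroll = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
console.log(selectBaseline(payrollSC)); // SP 800-53 HIGH baseline
```

Note that a single HIGH on one objective of one information type (here the integrity of payment instructions) pulls the whole system to the high baseline; that is the point of the high-water mark, and it is why splitting a system into separately authorized components is sometimes worth the effort.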
ATOCHECK will act as a partner-driven process that includes training, tools, pre-built AWS CloudFormation templates, control implementation details, and pre-built policies and procedures, optimizing the user's cloud workloads and improving their ability to meet the most demanding requirements. The ATOCHECK software solution will cover the following:
SETUP
A company usually has many sets of system configurations, whether for servers, databases or network equipment. The setup of all these interconnected systems must be verified to be sound. Often the configuration is not ideal, but as long as the systems keep running no further check-ups are made. Disabling or changing unnecessary default features and settings removes opportunities for attack, so reviewing the features that came enabled by default, and disabling or customizing them, is part of the ATOCHECK solution.
PERMISSION
Companies often have multiple levels of access permission. With ATOCHECK we want to ensure that there are defined processes for identifying new users and for recording, approving, and maintaining access rights. In these processes, user access rights are aligned with business needs; access rights are requested by the user's management; they are approved by the system or data owners; and they are implemented by the security administrators. Many data breaches can be prevented simply by reviewing permissions and access rights, and ATOCHECK will ensure that this review is not forgotten.
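A user access review of the kind described above, as an added example written for this page rather than ATOCHECK code: the access rights actually implemented are reconciled against the approvals recorded by the system/data owners and against the active user roster, and every discrepancy is reported as a finding. The roster, approvals and grants are constructed sample data; the finding names are the example's own.

```javascript
// Active accounts according to HR (constructed sample).
const ROSTER = new Set(['alice', 'bob', 'carol']);

// Access requests approved by the system/data owner (constructed sample).
// Dates are ISO 8601 strings, so lexical comparison is chronological comparison.
const APPROVALS = [
  { user: 'alice', resource: 'payroll-db', right: 'read',  approvedBy: 'owner-finance', expires: '2025-06-30' },
  { user: 'bob',   resource: 'payroll-db', right: 'read',  approvedBy: 'owner-finance', expires: '2024-01-31' },
  { user: 'carol', resource: 'hr-share',   right: 'write', approvedBy: 'owner-hr',      expires: '2025-12-31' },
];

// Rights actually implemented by the security administrators (constructed sample).
const GRANTS = [
  { user: 'alice', resource: 'payroll-db', right: 'read' },
  { user: 'alice', resource: 'payroll-db', right: 'write' }, // broader than what was approved
  { user: 'bob',   resource: 'payroll-db', right: 'read' },  // approval has lapsed
  { user: 'dave',  resource: 'hr-share',   right: 'write' }, // no such active employee
];

const key = (e) => `${e.user}|${e.resource}|${e.right}`;

// Reconcile grants against approvals and the roster. Returns one finding per discrepancy.
function reviewAccess(roster, approvals, grants, today) {
  const approved = new Map(approvals.map((a) => [key(a), a]));
  const implemented = new Set(grants.map(key));
  const findings = [];

  for (const g of grants) {
    const a = approved.get(key(g));
    if (!roster.has(g.user)) {
      findings.push({ ...g, finding: 'ORPHANED_ACCOUNT' });   // leaver or unknown account still holds rights
    } else if (!a) {
      findings.push({ ...g, finding: 'NO_APPROVAL' });        // right exists without owner approval
    } else if (a.expires < today) {
      findings.push({ ...g, finding: 'APPROVAL_EXPIRED' });   // approval lapsed but right was never removed
    }
  }
  for (const a of approvals) {
    if (!implemented.has(key(a)) && a.expires >= today) {
      findings.push({ ...a, finding: 'NOT_IMPLEMENTED' });    // approved but never provisioned
    }
  }
  return findings;
}

// Count findings by type, which is what a review report lists first.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.finding] = (counts[f.finding] || 0) + 1;
  return counts;
}

const findings = reviewAccess(ROSTER, APPROVALS, GRANTS, '2024-09-01');
console.log(summarize(findings));
// { NO_APPROVAL: 1, APPROVAL_EXPIRED: 1, ORPHANED_ACCOUNT: 1, NOT_IMPLEMENTED: 1 }
```

The orphaned-account check runs first on purpose: a leaver's account is a higher-risk finding than a missing approval, and an account that is not on the roster should be reported regardless of whatever approval paperwork still exists for it.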
COMMUNICATION
While many companies keep their data in-house, some lines of business require connections with external environments. Merely transferring data over an internet connection can raise unexpected threats, so this is one of the most relevant points to assess: what are the external and internal communication processes, and what can be done to make them more secure? ATOCHECK will present solutions based on your own integrated system.
CYBERSECURITY 101
The most basic protection against a breach is adequate security software. Antivirus software scans files, programs and applications and compares them against a database of known-malware signatures (and, in current products, behavioural indicators). A firewall provides network security by filtering incoming and outgoing traffic according to a set of user-defined rules. ATOCHECK will check not only that antivirus and firewall protection are enabled, but also how they are configured and how effective that configuration is.
USUAL SOFTWARE
Companies often have many software products installed, and some of them carry known vulnerabilities. ATOCHECK will analyze all installed software, from office suites to poker clients: if it is installed on your network, ATOCHECK will scan it to identify potential threats.
SPECIFIC PARAMETERS
There are thousands of lines of business, and the security requirements a shoe retailer must follow are not necessarily the same as those of a real estate company. Each industry, and even each location, has its own security requirements to comply with. ATOCHECK takes this into account, and all assessments and solutions will be specific to the company's line of business.
FIRMWARE UPDATES
Firmware is software embedded in a hardware device; it consists of the set of instructions that control how your network device behaves. Network devices should always run the latest firmware, because vendors ship fixes for known vulnerabilities in it as well as performance improvements, but checking for updates usually requires a manual scan, and most people do not do it unless the device stops working. ATOCHECK will automatically look for new firmware releases to ensure that your devices are running the latest version. You will be able to set how often ATOCHECK checks for firmware updates, but since attackers and ransomware strains constantly adapt to exploit weaknesses in earlier versions, it is advisable to update regularly. Firmware should be obtained only from the vendor's official channel, since it runs with full control over the device.
RE-ASSESS
To ensure that all data remains compliant with what the ATO procedures require, ATOCHECK will re-assess whenever changes are made within the instances. Such changes include new encryption methods, newly installed software, setup changes, or anything else that would change how information is handled and would require the company to submit an update to the System Security Plan in a real ATO process.
YOUR OWN SYSTEM
Small-to-medium businesses often have their own in-house systems, and moving to a different platform can be challenging and inefficient because of the time needed to learn it. With that in mind, ATOCHECK will contain an integration module that handles the integration in the backend while keeping the frontend very similar to your own system, so users can reach the new functionality ATOCHECK offers from a familiar, user-friendly screen. You can also choose to integrate your entire IT system or only the relevant parts of it, to get a full scan against the parameters of the ATO process.
EDUCATIONAL PRACTICE
We will offer a dedicated learning space containing not only guidance, templates, and tools that explain how the ATO process parameters work, but also educational videos and short lectures from cybersecurity experts. We believe that information is key in cybersecurity, so this is our way of helping users improve their data security. We also plan to launch a dedicated assistance space where specialists offer support on a specific process or subject, although this functionality is planned only once we have a stable operation running.
RESULTS
After running a full scan of all network and network-related devices, ATOCHECK will present a result stating your company's adherence percentage against the FedRAMP ATO process. It is very likely that some amendment will be required. ATOCHECK will also report which potential threats were raised and what improvements should be made, and will rank them, separating those that present a higher level of threat from those that are less relevant. It is the user's choice whether to implement these changes.
ATOCHECK will be dealing with multiple fronts at the same time and will have access to detailed information that can be sensitive depending on the line of business, so handling every company's data according to the best security practices is a must. The ATOCHECK technical model is as follows:
AES-256 ENCRYPTION
The Advanced Encryption Standard (AES) is the first and only publicly available cipher approved by the US National Security Agency (NSA) for protecting top-secret information, when used in an approved cryptographic module. AES-256, with a 256-bit key, is the largest AES key size and is infeasible to break by brute force with current or foreseeable computing power. Key length alone does not make a system secure, however: the mode of operation (an authenticated mode such as GCM, which detects tampering), nonce handling and, above all, key management decide whether AES-256 actually protects the data. ATOCHECK will therefore use AES-256 for data protection together with a key-management solution that automates the key lifecycle (generation, rotation and retirement), can support hundreds of millions of keys, and integrates with the network to safeguard assets against attacks on devices and infrastructure. Being the most widely vetted encryption standard available, AES-256 is the best fit for our services.
CLOUD-BASED
Cloud storage is a must given the amount of data we produce every day. ATOCHECK's entire business is based on cloud services and their security controls. Cloud servers sit in data centres that most staff have no physical access to; data at rest can be encrypted, provided encryption is enabled and the keys are managed properly (it is not automatic on every service); and storing data on cloud servers is much less expensive, which allows ATOCHECK to be more competitive on pricing.
PROGRAMMING LANGUAGE
Based on the functions that ATOCHECK will offer, we believe that Java, JavaScript, and C++ are the most suitable languages for our solutions. JavaScript is a high-level, dynamically typed, multi-paradigm scripting language that runs interpreted (with just-in-time compilation) in every browser; it is one of the core technologies of the World Wide Web and, since it enables interactive web pages, essential for any web-based communication software. Java is a statically typed, object-oriented language compiled to bytecode for the Java Virtual Machine and widely used for portable backend services. C++ is a general-purpose, multi-paradigm compiled language; it has been one of the most popular languages for commercial and academic software since the 1990s thanks to its performance and large user base.
Infrastructure as a service (IaaS)
Infrastructure as a service (IaaS) is on-demand computing infrastructure, provisioned and managed over the internet, with the ability to scale up and down quickly with demand while paying only for what you use.
IaaS helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infrastructure. Each resource is offered as a separate service component, and you rent a particular one only for as long as you need it. ATOPROS manages the infrastructure, while you purchase, install, configure, and manage your own software: operating systems, middleware, and applications.
Common IaaS business scenarios
• Test and development. Teams can quickly set up and dismantle test and development environments, bringing new applications to market faster. IaaS makes it quick and economical to scale dev-test environments up and down.
• Website hosting. Running websites using IaaS can be less expensive than traditional web hosting.
• Storage, backup, and recovery. Organizations avoid the capital outlay for storage and complexity of storage management, which typically requires a skilled staff to manage data and meet legal and compliance requirements. IaaS is useful for handling unpredictable demand and steadily growing storage needs. It can also simplify planning and management of backup and recovery systems.
• Web apps. IaaS provides all the infrastructure to support web apps, including storage, web and application servers, and networking resources. Organizations can quickly deploy web apps on IaaS and easily scale infrastructure up and down when demand for the apps is unpredictable.
• High-performance computing. High-performance computing (HPC) on supercomputers, computer grids, or computer clusters helps solve complex problems involving millions of variables or calculations. Examples include earthquake and protein folding simulations, climate and weather predictions, financial modeling, and evaluating product designs.
• Big data analysis. Big data is a popular term for massive data sets that contain potentially valuable patterns, trends, and associations. Mining data sets to locate or tease out these hidden patterns requires a huge amount of processing power, which IaaS economically provides.