Assuring ATO-as-Code for Federal Compliance

Congress has mandated that federal agencies automate cybersecurity compliance processes. The Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), and Federal Risk and Authorization Management Program (FedRAMP) released the guidelines for implementing this mandate. In 2022, Congress passed the FedRAMP Authorization Act, reauthorizing FedRAMP and requiring the automation of compliance and authorization processes across the federal government.

Similarly, OMB has issued draft guidance mandating that federal agencies that grant an Authority-to-Operate (ATO) to a Cloud Service Provider must submit the relevant artifacts (such as the SSP, SAP, SAR, and POA&Ms) to the FedRAMP PMO in machine-readable and interoperable formats. These formats, defined by NIST as the Open Security Controls Assessment Language (OSCAL), require federal agencies to implement plans to accept, manage, and maintain ATO documentation in OSCAL format.

The American Council for Technology-Industry Advisory Council (ACT-IAC) whitepaper resulted from a collaboration between government and industry partners, including DRTConfidence. The paper advocates OSCAL-native GRC tools for automating manual, laborious, and complex compliance operations.

Download the whitepaper and learn more about:

  • The objectives of ATO-as-Code
  • How to modernize RMF using OSCAL
  • The implications of the Compliance Automation Process Maturity Model for federal agencies
  • What OSCAL can do for standardizing and automating the ATO process