System Authorization
Overview
System Authorization at CMS is the result of testing and documenting security compliance for FISMA systems. Authorization to Operate (ATO) is the stamp of approval from an Authorizing Official (AO) that verifies a system is appropriately protected to operate with minimal risk.
CMS Business Owners, ISSOs, and other stakeholders work together to confirm that a system's security and privacy controls are working as intended. Modern programs at CMS such as Ongoing Authorization focus on continuous assessment and management of risk.
All resources in System Authorization
General Information
- Authorization to Operate (ATO)
- CMS Information Security Advisory Board (CISAB)
- CMS Information System Risk Assessment (ISRA)
- CMS Interconnection Security Agreement (ISA)
- CMS Technical Reference Architecture (TRA)
- ISSO Appointment Letter
- Ongoing Authorization (OA)
- Security Controls Assessment (SCA)
- Security Impact Analysis (SIA)
- System Security and Privacy Plan (SSPP)
Policies and Handbooks
Latest articles and updates
- 6/11/2025 | Updates | From CFACTS
CFACTS Update: New features to streamline ATO workflows
Learn about new features in CFACTS that make ATO workflows easier, including an ATO Document Progress View and ATO Conditions.
- 3/27/2024 | Updates | From Policy
The SSP is now the SSPP: Here’s Why
The plan formerly known as the System Security Plan (SSP) is now the System Security and Privacy Plan (SSPP).
- 3/25/2024