Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Published: 11/28/2023

CFACTS Update: Improvements to ATO Request workflow

by CFACTS Team

Learn about new fields and views in CFACTS to improve the ATO Request process.

Getting an Authorization to Operate (ATO) is a lot of work. The CFACTS team is dedicated to making the process smoother for ISSOs and other ATO stakeholders. We have made updates to the ATO Request workflow in CFACTS, which are summarized below. 

ATO Document Progress View 

  • What it is: A new feature that shows your progress through completing all documents required for ATO. 

  • Why this is helpful: You can see what documents or steps are still needed before submitting an ATO Request. 

  • Where to find it: Go to the ATO Document Progress tab in the ATO Request. 

New fields and updates in the Executive Summary 

  • What it is: The Final Executive Summary is the part of the ATO Request that verifies the completion of all the required ATO documentation and summarizes why the system should be granted an ATO. For the Executive Summary, we have added a new Residual Risks field. Internal and External Interconnections are now two separate fields. Also, Business and System Risks are now two separate fields for the ISRA Summary. 

  • Why this is helpful: The new fields in the Executive Summary makes it easier for ATO stakeholders to see and analyze the data that indicates a system’s readiness for ATO. 

  • Where to find it: Go to the Executive Summary tab. 

New section: FedRAMP Cloud Service Providers 

  • What it is:  New FedRAMP Cloud Service Providers (CSPs) section in the Final Executive Summary which also includes the Cloud Service Offering with the FedRAMP ID. 

  • Why this is helpful: The new CSP section in the Executive Summary makes it easier for ATO stakeholders to see the CSP’s systems are leveraging when submitting their ATO. 

  • Where to find it: Go to the Executive Summary tab. 

ATO Reviewer step is removed 

  • The ATO Reviewer workflow step is removed so the ATO Request now goes to the CRA after the Business Owner Review.  

Who to contact 

Post any questions or comments on the #cfacts-community channel in CMS Slack, or request support by using the CFACTS support portal

More CFACTS resources 

About the publisher:

The CMS FISMA Continuous Tracking System (CFACTS) is the database used to track system security and support the system authorization process. The CFACTS Team works on improvements to the platform and helps people use it effectively.

Related posts and updates

See all posts