The document provides an overview of the four phases for obtaining an Authority to Operate (ATO) for a Department of Defense (DoD) cloud system: 1. Planning - Select a cloud service provider, categorize the system, select security controls, and develop initial architecture. 2. Initial Deployment and Documentation - Document control implementation, configure security tools, build out initial system, and request network space. 3. Finalize and Accredit Architecture - Load authorization package, submit final package, remediate findings, complete builds, and assess system security. 4. Continuous Monitoring - Update system security plan, conduct monthly scans, update definitions, perform patching and annual assessments. The process follows

1. Jennifer Gray
Public Sector Compliance Architect
From Zero to ATO: A Step-by-Step
Guide on the DoD Compliance
Framework
Jim Caggy
Senior DOD Security Architect

2. In today’s session we will…
 Review DoD Cloud Guidance and Data
Impact Levels
 Four Phases of DoD System Accreditation
 Questions

3. DoD Cloud References
FEDRAMP
Government-wide program that provides a standardized approach to security
assessment, authorization, and continuous monitoring for cloud products and
services.
DoD Cloud Computing Security Requirements Guide (CC SRG)
Outlines the security model by which DoD will leverage cloud computing along
with the security controls and requirements necessary for using cloud-based
solutions (as defined by NIST) by the DoD.
NIST SP 800-53 – Security and Privacy Controls for Federal
Information Systems and Organizations
A catalog of security and privacy controls for federal information systems. The
controls are customizable and implemented as part of an organization wide
process that manages information security and privacy risk.

4. Cloud Services Provider
DoD Cloud Security Requirements Guide – ATO Process
30+ FedRAMP Compliant
CSP’s (20+ in-process)
IaaS/PaaS/SaaS
Providers are a mix of
IaaS, PaaS, SaaS
(Initial Focus is on IaaS)
FedRAMP Authority to Operate
CSM ATO
Levels 1-2
(Public)
CSM ATO
Levels 3-5
(Unclass)
System-
Specific
ATO
John Doe
DoD DAA
The DoD provisionally
authorized
commercial CSP
offering is eligible to
be included in the
Enterprise Cloud
Service Catalog
DoD Cloud Security Model
(Administered via DISA)
3
4
5
6
20+ Provisional
Authorizations
granted
3 Provisional
Authorization granted
2
4
Increasing Security and
Operating Requirements
CSM ATO
Level 6
(Secret)
100’s of Cloud Service
Providers (CSP)
1
2

5. DoD Cloud Security Model Impact Levels
Impact Level Description
Level 1 Unclassified publicly releasable information e.g., recruiting websites.
Level 2
Unclassified publicly releasable information e.g., recruiting websites.
Unclassified publicly releasable information, with access controls e.g., library systems.
Level 3 Non-National Security System (non-NSS) Controlled Unclassified Information (CUI) – Low
confidentiality impact, Moderate integrity impact e.g., training systems.
Level 4
Non-National Security System (non-NSS) Controlled Unclassified Information (CUI) – Low
confidentiality impact, Moderate integrity impact e.g., training systems.
Non-NSS CUI – Moderate confidentiality impact, Moderate integrity impact e.g., HR systems.
Level 5 NSS CUI – Moderate confidentiality impact, Moderate integrity impact e.g., email systems.
Level 6 Classified information up to and including SECRET – Moderate confidentiality impact, Moderate
integrity impact e.g., C2 systems.

6. Phase 1: Planning
Plan
Document
Assess
Authorize
Monitor
Process
Check DISA catalog of
approved CSPs
Select CSP
Review AWS
compliance
documentation
Review security control
Inheritance and shared
Responsibility
Develop initial
Architecture
Phase I
Categorize system
Select SRG Impact Level
Select security controls

7. Phase 2: Initial Deployment and Documentation
Plan
Document
Assess
Authorize
Monitor
Process
Document security
control implementation
Coordinate with CNDSP
Tier 2
Configure AWS
CloudTrail, Config, VPC
Flow Logs and
CloudWatch
Document PPSM
Register in SNAP
and coordinate
CAP connection
Phase I
Phase II
Request DOD IP space
Build out base system
and test implementation
of security controls

8. Phase 3: Finalize and Accredit Architecture
Plan
Document
Assess
Authorize
Monitor
Process
Load security
authorization package into
eMass
Submit final ATO package
to your DAA
Phase I
Phase III
Phase II
Remediate
Document findings
Create Plans of
Action & Milestones
Complete architecture
build out, integrations
Requirements
Lock down system for
testing
Assess system
‒ Pentest
‒ Vulnerability scan
‒ Compliance reviews

9. Phase 4: Continuous Monitoring
Plan
Document
Assess
Authorize
Monitor
Process
Update SSP
Track and report
significant changes
to AO
Phase I
Phase III
Phase IV
Phase II
Conduct monthly ACAS
scans
Update HBSS definitions
Conduct patching
(IAVM process)
Perform annual
assessment

10. NIST SP 800-37 Risk Management Framework
Initiation Concept Planning
Requirements
Analysis
Design Development Test
Implemen-
tation
Operations &
Maintenance
Disposition
1 2 3 4
Architecture
Review
System
Accreditation
Security
Control
Assessment
Annual
Operational
Analysis
Independent
Verification &
Validation
Assessment
Implementatio
n Readiness
Review
Validation
Readiness
Review
Detailed
Design
Review
Integrated
Baseline
Review
Require-
ments
Review
Post-
Implemen-
tation Review
Security
Authorization
SLDC
Project Review Project Selection
Review
Project Baseline
Review
Preliminary
Design Review
Operational
Readiness Review
CATAGORIZE THE SYSTEM
SELECT CONTROLS
IMPLEMENT CONTROLS
ASSESS CONTROLS
AUTHORIZE THE
SYSTEM
MONITOR CONTROLS
NIST SP 800-37 Risk Management Framework

11. Questions?