FISMA & NIST RMF

ATO

Authority to Operate, the formal management decision by an Authorizing Official to accept the risk of operating a federal information system. An ATO is granted at the conclusion of RMF Step 5 based on the Security Assessment Report, the Plan of Action and Milestones, and the residual risk determination. ATOs are typically valid for three years under traditional RMF or maintained indefinitely under Ongoing Authorization.
