Achieve an Authority to Operate (ATO) Faster Through Automation

IT organizations throughout the U.S. Federal Government are constantly working to defend against cyber attacks, nation state actors, criminals, and have to do that while modernizing their network infrastructure and applications. The process to become certified to provide these requires an Authority to Operate (ATO). In today’s environment, doing this the old fashion way of manually scanning, importing to checklists, tracking separate spreadsheets for compliance, and “checking off CCIs” manually has GOT TO GO!!

We must automate to have good consistent processes and results in the most efficient way with our IT, management and cyber personnel.

We must automate to combat bad actors and maintain good cyber hygiene.

And we must automate to reduce non-value-added tasks and give our personnel time back to go harden our systems and applications.

Compare the old and new ways for achieving an ATO below and see where you and your team fit. Then take action!

Out With the Old

The old way of achieving an ATO is what a majority of groups have been doing for the past 15+ years, with some bandaids and patchwork done on pieces of the process to make them better. It is what most organizations have told us they are still doing during our conversations and demos with them over the past year+.

  • Scan computers with DISA or other SCAP scanners
  • Manually take scan results, put into STIGViewer for each scan, to create or update checklist CKL files
  • Track individual checklist files
  • Run patch scans on the operating system
  • Read reports on the screen or PDFs of scans to figure out what devices and patches to remediate across your infrastructure
  • Track separate CCIs and know how they relate to RMF controls for the process, procedure, policy questions (all manual checks) in yet another a spreadsheet
  • Keep track of all the latest information across the whole team through various emails, Slack messages, text messages, meetings, video calls, and phone calls
  • Backup files in case of bad data or to trace history
  • Live in “Excel Hell” with multiple spreadsheets for disjointed data for SAR, RAR, SSP, POAM, vulnerability trends, data calls and trying to keep that up-to-date in real time
  • Have all your files in some kind of shared drive or configuration management system to track changes (hopefully)
  • Do this at least every 3 years, maybe 1 time a year, with a flurry of work done a few months before the deadline
Frustrated by the old (i.e. current for most groups) way of tracking ATO for RMF and FedRAMP

In With the New

What does the new way to achieve an ATO and maintain that status involve? In a word: automation!

Here are ways you can use OpenRMF Professional to automate collecting, ingesting and processing all this data right now, today, to get a streamlined, consistent, structured view of your RMF or FedRAMP package for an ATO. And it is repeatable across all your teams going through this process:

  • Use the same scanning tools you already have, just combine the disjointed data through an integrated application with RBAC
  • Automate scans with DISA / OpenSCAP / Nessus SCAP scanner and scheduling Nessus/ACAS SCAP or Audit Compliance Scans
  • Automate upload of raw SCAP or Audit Compliance results that turn in checklists and keep information up-to-date automatically (a.k.a. continuous monitoring)
  • Automate OS patch vulnerability scans with Nessus/ACAS patch scans
  • Automate ingest of those patch scans to track patch vulnerability is as near real-time as possible
  • Automate software and container scans with tools like MicroFocus Fortify, SonarQube, Netsparker, Anchore, Sysdig and more
  • Automate ingesting those scan results to track ALL vulnerabilities affecting your system package for the ATO
  • Use pre-defined checklist templates for all manual checks for your NIST control families — Awareness and Training (AT), Incident Response (IR), Media Protection (MP), Physical and Environmental (PE), Security Planning and Policy (PL), Program Management (PM), Personnel Security (PS), Risk Assessment (RA) and System and Services Acquisition (SA)
  • Create checklists from those templates listed above, fill them out easily through a web browser, and track them to ensure compliance for all the manual (a.k.a. not scannable) controls as well as those that can be scanned and automated
Reduce stress, automate to reduce time and money, trust your process for RMF and FedRAMP ATO

What You Can Do Now

Now that you have automated a lot of data generation and the process to group it and relate it across your entire system package, you can track and correlate all that data against your RMF or FedRAMP compliance needs in OpenRMF Professional quickly and easily:

  • Automated ingest of scan results = tracking history and trends over time
  • Have your POAM automatically update based on scan status and vulnerability changes
  • Push-button compliance generated against all data for all required RMF controls easily
  • Export CKLs where required for artifacts
  • Generate your SSP, SAR, RAR, and POAM in defined formats from your most up-to-date live data
  • See real-time information on your cyber compliance across manual processes, automated scans, policies, and procedures to make informed decisions
  • Track compliance with the click of a button
  • Have your cyber, network admin, system admin, developer, project manager, analysts, and even upper management go to one source-of-truth to get your information
  • Keep this automation going for true continuous monitoring and updated information for decision making

All of these ways above in your new processes to save you time and money through automation are real and here today. You can do all this and more with OpenRMF Professional!

OpenRMF Professional v2.8 — Cyber Compliance Automation

Experience OpenRMF Professional For Yourself

Soteria Software’s OpenRMF Professional is revolutionizing the way you track RMF, FedRAMP and Cyber Compliance through automation! Whether you are tracking RMF and FedRAMP right now by itself, automating in a DevSecOps process, need a cyber compliance engine for your Software Factory or are even migrating on premise to cloud infrastructure — OpenRMF Professional can help ease the workload and get you there faster.

You also will have a standardized, structured way to track your cyber compliance across all your teams and customers.

You are in essence building your own Cyber Compliance Factory!

Have all team members manage and import/update their specific data. Generate compliance with a click of a button. Then export your Checklist (CKL) files, System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR) as well as your POAM for your approved government or corporate system of record.

See for yourself by downloading a copy with an evaluation license!



CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft